CLEAN IT: the secret EU surveillance plan that wasn’t

There are elements in Europe who would dearly like to see the CLEAN IT wish list put into practice (including from the law enforcement community, the industries that serve it, and the European Commission), but we must distinguish between transnational talking shops, EU working groups and draft EU policy.


There was a lot of interest among EU policy wonks and digital rights people last week about an initiative called CLEAN IT, following the leak of its “confidential” draft recommendations. “Police to 'patrol' Facebook and Twitter for terrorists under EU plan” announced the UK’s Daily Telegraph. Cory Doctorow blogged about how an “EU working group” had produced the “stupidest set of proposed Internet rules in the history of the human race”. The blogosphere was soon awash with reports of the new ACTA. There was only one problem: CLEAN IT is not an EU working group, and its proposals are not an EU plan.

So what was all the fuss about? CLEAN IT is a transnational project funded under the €600 million “Prevention of and Fight against Crime” (ISEC) programme established in 2007. Whereas the ISEC programme can be used to support projects “initiated and managed by the Commission with a European dimension”, CLEAN IT is a national project led by the office of the Dutch Counter-terrorism coordinator with their counterparts from Belgium, Germany, Spain and the UK brought in as partners. The project received €325,000 to fund four workshops, two conferences and the now hapless-looking project team in The Hague. The stated objective of the project is to develop a “non-legislative ‘framework’ that consists of general principles and best practices” (see outline).

What we’re really talking about then is a few meetings around Europe where representatives of law enforcement agencies, industry and government come together to discuss “terrorist use of the internet”. To most of the participants, it was probably a bit of a ‘jolly’; to the project leaders it was probably the cutting edge of cyber-terror policy. For what it’s worth, “terrorist use of the internet” is being discussed all over the place, including at the United Nations and Council of Europe, though these initiatives have apparently attracted much less critical attention.

Had they not produced such an incredibly stupid set of proposals, few people would have paid the CLEAN IT project much attention either, if any. It’s a sad truth that the European Commission is now throwing so much money at “security” projects that if it converted all of their ‘recommendations’, ‘principles’ and ‘best practices’ into biofuel, Brussels would probably be carbon-neutral. But producing hot air is not the same as developing EU policy or even national policy – far from it.

Of course, it’s easy to see where the confusion comes from: that huge EU flag in the corner of the CLEAN IT website, and the fact that much EU policy does indeed get honed on international law enforcement ‘jollies’. Moreover, as the European Digital Rights Organisation rightly explains, the Commission is only too fond of sponsoring these kinds of devious deliberations whilst promoting ‘voluntary’ private sector enforcement across its ‘cybercrime’ portfolio.  

But who cares if it wasn’t technically an EU plan? Surely by naming-and-shaming the initiative so ruthlessly – the EU Home Affairs Commissioner was forced to publicly disown CLEAN IT in a tweet – a little exaggeration has done the world a favour and killed the initiative? The short answer is: “yes, good riddance”. The longer answer is “yes, but…”, but it’s quite an important “but”.

Yes, but.

An example speaks volumes. A few years ago news surfaced of an EU-funded initiative called INDECT. It was reported in much the same way as CLEAN IT. INDECT had received €12 million from the €1.4 billion EU security research programme and claimed it would help develop the surveillance equivalents of GM foods, stem cell research and ‘fracking’.

INDECT promised to develop face recognition, internet surveillance, smart CCTV and drones as part of a suite of “threat detection tools”. People began to question the project’s credibility when it produced this terrible PR video, but by this time the cat was out of the bag and activists were telling the world that INDECT was building drones for FRONTEX (the EU border police), databases for EUROPOL (the EU police office) and targeting protest groups – none of which was actually true (ironically, an array of other little-noticed EU-funded projects have effectively been doing just that). The widespread exaggeration and misrepresentation culminated in this hopelessly inaccurate video from Anonymous, which claimed that INDECT was about to be piloted at the London 2012 Olympics.

This is not good. We need activists armed with facts to target the real bad guys, for they are legion. And we need NGOs and journalists to focus on scandalising more tangible threats to internet freedom. The danger is that, just as happened with INDECT, CLEAN IT may become a focus for misguided activism while much more sophisticated but ultimately much more dangerous initiatives slip under the radar, comfortable in the knowledge that the amateurs at CLEAN IT have preoccupied many of their would-be critics.

We can be sure, of course, that there are elements in Europe who would dearly like to see the CLEAN IT wish list put into practice (including many from the law enforcement community and the industries that serve it, and some from the European Commission itself), but we should be careful to distinguish between transnational talking shops, EU working groups and draft EU policy. We should also understand that it will take scores of CLEAN ITs to take us down this particular road to tyranny.

With this in mind we’d surely do better to focus at least some of our attention on how these dreadful initiatives get funded in the first place, not least because the EU is preparing to agree its multiannual financial framework (MFF) for the period 2014-2020. As far as ‘security’ is concerned, there’s no sign whatsoever of the austerity that is devastating welfare and other areas of public policy. The proposed MFF includes the €11 billion internal security fund (a 40% increase on the previous MFF) which will allocate plenty to “raising the levels of security for citizens and business in cyberspace” and “preventing terrorism and addressing radicalisation and recruitment”.

A further €3.8 billion is earmarked for the new security research programme in “Horizon 2020”. Yet almost no-one from the human rights or civil liberties community in Europe is questioning, never mind challenging, these particular ‘cash cows’. This is not good either, for the anti-democratic culture that underpins the myriad CLEAN ITs of this world is growing precisely because of the way ‘security’ is now framed and funded.

About the author

Ben Hayes is project director at Statewatch and a fellow of the Transnational Institute. He tweets @drbenhayes