All across Europe, from Finland to Portugal, Ireland to Greece, governments rely on Microsoft software. As their digital systems grow in size and importance, countries are becoming increasingly dependent on this single American corporation. But what consequences does this “lock-in” have? What risks does it pose for the security of European data? And what can governments do to counter it?
It’s estimated that Microsoft makes around two billion euros in Europe every year, just from its business with the public sector. In 2012 the European Commission released a report stating that the European public sector unnecessarily lost 1.1 billion euros because it was locked in to its IT system providers.
Investigate Europe (IE), an international team of nine journalists, investigated the dire dependency of European governments on Microsoft. The investigation was performed over the course of three months and consisted of extensive fact-checking and interviews with numerous experts across the continent.
Despite this extensive coverage, Microsoft has remained remarkably silent on the issue. Their hope is no doubt that this will blow over, but IE’s findings are serious and impact millions of Europeans.
TNW was in contact with Investigate Europe and also spoke to Arjen Kamphuis, IT-security advisor and one of the experts quoted in the investigation, about the problems facing Europe because of Microsoft’s monopoly on the continent.
What exactly is the problem?
IT systems of European governments mostly run on Microsoft software and operating systems, according to Computer Weekly. The systems are seen as reliable and easy to understand, and most people are familiar with them. However, that means that almost all of the data of European citizens — tax information, health records, etc. — along with security-related data, is stored in proprietary file formats. This goes for both big and small governmental agencies, and the European Commission has even conceded that it is “in effective captivity with Microsoft”.
The problem with the proprietary file formats is that Microsoft’s software is made to be incompatible with open source, which effectively forces all communicating departments within a government to use the company’s products in order to ensure compatibility of files and ease of communication. Microsoft thereby establishes a de facto monopoly which discourages officials from finding other ways to manage their IT systems.
IE uncovered that this extremely widespread usage of Microsoft software and operating systems had four main alarming effects:
- Expensive and hampering: Causes costs to rise continuously and blocks technical progress in government authorities and organizations
- Unfair competition: Systematically undermines European procurement and competition laws
- Intense lobbying: Brings with it overwhelming political influence for the company, culminating in personal interdependence as well as penetration of schools and universities
- Security risk: Puts government IT systems, together with their citizens’ personal information, at high risk, both technologically and politically
Microsoft’s monopoly is maintained by introducing the company’s software in education, a lack of public bids for IT services, and well-connected lobbyists. For Arjen Kamphuis the most pressing issue is that this monopoly takes away Europe’s ability for self-determination.
The single biggest problem is that Europe runs on technology it doesn’t control. The fact that it’s being controlled by foreign entities, corporate or governments, is becoming a strategic issue. We’re basically living under a foreign killswitch. We would never accept this in other areas of our infrastructure.
The problem is lack of control over vital parts of state operations, leaving European countries at the mercy of a foreign company and government.
Microsoft is a US-based company, so it adheres to American law, which lessens Europe’s control over its IT structure even more. This is a clear security liability, as there’s plenty of evidence that the US government has used Microsoft software to access data of European governments and citizens.
Edward Snowden’s leaks back in 2013 about the National Security Agency’s (NSA) extensive surveillance programs showed how the US government exploited software from Microsoft and other companies. Kamphuis describes Microsoft software as being “insecure by design” to provide access to the US government when it needs it.
This doesn’t only weaken Europe’s ability to stop the US snooping around, it also leaves security flaws for anyone with the know-how to exploit. Microsoft said recently that the company had fixed exploitable vulnerabilities in their operating systems that Shadow Brokers had made public.
Microsoft constantly tries to patch up any vulnerabilities in the system, but security breaches related to the company have been a frequent problem in Europe. Germany’s Federal Office for Information Security, BSI, released a report in 2011 which stated that half of the attacks on European IT systems were done through infected Microsoft documents, for example by hiding malware in the complexity of .docx formats.
Kamphuis says, however, that it’s important to remember that the problems related to depending on proprietary software aren’t Microsoft-specific — the company is simply the biggest and most visible example of the problem.
The problem has been known for a while
Some of these issues have been going on for the last 20 years. But due to what has happened in the last few years — changes in European privacy laws, the Snowden regulations, etc. — it has become easier to explain theoretical problems that experts have pointed out in the past. The reason is that now you can see concrete examples of insecurity, high costs, market failure and other predictions made by experts because we’ve allowed them to develop into real problems.
Kamphuis adds that these problems have been known as far back as 2001. A major report on foreign espionage against European companies, citizens and institutions clearly showed that building IT infrastructure on top of foreign proprietary technology was “a really bad idea”. If the public and politicians had been receptive to the warnings of experts, the problem could’ve been solved 15 years ago.
The EU has fought back in some cases, showing that it realizes the seriousness of the situation. The EU has fined Microsoft in the past for exploiting its ruling market position. In 2009, the EU and Microsoft made an antitrust settlement, but when the company didn’t keep up its side of the deal the EU slapped it with more fines, forcing Microsoft to pay 1.7 billion euros in total.
That sounds like a lot of money, but it’s a relatively cheap settlement considering Microsoft had been breaking European law for over 20 years. Truly conservative estimations, done by Pierre Audoin Consultants for IE, show that Microsoft generated two billion euros in revenue from the public sector in Europe in the business year 2015 to 2016. That means the EU’s fine didn’t even match what Microsoft gets from European taxpayers in just one year. Kamphuis says that the EU is likely planning a second round of antitrust lawsuits against Microsoft, but it’s too little and too uncertain.
According to Der Tagesspiegel, the need for secured control over IT infrastructure is already understood by major companies and even other governments. Facebook, Amazon, and Google all operate on open source software. Doing so allows the companies to create personalized solutions and more security.
China has also begun preparing to switch from Microsoft to open source. After Snowden’s revelations, the Chinese government started “de-windowising” by creating a new open source OS named Neokylin. The switch is to be completed by 2020, but due to Microsoft’s security flaws, China will be starting with security-sensitive sectors and making new open source programs mandatory for the military, government authorities and the financial sector.
What’s stopping Europe from going open source?
Microsoft is burrowed deep into the European public sector and does everything it can to retain its position. European children are educated in Microsoft Office, which is given to schools and universities for free, which some call the “crack model” — getting people hooked for free and then starting to charge them. Most public IT systems run on Microsoft and most data is stored in proprietary file formats, which are deliberately incompatible with open source or software from other companies.
European governments and institutions are inadvertently giving their consent to maintain their dependency on Microsoft. However, the problem isn’t only caused by inactivity of European politicians, but also reinforced by Microsoft and the US government when institutions make a move towards open source, according to Kamphuis.
Any government that tries to [switch to open source software] could find itself on the receiving end of a massive amount of political and corporate lobbying from the US government and companies like Microsoft. For example, there’s no open market for word processors, because there’s a massive amount of political pressure. The US embassy will get involved in any country that tries to walk away from [Microsoft].
There are other difficulties with moving away from Microsoft, as Computer Weekly pointed out, such as that switching to open source doesn’t necessarily mean zero cost. There can be great training costs when teaching people how to operate new systems, and institutions might still need to pay for support contracts. However, it’s far from impossible for governments to go open source, and most evidence suggests that the financial benefits outweigh the initial costs of making the switch by far.
The Italian Defense Department started adopting LibreOffice in 2015, aiming to completely remove Microsoft from its 100,000 machines by 2020. The UK government has also taken important steps towards loosening Microsoft’s grip on European citizens by making it mandatory for all British public institutions to publish everything in open format. That means UK citizens no longer need to buy licenses for proprietary programs to get information from their own government, which is still the case in most other European countries.
Some European institutions and municipalities listened to expert warnings in the past and started even earlier than Italy and the UK to wean themselves off Microsoft’s programs. However, despite improved security and definite financial benefits of going open source, these institutions are still being heavily pressured to use Microsoft.
French secret service change
Gendarmerie Nationale (GN), one of two national police forces in France, started moving to open source in 2001 in order to save money. GN has already gone completely open source and now the department’s 72,000 computers run on individually adapted Linux OS (some on GendBuntu) and have LibreOffice as the main application. According to the police force’s officials, the move has already saved around 20 million euros.
What’s perhaps most interesting about GN’s forward-thinking plan is that it was done in secret. According to an internal memo that IE obtained, GN officials were worried that changing to Linux could be seen as a threat to Microsoft’s monopoly — which could lead to certain parties trying to undermine GN’s policy. Therefore it was decided to carry out the switch in secrecy and only reveal it once the changes were irreversible.
It seems that GN’s policy makers were correct in assuming there would be backlash, because even though the change has been completed and proven to be successful, there’s still great pressure on the police force to revert back to Microsoft.
GN is a branch of the French Armed Forces and reports to the Ministry of Interior. IE gained access to an internal note from the ministry, dated April 14 2016, asking GN to change back to Windows 10. The reason the ministry gave was that it would guard the agency against security flaws in open source that hackers could exploit.
The note was not a one-off thing, as the leadership of GN is under permanent pressure to turn back to Microsoft. GN hasn’t responded to the ministry’s request to change to Windows 10 and declined to comment on the memo. However, they’ve pointed out that switching to open source has made the police force “more cost-efficient and ultimately independent”.
Munich’s possible relapse to Microsoft
The city of Munich has invested heavily in making the city more self-determined when it comes to IT. For over a decade the city has had a team of experts working on transferring the government’s IT system to open source.
In 2014, city officials announced that the enterprise had been an incredible success, saving taxpayers over 10 million euros in seven years, just on license fees. That’s over 10 million that can be reinvested into the city’s own economy, instead of going to Microsoft in the US.
That’s why there was a lot of hubbub last February when current city council members announced that they wanted to revert the change and go back to running the city’s 24,000 office computers on Microsoft.
According to Der Tagesspiegel, there was fierce debate and the council’s Microsoft supporters couldn’t give any clear reasoning as to why this change was necessary. Even worse, they hadn’t prepared any cost projections and couldn’t say how the unfounded change would benefit taxpayers.
The ill-conceived proposal — which ended up being postponed — has been seen as an attempt by the current Mayor, Dieter Reiter, of the Social Democratic Party (SDP) to bolster his party’s coalition with the Christian Social Union (CSU). It’s hard to understand why the voters of CSU should care about the city’s OSs (other than pricing), but it seems the reasoning is more sinister than working on behalf of constituents.
Dorothee Belz, member of CSU’s executive committee and economic council, used to be vice president of Microsoft Europe until 2015. It’s not possible to confirm that Belz’s connection with Microsoft was the reason for the proposal, but it’s certain that Munich’s position at the front of the movement towards open source has been jeopardized.
Belz isn’t the only Microsoft-connected person working with authorities in Europe; IE found numerous other examples throughout the continent. In France Microsoft has six managers and advisers with close connections to ministries, and some of the company’s tech staff even work directly in the government’s IT administration.
In Italy a former manager at Microsoft controls the “digital transformation” of Milan and another Microsoft exec managed the campaign of the current president of Portugal. Microsoft’s influence isn’t that surprising considering that it outspends other tech companies when it comes to lobbying the EU.
We reached out to Microsoft about all the allegations, but the company declined to comment on the record.
There has been an increase in awareness about what effects Microsoft’s monopoly has on IT systems in Europe’s public sector, which will probably grow more due to IE’s investigation. This, in addition to Microsoft’s plans and the EU’s work on tech legislation, is bringing the whole continent nearer to a major decision point, according to Kamphuis.
Now Microsoft is pushing its clients towards a cloud platform, which may very well be illegal to use under European privacy laws that come into effect next year. So we’re getting to a really interesting point where people will be forced to make some choices.
With Microsoft’s current business model, it’s difficult to see why governments should stay on with the tech giant, instead of opting for safer and cheaper IT systems. As Kamphuis points out, there’s little or no evidence that using Microsoft software and OS makes services any more productive.
What is being done with word processors, for example, hasn’t fundamentally changed in the last 15 to 20 years. The features that people use the most are fairly basic stuff. That means the constant requirement for upgrades — and constant need for more powerful hardware — is kind of pointless, since your word processor doesn’t change that much. However, it makes PC companies like Microsoft really rich.
It would be relatively easy for governments to make their own office software based on open source. There’s already investment in people with the know-how – the Dutch government for example employs more IT staff than Microsoft – so the only thing that is lacking is the will to take the jump to open source.
Kamphuis adds that the change needs to come from the top down, from governments down to municipalities and institutions. It’s clear from the examples in France and Munich that if the change to open source is to be permanent and sustainable, it needs to come from the government and with wide support. Otherwise any moves made towards cheaper and more secure IT systems will remain at risk.