This document is an excerpt from the EUR-Lex website
Document 52001AE1474
Opinion of the Economic and Social Committee on the "Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions on network and information security: proposal for a European policy approach"
OJ C 48, 21.2.2002, p. 33–41
Official Journal C 048, 21/02/2002 P. 0033 - 0041
Opinion of the Economic and Social Committee on the "Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions on network and information security: proposal for a European policy approach" (2002/C 48/07) On 7 June 2001 the European Commission decided to consult the Economic and Social Committee, under Article 262 of the Treaty establishing the European Community, on the above-mentioned communication. The Section for Transport, Energy, Infrastructure and the Information Society, which was responsible for preparing the Committee's work on the subject, adopted its opinion on 6 November 2001. The rapporteur was Mr Retureau. At its 386th plenary session (meeting of 28 November 2001) the Committee adopted the following opinion by 113 votes to two, with three abstentions. 1. Introduction 1.1. Internal networks in businesses, public administrations and other bodies continue to grow at an exponential rate. The same is also true of their Internet connections - and those of private individuals. Were it not for the imminent takeoff of fast Internet connection(1) and the setting-up - already under way - of a new top-level domain name allocation system, saturation point would not be far off. 1.2. Society, the economy, public administration and national, civil and military security depend (and will increasingly depend) on properly working, reliable networks and their interconnections as well as on their bandwidth, the integrity of the information they provide and, in many cases, data confidentiality and the ability to identify precisely the parties involved. 1.3. From now on, network and communication security is a strategic issue of the highest importance, requiring a coordinated, coherent policy both among the EU Member States and at global level. 1.4. 
As well as setting out proposals for action, the Commission communication undertakes a very in-depth - and, in the Committee's view, well-documented - analysis of the issues involved and of the current position. 2. The Commission proposals 2.1. The Commission communication seeks to achieve a joint approach to issues of network and data transmission security in Europe. This involves promoting (i) an equivalent level of protection in each Member State, (ii) systems interoperability, (iii) the public security functions that are essential on the Internet and (iv) Member States' regulatory role. 2.2. The aim is to ensure a "minimum" degree of security for networks and private individuals' Internet connections - and for inter-network connections - and to develop a culture of security so as to foster broad awareness of the difficulties and solutions involved. 2.3. Overall security is determined by the weakest link in the chain, and the gradual introduction of high-speed access (ADSL, cable) and permanent Internet connections - including for private individuals - is generating new protection requirements. The same is true of e-commerce, where personal data and consumers' payment details must be protected. With the growth of e-administration, protection is also required for citizens' personal data. 2.4. A sufficiently harmonised legal framework is also needed to ensure that the offences of intrusion and data and information misuse, the take-over of networks by hackers and the deliberate spreading of viruses are defined and punished in an equivalent way in each country. 2.5. The Commission proposes a European warning and information system and highlights the need for training and information both for companies and for private individuals. This is the main thrust of the communication. 2.6. The communication also focuses on the key objective of protecting the privacy and confidentiality of citizens' and consumers' individual data. 3. 
Comments by the Economic and Social Committee 3.1. General comments 3.1.1. The Committee fully agrees with the analyses and arguments underpinning the case for a European framework policy on network and information security. It also considers the proposed actions to be broadly appropriate, subject to a number of comments and specific suggestions. 3.1.2. The Internet was not designed for electronic commerce, contracts, the sale of copyright material (music, images and films), capital transfers and other financial operations requiring specific security. Initially, it was used for military and academic purposes, and needs were met by long-key encryption (in the case of the military) and the unencrypted publication of experimental findings and scientific databases. For national security reasons, strong encryption by private individuals was often banned until 2000 in many, largely non-European countries, as was the export of certain programmes. Fortunately, the Commission has given an impetus to the development of - and trade in - the security tools that are vital to businesses and public administrations for the on-line transmission of confidential data. 3.1.3. Internet use then became more widespread. It began to be used for commercial, financial, technological and industrial purposes, for entertainment, and to access pornographic sites. Such sites currently generate substantial income and, together with on-line games, are also the origin of major technological developments (e.g. picture quality, high-speed access and secure payment methods, whether anonymous or not). 3.1.4. The Internet is still used for all these purposes and other uses are springing up. However, networks and the Internet increasingly underpin the workings of society and the economy. They play a key role in social development and national security. 
They also require a level of security appropriate to the type of data being transmitted and the operations being carried out - while respecting privacy and without compromising the very foundation of the Internet itself, i.e. the free circulation of information and the open exchange of data, ideas and scientific findings, etc. 3.1.5. The Committee therefore feels that any security measures adopted must always be in proportion to their cost, to the type and importance of the protected data and operations, and to the categories of users concerned. 3.1.6. The Committee broadly endorses the Commission's presentation of potential risks and the solutions it proposes. It also agrees that security is a dynamic issue, which must be adapted and adjusted constantly to match technological and software developments and changing risks. The Committee therefore proposes that the consultation and dialogue undertaken in connection with this communication with businesses, users and those responsible for network security be placed on a permanent or regular footing. Organised civil society should be fully involved in this process, because of the impact which network and communication security policy has on certain fundamental rights of citizens and on economic and social activities and public administration. 3.1.7. In its recent opinions on computer-related crime(2) and child protection on the Internet(3), the Committee set out the key principles it backs to combat unlawful or criminal Internet use. At the same time, the Committee rejects censorship, blanket surveillance and constraints on freedom of expression and communication on the global network. The Internet, however, is not above the law. 3.1.8. The Committee feels that the Commission's considerations and the European strategy should focus more on the security - in all its facets - of individual users and consumers. 
Even though a virus launched against the computer of a private individual has no major impact in terms of direct economic interests or collective security, it must be remembered that some attacks are large-scale and are spread via clients' work stations. The media may sometimes blow such attacks out of all proportion to the real risk involved. This greatly diminishes grassroots confidence in the benefits and usefulness of the Internet, and considerably impacts on the potential development of e-commerce, and e-business in general, and on the creation of new jobs. 3.1.9. Although the main aim is to protect privacy and personal data, consumers also have the right to genuinely effective protection against improper personal profiling by spy software (spyware and web bugs), and other means. Effective measures are also needed to curb spamming - the sending of massive amounts of unsolicited mail - which often also arises out of such misuse. Intrusion of this kind is damaging to those concerned(4). 3.1.10. Protection of privacy must apply to all persons engaged in economic activity and must therefore also cover company employees and other contract workers. In-house security rules must be negotiated by the social partners, and the whole company must be familiar with them, in line with the statutory provisions or case law of the Member State concerned. In this respect, it is essential to underscore the importance of applying such arrangements uniformly, in line with the Nice Charter of Fundamental Rights, and also with reference to the Recommendation on privacy of the European guarantors and Directive 95/46/EC on the protection of personal data. 3.1.11. Businesses and private individuals must therefore be given more effective legal means to make software operators and manufacturers financially liable for serious security and data protection lapses ascribable to them under product liability legislation(5). 3.1.12. 
The Committee feels that the Commission should promote and also spread awareness of the benefits - in terms of resources and protection - of open source - i.e. free operating systems and network and communication software which can be readily modified by users. Open-source programmers act quickly to remedy faults and problems, and a major business service sector - backed by certain computer industry giants - has grown up around this concept. Many servers across the world operate safely and stably, on the whole, with this software. With certain brand-name software, on the other hand, users are sometimes inconvenienced by delays in remedying faults, and new versions, with new functionalities, are sometimes hastily placed on the market. Reasons of commercial competition or the quest for novelty at any price sometimes override a culture of security. Such a culture must be strengthened among all writers of software - whether commercial or free - so that it is truly integrated into products from the design stage onwards. 3.1.13. Hence, proprietary management systems and programmes with unpublished source codes do not provide sufficient security and privacy guarantees. This is true in particular in the case of Internet-based licensing registration and patch loading (to correct errors and install updates), which can be improperly used to gather information about customer and server systems (architecture and content, mailing lists and connections). The Committee feels that anything other than simply registering the name and address of the software licence holder in order to issue an activation key or a temporary service access code would constitute intrusion and should be prohibited. 3.1.14. Free software also ensures healthy competition in the face of monopolistic trends on the software market and the burgeoning network services market. 3.1.15. The general public licence (GLP)(6) should be recognised and respected. 
The Committee feels that specific approaches and rules should be worked out in the intellectual property context for software and content accessible or exchangeable via the Internet. It is only too easy, for example, to use trademark legislation to curb the freedom of opinion or expression of consumers or employers vis-à-vis the policy or practices of a company and its goods or services. Patent and trademark law seems to be limited - and difficult to apply - in the face of growing networks which, as a result, require specific legal protection that is as yet inadequately framed. 3.1.16. Attempts to intercept, control or steal sensitive data are directed mainly against military, administrative and business networks. This being so, the Committee calls on the European institutions and all the Member States to join forces to combat any kind of interception or attempted intrusion for the purposes of military, industrial or commercial espionage, which runs counter to Europe's strategic and economic interests. 3.1.17. Security measures, access surveillance, internal rules and protocols, and material redundancies (appliances with breakdown tolerance, mirror and proxy sites, frequent and delocalised data saving) require appropriate software and hardware and continuous monitoring and updating by highly qualified experts. They are thus expensive. Because of a lack of technical information and awareness and their financial possibilities (particularly in the case of SMEs), public undertakings, private businesses and public authorities experience major difficulties in implementing such measures. Emergency warning teams should be well-equipped and take account of SME needs. 3.2. Specific comments 3.2.1. The risks involved and proposed countermeasures 3.2.1.1. Protection of privacy and measures to counter computer-related crime and espionage 3.2.1.1.1. 
The Committee fully agrees with the Commission proposal that priority must be given to the protection of privacy and the confidentiality of individual data. Protection of fundamental rights and of freedom of information and communication must be at the heart of any data and communication protection strategy. The same is true of the protection of collective interests, starting with the need to safeguard national security and ensure that democratic institutions and public administrations function properly. The Committee agrees on the need to develop and adapt the tools required for these purposes, whether that involves legislation, cooperation, research or standardisation. 3.2.1.1.2. Although scope for lawful interception - in compliance with the appropriate legal procedures - must be maintained, strong encryption may make it impossible to decrypt the messages. Those involved in serious crime use the safest, most modern means to protect their communications. Thus, international legal and technological cooperation must be developed at European level to combat serious crime and terrorism. The Committee also made this point in its opinions on the fight against money-laundering and computer-related crimed(7). 3.2.1.1.3. Under competition policy, it is also essential to monitor the concentration and monopolisation of Internet content (information, culture, etc.) and of the net's various segments. The Commission should also foster the establishment of a net "government" that is genuinely transparent and more representative of the 370 million current users. The present "government" is led by a multitude of different parties, remains focused on North America and is under the close supervision of the United States Department of Commerce. This applies in particular to domain name allocation and the choice of registrars(8). 3.2.1.1.4. 
To safeguard their customers' right to privacy and confidentiality, operators must provide effective guarantees that, in line with technological developments, the tools used for the material surveillance of their installations - and for communication encryption - reflect the importance of the rights to be protected as closely as possible. Operators are also bound, among other things, by Directive 97/66/EC(9). 3.2.1.1.5. Users must also be able to encrypt - with an adequate degree of security - any sensitive data they may transmit on the net. They are, however, largely unfamiliar with the appropriate options and how these are applied in practice. Enough specialists will have to be trained to meet growing encryption and security needs. 3.2.1.1.6. Intrusion into computers and networks for whatever reason (intellectual challenge, personal revenge or a desire to cause harm, information theft or take-over for various different purposes) and the dissemination of computer viruses jeopardise the rights and interests of users and the integrity of data, information and networks. 3.2.1.1.7. The Committee fully agrees with the Commission on the major damage that can be caused by various types of intrusion, sometimes culminating in the clandestine take-over of the system, but considers that it would be excessive to lump together hackers - who, with no criminal intent, seek merely to draw attention to security deficiencies that can then be corrected - and crackers, who seek to access systems for unlawful purposes. Any legislation proposed by the Commission to punish offenders will have to stay in proportion to the crimes and offences, which in turn must be defined in precise and specific terms and take account of intruders' intentions. 3.2.1.2. Applicable Community law and available technologies 3.2.1.2.1. 
Community law requires that Member States take all necessary steps to ensure the availability of public networks in the event of network breakdown caused by natural disasters (cf. Interconnection Directive 97/33/EC(10) and Voice Telephony Directive 98/10/EC(11)). However, the Committee would propose that the Commission undertake a comparative study of action taken and its effectiveness in all the Member States. 3.2.1.2.2. Misrepresentations by natural or legal persons may cause damage and, for all major transactions, it is essential to authenticate the party involved and ensure the veracity of the statements made. 3.2.1.2.3. Thanks to SSL and IPsec, it is possible to communicate on the Internet and on open channels with some measure of security, but this does not provide sufficient guarantees. Under the Electronic Signatures Directive(12), such guarantees may be provided by a third party - the "certification service provider". 3.2.1.2.4. This solution poses the same problem as encryption - the need for interoperability and key management. In a VPN (virtual private network) it is possible to resort to proprietary solutions. On the other hand, this is a major obstacle for public networks. 3.2.1.2.5. For these reasons, the e-signature Directive is the legal basis and essential tool for facilitating electronic authentication in the EU. 3.2.1.3. New challenges, new risks and cost-benefit analysis 3.2.1.3.1. The Committee agrees with the analysis of the new challenges and risks connected with the rapid growth of technology, the multiplication and diversification of access terminals, as well as the increased danger of piracy with the general introduction of always-on terminals with a fixed address. It endorses the approach which aims to reconcile security and freedom, network protection and protection of privacy and confidentiality. 3.2.1.3.2. 
Moreover, although safer encryption called for legislative changes to allow "strong encryption", these have sometimes come very late owing to security considerations. But the ability to hide messages in the "noise" of image or sound files (steganography) has meant that lawbreakers wishing to remain undetected have already been able to disguise the sending of an encrypted message. 3.2.1.3.3. Several algorithms are used, and more sophisticated ones are becoming available. This poses serious problems for the management of messages which have been encrypted by different correspondents using different methods. Even the recommendation of a European system, which may facilitate communications in the single market, will run up against the diversity of the systems used in the rest of the world. This impacts on the cost of security and its management, even if some effective systems are in the public domain and are free of charge. 3.2.1.3.4. Nevertheless, the cost of non-security, now that increasingly sensitive data are circulating, is even higher. Security will also, to a certain extent, be incorporated more and more into products. 3.2.1.3.5. The Committee takes a positive view of the European approach proposed by the Commission - while being aware of its limits - and of the need for public action, in order to compensate for the current shortcomings in the market and address the important issues at stake. 3.2.1.3.6. There are already legal guarantees in EU Directives on data protection and in the telecommunications regulatory framework. However, these measures have to be implemented in a rapidly changing environment of new technologies, competition, network convergence and globalisation and at a time when the market is tending to under-invest in security for the reasons quite rightly set out in the Communication, despite the rapid growth in the security market throughout the world. 3.2.1.3.7. It is true, as the Commission states, that the security market is still imperfect. 
Investment in security is only profitable if a sufficient number of people adopts the same approach. Solutions must therefore be found through cooperation. Since a host of goods and services continue to use proprietary solutions, research into more widely accepted, more secure standards and into the interoperability of security systems must be encouraged. The Committee feels it would be better to encourage the establishment of common criteria at international level rather than certification/authentication systems which may penalise the final consumer. 3.2.1.3.8. Firstly, existing EU legal provisions must be implemented efficiently. The legal framework must remain relevant and effective, and it will thus inevitably have to be constantly adapted. 3.2.1.3.9. Secondly, while market forces do not currently make it possible to generate a sufficient level of investment in technologies and security practice, the political measures proposed by the Commission could be used to bolster the market process, which has, for that matter, started to evolve. 3.2.1.3.10. Lastly, communication services and information are cross-border issues. This is why a European policy approach is required to provide a single market for these services, to benefit from common solutions, and for more effective action at global level. 3.2.1.3.11. The Committee concurs with the statement that investment in improved network security generates social costs and benefits which are not adequately reflected in market prices. With regard to costs, market players are not currently obliged to shoulder all the responsibilities resulting from their security behaviour. The Committee feels that this state of affairs cannot continue any longer. 3.2.1.3.12. 
The Committee also endorses the view that security benefits are no longer fully reflected in market prices, whilst the benefits of investment made in this area by operators, suppliers or service providers not only accrue to their customers, but also to the economy as a whole and to communications security in general. 3.2.1.3.13. The Committee also endorses the idea that users are not aware of all the security risks, whilst many operators, vendors or service providers have difficulty in assessing the existence and extent of vulnerabilities. Similarly, many new services, applications and software products offer attractive features, but these may be a source of new vulnerabilities. Products should be tested more thoroughly before they are placed on the market. 3.2.2. Specific comments on the proposed European policy framework 3.2.2.1. The Committee is aware of the intrinsic vulnerability of the global network, particularly as regards routing of data packets, and of the fact that the ever increasing mass of data in circulation does not make it possible to use filtering to make data generally secure outside terminals. It generally endorses the proposed actions contained in the policy framework. 3.2.3. Awareness raising 3.2.3.1. The proposals to raise the awareness of all stakeholders (individuals and organisations) are judicious. Making terminals and communications secure depends mainly on awareness raising and informed action by users themselves. 3.2.4. European rapid information system 3.2.4.1. The Committee endorses the proposal for a European rapid warning and information system which lists the problems and solutions, and the Commission's other proposals on analysis, early detection, dissemination of information and advice, and European and worldwide cooperation. Throughout the Union, suitable infrastructure for permanent and effective cooperation is also to be developed. 3.2.4.2. 
Nevertheless, with regard to the reports that would have to be submitted by companies, and also, in the Committee's opinion, by administrations and other bodies, the Committee recognises that the confidentiality of the procedures for reporting attacks will encourage feedback, but notes that hackers always leak information or make public revelations, and relatively speedy knowledge of the nature of the attacks or flaws and especially of the remedial action taken would, if anything, be instrumental in gaining public confidence. 3.2.4.3. The Committee feels that the detection and warning systems should also cover fault discovery in commercial or free software and any technological or other factor which could open the door to possible attacks. The early analysis system could take on this role, keep abreast of technological innovations, and monitor hackers and pirate sites and various underground publications which deal with the methods available, or even publish "turnkey" virus creation or intrusion programmes which are used by script kiddies(13). 3.2.5. Technology support 3.2.5.1. The Committee endorses the support proposals for research. It would point out, however, that no more than a few dozen experts in the world are skilled in the science of cryptography, and many of them work for the NSA(14). How can we retain the European experts to develop research? Which methods would be effective in Europe? The NSA is 10 or 15 years ahead and has calculation (and decoding) methods which seem to be difficult to match over a short space of time. What specific - and necessarily large-scale - funding will be provided for research(15)? 3.2.5.2. The possibility of accepting hackers and "informal" experts could also be explored as an alternative to the "cold shoulder" approach that appears to be emerging in Europe, where people causing no direct damage either to others or to society are being marginalised or over-penalised for acts which are wrongly assumed to be very serious. 
Penalties must be in place to deter acts of piracy or terrorism on the networks. However, research into security lapses undertaken to provide information for software writers or network managers for the purpose of improving protection should not, as a matter of course, be placed in the same category provided there is no evil intent such as sabotage, the hijacking of confidential data, secret network use, personal gain or the spread of computer viruses. 3.2.5.3. That said, the publication of findings without informing those directly involved well in advance and without their consent is a reprehensible and punishable act. However, efforts should be made to legalise the acts of people who commit no crime or serious offence and cause no financial damage, and to turn their skills to good account for the benefit of society. This would prevent these rare skills from being exposed to the risk of improper, criminal or terrorist use, as would be the case if they remained maginalised and outside the law. 3.2.6. Support for market-oriented standardisation and certification 3.2.6.1. The Committee shares the Commission's view that there are too many competing standards and systems - which consequently impede security and the progress of e-signature and secure electronic payments - and stresses the need for common standards, common criteria for avoiding market rigidities, and interoperability. 3.2.6.2. The Committee endorses the proposed actions, but would highlight certain difficulties inherent in the private and insufficiently representative nature of the current "government" of the Internet, which among other things, sets the standards. This will be long-term work, which will require patience and cooperation. 3.2.7. Legal framework 3.2.7.1. The Committee approves the draft specifications for networks and the Internet in the existing legislative framework for telecommunications and data protection. 3.2.7.2. 
The proposed actions are judicious, and the Committee endorses the planned initiatives to provide for harmonised criminal law and to strengthen cooperation in the field of criminal law between Member States on cyber-crime, without prejudicing the liberalisation of trade in powerful encryption tools, which are the only ones likely to ensure effective security. Cooperation in civil and commercial matters also plays a key role in combating cyber-criminals (financial circuits, tax fraud etc.). 3.2.7.3. However, cooperation in criminal law should, in the Committee's view, extend to the global level, and the European strategy in this area should be provided with an action line within the proposed policy framework. The Committee is pleased to note that the Commission is expected to issue a formal proposal on this issue in the coming weeks. 3.2.8. Security in government use 3.2.8.1. The Committee approves the planned actions, in view of the personal nature of a significant amount of data processed by public administrations, and also of the fact that their sites are open to terrorist-style attacks or to attacks motivated by domestic or foreign policy considerations, as Red Code (a polymorphic virus) and Nimda showed recently. This should provide the Commission with an additional reason for making its sites and official networks, and those of the Member States, even more secure. 3.2.9. International cooperation 3.2.9.1. As the Committee sees it, this is an essential, but delicate and difficult pillar of the European network and communications security policy which poses serious problems in terms of internal solidarity, external policy, joint security, and governance of interconnected networks and the Internet. 3.2.9.2. The proposal for action in this field, which aims to further cooperation between the various international authorities on network reliability, is diplomatically worded so as not to cause offence. 3.2.9.3. 
However, the Committee feels it would also be advisable for the appropriate international authorities and the transatlantic dialogue to continue to address issues of security; interoperability of keys and encryption systems and the problem of any possible weakness in some standards which may be known but not revealed by a particular party. It would also be desirable to work together closely on issues such as the international circulation of personal data, and legal and civil cooperation on cyber-crime, i.e. effective security and transparent, balanced management of the global network, whose strategic importance is now recognised as essential to the life and well-being of our societies. The OECD, which works on network security issues, is, among others, an appropriate body for international cooperation on this front. It is vital to attain practical results at global level. 3.2.9.4. The Committee backs what it sees as the very important Commission proposal to set up a European-level forum bringing together all the relevant players, to debate the full range of issues involved and to put forward solutions to the institutions. 4. Conclusions 4.1. Constantly evolving software and hardware solutions such as those described in the communication, are available and are quite effective. Moreover the integrity of a file can also be guaranteed by using a unique digital algorithm which shows that the transmitted file has not been modified. 4.2. However, the Committee believes that user awareness-raising, information and training hold the key to any security strategy, because without them, available procedures and solutions will not be used correctly. They also boost confidence in the overall reliability of the system, as long as all basic precautions are taken regularly by all concerned, and companies make the required investment in the security of their systems. 4.3. But the cost of security is very high, and the lack of interoperability of the solutions is a major obstacle. 
An open source solution could provide an input by promoting both competition and emulation.
4.4. These problems, if not solved quickly within Europe and internationally - and Europe must play an effective role in the "government" of the Internet - will continue to hinder development of e-Europe, e-commerce and the management of companies, public services and administrations.
4.5. In any event, it is essential for the sake of network security to achieve widespread implementation of effective and proportionate protective and defence measures, whether they be software solutions for private individuals (regular antivirus updates) or combined and somewhat more cumbersome solutions for other users (firewalls, external communication port monitoring, separation (DMZ)(16), shields, and other relevant software and hardware technology).
4.6. Dissuasion by appropriate criminal sanctions is within the remit of the Member States, but the Committee feels it is up to the Commission to propose a unifying overall framework for the Community approach and for international legal cooperation.
4.7. The marketing of certain products which might deliberately contain backdoors(17) - that will sometimes take years to detect - must be addressed and should be subject to sanctions, as well as the spyware which is often present in demonstration software, some free software and on-line licence registering systems.
4.8. Even unintentional flaws take time to update, and can be used as backdoors by those in the know.
4.9. Ad hoc, independent, impartial, representative national authorities - either existing bodies, whose remit needs to be broadened, or new bodies in places that do not yet have them (the applicant countries, which also have to be involved) - should monitor these security issues to help formulate recommendations and standards, and protect basic rights.
The draft legislation in the pipeline must be looked at more carefully in order to reconcile the essential requirements of fighting terrorism with the principles of individual freedom that must be maintained.
4.10. In the ESC's opinion, the Internet must, in any event, remain flexible and easily accessible, and continue to provide an outlet for freedom of information and communication in an open, democratic society, while being more secure for the various users, in the diverse and growing legal applications of networks and the Internet.
Brussels, 28 November 2001.
The President of the Economic and Social Committee
Göke Frerichs
(1) IPv6 standard, enabling 6000 billion IP addresses.
(2) Opinion on the Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions - Creating a safer information society by improving the security of information infrastructures and combating computer-related crime (CES 1115/2001) (not yet published in the Official Journal).
(3) ESC opinion currently being drawn up on a programme for child protection on the Internet.
(4) See ESC opinions on (i) electronic communications networks (OJ C 123, 25.4.2001, p. 50), (ii) electronic commerce (OJ C 169, 16.6.1999, p. 36) and (iii) the effects of e-commerce on the single market (OJ C 123, 25.4.2001, p. 1).
(5) ESC opinion, OJ C 117, 26.4.2000, p. 1.
(6) The general public licence recognises the intellectual property of the author of free software.
(7) ESC opinion currently being drawn up on a programme for child protection on the Internet. See ESC opinions on (i) electronic communications networks (OJ C 123, 25.4.2001, p. 50), (ii) electronic commerce (OJ C 169, 16.6.1999, p. 36) and (iii) the effects of e-commerce on the single market (OJ C 123, 25.4.2001, p. 1).
(8) Companies responsible for allocating and managing certain top-level names.
(9) Directive on data protection in telecommunications (OJ L 24, 30.1.1998).
(10) OJ L 199, 26.7.1997.
(11) OJ L 101, 1.4.1998.
(12) Directive 1999/93/EC of 13 December 1999 on a Community framework for electronic signatures, OJ L 13, 19.1.2000, p. 12.
(13) Young learner "pirates" with no technical qualifications who merely copy what they find on underground sites and publications.
(14) US National Security Agency.
(15) ESC opinion on the sixth RTD framework programme (OJ C 260, 17.9.2001, p. 3).
(16) DMZ: demilitarised zone, sort of buffer zone isolating the internal network.
(17) Hidden access ports.