Those who have heard that the EU is going to get “Free Wifi for Europeans”, may have to wait a little longer. The European Commission put out a first call on May 15th, to attribute vouchers on a “first come, first served,” basis – but it could not have gone (much) more wrong.
The call was wildly popular (the Commission was essentially giving out free money after all so how could it not), but plagued with technical problems. To the point that DG Connect Director Anthony Whelan has requested help from the legal service in a 5-page letter. The full leaked letter (which you can read in full below) describes the procedure, the problems, and the possible solutions.
Municipalities filed over 3.500 applications in just five minutes, after the call for project was launched at 15 May 13:00:00 Brussels time. In three hours, all participating member states but Iceland, have sent more than 11.000 applications.
However, while the call was ongoing, the Commission was alerted by an external source on two vulnerabilities of the system, risking both unauthorised access to personal data just some days before the GDPR came into effect, and a second that allowed the Municipalities to alter the call entry time depending on the local time of the computer used to file the project application. The WiFi4EU Portal was therefore shut down approximately 4 hours after its opening and the call is therefore currently de facto suspended.
As for the potential data breach vulnerability, the EU Commission’s department for informatics (DG DIGIT), the unit responsible for digital infrastructure and services of the EU executive investigated if the company that alerted the Commission has kept data copies – in a Cambridge Analytica-like manner of the employees applying on behalf of the municipalities for the project.
As for the risk of timestamp alteration, DG DIGIT confirms that it was not in fact possible for external parties to alter the timestamp of applications as recorded on DIGIT’s central server, suggesting that the call resulted in an “objective and unaltered record of the time and sequence of arrival of applications,” essential for the application of the “first come, first served” principle of the call, according to the letter in possession of New Europe.
The letter explains to the EU Commission’s legal service that DG DIGIT detected a bug in the application, that allowed each applicant depending on its clock to timestamp and not the server’s clock, that would in that way ensure equal chances for all applicants. “Thus, depending on each applicant’s own clock, there most likely was (i) a group of applicants which were able de facto to apply before 13:00 as registered in DIGIT’s system, (ii) another group which might have been prevented from applying exactly at 13:00 as registered in DIGIT’s system (their clock being set later) and (iii) a category in between which applied right on time or directly afterwards. The first category potentially contains up to 1370 municipalities (the number registered before 13:00 CEST) and there is no technical way to determine among them whether their local clock was modified voluntarily or not. The second category is impossible to identify and quantify,” writes the letter.
“As a consequence, a potentially significant number of applicants might have a reasonable belief that they applied on time, but did not, in fact, do so according to our central server’s clock, which recorded them as too early or too late to win a voucher,” even though each municipalities stakes of winning were not high, given the mass of applications of around 5.500 just 1 minute before and after 13:00, for just 1.183 vouchers.
The European Commission has confirmed to New Europe that it was not possible for external parties to alter the timestamp of applications as recorded in the central server and this will be used for the “first come, first served” selection, suggesting that the call is reliable.
From the letter, it is clear that cancelling the call would harm the institution’s reputation and reliability, even though the Commission can always take this decision. The Innovation and Networks Executive Agency (INEA) and the DG Budget did not consider that as a necessity either, according to the letter.
“Moreover, reasons would have to be provided for the cancellation, which would point to – or at least risk raising suspicions about – the robustness of the system and the soundness of the initiative itself, which is still in its pilot phase,” adds DG Connect in the letter, clarifying that DIGIT has still to confirm the clock’s good functionality in order for the call to be repeated if this is the decision.
As for the legal consequences, the small amount (€15,000) of the vouchers “makes litigation an unattractive prospect,” according to the Commission letter, and the slim chances of winning may cut the appetite short for those who would otherwise challenge the Commission’s call. Lack of evidence on behalf of the municipalities will make them fail in court, as for example, early applicants can’t prove they were more rapid than those who could and did apply directly after 13:00h CEST.
If the Commission decides in the end that the call is valid, the proposal of DG Connect is to exclude early bids, as they applied before the call was open. If municipalities that were too fast proactively request and then contest their respective time stamps,” reputational and fairness risks are arguably manageable,” as the Commission uses objective criteria in their case. “The applicants who were enabled to apply inadmissibly early, and those who could only apply late, are treated equally. At the same time, this option safeguards the legitimate expectations of those who applied on time according to the DIGIT system and saves them from having to reapply. Those excluded will still have the opportunity to apply in subsequent calls,” explains the letter.
Closing the call early could be the win-win situation for the Commission, as both from a reputational and operational point it is the wiser choice. The Berlaymont can therefore always claim that the early closure comes out to the “huge success”, after the bloc’s municipalities flooded WiFi4EU’s platform. The Commission’s letter adds that the geographic distribution criterion could be addressed by granting them a carry-over of unused minimum quota in the next call.
After all, the line to take is already here, robust, simple and clear: “After more than three hours the Commission had to close the portal to address some technical issues. The Commission has checked thoroughly: there has been no manipulation of the data in the WiFi4EU portal. For a first call for 1,183 vouchers, we are assessing it but it seems that there are already more than enough applicants.”
Keep calm and carry on. No problem here. Until the next call.