Leading EU cryptographer and IT security and privacy expert.
Director of the KU Leuven COSIC group. Former President (2008-2014) of the International Association for Cryptologic Research (IACR), which organizes Eurocrypt, the leading EU cryptography conference. Consultant to NIST on governance reform. Project manager of the Network of Excellence ECRYPT II, of ECRYPT-NET (2015-2019) and of ECRYPT CSA (2015-2017).
JAN PHILIPP ALBRECHT
Vice-Chair of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the EU Parliament
Member of the European Parliament and Vice-Chair of its Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee). A Franco-German politician from Alliance ’90/The Greens, he specializes in civil rights, data protection and democracy.
Recent evidence suggests that nearly all IT devices and services can be hacked remotely, undetectably and at scale by several actors, through state-sanctioned or state-mandated backdoors.
As a consequence, EU and US IT companies are struggling to find ways to offer the levels of trustworthiness that both customers and constitutions require, and to differentiate themselves sustainably on the basis of provable and meaningfully higher levels of trustworthiness.
We are told daily by nearly all privacy experts and government officials that we must choose between meaningful personal privacy and enabling lawfully authorized cyber-investigations. But both are essential to democracy and freedom. What if it were not a choice of “either or”, a zero-sum game, but primarily a “both or neither” challenge, one that has yet to be proven unfeasible?
Are key assets and capabilities of nations’ law enforcement, defense and intelligence agencies themselves highly vulnerable to attackers, foreign, domestic and internal, because of the lack of sufficiently comprehensive, transparent and accountable socio-technical standards, for example in IT facility access, device fabrication or assembly? How vulnerable are AI-driven autonomous IT systems, mobile or fixed, to attacks via their critical low-level socio-technical subsystems?
Can the paradigm “Trust but verify” still be sufficient when the bribery, threatening or identity theft of a single person (rarely two), in a key role in the lifecycle of a single critical component or process, can enable the concurrent compromise of every instance of a given critical IT system, including communication, state surveillance or autonomous mobile devices? Should the paradigm instead be “Trust or verify”, by deepening and extending oversight all the way down to CPU design and fabrication? But how can that be made economical enough for widespread adoption, and compatible with feature and performance needs?
For more details on the context, see and contribute to our Challenges Backgrounder.