Free and Safe in Cyberspace is a global event series aimed at catalysing a constructive dialogue and an informed consensus on new enforceable standards and certification bodies for end-2-end ICT systems and life-cycles for critical communications, targeted lawful access and advanced AI, in order to deliver wide-market access to unprecedented and constitutionally-meaningful* e-privacy and e-security, while increasing cyber-investigation capabilities and public safety.
This event series was conceived by the non-profit R&D institute Open Media Cluster, led by Rufo Guerreschi, and co-organized with EIT Digital Privacy, Security & Trust Action Line, led by Jovan Golic.
- The 2nd EU Edition 2016, on Sept 22nd-23rd 2016 in sunny Rome at the Crowne Plaza Rome Hotel.
- The 2nd LatAm Edition, in Brasilia in Fall 2016.
- The 1st EU Edition 2015 was held in Brussels on Sept 24-25th 2015, co-organized with EIT Digital Privacy Security and Trust Action Line, with the support of great sponsors. It attracted amazing speakers, including the best IT security experts of Europe and US – including Bruce Schneier, Bart Preneel, Richard Stallman – and the most relevant EU defense, IT security and R&D institutions – such as European Defence Agency, EDPS, DG Connect, EIT Digital PST-AL, ECSEL-JU, Future of Humanity Institute – as you can see from the report and the program with videos. A 1st smaller 1/2-day Latin American Edition was then held in Brazil on Oct 16th 2015, with distinguished guests.
All panelists will be required to submit short position Statements in advance (more details in the Call for Papers). On the day of the panel, each panelist will give a 5-minute stand-up presentation of their position Statement, followed by 1-minute replies to 3 short questions from the audience.
Panelists will then engage in panel sessions of intense debate, moderated by an expert journalist who keeps speakers on the subject and concrete, with 15 minutes of short Q&As with the audience.
The event will largely follow the challenges and program of the original EU Edition 2015, but it will even more proactively promote a tight debate and a constructive discourse.
To date, concrete proposals or genuine debate on these complex and crucial Challenges have been mostly non-existent, with often only very generic hints of proposals.
In the case of Challenge B, furthermore, excessive generalizations, vast distortion of basic terms, uncritical dogmatic positions, peer pressure, and even self-censorship have stifled any constructive dialogue. The time has finally come to crack wide open this long-overdue constructive debate!
Setting the Context
Over the last decades an ever greater tension has emerged between, on the one hand, consumers’ desire for ever richer digital experiences and state agencies’ need to do digital investigations of criminal suspects and, on the other, the need for citizens and states to preserve meaningful civil rights and sovereignty in cyberspace.
Recent rulings of the European Court of Justice have raised substantial doubts about whether most current Western legislations, even when they nominally respect citizens’ rights, are supported by implementation regulations or external standards/certification processes (e.g. Common Criteria, SOGIS, eIDAS, ETSI-LI) that provide anywhere near sufficient transparency, accountability and oversight safeguards to give users reasonable confidence of compliance with the European Charter of Fundamental Rights.
The combination of market forces driving the increasing complexity of IT systems and life-cycles – far beyond any meaningful verifiability – and the huge investments being made by states to ensure at all costs access to all IT systems for cyber-investigations, have caused all or nearly all IT systems to become remotely and scalably exploitable by many nations and other actors. All the while, a lucky few have access to technologies that are impregnable, or nearly so, resulting in a huge asymmetry of informational power, and therefore of societal and economic power.
Necessarily, after Snowden and recent hacks, any new standardization and certification paradigms will need to assume that highly-skilled state and non-state attackers, facing very limited actual liability risk, are willing to devote tens of millions of euros to sustainably compromise at least a few parts of the life-cycle or supply chain of a given end-2-end IT service, in order to gain and maintain remote access, preferably and mostly in a highly-scalable form (NSA Turbine, NSA FoxAcid, Hacking Team RCS).
Such new standards will therefore need to renounce any need for, or assumption of, trust in anything or anyone critically involved in any critical IT service life-cycle component, from certification governance to hardware fabrication oversight; the only exception being the assured quality of the overall organizational governance bearing on all entities critically involved in the entire life-cycle.
In such context, achieving meaningful privacy for citizens and assurance for societal systems may require radically more stringent and comprehensive standards for complete end-2-end IT services – which independently and transparently assess ALL hardware, software, and organizational components critically involved in its provisioning and lifecycle – as well as initial compliant open computing platforms.
Systems compliant with such new standards may well offer only extremely basic features and performance, at least initially, but they will be suitable to guard a limited but adequately trustworthy digital private sphere, equivalent to the one we have traditionally enjoyed in home communications and private assemblies. This digital private sphere may only be supplementary, and not an alternative, to current ordinary commercial IT systems, which may intrinsically be suitable only for public and semi-public spheres, the equivalent of our city streets and squares.
The resulting IT standards and governance models may also inspire attempts to improve the accountability of state lawful access systems, the accountability of global IT giants in their bulk handling of consumers’ private data and their lawful access compliance processes, and contribute to safer and more accountable advanced artificial intelligence systems.
Finally, recent global public opinion surveys make it clear that such a level of IT security/assurance will remain legally and politically sustainable over time only if it somehow manages to substantially reconcile meaningful privacy with the needs of cyber-investigation. Most experts and researchers believe this to be impossible, so much so that even discussing possible approaches is largely avoided, although a few researchers and states have deployed, and are working on, solutions to this crucial dilemma.
IT security economic potential
The event aims at fostering a proactive approach that deploys trustworthy and transparent innovative technologies, bridging the gaps between available techniques and practice. This is seen as necessary to sustain further growth of the data-driven economy. To this end, it is also crucial to break out of the “privacy vs safety” zero-sum game mindset and, instead, decisively converge on win-win approaches and standards that substantially reconcile, on the one hand, basic human rights and control of sensitive data, and on the other, the legitimate needs of cyber-investigation to obtain more effective protection against crimes in cyberspace and in the physical world. The resolution of this apparent dichotomy is seen as necessary if meaningfully-secure high-assurance IT is to be allowed to be legally available on the market.
Certification Governance Models
In synergy with the Trustless Computing Certification Campaign, the Free and Safe in Cyberspace event series aims to jump-start adequate constituent organizational processes for the future governance of such bodies, well aware that by far the most crucial factor affecting success in achieving and sustaining such assurance levels is the ability to achieve and sustain extremely high levels of technical proficiency, citizen accountability and presumably altruistic intentions in their key decision-making bodies. Such bodies would therefore likely need to be international, non-profit, only partly governmental, and self-financed through the certification fees paid for IT services offered by private and public entities. They could constitute for the digital world, for example, what the International Democratic and Electoral Assistance represents for global elections (OMC blogpost).
Positive Societal Impact
In the medium term, our vision is that an informed consensus on, and wide adoption of, the envisioned standards will spur substantial R&D projects and open ecosystems that lead participating actors and nations on a solid, actionable path to achieve: (1) a renewed digital sovereignty of citizens and public institutions; (2) global business leadership in the most strategic security-sensitive IT sectors, such as autonomous vehicles, advanced AI and critical infrastructure; (3) a reference for the protection of critical assets and infrastructures, strategic defense communications, intelligence and lawful access systems, through an international trustworthy computing base; and (4) a sound low-level IT computing base and governance models for advanced AI.
Possible paths to adoption
Although such bodies are meant to be highly effective within current legislative and constitutional frameworks – i.e. without governmental recognition or legislative changes – they will hopefully provide the socio-technical oversight, standardization and certification basis for enforceability in future scenarios in which they are recognised, or adopted as voluntary or mandatory for certain classes of services, by the EU or single national governments – in order to solidly comply with their Constitutions and human rights charters – or by intergovernmental agreements and treaties. Examples of such treaties could be the Geneva Convention-like treaty proposed by the UN Special Rapporteur on the Right to Privacy, the proposed Snowden Treaty, or the standards bodies for the “so-called” World-Sized Web called for by Bruce Schneier. They may constitute an example (OMC post) of the “sector-specific” solutions to the Safe Harbour issue, and other EU/US privacy issues, as suggested by Max Schrems. Constituent processes for the creation of the mentioned intergovernmental treaties could draw inspiration from those of the Coalition for the International Criminal Court, led by the World Federalist Movement, which created the International Criminal Court, or from a proposed constituent process based on UN Caucuses, which was approved by the World Federalist Movement 2008 Congress (post).
(*Definition: We define as having a “constitutionally-meaningful level of trustworthiness” a given end-2-end IT service that is confidently resistant to persistent attempts worth tens of millions of euros to compromise its life-cycle, and tens of thousands to compromise a single user, by actors with high plausible deniability and very low actual liability.)