Towards solutions to Challenge A and B: the “Trustless Computing Certification Body”


Necessarily, after Snowden and recent hacks, any new standardization and certification paradigms will need to assume that highly-skilled state and non-state attackers, with very limited actual liability risk, are willing to devote tens of million of euros to sustainably compromise at least a few parts of the life-cycle or supply chain of a given end-2-end IT services, in order to gain and maintain remote access, preferably and mostly highly-scalable (NSA Turbine, NSA FoxAcid, Hacking Team RCS)

Such new standards will therefore need to renounce the need for or assumption of trust in anything or anyone that is critically involved in any critical IT service life-cycle component, from certifications governance to hardware fabrication oversight; except in the assurance quality of the overall organizational governance bearing on all entities critically involved in the entire life-cycle.

In such context, achieving meaningful privacy for citizens and assurance for societal systems may require radically more stringent and comprehensive standards for complete end-2-end IT services – which independently and transparently assess ALL hardware, software, and organizational components critically involved in its provisioning and lifecycle – as well as initial compliant open computing platforms.

Compliance to such new standards may well necessarily provide only extremely basic in features and performance, at least initially, but will be suitable to guard a limited but adequately trustworthy digital private sphere, equivalent of our that traditionally enjoyed home communications and private assemblies. This digital private sphere may only be supplementary, and not alternative to current ordinary commercial IT systems, which may intrinsically be suitable only for public and semi-public spheres, equivalent of our city streets and squares.

The resulting IT standards and governance models may also inspire attempts to improve the accountability of state lawful access systems, the accountability of global IT giants in their bulk handling of consumers’ private data and their lawful access compliance processes, and contribute to safer and more accountable advanced artificial intelligence systems.

Finally, recent global public opinion surveys make it clear such a level of IT security/assurance will stay legally and politically sustainable in time only if they will somehow manage to substantially reconcile meaningful privacy and the need of cyber-investigation. Most experts and researchers believe it impossible to do, so much that even discuss about possibilities may imply its, although a few researchers and states have deployed and are working on solutions to such crucial dilemma.

IT Security Economic Potential

The event aims at fostering a proactive approach deploying trustworthy and transparent innovative technologies bridging the gaps between available techniques and practice. This is seen as necessary to sustain a further growth of the data-driven economy. To this end, it is also crucial to break out of the “privacy vs safety” zero-sum game mindset and, instead, decisively converge on win-win approaches and standards that will substantially reconcile, on the one hand, basic human rights and control of sensitive data, and on the other, the legitimate needs for cyber-investigation to get more effective protection against crimes in cyberspace and in the physical World. The resolution of this apparent dichotomy is seen as necessary if meaningfully-secure high-assurance IT is to be let legally available in the market.

Certification Governance Models

In synergy with the Trustless Computing Certification Campaign, the Free and Safe in Cyberspace event series aims to jump-start adequate constituent organizational processes for the future governance of such bodies, well aware of the fact that by far the most crucial factor affecting the success in achieving and sustaining such assurance levels is the ability to achieve and sustain extremely high-levels of technical-proficiency, citizen-accountability and presumable altruistic intentions of its key decision-making bodies. Such bodies would therefore likely need to be international non-profit, only partly-governmental, and self-financed by the costs of certifications to IT services offered by private and public entities. They could constitute for the digital world, for example, what the International Democratic and Electoral Assistance represents for global elections (OMC blogpost).

Positive Societal Impact

In the medium term, our visions is to build that an informed consensus and a wide adoption of the envisioned standards will spur substantial R&D projects and open ecosystems to lead participating actors and nations in a solid actionable path to achieve: (1) a renewed digital sovereignty of citizens and public institutions; (2) a global business leadership in the most strategic security-sensitive IT sectors, such as autonomous vehicles, advanced AI, critical infrastructure; (3) a reference for the protection of critical assets and infrastructures, strategic defense communication, intelligence and lawful access systems, through an international trustworthy computing base; and (4) a sound low-level IT computing base and governance models for advanced AI.

Possible Paths to adoption

Although such bodies are meant to be highly effective within current legislative and constitutional frameworks – i.e. without governmental recognition or legislative changes – they will hopefully aims to provide the socio-technical oversight, standardization and certification basis for the enforceability in future scenarios of recognition or adoption as voluntary or mandatory for certain classes of services by the EU or single national governments – in order to solidly comply to their Constitutions and human rights charters – by intergovernmental agreements and treaties. Examples of such treaties could the Geneva-Convention like treaty proposed by the UN Special Rapporteur on the Right of Privacy, the proposed Snowden Treaty, or standard bodies for the “so-called” World-Sized Web called for by Bruce Schneier. They may constitute an example (OMC post) of the “sector-specific” solutions to Safe Harbour issue, and other EU/US privacy issues, as suggested by Max Schrems. Constituent processes for the creation of the mentioned intergovernmental treaties could get inspiration from those of the Coalition for International Criminal Court, lead by the World Federalist Movement, that created the International Criminal Court, or a proposed constituent process based on UN Caucuses, which was approved by the World Federalist Movement 2008 Congress (post).


The Free and Safe in Cyberspace events series is wholly solution-oriented. We are solely aimed at finding a solution to Challenges A and B, through a concrete plans for new international socio-technical standards and certification body – meant to be effective within most current democratic legislative and constitutional frameworks – but coupled with non-essential and policy suggestions.

Months before our 2015 EU Edition, held in Brussels on Sept 24th and 25th, we requested proposals from speakers. In the week before the event, we collected and integrated such contributions, and we integrated suggestions speeches in keynotes and panels on the 24th, until, on Sept 25th, we produced a first comprehensive proposal that was presented by the Open Media Cluster, and discussed in its core requirements during in a dedicated Panel 5.

Here it is in its orginal version and in its latest LIVE version of a Proposal for a new international certification body for ultra-high assurance IT communications services and targeted lawful access schemes Version 1.0 (gdoc)(originally presented in Brussels on Sept 25th 2015) Version 1.6 ((gdoc)(latest LIVE version, open for suggestions, by all)

Are wide investments in Challenge A realistic or sustainable in the absence of a concurrent solution to Challenge B?

It has emerged that almost all western nations, including the US and most EU countries, have one or more lawful ways under which state security agencies can intrude on the privacy of millions of citizens without a court order, including some sort of mandatory key disclosure legislation.

Although their existence has been hidden, they are currently politically based on two justifications:

  • (1) to preserve or restore the traditional lawful intercept capabilities that have been lost in cyberspace;
  • (2) to perform dragnet or large-scale targeted surveillance in order to prevent or prosecute grave crimes.

The surprising public acceptance of the second justification is arguably dependent on the fact that currently it is the only way to achieve the first justification. The auspicable wide-market uptake of new high-assurance ICT standards and solutions is a challenge that may need to be solved concurrently with the challenge of devising ways to restore legitimate criminal investigation capabilities in cyberspace. It has become clear that citizens will choose perceived physical safety over cyber-privacy if given a stark choice. In fact, political and public opinion pressures to extend the outlawing or allowing subversion of such techs and standards would be huge, as they’ve been for decades, and would surely increase to become unbearable after major terrorist attacks, largely attributed to the use of such technologies. Such grave risks of legal sustainability comprise a major obstacle to private investment and public commitments in wide deployment of such high-assurance technologies and standards for the civilian market.

Current legislative frameworks

The legislation affecting high-assurance IT systems and lawful access systems is constituted of national laws, which are mildly influenced in their regulatory implementations by voluntary international public and/or private standards (Common Criteria, ETSI, NIST, etc.).

High-assurance IT services are regulated with the over-riding aim to prevent malevolent use, and therefore focused on limiting export (crypto export laws) and use of certain technologies, and increasingly their research (such as in the ongoing Wassenaar Agreement national implementations).

Lawful access processes, in both state security and civilian scenarios, are instead subject to very limited or inexistent technical regulation of the security of their technical infrastructure against abuse by state agencies on their citizens, or by external actors against such state agencies. They are subject to articulated, though largely inadequate, organizational and socio-technical regulations and oversight procedures. Multiple “Mutual legal assistance” treaties regulate the often-crucial international cooperation in pursuit of cyber-crimes. Such arrangements are so insecure and slow, taking often months, that most times workarounds “at the edge of legal” are deployed3 , which are overwhelmingly unregulated.

Linking Challenges A and Challenge B

Although solving Challenge A would provide substantial societal benefits, the concurrent solution of Challenge A and Challenge B would provide substantially higher and more-sustainable societal benefits because of: the interdependency of constitutional mandates for public safety and constitutional rights for personal privacy; the need to reduce the chance of abuse of Challenge A by criminals, including third state actors; and the need for effective provisioning and investments in Challenge A to be legally sustainable, even though grave public safety crimes might be substantially aided, allegedly or actually, by the use of Challenge A.

Most law enforcement agencies (LEAs) in their (possibly self-serving) public claims and most e-privacy experts believe that Challenge A is already available to ordinary citizens, willing to sacrifice substantial money and/or usability. Almost all privacy experts believe Challenge B is completely impossible, and all discussions or proposals to find a solution are either nonsense, insincere or both.

Many believe that Challenge A is impossible or very uneconomical. Most privacy experts, even those privately admitting there may be some way to solve Challenge B right, believe that such a possibility is so remote that we should not publicly investigate it, as it would increase the risk that states may deploy the wrong solutions.

A few experts believe that Challenge A is possible, or economical, but will never be or should never be sustainably widely available unless Challenge B is also substantially solved. Almost all LEAs and very few privacy experts believe Challenge B may be feasible by deeply exploring innovative socio-technical paradigms, relying on concepts such as: secret-sharing, multi-party computation in different jurisdictions, secret-sharing relying on-site processes rather than IT, provider management, independent standardization and oversight, citizen-witness processes, and more.