As in our EU and Latin American editions, this 1st US edition aims to catalyse a constructive dialogue and a wide informed consensus on the role of new international non-governmental standards and certifications for ICT services with ultra-high levels of assurance – for communications, constitutional lawful access and artificial intelligence – that are able to grant unprecedented and constitutionally– meaningful levels of e-privacy and e-security to all, while increasing public safety and cyber-investigation capabilities.
UN Special Rapporteur on the Right of Privacy. Head of the Department of Information Policy & Governance at the Faculty of Media & Knowledge Sciences of the University of Malta. Chair of European Information Policy & Technology Law within the Faculty of Law at the University of Groningen.
Leading Austrian privacy activist. He initiated a lawsuit questioning the compliance of the Safe Harbor agreement between EU and US, which lead to its invalidation by the Court of Justice of the European Union. He proposes “sector-specific solutions” to resolve the Safe Harbor log jam, and beyond.
Co-chair of An Internet Safe and Secure Working Group of the Freedom Online Coalition. FOC is a group of 29 nations “committed to work together to support Internet freedom and protect fundamental human rights – free expression, association, assembly, and privacy online – worldwide“.
William R. Pace
Executive Director, World Federalist Movement-Institute for Global Policy (WFM-IGP). Convenor of the Coalition for the International Criminal Court (CICC) since 1995 . Steering Committee Member of the International Coalition for the Responsibility to Protect (ICRtoP).
Vice President Information Technology and Innovation Foundation (ITIF). Co-author of the recent report on policies Unlocking Encryption:Information Security and the Rule of Law.
Director of the Center of Law and Security at New York Law School. Previously served as Policy Advisor in the US Department of the Treasury’s Office of Terrorism and Financial Intelligence, and Special Assistant to the Joint Chiefs of Staff of the US Department of Defence.
World-renowned AI superintelligence safety expert and professor. Author of Artificial Superintelligence. Focused on AI Containment (isolation). Active in popular media channels.
John C. Havens
World-renowned cryptographer, and pioneer of threshold cryptography. Fellow of the IACR. Jonsson Distinguished Professor at University of Texas at Dallas, USA and Chair of ICT at University College London, UK.
Founder of the Global Privacy as Innovation Network, that views privacy and data ethics as economic and social investments. Founders and member of the board DataEthics.eu. Author of an an upcoming book, The Data Ethical Company.
Privacy, Security and Trust Action Line Leader of EIT Digital. Privacy, Security and Trust Action Line Leader of EIT Digital. Renowned cryptanalyst and cryptographer. EIT Digital manages, through Innovation and Education action lines, about 80M€ yearly of EU funds for close-to-market IT innovation, research and education co-funding.
Executive Director at Trustless Computing Association. Project Lead at the User Verified Social Telematics project and the Trustless Computing Initiative. Long-time activist for the promotion of democracy within and through the use of IT.
08:30 – Reception and Coffee
08:50 – Intro by Rufo Guerreschi and Jovan Golic
09:10 – Special keynote by Joe Cannataci, UN Special Rapporteur on the Right of Privacy.
09:25 – Special keynote by Max Schrems, world-renowned EU privacy activists
09:40 – Flash position statements by panellists with flash QAs
- Is it feasible to provide ordinary citizens access to affordable and user-friendly complete ICT services with levels of trustworthiness that are meaningfully-abiding to the EU Charter of Fundamental Rights, as a supplement to their every-day computing devices? If so, how? What standards, standard setting and certifications processes can enable users to reliably assess their actual trustworthiness? What scale of investments are needed? How likely is it that they would sustainably be legally allowed?
(See Backgrounder on Challenge A)
Moderator: Rufo Guerreschi
Debaters: Jovan Golic, Daniel Castro, Joe Cannataci, Yvo Desmedt, Rufo Guerreschi
11:00 – Coffee Break
11:15 – Special Keynote by Jovan Golic, on “EIT Digital and business opportunities in cybersecurity and privacy”
11:35 – Flash position statements by panellists with flash QAs.
- Can providers of ultra-high assurance ICT devise complaince mechanisms to lawful access requests, voluntarily – i.e. in addition to what’s required by selected jurisdictions – without significantly increasing risks for the privacy of users nor for public safety? If so, how? What are the core paradigms of such certification processes? (Backgrounder on Challenge B)
Moderator: Jovan Golic
Panelists: Daniel Castro, Max Schrems, Zachary Goldman, Joe Cannataci, Simon Halink, Rufo Guerreschi
12:45 – QA with audience
13:00 – Lunch break
14:00 – Intro to Challenge C by Roman Yampolskiy
14:10 – Flash position statements by Challenge C panellists with flash QAs
- How can non-governmental ultra-high assurance ICT standards, and related socio-technical and governance models, spur sustainable AI-driven economic development and foster long-term AI safety? Can ultra-high assurance ICT standards, applied to the most critical deterministic sub-systems, contribute substantially to AI safety? (Backgrounder or Challenge C)
Moderator: Roman Yampolskiy
Panellists: John Havens, Rufo Guerreschi, Gry Hasselbalch, Joe Cannataci, Zachary Goldman.
15:40 – QA with audience
15:50 – Coffee Break
16:10 – Flash position statements by panellists with flash QAs
- What constituent processes can ensure a timely, effective and democratically-efficient implementation – by a critical mass of actors – of meaningfully-enforceable national policies or international treaties for ultra-high assurance IT standards setting and certification processes?! (Backgrounder on Challenge D)
Moderator: Rufo Guerreschi
Panellists: Joe Cannataci, Max Schrems, John Havens, Simone Halink, Zachary Goldman, Bill Pace, Jovan Golic.
18:00 -Summary of the day by organizers and QA with audience
18:45 – END
19:30-23:00 – Dinner for panellists, speakers and special guests
WORKSHOP REPORT: “FREE AND SAFE IN CYBERSPACE” WORKSHOP ON JULY 21ST 2016 IN NEW YORK CITY STRIVES TO BRIDGE THE APPARENT GAP BETWEEN E-PRIVACY AND EFFECTIVE CYBER-INVESTIGATION CAPABILITIES
A small workshop was held on 21 July 2016 in New York City, as part of the Free and Safe in Cyberspace international event series, was focused on discussing and planning possible solutions to provide meaningful levels of e-privacy and e-security for all users, while also increasing public safety and cyber-investigation capabilities. Following the great success of the 2015 Edition, a larger two-days 2° EU Edition will follow on Sept 22-23rd 2016, again in Brussels, where a major comprehensive proposal will be presented by a number of speakers involved in the event series, as well as selected results of innovation projects of EIT Digital.
In introducing the July 21st event, Rufo Guerreschi (executive director of Open Media Cluster (now called Trustless Computing Association) and event co-organizer) summarized a few crucial points for the entire Free and Safe in Cyberspace event series: “Recent episodes showed that, on the one hand, citizens and institutions suffer a great loss of civil rights and sovereignty, while, on the other, EU and US IT companies are struggling to seek ways to offer the levels of trustworthiness required by both National customers and legislations. But this clash about the need of ensuring public safety and security of state-nations and also user privacy actually could be reconciled. In fact, if you had to choose one of the two you will not be able to sustain democracy. Democracy and freedom require both citizen safety and privacy protection. We hope that our discussion events can reconcile such gap and find a common ground to build a more equitable, effective toolkit for all stakeholders involved”.
Expanding on this introduction, Jovan Golic (EIT Digital Privacy, Security and Trust Action Line Leader and renowned cryptographer) provided a general overview of the deeply complex technical issues at stakes: “It is not true that there is a tradeoff between cyber-security and cyber-privacy, they are both on the same side. We need to talk about more of both, and at the same time ensure data protection. If you don’t protect data then you cannot help cyber-security, because the data will be prone to attacks. However, there is a tradeoff between cyber-surveillance and cyber-security. And by talking about these topics, we can try to change the existing trend where governments have their own ways how to control things in the security area, including legislation, and big security companies prefer to just stay quiet and comply with government mandates. This is the reason why we are still lacking good solutions in regards to data protection practices”
In his keynote speech, Professor Joe Cannataci (UN Special Rapporteur on Privacy, SRP) explained that “the safeguards and remedies available to citizens cannot ever be purely legal or operational”. Therefore, a much better option is to “involve all stakeholders in the development of International law relevant to privacy” and to “engage with the technical community in an effort to promote the development of effective technical safeguards including encryption, overlay software and privacy protection”. Both goals are at the forefront of the SRP overall efforts, added Cannataci, while also pointing out an important and recent advancement: “Both the Netherlands and the USA have moved more openly towards a policy of no back-doors to encryption, a step that should be encouraged by the UN and other International bodies”.
In the second keynote speech, Max Schrems (leading Austrian privacy activist) summarized the story of his lawsuit for the invalidation of the Safe Harbor Agreement that allows US companies to store European citizen personal data. “What was the reason for the lawsuit? Even if the European Union talks a lot about mass surveillance, with EU resolutions, angry letters and so on, we knew that this kind of ‘public outrage’ was not going anywhere. Therefore, we looked at what I call ‘public/private surveillance’: companies like Facebook are subject to both US and EU jurisdictions, so this law conflict that must be resolved. In turn, this gave us the possibility to bring a legal case (mostly opposing mass surveillance) in a European Court and even have jurisdiction there, because obviously we cannot have jurisdiction in other countries”. This lawsuit (and it on-going outcomes) was just a first step to make public some problems about global mass surveillance procedures. Another important issue, according to Schrems, is that “given the policies now being adopted and/or rewritten around the world, the de-identification and anonymization of data is no longer a sufficient safeguard if governments & corporations continue to re-purpose data originally collected for one specific purpose”. His possible solutions to move forward? “First we need some codes of conduct that could possibly be drafted by and implemented throughout the industrial sector. And then we should establish shared certification options and make sure that companies are fully compliant (with some help from an independent body monitoring)”.
The event included four discussion panels, or Challenges, focused on a series of inter-related challenges (A – How can we achieve ultra-high assurance ICTs?, B – Can ultra-high assurance ICT services comply with lawful access request while meaningfully protecting civil rights?, C – What is the role of AI in providing ultra-high assurance ICTs? D – What National policies or International treaties can we envision to support ultra-high assurance ICT standards?).
Here are a few highlights:
Jovan Golic delivered an introductory keynote for panel B about the interplay between cyber-security, cyber-privacy, and cyber-investigation, about the need to reconcile cyber-investigation with cyber-security and cyber-privacy by widely accepted transparent solutions, which would foster business opportunities in the area of digital security, and already practical advanced crypto techniques for data protection, including threshold cryptography based on shared key escrow and practical fully homomorphic encryption, as well as innovation & business results of EIT Digital in this area.
Roman Yampolskiy delivered an introductory keynote for panel C on the security threats related to modern AI systems and smart things, on one side, getting more and more powerful and helpful for humans, but possibly threatening their lives and work by improper designs and implementations, on the other
“How do we create a situation where secure software and hardware systems can be developed? Let’s make a comparison with the construction industry, where developed countries established certain types of regulations and guidelines and today we have buildings that can sustain an earthquake or a fire. We got rid of poor standards and introduced a system based on specific building codes, inspectors and so on, thus achieving a level of safety that seemed impossible just a few years ago. We need to promote public-private partnerships and formalize strong standards and accountability in this area and pushing hard to have governments and businesses working together” (Daniel Castro, Vice President of the Information Technology and Innovation Foundation),
“What can you do when you really, really worry about privacy? The answer is very simple. don’t use a smartphone. I do not carry a smartphone. Secondly, if you are worried about being eavesdropped, use paper and pen or do what the Russians have done for decades, use typewriters. But given that these are radical and extreme security options, will most people want to use them? No. Can we achieve today economically-feasible and effective security? The answer is no” (Yvo Desmedt, renowned cryptographer and pioneer of threshold cryptography).
“Today’s ‘smart technologies’ (deployed via wi-fi in our homes or to help in natural disasters, etc.) are not at all resistant to hacking by criminals or by authorities. And despite recent advancement, technologists seem unable to ensure a decent level of individual privacy and there is little hope that National legislations can protect it either”
“We currently do not have solutions which are meaningfully private, even if you pay a lot of money or are willing to deal with the inconvenience. That’s also proven by the fact that the market for crypto devices is completely inexistent. It’s a matter of a few thousand devices. Not to mention the fact that, if buy a crypto-phone, you’re flagging yourself, suggesting that probably you’re trying to hide something and most likely you have no clue about that.”
“We need to look at the reality of data protection at different stages. At the first stage of data collection, there are privacy policies and user consent, but they do not prevent uncontrollable mass data collection by big Internet service providers. What is protected in practice is data communications, typically between a client and a server, rarely end-2-end between two clients. However, data encryption is endangered by various so-called backdoors at different levels of the data security chain, including crypto algorithms and protocols, key generation and management, and software and hardware implementations. Backdoors are by definition secret and proprietary before they get revealed to public and essentially mean that the used cryptosystem is inherently insecure due to them. In practice, they are used for cyber-investigation by privileged parties. But, they are also used by hackers and cyber-criminals, which renders the cyberspace insecure. Instead, for the same purpose, one may use the so-called “frontdoors”, which are by definition transparent and may be based on properly implemented threshold cryptography with shared key escrow providing forward and backward secrecy and focused cyber-surveillance. Data storage is protected by encryption and controlled access, but there are too many breaches of database servers storing sensitive data, because of cryptograhic key management issues and various software vulnerabilities. Data processing is practically not protected at all, not even for sensitive data such as the e-health data, because service providers work on plain data to provide their services, regardless of the emerging practical techniques for fully homomorphic encryption, which enable data processing in the encrypted domain. Consequently, what is needed in order to improve the current unsatisfactory situation and trends is the application of existing, but rarely applied, trustworthy technologies for data protection”
“A large majority of people think that secure products are already out there and easily available, including Apple iPhones and the Tor system. But there’s an incredible alignment of interest between Apple, Tor makers and security agencies. Why? Apple and Tour makers they have an interest that people believes their thing is secure so they buy their stuff instead of our stuff. Security agencies have a huge interest that this security is oversold so that people use this tool, communicate secret stuff and they can spy them using directly implanted backdoors or vulnerabilities that are by them discovered or bought and not publicized”
“I think we can have highly regulated systems, for example financial systems, where we are going to want recovery, in general, to discuss what that looks like and how we enable lawful access. It even might make sense in some regulated communication services. There are multinational companies that have a large user base and we need to consider how to regulate them. In many cases, I can write software and have communications with someone else around the world and we are using software that we’ve written that nobody else has access to. That’s going to be secure and outside of the scope of what law enforcement. But, we still need to figure out how to deal on the policy side with what we are going to do with those situations”
“At least in the US, there are questions about the circumstances under which you can compel individuals to provide decrypted information. There are questions about the circumstances in which you can require the manufacturers of systems to build systems and networks in a way that clear-text data will always be available. There are questions about whether and under what circumstances you can compel device or app manufacturers to provide clear text data. … I don’t feel comfortable living in a world in which the law enforcement community doesn’t have the ability to infiltrate and take down” such communication networks”