The 1st Edition of the Free and Safe in Cyberspace conference series was held in Brussels on Sept 24th-25th, 2015.
It was organized by the international NGO Open Media Cluster [renamed Trustless Computing Association], with the financial support of the Privacy, Security & Trust Action Line of EIT Digital, an IT innovation agency of the European Union, led by Jovan Golic.
Debaters and keynoters included: Bruce Schneier, arguably the most recognised IT security expert in the world; Michael Sieber, Head of Information Superiority at the European Defence Agency; Richard Stallman, the founder of the free software movement; Bart Preneel, the foremost EU cryptographer; Wojciech Wiewiórowski, deputy head of the EU privacy authority EDPS; Eric Drexler, senior researcher at the Future of Humanity Institute (FHI) and father of nanotechnology; and many other distinguished speakers. See below for the full list.
The conference was centered on how we can break out of the “privacy vs safety” zero-sum mindset in cyberspace via new win-win approaches and certification governance models, in order to substantially reconcile digital human rights with legitimate needs for cyber-investigation. The core assumption of the event was that resolving this apparent dichotomy is a necessary element if we are ever to see meaningfully-secure IT for human communications available to citizens and safe, democratic Artificial Intelligence realized, and therefore to reliably protect and foster civil freedoms, democracy and human progress.
The conference was structured into 5 panels or debates, four of which became the Four Challenges of Free and Safe in Cyberspace that formed the core of the following 10 editions of FSC:
- Challenge A. Is it feasible to provide ordinary citizens access to affordable and user-friendly end-2-end IT services with constitutionally-meaningful levels of user-trustworthiness, as a supplement to their every-day computing devices? If so, how? What scale of investments are needed? What standards/certifications can enable a user to reliably distinguish them from other services? (youtube).
- The role of the Free Software movement for the prospects of wide availability of computing with meaningful user control. (youtube).
- Challenge B. Provided that Challenge A can be met, can new voluntary international IT certifications – within some nations’ current legislative frameworks – provide safeguards that are sufficiently-extreme to reconcile meaningful personal privacy, effective lawful access and prevention of malevolent use? If so, what are the core paradigms of such certification processes? (youtube).
- What can be the role of new high-assurance international IT certifications and governance models in promoting short and medium-term safety and human “value alignment” in advanced Artificial Intelligence? Can standards for radically more trustworthy IT define a European actionable path, from the short to the long-term, to: (1) restore meaningful digital sovereignty to EU citizens, businesses and institutions, (2) cement a EU leadership in the most security-sensitive IT and “narrow artificial intelligence” sectors, and (3) substantially increase the chances of utopian rather than dystopian long-term artificial intelligence prospects? (youtube).
- Solving Challenges A and B: Joint definition of paradigms, and high-level certification requirements and processes, for constitutionally-meaningful computing services and lawful access systems and processes.
You can read the whole program below. The event and its challenges derived from a 9/2015 R&D initiative, conceived and coordinated by the Trustless Computing Association, that described a vision of how to tackle those four challenges, named “Trustless sociotechnical systems for trustworthy critical computing and organizations”.
08.30 – Intro to the event and Intro to Panel 1 by the organizers Rufo Guerreschi, Exec. Dir at Open Media Cluster [now Trustless Computing Association] (youtube) and Jovan Golic Head of EIT Digital Action Line for Privacy, Security & Trust (youtube)
09.00 – Keynote by Michael Sieber, Head of Information Superiority at the European Defence Agency. “EU-domestic prospects of a trustworthy Information and Communication environment, to protect citizens, knowledge and critical infrastructures, and to support security and defence. Architectural vision and necessary processes to maximise and sustain the effects of EU investments, especially on innovation” (youtube).
09.15 – Keynote by Peter Ide-Kostic, Senior Policy Analyst at the EU Parliament Science and Technology Options Assessment unit (STOA), and Melle Van den Berg, Managing Consultant at CapGemini CyberSecurity Consulting. “Context and follow-up to the EU Parliament report on ‘Mass Surveillance – Part 2: Technology foresight, options for longer-term security and privacy improvements’ (link), commissioned by the EU Parliament LIBE Committee in 2015” (youtube).
09.30 – Keynote by Andreas Wild, Exec. Dir. ECSEL JU. “Cyber-security: Is software alone enough? Most widely publicised cyber attacks happen through unauthorized access and malicious software alterations in connected operational systems. In reality, security must be a constant preoccupation throughout the whole life cycle. A secure system needs robust design methodologies, trustworthy supply chains, controlled manufacturing sites, and safe methodologies in deploying and operating it, and this with regard to both hardware and software. What are key challenges and possible responses?” (youtube).
09.45 – Keynote by Pierre Chastanet. Deputy Head of Unit, Trust & Security, DG Connect, EU Commission “A Competitive and Innovative Cybersecurity Industry in Europe” (youtube).
10.00 – SPECIAL Keynote by BRUCE SCHNEIER. “Trust, Society, and Technology” (youtube)
10.30 – Panel 1: Challenge A. Is it feasible to provide ordinary citizens access to affordable and user-friendly end-2-end IT services with constitutionally-meaningful levels of user-trustworthiness, as a supplement to their every-day computing devices? If so, how? What scale of investments are needed? What standards/certifications can enable a user to reliably distinguish them from other services? (youtube).
- Moderator: Rufo Guerreschi
- Debaters: Bruce Schneier, Bart Preneel, Richard Stallman, Andreas Wild, Jovan Golic, Bjoern Rupp, Michael Sieber, Melle Van den Berg, Pierre Chastanet.
11.30 – SPECIAL Keynote by Richard Stallman. “Free software, computing freedom, and privacy” (youtube excerpts).
12.00 – Panel 2. The Role of Free Software. The role of the Free Software movement for the prospects of wide availability of computing with meaningful user control. (youtube).
- Moderator: Bart Preneel
- Panelists: Richard Stallman, Bjoern Rupp, Michael Hohmuth, Rufo Guerreschi, Kai Rannenberg, Pierre Chastanet, Melle Van den Berg.
12.45 – Q&A
13.00 – Lunch for speakers and audience
13.45 – Keynote by Raoul Chiesa (video conf). “Authoritative reports have been proposed recently on possible formalization and socio-technical regulations of existing state lawful cracking that can render it reasonably accountable and respectful of the rights of citizens. Is it possible given the nature of such systems? What are the main safeguards? Views from an ethical cracking expert.” (youtube).
14.00 – Intro to Panel 3 by Golic or Guerreschi
14.05 – Keynote by Michel Jaccard “Which state legal and liability frameworks are today suitable for user-transparent high-assurance IT services? Policy options and recommendations” (youtube)
14.20 – Keynote by Steven Bellovin (video conf.). “Law enforcement agencies worldwide have proposed new legislation to mandate backdoors in Internet services, along the lines of the “lawful intercept” requirements that apply to phone networks. This is a very bad idea; such back doors will be buggy and insecure and will hinder innovation. Instead, we propose to formalize and thoroughly regulate existing lawful cracking (or “lawful hacking”) authorities: after obtaining a proper warrant, law enforcement should hack into endpoints and plant their taps there using existing vulnerabilities. Such software could pick up communications before encryption or after decryption. Safeguards should be extreme and independently certified since computer taps are very invasive” (youtube).
14.35 – Keynote by Marcos Mazoni (video conf.). “The experience of SERPRO in reconciling meaningful privacy with the needs of law enforcement via “offline in-person secret-sharing”, by requiring 4 officials of different state agencies to be physically present and approving an order to access. Next steps to increase assurance post-Snowden” (youtube).
14.50 – Panel 3. Challenge B: Provided that Challenge A can be met, can new voluntary international IT certifications – within some nations’ current legislative frameworks – provide safeguards that are sufficiently-extreme to reconcile meaningful personal privacy, effective lawful access and prevention of malevolent use? If so, what are the core paradigms of such certification processes? (youtube).
- Moderator: Kai Rannenberg
- Panelists: Bart Preneel, Richard Stallman, Michael Sieber, Steven Bellovin (video conf.), Jovan Golic, Michel Jaccard, Rufo Guerreschi, Yvo Desmedt, Alberto Pelliccione.
16.10 – Break
16.25 – Intro to Panel 4, by Rufo Guerreschi
16.30 – Keynote by Eric Drexler, Researcher and Internal Advisor to the Future of Humanity Institute (FHI). “Secure Computing for Safe AI: How can secure computing contribute to AI safety? Control of computational resources and access to information can provide critical tools, not only for conventional computer security but also for implementing strategies for safe access to superintelligent AI capabilities.” (youtube).
16.45 – Keynote by Roman Yampolskiy (video conf.), Professor, AI expert and Author of “Artificial Superintelligence”. “AI Safety Concerns and Possible Solutions. In order to properly handle a dangerous Artificially Intelligent (AI) system, it is important to understand how the system came to be in such a state. In this talk, I survey, classify and analyze a number of circumstances which might lead to the arrival of malicious AI. I will also introduce some currently possible solutions including AI Confinement” (youtube).
17.00 – PANEL 4. What can be the role of new high-assurance international IT certifications and governance models in promoting short and medium-term safety and human “value alignment” in advanced Artificial Intelligence? Can standards for radically more trustworthy IT define a European actionable path, from the short to the long-term, to: (1) restore meaningful digital sovereignty to EU citizens, businesses and institutions, (2) cement a EU leadership in the most security-sensitive IT and “narrow artificial intelligence” sectors, and (3) substantially increase the chances of utopian rather than dystopian long-term artificial intelligence prospects? (youtube).
- Moderator: Jovan Golic
- Panelists: Eric Drexler, Roman Yampolskiy (video conf.), Michael Sieber, Rufo Guerreschi, Alberto Pelliccione.
17.45 – Q&A
18.00 – Closing remarks
18.15-21.00 – Dinner for speakers and special guests
Bruce Schneier
Board member at Electronic Frontier Foundation, Open Technology Institute and EPIC. Fellow at Harvard Law School. CTO at Resilient Systems. Arguably the world’s most-renowned and recognized IT security expert.
Bart Preneel
Director at COSIC, KU Leuven. President of the International Association for Cryptologic Research. Arguably the EU’s most peer-recognized IT security expert and researcher.
Richard Stallman
President of the Free Software Foundation. Founder of the Free Software movement. Author of the GNU General Public License, the first copyleft free software license. Creator of the GNU operating system, which together with the Linux kernel forms the basis of a majority of mobile and server computing devices.
Andreas Wild
Executive Director of ECSEL JU, the largest EU R&D public funding program for microelectronics, with projects exceeding 150M€ per year.
Wojciech Wiewiórowski
Deputy European Data Protection Supervisor. Previously served as Inspector General for the Protection of Personal Data at the Polish Data Protection Authority.
Marcos Vinicius Mazoni
President of SERPRO, the main Brazilian IT public agency, delegated by President Rousseff to develop state-surveillance-proof email systems for government officials.
Jovan Golic
Privacy, Security and Trust Action Line Leader of EIT Digital. Renowned cryptanalyst and cryptographer. EIT Digital manages, through its Innovation and Education action lines, about 80M€ yearly of EU funds for close-to-market IT innovation, research and education co-funding.
Rufo Guerreschi
Executive Director at Trustless Computing Association. Project Lead at the User Verified Social Telematics project and the Trustless Computing Initiative. Long-time activist for the promotion of democracy within and through the use of IT.
Yvo Desmedt
A pioneer of threshold cryptography. Fellow of the IACR. Jonsson Distinguished Professor at the University of Texas at Dallas, USA and Chair of ICT at University College London, UK.
Kai Rannenberg
Holder of the Deutsche Telekom Chair of Mobile Business & Multilateral Security at Goethe University Frankfurt; Privacy, Security & Civilisation AoI leader at the EU NIS Platform. Member of the ENISA Permanent Stakeholder Group.
Melle Van Den Berg
CapGemini CyberSecurity Consulting. Co-author of the “Mass Surveillance Part 2 – Technology foresight, options for longer-term security and privacy improvements” report commissioned in 2014 by the EU Parliament STOA.
Peter Ide-Kostic
Senior Policy Analyst at the EU Parliament Science and Technology Options Assessment unit (STOA) and the EU Parliament LIBE Committee Secretariat.
Michel Jaccard
Swiss-based attorney at corporate and tech boutique firm Id Est Avocats, specialized in open innovation, data privacy and security, free and open source licenses, and “crypto law”.
Bjoern Rupp
CEO of GSMK Cryptophone, a mobile end-to-end encryption and mobile device security pioneer. GSMK makes the only cryptophone whose software stack is publicly verifiable without an NDA.
Roman Yampolskiy
World-renowned AI superintelligence safety expert and professor. Author of “Artificial Superintelligence”. Focused on AI Containment (isolation). Active in popular media channels.
Eric Drexler
Senior Visiting Fellow at the Oxford Martin School, Oxford University, and a researcher and Internal Advisor to the Future of Humanity Institute (FHI), led by Prof. Nick Bostrom. A pioneer of nanotechnology. Member of FHI’s Oxford Martin Programme on the Impacts of Future Technology.
Raoul Chiesa
A widely recognized IT cracker, hacker and IT security expert. President of Security Brokers. Formerly consultant and advisor to ENISA, NATO, the Italian MoD and UNICRI.
As Director of the Singularity Weblog he has conducted over 160 interviews with the world’s best known AI experts. Graduate in economics, philosophy, and Singularity University. Has written over 800 articles and papers on the subject.
Today there are over three billion internet users worldwide. Many of them spend half of their waking life online in wide-ranging activities, from personal email to grocery shopping, from political activism to enjoying the best cat videos. Privacy seems a far-away dream to most. But is it? Can’t a limited but truly private sphere be created and protected? Can new standards and technologies, supplementary to overly complex mainstream devices, allow ordinary citizens to reach meaningful levels of privacy and security, at least for the most critical and personal parts of their online lives? If so, can these be made user-friendly and affordable for all, and still prevent grave risks for public safety and cyber-investigation capabilities?
These are the urgent challenges addressed by a new public event series, launched with the Free and Safe in Cyberspace 2015 workshop held in Brussels on September 24-25th 2015, with a Latin America edition to be held next October 16th in Brazil, and a North American edition in the works. The Brussels event included the EU’s and US’s most recognized IT privacy and security experts, Preneel and Schneier; the father of free software, Richard Stallman; senior officials of leading civilian and military EU institutions; high-assurance IT executives; and experts in advanced artificial intelligence. The workshop aimed specifically at building consensus on innovative techno-organizational certifications and certification governance models for next-generation high-assurance IT services, as well as for targeted (endpoint) lawful access systems. Slides and videos of this event are available on the program page.
“Perfect privacy and perfect security are impossible, and most likely will always be so. Nevertheless, it is essential to define some very high and measurable levels of trustworthiness that are compatible with the exercise of civil rights in cyberspace”, said in his introduction Rufo Guerreschi, executive director of Open Media Cluster (now called Trustless Computing Association), a small R&D non-profit based in Rome. Jovan Golic, from the co-organizing EIT Digital Privacy, Security and Trust Action Line, said: “It is frequently said that there is a trade-off between cyber-security and cyber-privacy, but that is misleading and blocking for both cyber-privacy and also for business in this area. In fact, if you don’t have cyber-privacy you cannot have real cyber-security because the data will be vulnerable to cyber attacks“. Golic went on clarifying that: “There is indeed a trade-off between cyber-surveillance and cyber-privacy, but cyber-surveillance is not the same as cyber-security. … So, we would like to have both cyber-security and cyber-privacy and also lawful cyber-surveillance. In order to achieve that, we need secure and trustworthy technologies.”
In his keynote speech, Michael Sieber (European Defence Agency) addressed a hot and controversial topic, particularly after the widespread surveillance programs revealed by Edward Snowden and more recent hacks. “Among EU member states it’s hilarious: they claim digital sovereignty but they rely mostly on Chinese hardware, on US American software, and they need a famous Russian to reveal the vulnerabilities”. Most importantly, he envisioned an exciting step forward for the EU: “We can create a joint vision, big in ambition and funding; concentrate on our strengths; effectively combine ‘smart clustering’ and ‘smart regulation‘”.
Bruce Schneier, the world-renowned security expert, focused on trust as a key feature to better understand the main challenges laid out for this event (and the entire “Free and Safe in Cyberspace” project). “Trust is essential to human society and we, as a species, are very trusting. But what are the security mechanisms that make this work, particularly in the IT world? Mostly we rely on transparency, oversight, and accountability,” explained Schneier. “And so in order to avoid some mechanism failure, as was the case with the recent Volkswagen cheat, we must integrate them – along with verifiable standards, liability measures, and institutional drive to encourage cooperation. We’d strive to apply this formula also to these challenges, aiming at ultimately providing affordable, user-friendly IT-related services for all.”
In his trademark style, Richard Stallman, founder of the Free Software Foundation, proposed a few interesting insights: “We should stop thinking about security as against third parties, we should stop assuming that program developers are on our side. Actually, the programmer can be the enemy, so we must be sure that there is no one with that much control”. More controversially, during Panel 2 on the role of free/open source software, Stallman said that computing trustworthiness is a “practical advantage or convenience” rather than an additional requirement for computing freedom. Guerreschi countered that the lack of meaningful trustworthiness inevitably turns the other four software freedoms into a disutility for their users. According to Michael Hohmuth (CEO at Kernkonzept, Dresden), one obstacle preventing user control is the “complexity of our operating systems…and of course the solution is trying to reduce this complexity, something that we try to address by putting all the components that the user cannot trust any more in their own little compartment“, thus enabling some simpler verification steps.
On the hardware side, Kai Rannenberg (Professor of Business Informatics at Frankfurt’s Goethe University) focused on the importance of “embedding” trust in the manufacturing process itself: “today the EU seems to have only a limited capacity to come up with its own value chain to build trust in hardware, and companies should definitely move forward in this direction“. And Stallman highlighted the essential part of “developing free hardware designs for the kind of chips that you need…and people are working on such projects“.
In wrapping up on the hardware security issue, Andreas Wild (executive director of ECSEL JU) insisted on a broader and integrated strategy for a possible solution: “Most widely publicized cyber-attacks happen through unauthorized access and malicious software alterations in inter-connected operational systems. Therefore, a secure system needs robust design methodologies, trustworthy supply chains, controlled manufacturing sites, and safe methodologies in deploying and operating it, and this with regard to both hardware and software”.
On the related topic of IT certifications for safe methodologies, two engaging panels covered new high-assurance international certifications and governance models (Panel 1) and the prospect of voluntary certification procedures for lawful access (Panel 3). The panelists agreed that this is a long-term process, and that we should stay focused on providing safeguards that are at least good enough to reconcile meaningful personal privacy, effective lawful access and prevention of malevolent use. The leading cryptographers Yvo Desmedt and Jovan Golic presented some broad options for key recovery that may enable public or private entities to voluntarily comply with lawful access requests, through independent and offline third-party processes based on decades of experience with secret sharing cryptographic protocols, which according to the presenters can also ensure so-called forward secrecy. The president of the Brazilian IT agency SERPRO, Mazoni, presented his plans for delivering meaningful privacy while enabling lawful investigations for public employees.
The last panel of Day 1, Panel 4, looked into the role of new high-assurance IT standards in promoting the benefits and preventing the risks of advanced AI (Artificial Intelligence), as well as AI’s role in state public security activities as both a tool for and a threat to freedom and public safety. A concluding panel on the second day attempted to merge the various perspectives that emerged in the two-day workshop, insisting, among other things, on the need to broaden international cooperation on these complex topics, particularly on IT certification procedures.
Finally, Rufo Guerreschi announced that “probably next spring we will have a similar workshop in Washington DC”, and introduced the upcoming Free and Safe in Cyberspace – LatAm Edition event in Iguazu, Brazil (October 16th 2015), as part of LatinoWare 2015, one of the largest free software conferences in the world.
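As an added illustration of the mechanism behind the key-recovery options Desmedt and Golic sketched and behind SERPRO’s “four officials physically present” rule (Mazoni’s keynote above), the following example implements a threshold secret-sharing scheme (Shamir’s scheme over a prime field). It is example code written for this page, not the protocol either presenter or SERPRO actually uses; the prime, the seven custodian labels, the four-of-seven threshold and the sample key are all constructed assumptions. It shows the security-relevant property a certifier would want to check: four custodians jointly reconstruct the recovery key, while three learn nothing, since any subset below the threshold is consistent with every possible key.

```python
import secrets

# Field prime for the example (an assumption: any 256-bit key fits below it).
# A production system would use a vetted library and an audited ceremony.
PRIME = 2**521 - 1

# Constructed scenario, not the SERPRO design: seven custodian agencies,
# four of which must be present to reconstruct the key-recovery secret.
CUSTODIANS = ["agency-A", "agency-B", "agency-C", "agency-D",
              "agency-E", "agency-F", "agency-G"]
THRESHOLD = 4


def _eval_poly(coeffs, x, p=PRIME):
    """Evaluate a polynomial (constant term first) at x, mod p (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, threshold, shares, p=PRIME):
    """Shamir split: `shares` points on a random degree-(threshold-1) polynomial
    whose constant term is the secret. Any `threshold` points recover it."""
    if not 0 <= secret < p:
        raise ValueError("secret must be in [0, p)")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    # Share index x = 0 is never issued: f(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, shares + 1)]


def recover_secret(points, p=PRIME):
    """Lagrange interpolation at x = 0 from (x, y) share points.
    With fewer than `threshold` points this returns a value that is
    uniformly distributed, i.e. it reveals nothing about the secret."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % p        # product of (0 - xj)
                den = (den * (xi - xj)) % p    # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def distribute(secret, p=PRIME):
    """Hand one share to each custodian: {custodian: (x, y)}."""
    pts = split_secret(secret, THRESHOLD, len(CUSTODIANS), p)
    return dict(zip(CUSTODIANS, pts))


def lawful_access(held, present, p=PRIME):
    """Reconstruct the secret only when at least THRESHOLD distinct
    custodians are present; otherwise refuse without touching any share."""
    present = set(present)
    if len(present) < THRESHOLD:
        raise PermissionError(
            f"{len(present)} custodians present, {THRESHOLD} required")
    return recover_secret([held[c] for c in present], p)


if __name__ == "__main__":
    key = secrets.randbits(256)              # constructed sample recovery key
    held = distribute(key)
    print("4 of 7 present, recovered ok:", lawful_access(held, CUSTODIANS[:4]) == key)
    three = [held[c] for c in CUSTODIANS[:3]]
    print("3 shares give the key:", recover_secret(three) == key)
```

The offline, in-person part of the SERPRO model is outside the code: the scheme only guarantees that the mathematics cannot be short-circuited below the threshold, while a certification would additionally have to cover how shares are generated, stored and presented, and how each access is logged.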
The Trustless Computing Association is a non-profit organization, based in Zurich, that has aggregated world-class partners and advisors to build open IT technologies, certifications and ecosystems that can deliver levels of trustworthiness radically higher than the state of the art. Together with its spin-off startup TRUSTLESS.AI, also based in Zurich, the association has been building (1) the Trustless Computing Certification Body, a new IT security standards-setting and certification body aimed at radically unprecedented levels of trustworthiness while at once solidly enabling legitimate lawful access, and (2) the Seevik Pod and Net, an initial open computing base, ecosystem and IT device compliant with such new certifications.