New ultra-high assurance IT certifications, the Safe Harbour issue and eIDAS
Thanks to the recent ruling by the EU Court of Justice on Safe Harbour, there may now be a large demand, need and opportunity for the aims of our Free and Safe in Cyberspace: the creation of new international socio-technical standards and certification bodies for IT systems and lawful access schemes that deliver ultra-high and constitutionally meaningful levels of trustworthiness/assurance, while increasing cyber-investigation capabilities, preventing significant malevolent use and, overall, increasing public safety. Such new standards and systems would be in full compliance with that ruling.
The establishment and gradual uptake of such certification bodies by an initial set of critical private or public IT communications domains could at least make available to citizens sector-specific solutions to the Safe Harbour problem, as suggested by Max Schrems, the Austrian citizen who filed the lawsuit that led to the ruling.
Such certified service providers, within the legislative frameworks of most EU nations, would give citizens using sector-specific IT systems a reasonable assurance that not only the applicable legislation, but also the socio-technical oversight mechanisms applied to a system's operation and lifecycle by public institutions and/or trustworthy third parties, would be meaningfully respectful of the EU and US Constitutions and the EU Charter of Fundamental Rights.
Nonetheless, an obvious additional benefit would come to citizens if such new standards/certifications were in the near future adopted as a mandatory standard, initially limited to sector-specific IT services offered by the state to state agencies, namely the most assurance-sensitive IT systems and services of the EU, EU Member States, or even the US. Such a mandate would take effect after 12-18 months, to give industry time to adapt its services to match such standards.
Nations would therefore first test such ambitious standards on top state employees and officials, and then roll them out to citizens when and if the standards are proven to adequately protect both civil rights and cyber-investigation capabilities.
Such standards could inform a revision of the eIDAS regulation and its implementation documents, recognizing what is needed, and what is possible, to provide a high assurance level in compliance with the EU Charter of Fundamental Rights.