Today there are over three billion internet users worldwide. For many, half of their awake life spent online in wide-ranging activities, spanning from personal email to grocery shopping, from political activism to enjoying best cat videos. Privacy seems a far away dream to most. But, is it?! Can’t a limited but truly private sphere created and protected! Can new standards and technologies, supplementary to overly complex mainstream devices, allow ordinary citizens to reach meaningful levels of privacy and security, at least for the most critical and personal parts of their online lives? If so, can these be made user-friendly and affordable for all, and still prevent grave risks for public safety and cyber-investigation capabilities?
These are the urgent challenges being addressed by a new public event series through the launch of the first of such events with the Free and Safe in Cyberspace 2015 workshop, held in Brussels on September 24-25th 2015, a Latin America edition to be held next Oct 16th, in Brazil, and a North American version in the works. The Brussels event included: EU and US most recognised IT privacy and security experts, Schneier and Preneel, the father of free software, Richard Stallman, senior officials of leading civilian and military EU institutions, high-assurance IT executives, and experts in advanced artificial intelligence. The workshop aimed specifically at building consensus on innovative techno-organizational certifications and certification governance models for next generation high-assurance IT services, as well as targeted (endpoint) lawful access systems. Slides and videos of this event are available on the program page.
“Perfect privacy and perfect security are impossible, and most likely will always be so. Nevertheless, it is essential to define some very high and measurable levels of trustworthiness that are compatible with the exercise of civil rights in cyberspace”, said in his introduction Rufo Guerreschi, executive director of Open Media Cluster, a small R&D non-profit based in Rome. Jovan Golic, from the co-organizing EIT Digital Privacy, Security and Trust Action Line, said: “It is frequently said that there is a trade-off between cyber-security and cyber-privacy, but that is misleading and blocking for both cyber-privacy and also for business in this area. In fact, if you don’t have cyber-privacy you cannot have real cyber-security because the data will be vulnerable to cyber attacks“. Golic went on clarifying that: “There is indeed a trade-off between cyber-surveillance and cyber-privacy, but cyber-surveillance is not the same as cyber-security. … So, we would like to have both cyber-security and cyber-privacy and also lawful cyber-surveillance. In order to achieve that, we need secure and trustworthy technologies.”
In his keynote speech, Michael Sieber (European Defence Agency) addressed a hot and controversial topic, particularly after the widespread surveillance programs revealed by Edward Snowden and more recent hacks. “Among EU member states it’s hilarious: they claim digital soverignty but they rely mostly on Chinese hardware, on US American software, and they need a famous Russian to reveal the vulnerabilities”. Most importantly, he envisioned an exciting step forward for the EU: “We can create a joint vision, big in ambition and funding; concentrate on our strengths; effectively combine ‘smart clustering’ and ‘smart regulation‘”.
Bruce Schneier, world-renowned security expert, focused on trust as a key feature to better understand the main challenges laid out for this event (and the entire “Free and Safe in Cyberspace” project). “Trust is essential to human society and we, as a species, are very trusting. But what are the security mechanisms that make this work, particularly in the IT world? Mostly we rely on transparency, oversight, and accountability,” – explained Schneier. “And so in order to avoid some mechanism failure, as was the case with the recent Volkswagen cheat, we must integrate them – along with verifiable standards, liability measures and institutional drive to encourage cooperation. We’d strive to apply this formula also to these challenges, aiming at ultimately providing affordable, user-friendly IT-related services for all.”
In his trademark style, Richard Stallman, founder of the Free Software Foundation, proposed a few interesting insights: “We should stop thinking about security as against third parties, we should stop assuming that program developers are on our side. Actually, the programmer can be the enemy, so we must be sure that there is no one with that much control”. More controversially, during Panel 2 on the role of free/open source software, Stallman said that computing trustworthiness is a “practical advantage or convenience” rather an additional requirement for computing freedom. Guerreschi opposed a different opinion by which the lack of meaningful trustworthiness turns inevitably the other four software freedoms into a disutility to their users. According to Michael Hohmuth (CEO at Kernkonzept, Dresden), one obstacle preventing user control is the “complexity of our operating systems…and of course the solution is trying to reduce this complexity, something that we try to address by putting all the components that user cannot trust anymore in its own little compartment“, thus enabling some simpler verification steps.
On the hardware side, Kai Rannenberg (Professor of Business Informatics at Frankfurst’s Goethe University) focused on the importance of “embedding” trust in the same manufacturing process, and “today EU seems to have only a limited capacity to come up with its own value chain to build trust in hardware, and companies should definitely move forward on this direction“. And Stallman highlighted the essential part of “developing free hardware designs for the kind of chips that you need…and people are working on such projects“.
In wrapping up on the hardware security issue, Andreas Wild (executive director of ECSEL JU) insisted on a broader and integrated strategy for a possible solution: “Most widely publicized cyber-attacks happen through unauthorized access and malicious software alterations in inter-connected operational systems. Therefore, a secure system needs robust design methodologies, trustworthy supply chains, controlled manufacturing sites, and safe methodologies in deploying and operating it, and this with regard to both hardware and software”.
On the related topic of IT certifications for safe methodologies, two engaging panels covered the new high-assurance international certifications and governance models (Panel 1) and the prospect voluntary certification procedures for lawful access (Panel 3). The panelists agreed that this is a long-term process, and we’d always stay focused on providing safeguards that are at least good enough to reconcile meaningful personal privacy, effective lawful access and prevention of malevolent use. The leading cryptographers Ivo Desmedt and Jovan Golic presented some broad options for key recovery options, that may enable public or private entities to voluntarily provide compliance to lawful access requests, through independent and offline third-party processes based on decades of experience with secret sharing cryptographic protocols, which can also ensure the so-called forward secrecy. The president of the Brazilian IT agency SERPRO, Mazoni, presented his plans for delivering meaningful privacy and enabling lawful investigations for public employees.
The last panel on Day 1, number four, looked into the role of new high-assurance IT standards to promote the benefits and prevent the risks of advanced AI (Artificial Intelligence), as well as considering its role in state public security activities as both a tool, and threat to freedom and public safety. A concluding panel on the second day attempted to merge the various perspectives emerged in the two-day workshop – insisting, among other things, on the need to broaden the international cooperation on these complex topics, particularly on IT certification procedures.
Finally, Rufo Guerreschi announced that “probably next spring we will have a similar workshop in Washington DC”, and introduced the upcoming Free and Safe in Cyberspace – LatAm Edition event in Iguazu, Brazil (October 16th 2015), as part of LatinoWare 2015, one of the largest free software conferences in the world.
For further information, please contact us at info@free-and-safe.org