In advance to our next Free and Safe in Cyberspace event in Berlin on may 4th 2018, we are engaging with the very active EU and German digital civil rights and ethical hackers NGOs. Some still believe that what we are doing is creating a backdoored system or backdoored IT standards, while we are doing the contrary: creating the first systems that can be plausibly expected not to have one.
At the Trustless Computing Association, we believe that the main challenge for our digital freedoms is not – as most digital rights NGOs believe – to prevent the government to “mandate backdoors” or “ban encryption”, because every single device is already broken, is already backdoored, and vulnerable to all kinds of mid-high levels state and non-state criminals; except for highly complex device setups, used in very limited use cases by highly expert or resourced users.
The main challenge is, which believe, how do we make so that devices with constitutionally-meaningful levels of privacy become available to all citizens and our elected representatives?!. But this means making so that legal, legitimate and constitutional – no more, no less – lawful access is also promptly ensured, otherwise it can be abused to substantially facilitate very grave or socially unaccepted crimes.
With our Manifesto and Position Paper “A Case for Trustless Computing Certification Body”, we have been developing a very deep argument, over the last 3 years, that the same extreme levels of transparency, accountability, oversight and expert ethical security review relative to complexity” – set and certified by an international highly democratic and expert non-profit third party organization – are both required to achieve such constitutionally-meaningful levels of privacy, but also at the same time able to safeguard a key recovery service – an obvious need for nearly all day-to-day users, in case they die or forget their passwords – through an offline in-person process supported by a non-governmental citizen-jury-based process. This, in turn, can be extended to receive and evaluate lawful access requests. In the end, of course adding such voluntary lawful access request compliance would add some additional risk, but the overall risk for abuse of such solution would be substantially or radically smaller than the best solutions that are currently available or foreseeably available in the near future.