Trustless Computing Association


A Case for Apple, Google, Facebook, etc. to promote an international standard for high-assurance IT for wide public use

In a recent open letter to the UN, a main lobby group of major US IT giants (Google, Facebook, Apple, Yahoo, Microsoft, etc.), the Global Network Initiative (GNI), has suggested (my bold):

The GNI’s guidelines indicate that companies should:
– Establish human rights risk assessment procedures and integrate the findings into business decision-making
– Require that governments follow established domestic legal processes when they are seeking to restrict freedom of expression and privacy
– Provide users with clear, prominent and timely notice when access to specific content has been removed or blocked
– Encourage governments, international organizations and entities to call attention to the worst cases of infringement on the human rights of freedom of expression and privacy
– Utilize independent assessments of company implementation of the GNI’s principles

This goal is, in principle, perfectly aligned with our Trustless Computing Certification Initiative and the related event Free and Safe in Cyberspace, which suggest the establishment of international, independent, non-governmental standards for a subset of IT solutions that, initially with limited adoption, provide constitutionally-meaningful levels of user-trustworthiness, and therefore liberty, in ways that are independently and reliably user-verifiable.

In fact, meaningfully reliable or comparable “independent assessments of a company’s implementation of GNI’s principles” can be done only as far as ToS and other internal formal procedures are concerned; it is not technically feasible to assess adherence in the actual technical and socio-technical implementation of mainstream services.

After the Snowden and Hacking Team affairs, enacting such an assessment for the actual service implementation would require a level of transparency, and of actual independent oversight and auditing of all SW, HW and processes critically involved in the service offering, that is so extreme as to be incompatible with the offering of current complex commercial computing infrastructures.

For this reason, we believe GNI should support the establishment of international standards for a subset of end-2-end services and devices – for sensitive use by all citizens and businesses – meant as a complement, in features and user experience, to mainstream commercial devices and services, which are hopelessly beyond adequate independent auditability.

In such a vision, the billions of users of GNI Members will keep using current systems with some level of moderate protection against some low or mid-level threats, state and non-state, but basically assuming that confidentiality (and, to a lesser extent, integrity) can be compromised easily. They will use these systems as a (mostly) public sphere of communication, for communications that they do not consider particularly sensitive.

Meanwhile, they’ll be able to purchase – from those same members and others – companion adjunct end-2-end services or devices that actually provide constitutionally-meaningful assurance for those communications they consider sensitive to themselves or others. This will be their private sphere.

This vision assumes that citizens are fine with having an open digital public sphere (like the streets and squares of a city), as long as they can access a private sphere (like the home and private meeting places) through supplementary, highly user-friendly and portable devices that offer constitutionally-meaningful privacy for extremely basic and limited communications and transactions.

The current strategy of GNI Members, especially device/OS makers, in broad terms, claims to offer all citizens and businesses, at once, an engaging, effective and rich public sphere and also a meaningfully secure private sphere. Apple and Google argue, with the current support of a lot of media, that since they have stopped keeping a master key that they can give to law enforcement or intelligence agencies under legal due process, then magically their technologies are impregnable to targeted (but highly scalable!) end-point malware and malware management systems (such as those of Hacking Team and NSA, and many more, private and state), which are mostly legal in the US and EU states.

But that is clearly untrue, and the truth may filter out, as it often does, with more and more IT breach scandals, including breaches of major worldwide malware makers, which have dumped onto the open Internet large stashes of state-grade end-point malware, exploits, malware management tools and techniques to generate more.