A Swiss and German push towards International Digital Human Rights?

In this long post, we analyse recent legislative developments in Switzerland and Germany that show progress in their positioning to promote international human rights in the are of IT, by radically improving IT security standards and certifications for the most sensitive domains. We analyse how ensuring legitimate lawful access within such new standards remains a crucial requirement for public security, the current challenges of security agencies ensuring such access, and how such need can be reconciled while increasing overall the ability of such agencies to fulfil their missions.

————————————

Recent intelligence revelations, supreme court rulings and referendum initiatives in Switzerland and Germany are pointing to an increasing will by their elected officials and citizens to differentiate themselves from the US, China, Russia in finding ways to protect public security while concurrently protecting international human rights, at home and abroad.

In this day and age, when trust in institutions and digital technologies is at an all-time low, this may turn into a key for economy growth and positioning in the most crucial and emerging IT sectors, increase digital sovereignty, protect the democratic process, and increase their soft power globally, in a time when both China and US soft power are rapidly decreasing.

There is an opportunity for Germany and Switzerland, and other EU nations, to lead the EU and then NATO in finding new ways – more resilient and transparent ways - to reconcile the needs to enforce a constitutionally-meaningful levels of digital liberties to citizens (and elected officials, journalists and politicians!) - and the need to ensure effective cyber-investigation ability nationally and internationally to prevent grave crimes.

Swiss citizens want to mandate Swiss firms to respect human right globally

After a long process including counterproposals by Swiss public entities, we learned last month that the Swiss Responsible Business Initiative will be put to vote to the Swiss people this November. Such Swiss referendum initiative submitted in 2016 by dozens of Swiss and international NGOs to mandate that Swiss firms and international firms they control must “respect internationally recognized human rights and international environmental standards, also abroad”.

As of May 2020, ““78% of eligible voters would vote in favour of the Responsible Business Initiative”, growing from 65% last year.

The terms of the initiative would relate very much to the activity by Swiss firms that sell cyber-defence solutions (such as Crypto AG, Crypto International, InfoGuard) that may greatly compromise human rights by including backdoors that could enable some governments and other third parties to illegitimately intercept other government, firms or individuals.

The initiative text (pdf) states “Companies are required to carry out appropriate due diligence. This means in particular that they must: identify real and potential impacts on internationally recognized human rights and the environment; take appropriate measures to prevent the violation of inter- nationally recognized human rights and international environmental standards, cease existing violations, and account for the actions taken”. “The scope of the due diligence to be carried out depends on the risks to the environment and human rights. In the process of regulating mandatory due diligence, the legislator is to take into account the needs of small and medium-sized companies that have limited risks of this kind.

Swiss government refuses to reinstate Crypto International AG export licenses

Last week, the Swiss Federal Council has decided to extend blocking all pending individual export requests by Crypto International AG until the ongoing criminal investigations have been completed.  Such block extends a December 2019 suspension of the general export license mandated the Swiss Minister of Economics, Guy Parmelin, former Minister of Defense.

Crypto International AG was purchased in 2018 by the Swedish entrepreneur, Andreas Linde, during the liquidation of Crypto AG – the Swiss provider of top-security IT to 130 nations governments and intelligences, which we officially learned last February was owned by the CIA, and 50% by German BND till 1994, which created his company (for sales abroad) and CyOne for sales only to the Swiss government. The company last month decided to fire all their 80 Swiss-based staff, while the owner this week re-established the company under a new name, Asperiq AG.

How will this decision affect the image of Switzerland as a leader in IT security and privacy solutions for governments, firms and persons? What will be the principles to be applied to approve future export license requests? If they license IT services/devices that are not interceptable by allies security agencies, they risks promoting terrorism, and breaching the Wassenaar Agreements. If they license IT services/devices with backdoors, then they risk breaching the democratic sovereignty of nations and the good faith of innocent users.

Maybe our Trustless Computing Certification Body could provide an alternative?

German Supreme Court extends Germans’ humans rights to all

Following a recent ruling of the German Supreme Court, a Der Spiegel article reports that the leading German think-tank on surveillance and intelligence has suggested that the legislative enactments mandated by such ruling, include extensive strengthening and democratization of intelligence oversight mechanisms and safeguards.

Such ruling states that oversight is insufficient and it should be applied equally to German and foreign citizens, unprecedented in intelligence regulation globally. From such article:

"The study also suggests creating an advisory board to the new control council. In addition to representatives from science, civil society and the private sector, this advisory board will also include IT experts who can ensure that intelligence services control also meets the latest technical developments." "The study suggests that the proposed control architecture should ensure that the protection of fundamental rights is no longer differentiated on the basis of nationality, but "purely functional."

Why Security Agencies need new ways to ensure their top-end non-governmental targeted lawful hacking

Crypto AG was a perfect solution for law enforcement and intelligence agencies of US, Germany and Switzerland - and for the Five Eyes and Maximator alliances - until it lasted.

Long before the public revelation last February that Crypto AG being owned by CIA and German BND, state adversaries, terrorists and top criminals stopped trusting Swiss top secure IT for their most sensitive communications. With the end of the Cold War, with the progressive emergence of the truth about Crypto AG after the 1992 Hans Buehler scandal, the rich and powerful started increasingly using a wide variety of ever-changing and more complex IT systems - which such agencies do not directly control, as they did Crypto AG and similar. Many kept purchasing them for lack of less bad solutions, and because of network effect, but nearly all used them while assuming they were intercepted.

Since then, these powerful western nations have had to rely on a patch work of vulnerabilities embedded in all tech and standards, at birth, by design, with unreliable access, and severe collateral damages.

Therefore it has become much more messy and complicated for CIA, BND, Swiss Intelligence, and other intelligence agencies to carry on their legitimate work in intercepting criminals and rogue nations.

In this new Wild West, intelligence agencies have no other choice but to increase their investments and shrewdness in a race to far outcompete nations and resourced criminal syndicates as the greatest stockpilers of multiple critical vulnerabilities of exploits in ALL systems. This is achieved by trying to stay the first buyers, inserters, and stockpilers of fresh, new, and "plausibly deniable" critical vulnerabilities. 

Their legitimate hacking capability is less consistent and produces less reliable evidence and intelligence, due to the high probability of concurrent undetected hacking by multiple entities - and the fact that such systems are often designed to make forensic analysis harder rather than easier - so much so that evidence so acquired is structurally contested by highest civilian courts in Germany and France, as well as in Italy.

As highlighted by Rami Efrati, former Head of Cyber Division of Prime Minster Office of Israel, during a university lecture (from min 9.35) as a consequence of everything being broken, intelligence agencies’ legitimate hacking capability is less consistent and produces less reliable evidence and intelligence, due to the high probability of concurrent undetected hacking by multiple entities - and the fact that such systems are often designed to make forensic analysis harder rather than easier.

Often law enforcement or intelligence need to resort to parallel construction to acquire evidence that will stand in court, but at variable cost in terms of compliance to regulations.

The problem is even more significant because it is becoming ever more apparent that we cannot choose between freedom and public safety. That is because, in the process of maximizing their mission security agencies have not only eliminated the privacy of citizens and active citizens but even broken by design even the technologies, standards and certifications that are used by their own government for the most critical system to maintain a genuinely democratic regime - and therefore, in turn, public safety, favouring the fraudulent undemocratic emergence of autocratic regimes in western nations.   

Examples of that are the continued compromisation of by NSA of the US NIST standardization body, and the hacking of the US Office for Personnel Management, of western elected officials and heads of state like Angel Merkel, of the US Democratic National Committee, the terrible state of electronic electoral voting systems, and the 2016 and 2020 US Presidential elections as well as the utter vulnerability of mainstream social media networks, like Facebook, to large-scale hacking and illegal manipulations.

New Standards for Human Digital Right

Many initiatives have emerge in recent years to approve new manifesto, calls and high-level standards to improve the security of Cyperspace. The Paris Peace Call for Trust & Security in Cyberspace, the Charter of Trust, but also EU initiatives for new IT security standards, and national initiatives to improve upon those standards t.o find a competitive advantage, such as “Security made in XXX” pushed forward in Germany, Israel, Switzerland.

Following on the trails of the Swiss Digital Initiative, another Swiss public-private initiative emerge last June, Trust Valley, to promote digital sovereignty and economic development base don bette IT security. In the words of its Director, Lennig Pedron, it is aimed to "set the benchmarks for digital trust on an international scale”.

On the trails of the scandal of Crypto AG affair, these Switzerland initiatives are a necessary first step to gather build and expand consensus around the need and on a joint definition of better ways to build and assess IT security. These initiatives produced very good analysis and consensus on new principles. Yet, they did not produce yet institution and labeling that is suitable to comfort IT users - persons, companies, banks, governments - that the IT they are using is fitting to the security requirements of sensitive use cases.

Conclusions

There may be a case for Switzerland, and a few other Western nations, to turn the Crypto AG affair, from a public image and economic development disaster, into an opportunity to clearly re-establish their moral authority and soft power in digital civil liberties surveillance affairs, in the face of emerging eastern autocratic regimes, while also reaping the economic benefits of increased market trust.

Such nations could join together replace methods that worked greatly in the past and until they lasted, while concurrently improve the ability of intelligence agencies to pursue their essential mission to surveil private individuals and governments, when they have legitimate right and need to do so, under Swiss law.

They could join to lead in the creation of a new Switzerland-based international standards-setting and certification body – for secure digital communications systems and only for use by private non-governmental individuals and organizations - that will safely and transparently reconcile the legitimate cyber-investigation needs of law enforcement and intelligence agencies, with the need of meaningful privacy of ordinary and politically-exposed citizens.

Since 2015, our Trustless Computing Association and its spin-off startup have been building a uniquely accountable, resilient and independent Trustless Computing Certification Body (“TCCB”) – and an initial compliant open ecosystem, computing base and 2mm-thin human computing device – aimed to achieve radically-unprecedented levels of trustworthiness for the confidentiality and integrity of the most critical IT systems, for private non-governmental entities, while concurrently ensuring legitimate lawful access, to prevent criminal abuse. We detail such a vision in a recent blog post: From Crypto AG to Trustless Computing: a Vision for Swiss Leadership in Digital Trust.

In a September 2019 survey, carried out by Digital Switzerland, well before the Crypto AG Affair Swiss revealed that nearly two-thirds of Swiss citizens are worried about the loss of privacy online. A majority (62%) “want to see more regulation for new technologies and the Internet”. There was even support among those surveyed for ”an independent oversight body set up by the state”.

In regards to the traction of such Trustless Computing Certification Body initiative, I encourage you to review and a recent blog post, that summarises the 7th Edition of the Free and Safe in Cyberspace Conference series, that we hosted last January 29th in Zurich. As for previous edition, its only focus has been to expand the consensus around the TCCB initiative. A Pre-Conference was held the same day reserved to entities actively interested to join as founding members, adhered by Digital Switzerland, Swiss Ministry of Finance, Credit Suisse, Sberbank, Accenture, InfoGuard, ETH, SATW, and others. A new edition will be held next January 2021, still in Zurich.

Come join our moment!

Rufo Guerreschi