Manifesto for a Trustless Computing Certification Body
The world is rapidly turning into a Hacker Republic. On one hand, most political and economic power accrues to those with sustained informational and malicious hacking superiority over critical communications and AI systems, resulting in a huge asymmetry of power between them and all others and creating two classes of citizens. On the other hand, ethical hackers and whistle-blowers provide a crucial public service by reining in such power: they inform citizens and legislators through revelations about critical vulnerabilities and unconstitutional state surveillance programs, and by unearthing mass-scale crimes and frauds of the rich and powerful.
We believe that meaningful personal freedom and effective public safety in cyberspace may not be an “either/or” choice but a “both or neither” challenge, one that can be radically improved through the same kind of uncompromisingly distrustful oversight and certification processes that produced unimaginable levels of success in the safety of commercial aviation, the integrity of paper-based democratic election systems, and the security of the socio-technical systems that guard weapons of mass destruction.
Neither freedom nor safety is available today, because all or nearly all communications IT systems are scalably compromisable – even the most secure ones and the cyber-investigation tools themselves – through many critical vulnerabilities and back-doors that a few powerful nations have directly implanted or implicitly sanctioned: by hugely financing the zero-day market, by deliberately and strategically subverting key IT life-cycles, by not disclosing the vulnerabilities they find, and by deliberately promoting broken certification standards.
This state of affairs is inevitable for nearly all current systems, even highly trustworthy ones, because their technical and life-cycle complexity exceeds any sufficient verifiability by at least one order of magnitude, no matter what the budget. It is not inevitable, on the other hand, for IT systems, services and life-cycles that would certifiably implement extreme levels of transparency, accountability, oversight and ethical security review relative to complexity, for all technologies and processes critically involved: from CPU design to fabrication oversight, from hosting-facility access management to standard-setting governance.
Extreme compartmentalization, together with minimization of features and complexity in hardware and software, can economically allow radically unprecedented and consistently extreme levels of ethical security review relative to the complexity of all software, firmware, hardware and processes – including hardware design and fabrication, and hosting-room management processes – that are critically involved in a TC-compliant IT service and its life-cycle. The availability of at least one open, low-level TC-compliant computing base will in turn ensure wide uptake.
Meaningful digital confidentiality and integrity, ultimately, are not a product, a service or a process, but the by-product of the organizational and human processes that are critically involved in the use, provisioning and life-cycle of a given IT service or experience. It is therefore critical that so-called privacy-by-design and security-by-design paradigms be brought to their ultimate conclusion by requiring that IT services be trust-free, i.e. devoid of the need for, or assumption of, any unverified trust in anyone or anything, except in the quality of self-guaranteeing, transparent and accountable organizational processes that underlie all critical service and technology life-cycles and provisioning, and whose quality is recognizable by moderately informed and educated citizens.
The trustworthiness of an IT service should not be assessed according to the compliance of some of its critical components with insufficiently comprehensive, state-subverted and self-referential certification standards, nor according to reputation – as is done today under the dominant “trusted computing” model. Rather, it should be measured through trustless, fine-grained, continuous modeling and real-time transparent monitoring of all relevant technological and procedural intrinsic constraints, and of all relevant organizational, economic, liability, legal and social behavioral disincentives that might cause individuals to perform unexpected compromising actions.