The ultimate solution to provide ultra-high assurance IT privacy and security
while still ensuring due cyber-investigation capabilities.
AIMS: The CivicRoom is a revolutionary IT standard, conceived as part of the Trustless Computing Initiative, to build and manage hosting rooms for ultra-high-assurance end-to-end IT services, in a way that both maintains radically unprecedented, constitutionally-meaningful levels of assurance and guarantees a prompt capability to execute lawful access orders authorized by civilian courts. (These would be extended to military courts (FISA courts) for service providers that choose to host the service and/or their headquarters in the USA.)
HOW: All IT services certified by the Trustless Computing Certification Body, such as those of our spin-off startup TRUSTLESS.AI, will provide a mandatory key recovery service to all their customers, in order to best ensure trustworthy handling of user data in case of a user's death or loss of passwords, as well as a way to comply with legal AND constitutional lawful access requests. Although the technical architecture is pure P2P, partial temporary encryption keys are nevertheless mandatorily saved daily to a redundant set of hosting rooms, CivicRooms, whose physical access is under the direct management, certification and oversight of an international Trustless Computing Certification Body (TCCB). The validity of civilian court orders, AND the absence of blatant unconstitutionality of any other supposed legal authority or executive order, will be evaluated on-site by a trained citizen-jury-like body, assisted by expert legal counsel. The IT provider would have no way to direct the actions of such a jury, nor to overrule its decision. The supply chain and operations of such CivicRooms will be subject to radically unprecedented technical and organizational safeguards that guarantee both users' rights and the crucial needs of public security agencies. In their primary function, the citizen-jury would not evaluate the motivations of the lawful access authorization, which could not legally be disclosed, but only its genuineness.
WHAT: The CivicRoom is a dedicated server hosting room inside the CivicLab, where all TRUSTLESS devices are assembled and users are authenticated. It is set up and managed by a CivicProvider, a certified provider of services. Its primary function is to guarantee the integrity of the code repository of all certified devices, as well as of all code and sensitive server-side equipment involved in the entire lifecycle and supply chain of a CivicService. It also hosts all privacy-sensitive services.
SAFEGUARDS: It implements hosting room access-control management with extreme socio-technical safeguards that provide constitutionally-meaningful protection against remote or onsite attacks by even the world's most powerful and determined entities, state and non-state, including insiders. In addition to state-of-the-art high-assurance hosting room access arrangements, it will overwhelmingly shift the risks from remotely-exploitable technical systems to onsite organizational processes. A key provision, for example, is that remote admin access is permanently disabled, and physical access by anyone is conditional on the physical presence and approval of at least 5 randomly-selected citizen-witnesses, in addition to 2 system administrators.
DETAILED SAFEGUARDS OF THE CIVICROOM:
- provides dedicated urban street-level spaces, or CivicLabs, where all TRUSTLESS devices are publicly assembled, verified, flashed, and transferred to their users. Each will be street-facing on a crowded urban street and subject to 24/7 high-assurance live-streaming oversight and monitoring.
- provides a server room, or CivicRoom, located inside a CivicLab, where all privacy- and security-sensitive code, CivicLab equipment and customer registration data must be hosted. Its physical access, for any reason, will be subject to extreme access-control socio-technical processes:
- Shall be subject to provider-managed, extremely high-assurance, public and transparent hosting room access management procedures that are standardized and certified by an international, independent and citizen-accountable body, the CivicAuthority.
- Shall disable remote admin access; physical access by anyone is conditional on the physical presence and approval of at least 5 randomly-selected citizen-witnesses, in addition to 2 system administrators, through dedicated keypad locks (CivicLocks). Citizen-witnesses are entitled to record anything and to ask for a dump of all code before and after. Shall deploy only TRUSTLESS-compliant servers.
- Shall use secret sharing cryptographic techniques, threshold cryptography, or other similar advanced but time-tested protocols (in addition to such offline authorization procedures) to enable 10 or more citizen-witnesses participating via video stream to also approve, thereby adding a further redundant layer of security.
- Shall enable audit of one or more complete replicas, including CivicRoom and end-points, for verification by anyone who can substantiate even a low to moderate capacity to do so.
- Shall allow any willing provider to offer different CivicRoom and TRUSTLESS service provisioning modes, which respond to a limited range of different legislative regimes, and ethical and political approaches on how best to promote citizens' civil rights and safety. These include different opinions on the ethical necessity and/or technical safety of providing, or not providing, either of the following: (A)
- Shall provide "remote attestation" to guarantee to a user that its interlocutors' devices have not been insecurely modified. For example, the entire local archive of a highly-private mailing list of a frontline political activist group, or of the top executives of a corporation, may be totally jeopardized if only one of their interlocutors applies the wrong software modification.
- Shall maintain copies of time-limited encryption keys of the data or metadata of users, or of each user persona, in order to provide socio-technical systems with extremely careful safeguards that enable the highest user control and security in data recovery in the scenarios of user death or loss of password, as well as enabling constitutional (no more, no less) lawful access, that allows for voluntary compliance (i.e. in addition to what is required by all relevant laws) with limited and targeted due-process lawful access requests, with extremely careful safeguards. Such access will be subject to these additional extreme safeguards, and more that will be developed during R&D:
- Shall enable the CivicRoom citizen-witnesses to launch a "Scorched earth procedure" with plausible deniability, which allows a qualified majority of such citizen-witnesses, in cases of extreme abuse attempts, to physically burn all sensitive data in the hosting room and trigger a system update to all CivicDevices that turns them into P2P devices, transferring hosting-room services to UVST onion routing hidden services. CivicRoom service may then be restored in a different country.
- Shall be offered only after the service has been used successfully and without breach for 6 months in publicly-accessible pilot deployments, with real data, that involve highly-sensitive communications by state employees and officials, as well as by highly expert ethical hackers. Such pilots will aim to ensure that such communications are, on one side, not subject to undetected illegal espionage and blackmail by even low- or mid-level threat actors, while on the other, they are interceptable when mandated by a court warrant.
- Shall offer the service only where Provider, CivicRoom and end-user are located in at least 2 different nations. All encryption keys of all security- and privacy-sensitive data will be shared between the 2 CivicRooms, so that even if, through unconstitutional or illegal action, attackers prevail in one nation, they would only have half of the keys required, unless they also prevail in the other country. Eligible nations will be such that:
- (1) the service can be offered as a service that is not subject to state mandatory lawful intercept or access legislation (such as that typical of phone operators under US CALEA);
- (2) mandatory key disclosure and other legislation, or known practices, do NOT make it illegal to withhold access (with or without gag order) to warrant-based or state-security-based government requests that the involved citizen-witnesses may believe to be illegal or unconstitutional;
- (3) liability of citizen-witnesses, provider staff or attackers (both state and non-state actors) for malicious or gravely negligent breaches of the laws or regulations is substantial and proportionate to the damage done;
- (4) they are not part of the same first-degree military or intelligence/surveillance alliances (Five Eyes, etc.);
- When and if a nation does not comply with conditions (1) to (4) above, then the Provider must give each individual user a choice either (a) to agree to transfer such services to another nation where it is legal, or (b) to turn off such server-side services.
- Shall have a technological limit on the maximum number of users, and percentage of total users, whose personal data or keys may be extracted within a given time frame;
- Shall utilize the highest precautions to minimize leakage of non-public information related to lawful access requests, through video and other oversight processes.
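The witness-approval provision (threshold approval by 10 or more remote citizen-witnesses) and the two-CivicRoom provision (each nation holding only "half of the keys") both rest on secret sharing. The following Python is an added illustration, not CivicRoom or TRUSTLESS code: it implements Shamir's threshold scheme over a prime field (the prime and all sample values are assumptions) and shows why any set of shares below the threshold carries no information about the key.

```python
import secrets

# Assumption: a Mersenne prime large enough to hold a 256-bit key as one field element.
P = 2**521 - 1

def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with the given coefficients, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split(secret, n, t):
    """Split `secret` into n shares (x, y); any t of them reconstruct it."""
    assert 0 <= secret < P and 1 <= t <= n < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def interpolate_at(points, x0):
    """Lagrange interpolation mod P: value at x0 of the unique polynomial of
    degree < len(points) passing through `points` (all x must be distinct)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def reconstruct(shares):
    """Rebuild the secret from t shares: the polynomial's value at x = 0."""
    return interpolate_at(shares, 0)

def extend_to_any_secret(partial, candidate, n):
    """Given fewer than t shares, build a full n-share set that agrees with
    `partial` yet reconstructs to `candidate`. Because this works for every
    candidate, t-1 shares (one CivicRoom alone, or too few witnesses) carry
    no information about the real key."""
    points = [(0, candidate)] + list(partial)
    return [(x, interpolate_at(points, x)) for x in range(1, n + 1)]

if __name__ == "__main__":
    key = secrets.randbits(256)            # constructed sample key
    witnesses = split(key, n=10, t=7)      # 10 remote witnesses, any 7 approve
    room_a, room_b = split(key, n=2, t=2)  # two CivicRooms in two nations
    print(reconstruct(witnesses[2:9]) == key, reconstruct([room_a, room_b]) == key)
```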
LEGALITY OF THE CIVICROOM
Is it legal to selectively decide to comply with lawful access requests to the hosting room? On a passing analysis, it appears that the process described above for compliance with lawful access requests is legal in several EU member states.
IN ITALY: (Preliminary Analysis) In Italy, after a deeper analysis, it would appear initially that it would be illegal not to comply with a court warrant or with a request from the Dipartimento Informazioni per la Sicurezza authorized by the local "procuratore generale". Such non-compliance is "resistance to a public official" (art. 650 of the Italian penal code), amounting to a few hundred euros; a record may also be inscribed in the Citizen Criminal Record (with consequences for a few public staffing application requirements and a few other nuisances). But that is the case unless the citizen can demonstrate that he did not comply because he had valid suspicions that an illegal or unconstitutional act was about to be committed. The citizen-witnesses will be sampled with techniques similar to those that guide the creation of high-profile citizen juries in the US judicial system, in order to exclude citizens who may be in a position to substantially fear the consequences of such a mark on their Citizen Criminal Record. Theoretically, a citizen-witness may be accused of "favoring" a criminal (art. 378 of the Italian penal code), with dire criminal consequences, but motive needs to be established, which evidently does not apply to the CivicRoom case.
IN GERMANY: (To be analysed) In Germany, in broad terms, there are no mandatory key disclosure laws for either law enforcement or state security needs, nor other laws impeding the legality of the CivicRoom process.
IN SWITZERLAND: (To be analysed)
LEGALITY IN THE USA?: (ongoing) After 9/11 the US legislature has gradually legislated former "extensions" of Presidential executive orders that brought large-scale abuse of citizens' privacy everywhere. Currently any subject that is able to provide access to data or encryption keys considered to be of national security interest, even without a civilian or military court order, is mandated to comply and is subject to a gag order. As opposed to the Italian scenario above, where an "intention to hide a crime" needs to be substantiated, under current US law and practice any breach of that is automatically a federal crime. A solution may be the case in which a majority of the citizen-jury, believing that a blatantly unconstitutional act is being committed, could "accidentally" type the wrong password. If a majority of jurors make such a mistake, all crypto keys are physically burned in the CivicRoom, and the agency cannot prosecute because it cannot be shown beyond a reasonable doubt that any of those citizens did anything other than make a mistake. But even if that worked, maybe the company that conceived, enacted or installed such a system could be prosecuted for some reason?
NEED & FEASIBILITY OF INTERNATIONAL DECISION MAKING: The Trustless Computing Certification Body could enter into an agreement with the International Criminal Court which basically founded it), in which the Body pays the ICC a moderate amount per year to evaluate within 2 hours whether the submitted lawful access request documentation complies with international standards. But then the ICC would only take into account the international civil rights regime, which mostly ignores the societal need for public safety and national security. Therefore such an agreement could be extended to both the ICC and Interpol, which would jointly make the call.
Bill Pace, Exec. Dir. of WFM, the convenor organization of the International Criminal Court, came to talk about such prospects at our Free and Safe in Cyberspace event in New York in 2016.