Why would western security agencies gain from coming together to promote much more secure IT with a multi-national procedural "front door"?!

January 27th 2022. Today, as Trustless Computing Association and its startup spin-off TRUSTLESS.AI - with another 4 startups, selected among hundreds - we graduated from the Fall 2021 program of MACH37, the premiere and leading US cybersecurity accelerator, based in Washington DC.

The main reason we accepted to join MACH37 is the opportunity to engage even more with US diplomatic and security agencies - as we have done with European countries - to convince them of the benefits of participating as early nation-state governance partners of the Trustless Computing Certification Body (TCCB) - a new IT security certification body that we established last June in Geneva during the 8th Edition of our Free and Safe in Cyberspace.

The Trustless Computing Certification Body will certify IT systems that ensure the utmost levels of privacy AND concurrently ensure international legitimate lawful access, by applying to both problems the extreme battle-tested trustless socio-technical safeguards - such as the Seevik Pod (video) and Seevik Phone (video of PoC), being built by our startup spin-out, and future IT systems produced by others.

After an intro by Steve Weinstein, and then 6-8 minutes pitches each by the 5 graduating startups, a 50 minute Q&A Session followed by participation by about 60 people in the audience, made up mostly of VCs and US officials.

After our pitch, a few questions helped us clarify why wide adoption of TCCB and TCCB-compliant would not only benefits law-abiding citizens worldwide but all democratic security agencies, and especially early-adopting ones, that would come together to promote much more secure IT with a multi-national procedural "front door".

Here is the video link and timeline of our 8-minute video and deck presentation and replies to 3 questions

  • 00.58.35: Our 8.30 minutes video presentation with slides.

  • 01.09.00: Question 1: "How are you going to compete with Apple on mobile security?"

  • 01.12.00: Question 2: "Where is the product built?"

  • 01.19.54: Question 3: "How are you going to convince the CIA and similar agencies worldwide to come knock on a door in Switzerland if they need to hack for example a Swedish journalist?"

Given the importance of Question 3 the feasibility of our Trustless Computing Certification Body, and therefore of the Seevik Pod, we thought of drafting a longer version of the question and of the answer below.

“Assuming you can make mobile IT solutions that may not be independently undetectably hacked (remote or in presence) even by the CIA, Mossad or German BND if properly used:

  1. Are you saying that the CIA would be OK with being required to knock on a door in Switzerland to ask authorization to some international democratic multi-lateral body in order to be able to intercept someone like a Swedish parliamentarian, journalist, or a venture capitalist, that is client of you Seevik Pod?

  2. Are you saying that the FBI would knock on a door in the US and need to convince a private jury of 5 randomly-sampled US citizens, accountable to such international body (instead of a company's attorney like in Apple's case) - in order to have lawful access to the private data of a US journalist, business man or venture capitalist?”

OUR ANSWER

Yes, that that is what we are doing.

And we believe to be well on our way to convince a critical mass of nations that engaged us in 1-to-1, and joint close-doors and public events, including several relevant current and former officials from the USA and other leading allied nations.

Why are we so optimistic?

  1. First, those nations already work in a multilateral and bilateral ways to manage those issues, albeit in an obscure and complex patchwork of written and oral agreements, and de-facto practices.

    1. For example, the NSO Group, the state-regulated Israeli leader in spyware for nations in the World - recently publicly declared that it has technical limitations that prevent it from spying on US mobile numbers or mobile users while on US territory. So, similar agreements are likely in place between intelligence agencies in the US and Israel and with other allies.

    2. It is today's news that NSO Group - after being sued by 3 Big Techs, trashed by Financial Times on a weekly basis, and blacklisted by the US government (A similar story as that of Inslaw Promis in the 90s) - is negotiating a sale to a company owned by US-soldiers and the executive chairman of KoolSpan, the leading Israeli endpoint security company, Elad Yoran, practically making NSO Group "a multi-national state-controlled company that will continue to serve national security and other geopolitical interests in the Arab World.

  2. Secondly, the current way such cooperation happens creates huge collateral damages for national security, citizens’ privacy, critical infrastructure security, and the resilience of the democratic system.

    1. The evidence acquired through targeted endpoint hacking has often dubious validity, and standing in court, as it is often very hard to prove "beyond a reasonable doubt" that others may have tampered with the device or evidence. For these reasons, the supreme courts of Italy, France and Germany for years consistently refuse to accept evidence so acquired, forcing security agencies to break the law by engaging in parallel construction, while the highest Israeli officials are calling out for that problem.

    2. Firmware or software upgrades, or sophisticated tampering or behaviour by the user, makes access to user data or comms at times unavailable.

    3. The sustenance of this process and access requires those nations to ensure that all IT and standards be weakened, in plausibly deniable ways, which causes critical infrastructure and citizens communications to be vulnerable to criminal and state adversaries.

  3. Thirdly, in addition to all that, democratic nations that join as early governance partners to the Trustless Computing Certification Body, would enjoy many additional benefits:

    1. Be able access all needed data at rest or in transit on the device, if valid rationale is shown:

      1. with near certainty of actually obtaining access;

      2. within 1-2 hours if the urgency is warranted, and

      3. with much higher evidence integrity assurance.

    2. Radically increase the protection that law-abiding journalists, politicians, elected officials, political activists can enjoy against hacking by enemies "both foreign and domestic" for their communication, within and across nations, while at once having higher assurance to be able to investigate if duly legally authorized, as validated by a trustworthy democratic international body. (For example, NSO Group was allegedly abused to spy on political opposition inside Israel without judicial authorisation).

    3. Increase protection of their most sensitive governmental agencies and officials from hacks of the most democracy-critical or national- security-critical systems, [such as those involved in OPM hacks, SolarWinds, DNC hack, 2016 US Presidential election hacks, feed and recommendation sub-systems of dominant social media.

    4. By joining early on, they can have more influence control in the body's governance - than other nations that will join later to - to best ensure its continued ability to ensure both systems security and legitimate lawful access.

  4. Fourth, for a detailed case for why the US and other leading democratic nations would benefit from joining as early governance partners of the Trustless Computing Certification Body, please refer to this page on our Trustless Computing Association website.

    1. If you want to learn more about this opportunity, please reach out to info@trustlesscomputing.org and look into our plans for a 9th Edition of the Free and Safe in Cyberspace when we’ll gather other nations interested in joining such a body.

    2. Here is our 8-minute video pitch with slides to MACH37 Demo Day.

    3. If you think that only a few thousands are those law.abiding citizens that are hacked on their iPhone, we invite you to read this sobering White Paper that we have compiled with the latest information of how wide the client endpoint hacking problem is.

Rufo Guerreschi