TCCB Cloud
The TCCB Cloud is a set of holistic socio-technical system, supply chain and operational requirements for a private cloud system, primarily constituted of a mix of nodes running in a multi-national network of TCCB Hosting Rooms as well as on TCCB-compliant client devices.
It is an integral and essential part of the Trustless Computing Paradigms, the binding socio-technical requirements of IT systems complaint to the TCCB, that complements client-side requirements that a given IT systems ensures radically unprecedented levels of confidentiality and integrity, while concurrently ensuring prompt, safe, in-person and secure legitimate lawful access, national and international.
The Seevik Cloud is insetad the name of an initial private cloud compliant to TCCB Cloud requirements, that will be built and enacted as part of Seevik Net by TCA and the Cofounder Partners of the TCCB and Seevik Net Initiative, comprised of no more than 7 globally-diverse states, 2 IGOs and 2 neutral INGOs.
Triple Aims
TCCB Cloud aims to radically increase its users’ digital rights while also increasing security agencies’ cyber-investigation capabilities. It aims to achieve radically unprecedented and constitutionally-meaningful levels of citizens' actual and perceived trustworthiness of the following:
(A) their data is not copied, erased, or modified by unauthorized parties;
(B) their data is not accessed, analyzed, logged, and manipulated happens except, according to set rules;
(C) their data is securely deleted as requested by the user.
Aims to defend even against the most sophisticated threat actors, private and public, including local and foreign state agencies, that may be interested in illegitimately copying, erasing or modifying such data-driven by motives that are political or financial.
Means
TCCB Cloud will reach such levels of trustworthiness by complying with the Trustless Computing Paradigms via:
(A) Oversight via randomly-selected citizens acting as citizen-jury and citizen-witnesses, and possibly randomly selected elected public officials;
(B) Use in the critical stack only endpoint IT security technologies and cryptographic protocols and that is state-of-the-art, battle-tested, open, and extremely security-reviewed in relation to complexity;
(C) Continuously standardized and certified by a new international body, whose governance ensures very high accountability, competency, and resilience against state pressures.
Process to Vet Lawful Access Requests
TCCB Cloud regulates a cyber-social system that is meant to be used for the storage and access management of integrity- and confidentiality-sensitive data of citizens, including communications data and metadata, social media interactions, transactions, personal, location, health data.
Providers of the TCCB Cloud will not only implement and improve on state-of-the-art technical, procedural, and socio-technical arrangements but also ensure that critically involved servers and access mechanisms will utilize TCCB-compliant systems and processes. Partial temporary encryption keys are mandatorily saved daily to a redundant set of hosting rooms, whose physical access is under the direct management, certification, and oversight of TCCB.
The Providers has no way to direct the actions of such Jury, nor to overwrite its decision. In their primary function, the Jury will not be evaluating the validity of motivations of the lawful access authorization, which could not be legally disclosed, but only its authenticity.
While extensively implementing open source and battle-tested decentralized, peer-to-peer and end-to-end protocols and technologies, all Providers of TCCB-compliant IT systems will be required to mandatorily store all sensitive user data and code in such a TCCB-compliant private cloud system, which will be comprised of at least 4 TCCB hosting rooms, that will:
(A) be located in at least 4 different states that are Cofounder Partners of the TCCB and Seevik Net Initiative and are part of at least 2 different military/intelligence alliances, one of which include the (somewhat) neutral state that will be hosting the headquarters of TCCB.
(B) deploy state-of-the art technologies and human processes, substantially exceeding the highest military, civilian and banking international standards and practices;
(C) use only TCCB-compliant endpoints for its servers' hardware and software, and for their physical access management systems and devices;
(D) are accessible only physically, and after the explicit approval of 5 or more random-sampled citizens of the host country and a local attorney, to manage for national and international lawful access requests.
While TCCB and one TCCB Hosting Room the will be subject to the laws of Switzerland (or possibly other hosting state that will offer more protection, autonomy and possibly some immunity status) each TCCB Hosting Room will be (of course) subject to the laws of the states where they'll be located. In some cases, this will mean having to comply with governmental executive decisions without any meaningful judicial oversight.
States that join as Cofounder Partners may choose to locate a TCCB Hosting Room in their territory and, together with Governance Parners, are guaranteed the ability to submit a lawful access request directly their local TCCB Hosting Room (for "local" requests) or to the TCCB (for "internatioanl" requests). These will be processed according to the TCCB Cloud requirements, as overseen by the TCCB and the host states, as follows:
If the access request is by the local government - and it is in reference to (a) personal computing of one of their citizens, or (b) communications between their citizens, or (c) between foreign citizens while both present in their territory - then such request will be:
vetted by a TCCB Jury in their respect of judicial "due process" (not in the evidence) which will act as both citizen-jury and citizen-witnesses. The jury will be made of 5 or more local random-sampled citizens (and 2 possibly random-sampled parliamentarians), plus a vetted local attorney. Every 3 months, 15 are sampled and instructed. When the need arises, 10 are randomly called, as soon as 5 arrive, the process can begin.
If the request is approved by the TCCB Jury, a specific process will be followed allow access to specific users’ data and/or keys according to the approved part of the request.
For requests that are for communications among certain level of state officials of a certain high levels, it is faculty of the host states to specify in full autonomy a different process that may include, for example, 5-random sampled state officials or elected officials (or even 5 members of the ruling royal family) and just communicate it to TCCB.
If the access request is by a foreign government, - and its is not in reference to (a) personal computing of a local citizen, or (b) communications between local citizens, or (c) between foreign citizens while both present in their territory - then such request will be:
vetted by a TCCB Judicial Board, made of 15 recognized experts in international law, civil rights, and public security, who have been, sometime in the past, elected or appointed to high offices, such as a leading international court, the highest court of a large democratic nation. Deliberation by such members will happen remotely using TCCB-compliant devices to provide the utmost confidentiality safeguard of the submitted evidence being analyzed. The Board decision will assess the “legitimacy” for each request by evaluating the provided and autonomously-acquired evidence to determine to what extent the request (A) complies with the national legislation where TCCB is based (Switzerland currently), and (B) it maximizes:
Compliance to and promotion of international civil rights and civil rights norms.
Promotion and protection of international security and safety.
Complies to laws and constitutions of the jurisdiction of the requesting state or international institution, and that of the user that is target of the request.
If the request is approved in full or in part by the TCCB Judicial Board, then the TCCB Jury will be instructed and ordered to allow access to specific users’ data and/or keys according to the approved part of the request.
General Legal Context
TCCB Cloud is compliant with the current laws of Switzerland, and several EU and non-EU nations, and it is conceived to radically mitigate the risk that state practice in sensitive cases could sometimes or often deviate from laws or constitutions.
Nowadays, lawful access of digital communications of citizens is subject to within a nations’ laws (some based on executive authority, and some requiring judicial branch approval) and across nations via treaties (such as Multilateral Legal Assistance Treaties), and formal and informal arrangement among police and intelligence, most to obviate to the length of MLAT processes.
Private firms can receive requests from their national government or from foreign governments, and sometimes they are subject to contradicting laws if their HQs are in one nation and a given data center in another. TCCB will be into all existing treaties and laws.
Detailed TCCB Cloud Requirements
A Provider of the TCCB Cloud will certifiably abide by the following requirements as prescribed by an international highly independent, expert, and citizen-accountable body, the Trustless Computing Certification Body ("TCCB"):
Shall set up and manage a server-side infrastructure composed of 4 TCCB Hosting Sites replicated in 4 nations of different military/intelligence alliances. Each TCCB Hosting Site is comprised of 3 rooms, each one physically adjacent to the other:
A Storage Room, where all integrity- and confidentiality-sensitive data is stored.
A Software Room, where data from the Storage Room is subject to advanced, complex, and sophisticated big data analysis, including artificial intelligence.
A Human Room, where all data analysis and manipulation will be performed by authorized individuals and entities. Access to the Software Room and Storage Room will be only from the Human Room.
Shall ensure that physical access to the Human Room by anyone is conditional on the physical presence and approval of TCCB Jury, accountable to the TCCB, acting as citizen-jury and citizen-witnesses, which jointly will constitute the committee:
For every request of lawful access, the committee would evaluate the motivations of the lawful access authorization, which could not be legally disclosed, but merely the authenticity and validity of civilian court orders, and the absence of blatant unconstitutionality of other supposed legal authority or executive orders.
Shall enable the committee to launch a "Scorched earth procedure" with plausible deniability, by allowing a qualified majority of them – in cases of extreme abuse attempts and "fire hose" attacks – to physically destroy all sensitive data in the hosting room, and cause such data to remain available only in the remaining Storage Rooms in other nations.
May use secret sharing cryptographic techniques, threshold cryptography, or other similar advanced but highly battle-tested protocols to enable 10 or more citizen-witnesses participating via video stream to also approve; therefore, adding an additional redundant layer of security.
Shall offer the service only whereby TCCB Hosting Sites are located in at least 4 different nations. All data-at-rest encryption keys will be shared between the 4 TCCB Hosting Sites so that even if, through unconstitutional or illegal action, attackers prevail in one nation, they would only have 1/3 of the keys required unless they prevail also in at least 3 other countries. Encrypted data backups are replicated among the Sites to increase unerasability. Eligible nations where Hosting Sites can be located will be such that:
the service can be offered as a service that is not subject to state mandatory lawful intercept or access legislation (such as those typical of phone operators under EU ETSI-LI standards or US CALEA);
mandatory key disclosure, and other legislation, or known practices, do NOT make it illegal to withhold access (with or without gag order) to warrant-based or state-security-based government requests, that may be believed by involved citizen-witnesses to be illegal or unconstitutional;
liability for citizen-witnesses, provider staff or attackers (both state and non-state actors) for malicious or gravely negligent breach of the laws or regulations are substantial and proportionate to the harm caused.
they are not part, formally or in practice, of the same first-degree military or Intelligence/Surveillance alliances (Five eyes, etc.);
when and if a nation does not comply anymore with conditions (i) to (iv) above, then the Provider must notify give a choice to each individual user to either (a) agree to transfer such services to other nation where it is legal; or (b) turn off such server-side services.
Shall ensure that critically involved servers, and room door access mechanisms, will utilize only TCCB-compliant systems. All remote admin access is physically disabled.
Shall enable security review via two complete and always updated replicas of TCCB Rooms available for verification by private or state entities or individuals who might reasonably argue to be among the 200 most competent to do so in the World.
Shall have a technological limit in the maximum number of users, and percentage of total users, whose personal data or keys may be extracted within a given time frame, which is proportional.
Shall utilize the highest precautions to minimize leakage of non-public information related to the lawful access requests, through video and other oversight processes.
Shall, in addition to the above, that state-of-the-art technical, procedural and socio-technical safeguards will implement, which do not contradict the above.
For Governmental Use
National democratic governments that want to provide directly, or through private companies based in their territory, TCCB-compliant IT services for use by their own government officials, elected officials, politicians, political parties, and sensitive e-government systems - such as e-heath, or e-participation - will be allowed to set up a compliant National TCCB Hosting Site in their country, with an additional TCCB Jury made of citizens from such country. This way, any lawful access requests from such nations’ judiciary or security agencies will be assessed for legality by a jury of their own citizens, rather than rely on the TCCB Judicial Board and TCCB Juries in other nations as per the regular TCCB process.