Trust is an important part of the GÉANT strategy and has been identified as one of our core values as an Association. Our services use a variety of technical and policy-based trust structures to ensure that our federated services are safe, secure, and appropriate for our users. Trust is also an important part of my job and my job title – my team takes responsibility for helping to define and shape this trust, whether through compliance statements (eduroam), policy frameworks (eduGAIN), policy management authorities (TCS) or specifications (REFEDS).
Trust is a very nebulous concept – it is the belief that you can rely on something. In our community we build this trust through our interactions and engagements. Sometimes, getting to this shared understanding can be a long process: endless working group discussions, many drafts of documents, and extensive consultations are needed to make sure we have that shared belief. There are, however, many environments we work in that have pre-existing trust models and the battle for who should regulate this trust is heating up.
The internet grew out of a trust-building approach that is very similar to GÉANT's: for decades, organisations like the IETF have brought together the brightest technical and policy minds to discuss, debate, draft, and define the standards that shape the internet. The IETF has always been clear that it in no way governs the internet; its standards carry weight because they are trusted and adopted, not because they are imposed. Proponents of these approaches are robust in their defence of tech neutrality and believe that governments and politics should be kept away from internet governance.
But how neutral are the defenders of this space? Our access to the internet is increasingly being filtered through very specific windows, in the form of a small set of browser options and the prevalence of apps. These systems are normally owned and therefore governed by the five big tech companies, who all have very specific agendas and cannot necessarily be trusted to make neutral decisions but are heavily influential in the spaces where internet specifications are being defined.
A recent example of this can be found in the world of browser-trusted TLS certificates which are, on paper, governed by the CA/Browser Forum. Although the ballot to reduce the maximum lifetime of a certificate failed, the major browsers' root programmes went ahead and enforced the reduced lifetime (398 days) anyway, and certificate authorities that want to stay trusted had to follow. This is not the only way in which browser decisions are causing issues for everyday users of the internet, as Hank Nussbacher has previously written about in CONNECT. Recent changes to the requirements for S/MIME certificates are also causing significant issues because of a Western-centric approach to the process (for example, requiring organisations to have a unique registered identifier, a lack of support for different conventions for structuring human names, a poor understanding of how postal addresses are constructed in different parts of the world, etc.). GÉANT has previously expressed its concern about the governance of digital certificates and the lack of European representation in decision making.
Browsers are also making a show of getting rid of third-party cookies. On the face of it this is a good thing; the backlash against mass tracking by digital platforms and the fines levied against the big tech companies are understandable. However, carrying state for a user across sites is not inherently bad: many legitimate workflows depend on it, not least single sign-on (SSO), where a user's existing session at their identity provider has to be recognised when they arrive from a different service. The decisions browsers make around these changes may significantly impact services such as eduGAIN. The FedCM (Federated Credential Management) working group within REFEDS is trying to have a voice and influence those decisions, but we are a small voice. Maintaining any influence over the direction of internet governance decisions has become significantly harder.
Many people think that internet regulation can and should solve this problem. A recent UNESCO conference asked for a global dialogue on internet regulation and looked at a variety of important topics, such as building an internet of trust, regulating digital platforms, supporting content moderation, transparency, and supporting freedom of expression. These are important discussions, but the moves towards regulation have not achieved the desired goals. Examples include:
- The ePrivacy Directive resulted in a poor user experience, with badly implemented and confusing pop-up boxes about cookies that did not help or better inform the user.
- Many elements of the GDPR do not translate well to the very transactional nature of the internet, and technologists are struggling to implement safeguards that meet these requirements, meaning that in many places the requirements are simply being ignored.
- The eIDAS regulation has not made good progress in aligning implementations across member states, with certificates issued in one state not being accepted into the scheme in different states… invalidating the stated purpose of the approach.
- The introduction of QWACs (Qualified Website Authentication Certificates) is a very specific attempt by legislators to fill a gap they felt was left when browsers stopped giving Extended Validation (EV) certificates a distinct indicator in their user interface, but the approach has been dismissed as unworkable by many involved in the space.
So, what is the solution? Big tech companies can no longer be seen as trusted partners in tech neutrality approaches, but attempts at regulation have shown poor understanding of technical implementations and the non-geographically bound nature of the internet.
It seems that organisations such as GÉANT, that already have a strong trust framework and trust culture in place with their communities, could have a role to play here. Finding the right trust brokers and giving them a voice is paramount. We are already trying to influence and be heard in many of the fora I have mentioned in this article, but there is more work to be done if we want to preserve the service ecosystem we have built for our users.