Re: [hrpc] FCC's new Internet regulatory gambit and human rights

Tony Rutkowski <trutkowski.netmagic@gmail.com> Thu, 28 March 2024 15:21 UTC

From: Tony Rutkowski <trutkowski.netmagic@gmail.com>
X-Google-Original-From: Tony Rutkowski <trutkowski@netmagic.com>
Message-ID: <b586a69f-4dfb-4473-93a2-b525b7b89937@netmagic.com>
Date: Thu, 28 Mar 2024 11:21:37 -0400
To: Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>, rutkowski.tony@gmail.com
Cc: hrpc@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/YN9pzO7-UgSScipH8Es-uIgOT90>
Subject: Re: [hrpc] FCC's new Internet regulatory gambit and human rights

Hi Vittorio,

It is indeed a certification scheme.  It is important to encourage 
software development and deployment best practices to minimise risk.  
FIRST and the related communities have been doing this for the past 30 
years.

How this is done is the concern. Enormously complicated and costly 
bureaucratic regulatory schemes promulgated by government agencies 
driven by political objectives with criminal penalties are not useful.  
Outright banning of providers because of their origins or routing of 
traffic is known as xenophobia. Implementing the schemes through 
closed processes that require enormous resources and standards purchases 
costing thousands of Euros to participate contravenes most human rights 
acts.  Requiring costly recertification every time software or 
processing is updated will result in a reduction in patching - which is 
already occurring in some sectors.  Harmonising the regulations globally 
is almost impossible and a barrier to entry, innovation, and "software 
expressions."  Perhaps most significantly, continuing good user "cyber 
hygiene" combined with establishing risk appetite is even more essential 
to reducing risk.

Packaging this all under "INTERNET FREEDOM" seems tantamount to cyber 
fraud.  But, please read what is inside! You can just click and download 
(except if you want to know about surveillance, that will cost you 155 
Swiss Francs. :-) )

--tony



On 3/28/2024 10:54 AM, Vittorio Bertola wrote:
>
>> Il 28/03/2024 15:05 CET Tony Rutkowski <rutkowski.tony@gmail.com> ha scritto:
>>
>>   
>> https://circleid.com/posts/20240327-the-fcc-cyber-trust-label-gambit-part-ii
>>
>> HRPC and the IETF might wish to weigh in on this gambit - incredulously
>> promulgated under a regulatory section called "Internet Freedom."  It
>> rather makes a mockery of the phrase.
>>
>> Note the FCC delegation of surveillance authority to private "CLAs"
>> based on vague references to a CFR 155 ISO/IEC standard. That's
>> remarkable non-transparency.  There are enough human rights abridgements
>> here to write a book.
> I don't know what is inside this regulation, but by trying to extract the facts from the prose of the article you link, it looks like a self-certification scheme of adherence to a set of security best practices, similar to the regime just introduced in Europe by the CRA but with a more limited scope (the European regulation also applies to pure software and not just to connected devices).
>
> We - meaning, the open source industry including anything from SMEs to the Linux Foundation - just came out of a 1-year interaction with the European Commission on the CRA. We managed to make it substantially better than the first draft, yet the regulators were firm on the fact that Internet software and devices are now a vital industry, and much like you can't distribute (not even for free) a car or a hairdryer to European customers without appropriate security certifications (the CE mark), you shouldn't be allowed to distribute insecure software.
>
> We tried to play the card of "software as literature / as a form of free expression" but we were sort of laughed at. This is now a multi-billion euro industry and a bug in key software libraries (even volunteer-based, open source ones) can bring the entire society to a halt. The risk of underfunded, volunteer-based software projects used at large scale is just not socially bearable any more, they think; someone must take liability for their security, which needs to be based on some kind of standard practices (the EU ones will now be developed by CEN-CENELEC). On the other hand, we succeeded in making this a self-certification requirement for almost any type of software.
>
> It looks like most countries around the world will follow suit under the same approach.
>