Re: [hrpc] FCC's new Internet regulatory gambit and human rights

Vittorio Bertola <vittorio.bertola@open-xchange.com> Thu, 28 March 2024 14:54 UTC

Date: Thu, 28 Mar 2024 15:54:41 +0100
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: rutkowski.tony@gmail.com
Cc: hrpc@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/rtdGS8QSDy_dvH4KXtFrVK9HYEo>


> On 28/03/2024 15:05 CET Tony Rutkowski <rutkowski.tony@gmail.com> wrote:
> 
>  
> https://circleid.com/posts/20240327-the-fcc-cyber-trust-label-gambit-part-ii
> 
> HRPC and the IETF might wish to weigh in on this gambit - incredulously 
> promulgated under a regulatory section called "Internet Freedom."  It 
> rather makes a mockery of the phrase.
> 
> Note the FCC delegation of surveillance authority to private "CLAs" 
> based on vague references to a CFR 155 ISO/IEC standard. That's 
> remarkable non-transparency.  There are enough human rights abridgements 
> here to write a book.

I don't know what is inside this regulation, but by trying to extract the facts from the prose of the article you link, it looks like a self-certification scheme of adherence to a set of security best practices, similar to the regime just introduced in Europe by the CRA but with a more limited scope (the European regulation also applies to pure software and not just to connected devices).

We - meaning, the open source industry including anything from SMEs to the Linux Foundation - just came out of a 1-year interaction with the European Commission on the CRA. We managed to make it substantially better than the first draft, yet the regulators were firm on the fact that Internet software and devices are now a vital industry, and much like you can't distribute (not even for free) a car or a hairdryer to European customers without appropriate security certifications (the CE mark), you shouldn't be allowed to distribute insecure software.

We tried to play the card of "software as literature / as a form of free expression" but we were sort of laughed at. This is now a multi-billion euro industry and a bug in key software libraries (even volunteer-based, open source ones) can bring the entire society to a halt. The risk of underfunded, volunteer-based software projects used at large scale is just not socially bearable any more, they think; someone must take liability for their security, which needs to be based on some kind of standard practices (the EU ones will now be developed by CEN-CENELEC). On the other hand, we succeeded in making this a self-certification requirement for almost any type of software.

It looks like most countries around the world will follow suit under the same approach.

-- 
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy