The Hidden Danger in the Web contract for Berners-Lee

World Wide Web creator Tim Berners-Lee has well-known concerns about the state and future of the Internet. He fears that a technology developed to offer universal access to free information has developed a distinct dystopian miasma that could simply get worse without being controlled. The main culprits are excessive government monitoring and wilful collection of corporate personal data.

In response, Berners-Lee has released a Web Contract (PDF). It has been one year and 160 organizations, including the Governments of France and Germany, have already supported it. This aims to make the Internet a more accessible and trustworthy tool.

The contract consists of three sections, which describe the responsibilities of governments, companies and the public. There are three basic principles in each chapter. Government and business principles focus on providing and maintaining universal internet access, and protecting user rights and privacy. Citizens ‘ responsibility is to treat the web well, to’ respect the civil discourse and the dignity of humanity’ and, if need be, to’ fight for the web.’ Companies are also responsible’ for developing the best technologies in the humanity and for challenging the worst.

In this contract there is noticeably nothing politically open. No attempt is made to ban countries in cyberspace targeting other nations or using cyber warfare for military or political secrets. Nevertheless, national governments have nothing to prohibit from stockpiling zero-day vulnerabilities for offensive or defensive purposes-which is probably the main reason for the Microsoft proposals first for’ conduct requirements,’ and then for little approval of the Virtual Geneva Convention.

Likewise, no attempt is made to prohibit governmental oversight of its own or other citizens except that such oversight should be legal, proportionate, temporary, and subject to judicial review. Because national security drops and many of the majority of the privacy material is already enshrined in State, national and international law (such as the GDPR and the CCPA), the Contract should not be easily accepted by governments.

It’s not going to be that easy, however. Although there is little openness in political content, many provisions remain, which will cause great difficulties for each country. There is an implied condition (Principle 2, “Keep the internet all the time available,”) that the Balkanization of the internet be prevented. Russia and China will not accept this, and of course Iran, North Korea and other countries. Also nations like the United Kingdom would find it difficult to comply with its ISP filtering for websites like The Pirate Bay.

Furthermore, governments should refrain from interfering with geopolitical enemies ‘ elections— not because this is a political act, but because it involves anti-intimateand security activities (voters). This is unlikely in the current geopolitical atmosphere.

No enforcement method 

Clearly there will still be more gain, even if the government does not comply with its three principles, if businesses and individuals comply with the other six principles. But even here, we must wonder whether this is probable. There is no immediately apparent method of enforcing the contract as a potential weakness. This means that organizations can subscribe to the ideals publicly and ignore them impunity in privacy. The contract promotes a misconception of security without the ability to call such companies into account–users will believe that a service protects their privacy, while it is not in reality.

The obvious examples are Google and Facebook. While many foreign law, particularly GDPR, already requires them to comply with many of the principles of the Treaty, they are repeatedly called upon to commit transgressions by both security researchers and government agencies.

Last week, Amnesty International described Facebook and Google as “the predictive models of human rights abuse.” Amnesty Internationally described these business models as “inherently inconsistent with the right to privacy.” The Contract states in Principle 5 that businesses “Respect and protect the privacy of individuals and personal data for the purpose of building digital trust.”

In July 2019, the famous FTC fined Facebook $5 billion for disappointing privacy disclosures following a survey triggered by the Cambridge Analytica scandal.

It became clear earlier in November 2019 that Google provided 50 million U.S. reports of healthcare from Ascension. Google argued that all was legal, but without the consent of its owners, the health records were transferred. Paragraph 1 of Principle 5 states that “People’s privacy will be supported by giving people a control over their privacy and data rights, with clear, meaningful controls on their data and privacy processes.” “The’ internet contract’ from Berners-Lee is a praiseworthy achievement, but compliance always will be a problem,” Thomas Hatch, SaltStack CTO and Co-Founder told SecurityWeek. Hatch subscribes to the common but alternative view that because technology is the fundamental cause of problems, technology must also find solution. “Moral contracts are notoriously hard to implement, and therefore this could sound like an’ pie in the sky ‘ idea.”

“A real remedy for the Internet,” he added, “is more likely to come by technical means— a mix of instruments and technical restrictions that deter wrongful actors. Reliance on human compliance and on the goodwill will work at first but will eventually become exhausted over time. Without adequate web enforcement, companies can publicly support and ignore it privately-and the user will be the loser. It would be great if over time it had been proven wrong.

SecurityWeek asked the Web Contract to respond to these concerns but did not receive a response. If you obtain one, it is attached to this post.