* Although some progress has been made in fighting the infowars, much remains to be done; the effort tracks a moving target. There is, however, cause for optimism that the fight can be won.
* At present, the new information world is in a state of chaos that is only slowly being resolved. Core issues include data security, data rights, and control of disinformation.
The first thing that can be said about data security is that citizens will obtain strong encryption; the technology is there, and the case for it is solid. Although there will be restrictions on the right to strong encryption, nobody will be selling smartphones with backdoors built into them. Indeed, vendors have a strong need for an IDSCO to certify that they don't; anybody who doesn't have certification won't sell product.
It should be noted that in 2021 it was revealed that AMON, a secure smartphone system used by criminal networks, turned out to be under the control of international law enforcement, resulting in a wave of arrests. The busts underscored the reality that law-abiding citizens, with a clear need for data security, should not be forced to rely on bootleg software that may be weaponized against them; if the authorities can run a con, so can criminals, criminals being good at cons.
Citizens should instead have robust encryption tools that have been validated by an IDCSO -- with such an organization mandated under an international data rights treaty. The treaty should also ban the unwarranted government use of "spyware" against citizens, an issue underlined in 2021 when spyware named "Pegasus" from the NSO Group was linked to efforts by heavy-handed governments to suppress dissidents.
As far as dealing with the bad actors infesting the global internet, commercial and government data security operations have become more adept at detecting them and taking them down, but the challenge remains. There's a question of improving data-security technology, but there's also a question of education: ransomware attacks have often been against businesses whose data-security procedures were weak to the point of nonexistent.
Along with education, there's a need for changes in culture; for example, limiting insurance awards for damages from ransomware attacks if the business did not have a credible data-security plan. It may be useful to develop AI systems that can warn users of possible threats and propose corrective actions.
* The other side of the coin to data security is the creation of standardized and robust multi-factor E-ID systems. In 2024, as a major example, the EU kicked off an effort to establish a "Digital Identity Wallet (DIW)".
Estonia was a notable pioneer in E-ID, Ukraine has become dependent on Diia, and India has its Aadhaar -- but they are all national E-ID systems that don't work across borders. From 2021, EU lawmakers pushed to develop a single ID system that covers the entire European Union, with the effort going into full gear in 2024. EU countries are expected to issue the first DIWs by the end of 2026.
Europeans will be able to download a wallet app to their smartphone or other device, and use it to store and selectively share credentials when they need to verify their identity or prove their age. The wallet will work both for ID checks online and in the material world. It's also intended as a digital repository for official documents -- such as a driver's license, medical prescriptions, educational qualifications, passports, and so on. Legally binding e-signing functionality will be supported, while online services will be obliged to accept the Pan-EU credential; the DIW will support secure online transactions. In addition, it will perform signup validation for social media, helping to screen out trolls.
Another big EU digital policy push is focused on removing barriers to the sharing and re-use of data, across both external and internal borders, by setting up infrastructure and rules for "Common European Data Spaces". A universal EU E-ID that promises citizens privacy and autonomy could enable greater and more efficient info-sharing -- while leaving users with control of what data they share and who they share it with. For example, it could give citizens a means to share their verified age but not their identity, allowing a wallet app user to sign into an age-restricted service anonymously.
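The "share verified age but not identity" capability described above rests on selective disclosure: the issuer signs only salted digests of the claims, and the wallet forwards the signed credential together with the salt and value of just the claims it chooses to reveal. The following is an added illustration of that principle, not code from the EU DIW project; it stands in for the issuer's public-key signature with an HMAC under a constructed key, and the claim values are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-in for the issuer's signing key. In a real wallet
# the issuer signs with a private key and verifiers hold the public key.
ISSUER_KEY = b"constructed-issuer-secret"


def _digest(salt: str, name: str, value) -> str:
    # Commitment to one claim: a hash over (salt, name, value). The salt
    # stops a verifier from guessing undisclosed claims by brute force.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue_credential(claims: dict) -> tuple[dict, dict]:
    """Issuer side: return (signed_credential, disclosures).
    The signed payload carries only the salted digests, one per claim,
    so it reveals nothing about the claim values by itself."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    payload = {"iss": "constructed-issuer", "_sd": digests}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder (wallet) side: forward the signed credential plus only the
    disclosures the user chose to reveal; the rest stay on the device."""
    return {"credential": credential,
            "disclosed": {n: disclosures[n] for n in reveal}}


def verify(presentation: dict) -> Optional[dict]:
    """Verifier side: check the issuer signature, then check that each
    disclosed (salt, value) pair hashes to a digest the issuer signed.
    Returns the revealed claims, or None if anything fails."""
    cred = presentation["credential"]
    body = json.dumps(cred["payload"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None  # credential not issued by the trusted issuer
    signed_digests = set(cred["payload"]["_sd"])
    revealed = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in signed_digests:
            return None  # claim was altered or fabricated by the holder
        revealed[name] = value
    return revealed
```

An age-restricted service receiving such a presentation learns only the disclosed claim and the fact that a trusted issuer vouched for it; the name and date of birth never leave the wallet.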
The EU Digital Identity Wallet proposal was adopted by the European Commission in the middle of the coronavirus pandemic, when apps that could display a person's COVID-19 vaccination status were a high public priority. One issue that came up at that time was that tech giants such as Apple and Google set their own rules on how COVID-19 exposure notification data could be exchanged. With the EU DIW, everyone has to obey the same rules.
The EU introduced the "Digital Identity Regulation" in 2024 to ensure development of a secure technical architecture, common standards, and specifications for the DIW. A common EU Toolbox was set up, the EC published an architecture reference, and code was released as open source. Further work will flesh out the DIW system. The EU expects the DIW to be fully established among the almost half-billion citizens of the EU by 2030 -- which, considering the magnitude of the task, is not that far away.
* The USA is not nearly as far along in E-ID. In 2021, the US Congress did pass a "Digital Identity Act (DIA)", which proposed a set of measures toward a national E-ID system, including setting up a national task force to investigate the concept; mandating the National Institute of Standards & Technology (NIST) to develop appropriate technical standards; and providing funds to the Department of Homeland Security (DHS) to determine how to manage adoption of E-ID.
The DIA did not mandate E-ID, but established a framework for it. A number of US states have introduced E-ID apps; state and Federal governments have also gone to a commercial ID operation named "ID.me" to prevent welfare, entitlement, and tax fraud. Although ID.me proved successful, adoption of the system was not at all smooth, with many welfare recipients spending days trying to get validated. The rush eventually ended and operations became smoother. We're still stuck with a patchwork system instead of national E-ID, but we're getting there.
We can't have online security until every American has E-ID. Once we have it, we will be able to perform all legal transactions online, or for that matter securely vote online. That would neatly bypass the difficulties of the 2020 US election. It would also be nice to be able to access any formal records -- birth certificate, military discharge, vaccination records -- online, without having to access paper copies.
There are protests against E-ID systems, on the basis that they pose a huge threat to privacy. Yes, but right now we're worse off, given that we have fragmented ID systems and personal information scattered all over the internet, with very little security. "Identity theft" remains a problem. With a robust E-ID system, citizens would be the owners of their accounts, with the government having limited access without a warrant, say to conduct a census -- which would be easy with the E-ID system. Security would still be an issue, but clearly not as much as it is now, and the personal benefits would be substantial. Of course, national and regional E-ID could lead to global E-ID, with an international, interoperable E-ID network specified as part of a global data rights treaty.
* As for data rights, in 2018 the EU established the "General Data Protection Regulation (GDPR)", which defined how businesses were to handle the personal data of European residents. The rules covered almost everything that could be linked to an individual: addresses, charge card numbers, travel records, web search history, computer ID codes, biometric data, and so on. Major requirements under the GDPR included:
One thing it did not cover were proposals that consumers be given compensation for use of their personal data. In a sense they were, through the discounts and such provided by loyalty card programs. Analysis showed that the value of the personal information of any one consumer was not very great -- but people like discounts, and the idea of compensation deserves to be investigated further.
As for rights of government surveillance, government agencies could process personal data without consent if there was a "national security," "defense," or "public security" concern -- terms the regulation did not define. However, national and international human-rights laws still applied to any such intrusive handling of data. That implied little or no change in the status quo for democratic governments, but left the ugly issue of misuse of surveillance by authoritarian governments as something to be discussed in the future.
The GDPR led to the EU "Electronic Commerce Directive 2000", which covered many of the same issues, adding a focus on coordination between EU states. It was essentially a basis for discussion. Discussions led to the authoritative "Digital Services Act (DSA)" and the "Digital Markets Act (DMA)".
DSA was intended to impose order on the hodge-podge of national regulations that had arisen across the EU. DSA required that most online platforms feature:
The requirements were tougher for online platforms that had at least 10% of the EU population in their user base. These "very large online platforms" had to give users the right to opt out of recommendation systems and profiling, share key data with researchers and authorities, cooperate with crisis response requirements, and conduct external and independent auditing.
The DSA maintained the EU rule in which companies that hosted others' data were not liable for the content -- unless they actually knew it was illegal, and on finding out it was, did not remove it. This "conditional liability exemption" was stricter than the broad immunities given to hosts under the US Section 230 CDA rule.
EU member states also obtained access to the mechanisms of recommendation algorithms, with platforms required to briefly explain why specific ads were directed to specific users, and also to justify why they removed specific content. In addition, platforms had to release a biannual report on their content moderation efforts, and were prohibited from using "dark patterns" -- that is, misleading user interfaces that tricked users into inadvertently agreeing to, for example, share their data.
The DMA applied to a much smaller subset of companies, specifically those with 45 million monthly active users and / or an annual turnover of at least 7.5 billion euros. Such "gatekeeper" firms included Alibaba, Amazon, Apple, Google, Meta, Microsoft, TikTok, Wikipedia, and X/Twitter. While the DSA focused more on protecting the rights of individual users, the DMA gave European regulators the power to crack down on anticompetitive and unfair business practices, including over how large Big Tech platforms collect and use data. The DMA prohibited platforms from combining data sources without explicit opt-in, as well as from preferencing their own products and services.
The overriding principle of the DSA / DMA was to protect consumer privacy, and in particular to protect children. The European Commission is the primary enforcer of the DMA, but EU member states will have to coordinate their own governing bodies for DSA enforcement.
* As something of a follow-up to the DSA / DMA, in early 2024 the European Parliament passed a pioneering law regulating artificial intelligence, to go into effect in 2026. The AI law was only indirectly linked to the DSA / DMA, banning AI systems that presented "unacceptable risk" -- for example those that use biometric data to infer sensitive characteristics, such as people's sexual orientation.
High-risk applications, such as using AI in hiring and law enforcement, had to meet certain requirements -- for example, developers had to show their models were safe, transparent and explainable to users, that they adhered to privacy regulations, and did not discriminate. For lower-risk AI tools, developers still had to tell users when they were interacting with AI-generated content. The law applied to models operating in the EU, and any firm that violated the rules would risk a fine of up to 7% of its annual global profits.
* The USA is lagging Europe on data rights legislation. Some US states have passed data rights laws, but it's hung up at the Federal level on the battling between Right and Left. As an indication of the confusion, in 2023 a Rightist Federal judge slapped an injunction on the Biden Administration, saying administration officials couldn't talk to social media firms about disinformation and moderation. At the same time, several US states passed laws attempting to override moderation on social media, claiming that moderation infringed on the freedom of speech of conservatives. The US Supreme Court rejected both arguments in 2024. Over the longer term, the dysfunction is likely to be resolved, with the USA catching up to the EU.
However, so far, there hasn't been much noticeable work towards an international data rights treaty. There is no evident work towards a comprehensive international treaty system whose signatories will be obligated to ensure data security and, significantly, respect the data rights of citizens. Nations that don't sign up could find their access to the global internet restricted.
* Even in the absence of a proper international treaty system, work goes on to impose order on the new global information world. The most prominent effort at the moment is the fight against disinformation -- the "5th Horseman of the Apocalypse", as it has become known.
There are many ideas for dealing with disinformation. One of the more interesting was "Bot Sentinel", developed by a group led by an American software engineer named Chris Bouzy, which monitored trolling activities on Twitter, apparently using AI technology. After Twitter was taken over by Elon Musk, Bouzy led the creation of a competitor to Twitter named "Spoutible" that kept users informed of their Bot Sentinel rankings with a letter grade, "A" through "F". Spoutible also did not use engagement algorithms, contributors being instead promoted by "word of mouth" among the community. Spoutible eventually introduced "Accuracy Alerts" -- GAI-produced fact checks on postings, generated when enough users requested one.
Although Spoutible hasn't graduated into the same league of global users as X/Twitter yet, Bot Sentinel proved competent at keeping out trolls. Obviously more can be made of the concept if the will is there. Microsoft has also invested serious funds in data security, one major program being the "Azure Sphere" effort to devise standards and technology for computer security. Microsoft's educational software system also emphasizes teaching students how to recognize disinformation.
Beyond new technology, there are more general suggestions, not all of them credible. There's been talk of revoking Section 230 and allowing social media outlets to be sued, but that would be immediately weaponized by the Black Hats. Talk of bringing back the Fairness Doctrine is just as dubious; Donald Trump would have greatly liked to have the Fairness Doctrine to use against his enemies.
A better idea is to realize that the weaponization of disinformation implies its criminalization. The flood of disinformation relative to the COVID-19 pandemic helped get a lot of Americans killed. Surely there must be existing legal measures to fight back. It's obviously not legal to maliciously interfere with the work of the fire department; it can't be any more legal to interfere with the work of public-health authorities.
Similarly, the wild lies told about senior public-health officials led to death threats against them -- and it is obviously not legal to incite attacks on government officials, such malign propaganda being labeled "stochastic terrorism". The successful lawsuits against Alex Jones and Fox News were encouraging steps towards the criminalization of disinformation, demonstrating the emergence of a cadre of lawyers willing to take on high-profile trolls, and finding it profitable to do so. Could that be expanded, by ramping up traditional policing of mail fraud on the internet? It's already done to a degree, but the resources for the effort are modest.
The disinformation plague will almost certainly not have any one big solution, just a big set of little ones: no silver bullet, but many silver pellets. As with data security in general, it will demand a change in mindset and culture. Disinformation can't be made to disappear, but it can be sent off to the fringe, where it can do much less harm. In a generation, given improvements in data security and global treaties on data rights, the global internet will be a much more orderly place, though it can never be completely bullet-proof.
Incidentally, from the time of the 2016 election, almost all of the legacy news media, from the venerable NEW YORK TIMES to Fox News, went into sharp decline, as printed newspapers and cable TV began to die out. The journalistic standards of the legacy media, never perfect to begin with, declined in pace, and it is obvious the legacy media is collapsing. Exactly what will come after it remains to be seen.
* This document started life in the form of a history of cryptology that was originally released in 2001. It grew over time, and in 2021 I split it into two documents, one on classical cryptology, and the other on modern cryptology. Having done that, I decided to sift out discussions of cryptology-related law and politics, and arrange them more coherently in a third document.
There are no major sources for this document, in large part because there aren't many documents out there like it, at least for the present. It was mostly scavenged in bits and pieces from online sources, with a lot of it written off the top of my head, on the basis of the information I had accumulated. It's been evolving, and it will evolve further.
* The banner image in this document was by one Vu Hoang, who released it under the Creative Commons Share Alike License. I was pleased to find it, since I was desperate to get a good free-use image appropriate to the document.
* Revision history:
v1.0.0 / 01 sep 21
v2.0.0 / 01 oct 23 / General rewrite.
v3.0.0 / 01 sep 23 / Extended, went to 3 chapters.
v3.1.0 / 01 dec 24 / General polishing.