* Although some progress has been made in fighting the infowars, much remains to be done; the effort tracks a moving target. There is, however, cause for optimism that the fight can be won.
* The new information world is, at present, in a state of chaos. Core issues include data security, data rights, and control of disinformation.
The first thing to be said about data security is that citizens will obtain strong encryption; the technology is there, and the case for it is solid. Although there will be restrictions on the right to strong encryption, nobody will be selling smartphones with backdoors built into them. Indeed, vendors have a strong need for an IDSCO to certify that they don't; anybody who doesn't have certification won't sell product.
It should be noted that in 2021, ANOM, a secure smartphone system used by criminal networks, was revealed to be under the control of international law enforcement, resulting in a wave of arrests. The busts underscored the reality that law-abiding citizens, with a clear need for data security, should not be forced to rely on bootleg software that may be weaponized against them; if the authorities can run a con, so can criminals.
Citizens should instead have robust encryption tools that have been validated by an IDCSO -- with such an organization mandated under an international data rights treaty. The treaty should also ban the unwarranted government use of "spyware" against citizens, an issue underlined in 2021 when spyware named "Pegasus" from the NSO Group was linked to efforts by heavy-handed governments to suppress dissidents.
As far as dealing with the bad actors infesting the global internet, commercial and government data security operations have become more adept at detecting them and taking them down, but the challenge remains. There's a question of improving data-security technology, but there's also a question of improving data-security procedures: ransomware attacks have often been against businesses whose data-security procedures were weak to the point of nonexistent.
Along with education, there's a need for changes in culture; for example, limiting insurance awards for damages from ransomware attacks if the business did not have a credible data-security plan. It may prove helpful to develop AI systems that can warn users of possible threats and propose corrective actions.
* The other side of the coin to data security is the creation of standardized and robust multi-factor E-ID systems. In 2024, as a major example, the EU kicked off an effort to establish a "Digital Identity Wallet (DIW)".
While Estonia was a notable pioneer in E-ID, Ukraine has become dependent on Diia, and India has its Aadhaar -- they are all national E-ID systems that don't work across borders. From 2021, EU lawmakers pushed to develop a single ID system that covers the entire European Union, with the effort going into full gear in 2024. EU countries are expected to issue the first DIWs by the end of 2026.
Europeans will be able to download a wallet app to their smartphone or other device, and use it to store and selectively share credentials when they need to verify their identity or prove their age. The wallet will work both for ID checks online and in the material world. It's also intended as a digital repository for official documents -- such as a driver's license, medical prescriptions, educational qualifications, passports, and so on. Legally binding e-signing functionality will be supported, while online services will be obliged to accept the Pan-EU credential; the DIW will support secure online transactions. In addition, it will perform signup validation for social media, helping to screen out trolls.
Another big EU digital policy push is focused on removing barriers to the sharing and re-use of data, across both external and internal borders, by setting up infrastructure and rules for "Common European Data Spaces". A universal EU E-ID that promises citizens privacy and autonomy could enable greater and more efficient info-sharing -- while leaving users with control of what data they share and who they share it with. For example, it could give citizens a means to share their verified age but not their identity, allowing a wallet app user to sign into an age-restricted service anonymously.
The EU Digital Identity Wallet proposal was adopted by the European Commission in the middle of the coronavirus pandemic, when apps that could display a person's COVID-19 vaccination status were a high public priority. One issue that came up at that time was that tech giants such as Apple and Google set their own rules on how COVID-19 exposure notification data could be exchanged. With the EU DIW, everyone has to obey the same rules.
The EU introduced the "Digital Identity Regulation" in 2024 to ensure development of a secure technical architecture, common standards, and specifications for the DIW. A common EU Toolbox was set up, the EC published an architecture reference, and code was released as open source. Further work will flesh out the DIW system. The EU expects the DIW to be fully established among the almost half-billion citizens of the EU by 2030 -- which, considering the magnitude of the task, is not that far away.
* The USA hasn't made so much progress on E-ID. In 2021, the US Congress did pass a "Digital Identity Act (DIA)", which proposed a set of measures toward a national E-ID system, including setting up a national task force to investigate the concept; mandating the National Institute of Standards & Technology (NIST) to develop appropriate technical standards; and providing funds to the Department of Homeland Security (DHS) to determine how to manage adoption of E-ID.
The DIA did not mandate E-ID, but established a framework for it. A number of US states have introduced E-ID apps; state and Federal governments have also gone to a commercial ID operation named "ID.me" to prevent welfare, entitlement, and tax fraud. Although ID.me proved successful, adoption of the system was not at all smooth, with many welfare recipients spending days trying to get validated. The rush eventually ended and operations became smoother. We're still stuck with a patchwork system instead of national E-ID.
An E-ID system is essential for online security. Once we have E-ID, we will be able to perform all legal transactions online, or for that matter securely vote online. That would neatly bypass the difficulties of the 2020 US election. It would also be nice to be able to access any formal records -- birth certificate, military discharge, vaccination records -- online, without having to access paper copies.
Unfortunately, the re-election of Donald Trump to the US presidency in 2024 made US national ID problematic, since the Trump administration demonstrated a contempt for law and the rights of citizens, along with confused efforts to set up a police state. With an authoritarian in the White House, E-ID was out of the question. Until circumstances change, it is unlikely that E-ID is going to make much progress in the USA.
* As for data rights, in 2018 the EU established the "General Data Protection Regulation (GDPR)", which defined how businesses were to handle the personal data of European residents. The rules covered almost everything that could be linked to an individual: addresses, charge card numbers, travel records, web search history, computer ID codes, biometric data, and so on. Major requirements under the GDPR included:
It did not cover proposals that consumers be given compensation for use of their personal data. In a sense they were compensated to a degree, through the discounts and such provided by loyalty card programs. Analysis showed that the value of the personal information of any one consumer was not very great -- but people like discounts, and the idea of compensation deserves to be investigated further.
As for rights of government surveillance, government agencies could process personal data without consent if there was a "national security," "defense," or "public security" concern -- terms the regulation did not define. However, national and international human-rights laws still applied to any such intrusive handling of data. That implied little or no change in the status quo for democratic governments, but left the ugly issue of misuse of surveillance by authoritarian governments as something to be discussed in the future.
The GDPR led to the EU "Electronic Commerce Directive 2000", which covered many of the same issues, adding a focus on coordination between EU states. It was essentially a basis for discussion. Discussions led to the authoritative "Digital Services Act (DSA)" and the "Digital Markets Act (DMA)". DSA was intended to impose order on the hodge-podge of national regulations that had arisen across the EU. DSA required that most online platforms feature:
The requirements were tougher for online platforms that had at least 10% of the EU population in their user base. These "very large online platforms" had to give users the right to opt out of recommendation systems and profiling, share key data with researchers and authorities, cooperate with crisis response requirements, and conduct external and independent auditing.
The DSA maintained the EU rule in which companies that hosted others' data were not liable for the content -- unless they actually knew it was illegal, and on finding out it was, did not remove it. This "conditional liability exemption" was stricter than the broad immunities given to hosts under the US Section 230 CDA rule.
EU member states also obtained access to the mechanisms of recommendation algorithms, with platforms required to briefly explain why specific ads were directed to specific users, and also to justify why they removed specific content. In addition, platforms had to release a biannual report on their content moderation efforts, and were prohibited from using "dark patterns" -- that is, misleading user interfaces that tricked users into inadvertently agreeing to, for example, share their data.
The DMA applied to a much smaller subset of companies, specifically those with 45 million monthly active users and / or an annual turnover of at least 7.5 billion euros. Such "gatekeeper" firms included Alibaba, Amazon, Apple, Google, Meta, Microsoft, TikTok, Wikipedia, and X/Twitter. While the DSA focused more on protecting the rights of individual users, the DMA gave European regulators the power to crack down on anticompetitive and unfair business practices, including over how large Big Tech platforms collect and use data. The DMA prohibited platforms from combining data sources without explicit opt-in, as well as from preferencing their own products and services.
The overriding principle of the DSA / DMA was to protect consumer privacy, and in particular to protect children. The European Commission is the primary enforcer of the DMA, but EU member states will have to coordinate their own governing bodies for DSA enforcement.
* As something of a follow-up to the DSA / DMA, in early 2024 the European Parliament passed a pioneering law regulating artificial intelligence, to go into effect in 2026. The AI law was only indirectly linked to the DSA / DMA, banning AI systems that presented "unacceptable risk" -- for example those that use biometric data to infer sensitive characteristics, such as people's sexual orientation.
High-risk applications, such as using AI in hiring and law enforcement, had to meet certain requirements -- for example, developers had to show their models were safe, transparent and explainable to users, that they adhered to privacy regulations, and did not discriminate. For lower-risk AI tools, developers still had to tell users when they were interacting with AI-generated content. The law applied to models operating in the EU, and any firm that violated the rules would risk a fine of up to 7% of its annual global profits.
* The re-election of Trump in 2024 of course derailed US data rights legislation along with E-ID, while Trump was willing to give Big Tech companies free rein to do what they wanted with AI. Some US states have passed data rights laws, but the Trump Administration's attitude was that the Big Tech companies call the shots now. The issue is not dead in the USA, but it is definitely in suspension.
* The third major issue in data security is the fight against disinformation -- the "5th Horseman of the Apocalypse" as it has become known -- with the internet and social media becoming the primary conduit for disinformation. That predominance was enhanced by the gradual sidelining of legacy media: traditional news and culture outlets that didn't adapt to the new information environment lost circulation, with their journalistic standards falling in pace.
Countries such as Finland and the Baltic States, under pressure from Russian trolling, took the disinformation threat very seriously, and updated their educational systems appropriately, teaching students how to recognize and deal with it. Laws are also slowly starting to catch up, with the recognition that the weaponization of disinformation implies its criminalization.
The flood of disinformation relative to the COVID-19 pandemic helped get a lot of Americans killed, and the wild lies told about senior public-health officials led to death threats against them. The successful lawsuits against Alex Jones and Fox News were encouraging steps towards the criminalization of disinformation.
However, for the time being, doing much more is problematic. In the USA, content moderation was bogged down in politics even before the re-election of Trump in 2024. The previous year, a TD Right Federal judge slapped an injunction on the Biden Administration, saying administration officials couldn't talk to social media firms about disinformation and moderation. At the same time, several US states passed laws attempting to override moderation on social media, claiming that moderation infringed on the freedom of speech of conservatives. The US Supreme Court rejected both arguments in 2024.
After Donald Trump was re-elected late in that year, his administration proved much more interested in spreading disinformation than in controlling it, actively going after "biased" content moderation that suppressed trolls, while attempting to suppress social diversity efforts as well. Although the EU DSA stipulates content moderation, most of the major social media outlets are of American origin, and the Trump Administration made it clear that their pushback against "bias" transcended borders. Caution prevails for now.
Fortunately, there's a lot going on under the radar. One of the innovations that is gaining steam is "distributed social networking (DSN)" -- in which multiple social media systems could share a common user base; postings on one system will show up on another. One of the big problems with starting up a social media service is building up a user base; with DSN that's not such a barrier to entry, allowing smaller players to co-exist with giants.
The BlueSky social network system supports a DSN "AT protocol", with a number of apps being developed to leverage it. In itself, DSN doesn't have much to do with content moderation, except to give users access to multiple different services with different moderation policies -- allowing them to choose the service that best suits their needs.
More significantly, BlueSky supports multiple moderation schemes. There is baseline moderation to throw out spammers and the like, but users in principle can also select different moderation schemes. That makes objections to moderation more troublesome, since in principle users can sign up for the moderation policies that fit their needs.
In addition, BlueSky devised a scheme called "labeling" for content moderation -- in which postings failing moderation are not deleted, instead being hidden under labels giving the reason for hiding them. Users can specify if they want labeling or not. Another plus for moderation in BlueSky is cultural: traditionally, users on social media prefer to engage trolls, but BlueSky users tend to block them quickly. A useful related feature on BlueSky is "subscription blocklists", in which a user can maintain a list of troublemakers to be blocked, with other users signing up for the list and automatically using the blocks as well.
BlueSky is far from solving the moderation problem, but it is providing tools that can help. There have also been experiments with using AI to provide fact-checking on social network postings; that hasn't caught on yet, but it appears to be highly effective. The problem is that AIs are known to get things wrong, or "hallucinate", with the problem getting worse as the Black Hats work to corrupt the AIs.
Over the long run, the Trump Administration's backward policies are not sustainable, and will not endure. Disinformation will be dealt with; it can't be made to disappear, but it can be sent off to the fringe, where it can do less harm. In time, given improvements in data security and global treaties on data rights, the global internet will be a much more civilized place -- though it can never be completely bullet-proof.
* This document started life in the form of a history of cryptology that was originally released in 2001. It grew over time, and in 2021 I split it into two documents, one on classical cryptology, and the other on modern cryptology. Having done that, I decided to sift out discussions of cryptology-related law and politics, and arrange them more coherently in a third document.
There are no major sources for this document, in large part because there aren't many documents out there like it, at least for the present. It was mostly scavenged in bits and pieces from online sources, with a lot of it written off the top of my head, on the basis of the information I had accumulated. It's been evolving, and it will evolve further.
* The banner image in this document was by one Vu Hoang, who released it under the Creative Commons Share Alike License. I was pleased to find it, since I was desperate to get a good free-use image appropriate to the document.
* Revision history:
   v1.0.0 / 01 sep 21
   v2.0.0 / 01 oct 23 / General rewrite.
   v3.0.0 / 01 sep 23 / Extended, went to 3 chapters.
   v3.1.0 / 01 dec 24 / General polishing.
   v3.2.0 / 01 may 25 / General update.
   v3.3.0 / 01 jun 25 / Follow-on fix.