At yesterday's Internet Archive Decentralized Web Summit, the afternoon was given over to questions of security and policy.
I gave the opening talk, "How Stupid Laws and Benevolent Dictators can Ruin the Decentralized Web, too," which was about "Ulysses pacts": bargains you make with yourself when your willpower is strong to prevent giving into temptation later when you are tired or demoralized, and how these have benefited the web to date, and how new, better ones can protect the decentralized web of the future.
EFF's Jeremy Gillula and Noah Swartz — who were there to present Certbot, a tool that produces free cryptographic certificates — wrote up the afternoon, including my talk, and did a good job summarizing it:
He called on the audience to act now to make a Ulysses pact for the decentralized web, because everything eventually fails or falls on hard times. If we want to make sure that the principles and values we hold dear survive, we need to design the systems that embody those principles so that they can't be compromised of weakened. In other words, we need to build things now so that five or ten or twenty years from now, when what we've built is successful and someone asks us to add a backdoor or insert malware or track our users, it simply won't be possible (for either technological or legal or monetary reasons)—no matter how much outside pressure we're under.
After all, "The reason the web is closed today is because…people just like you made compromises that seemed like the right compromise to make at the time. And then they made another compromise, a little one. And another one." He continued, pointing out that "We are, all of us, a mix of short-sighted and long-term…We must give each other moral support. Literal support to uphold the morals of the decentralized web, by agreeing now on what an open decentralized web is." Only by doing this will we be able to resist the siren song of re-centralization.
And what sort of principles should we agree to? Cory suggests two. First, when a computer receives conflicting instructions from its owner and from a remote party, the owner's wishes should always take precedence. In other words, no DRM (that means you, W3C). Second, disclosing true facts about the security of systems that we rely upon should never ever be illegal. In other words, we need to work to abolish things like the DMCA, which create legal uncertainty for security researchers disclosing vulnerabilities in systems locked behind DRM. The crowd's response to this passionate call to action? A standing ovation.
[Jeremy Gillula and Noah Swartz/EFF]