The Hidden Danger in Berners-Lee's Contract for the Web

World Wide Web inventor Tim Berners-Lee's concerns over the state and future of the internet are well known. He fears that a technology developed to provide universal access to free information has developed a distinct dystopian miasma that, left unchecked, could simply get worse. The primary culprits are excessive government surveillance and wanton corporate collection of personal data.

To counter this, Berners-Lee has launched a Contract for the Web (PDF). It has been a year in the making, and is already supported by 160 organizations, including the governments of France and Germany. Its purpose is to make the internet a safer place to be and a more trusted resource to use.

The Contract is in three sections, describing the responsibilities of governments, companies, and citizens. Each section has three basic principles. The principles for governments and companies focus on providing and maintaining universal access to the whole internet, and protecting user rights and privacy. Companies have the additional responsibility to "develop technologies that support the best in humanity and challenge the worst." Citizens' responsibilities are to treat the Web well, to "respect civil discourse and human dignity," and -- where and when necessary -- to "Fight for the Web."

There is noticeably nothing politically overt in this contract. There is no attempt to outlaw nations attacking other nations in cyberspace, nor the conduct of cyber espionage for military or political secrets. There is nothing to prohibit national governments from stockpiling zero-day vulnerabilities for offensive or defensive purposes (the perceived need for which is probably the main reason that Microsoft's proposals, first for 'norms of behavior' and later for a 'Digital Geneva Convention', have met with little acceptance).

Similarly, there is no attempt to prohibit government surveillance of its own or other citizens, other than a requirement that such surveillance be legal, proportionate, limited in time and subject to judicial oversight. Given this national security let-out, and that much of the remaining privacy content is already enshrined in state, national and international laws (such as GDPR and the CCPA), governments should have little difficulty in agreeing to the Contract.

But it won't be that easy. Although there is little overt political content, there remain numerous provisions that will cause great difficulty for individual countries. There is an implied requirement (Principle 2, "Keep all of the internet available, all of the time") for an end to the Balkanization of the internet. Russia and China, and of course Iran, North Korea and other countries, will not accept this. Even countries like the United Kingdom, with its ISP-level censorship of websites like The Pirate Bay, will have difficulty complying.

Furthermore, it would require governments to refrain from meddling in the elections of geopolitical foes -- not because it is a political act, but because it involves activity against the privacy and security of individuals (the voters). In the current geopolitical atmosphere, this is unlikely.

No method of enforcement

Of course, even without governmental conformance to their own three principles, there will still be much of benefit if companies and citizens comply with the remaining six principles. But even here, we must ask whether this is likely. One potential weakness in the Contract is that there is no immediately apparent method for enforcing it. This means that organizations can publicly subscribe to the ideals while privately ignoring them with impunity. Without the ability to call such companies to account, the contract fosters a false sense of security -- users will believe that a service is protecting their privacy while in reality it is not.

Google and Facebook are the obvious examples. While they are already required by numerous international laws -- notably GDPR -- to obey many of the principles contained within the Contract, they are repeatedly called out for transgressions by both security researchers and government agencies.

Last week, Amnesty International described both the Facebook and Google business models as being "predicated on human rights abuse." It describes these business models as being "inherently incompatible with the right to privacy." Principle 5 of the Contract states that companies will "Respect and protect people's privacy and personal data to build online trust." Principle 3 states that governments will "Respect and protect people's fundamental online privacy and data rights."

In July 2019, the FTC famously fined Facebook $5 billion for deceptive disclosures about privacy settings, after an investigation prompted by the Cambridge Analytica scandal.

Earlier in November 2019, it became clear that Google had received 50 million U.S. healthcare records from Ascension. Google claimed everything was legal and above board, but the healthcare records were transferred without their owners' knowledge or specific permission. Paragraph 1 of Principle 5 states that 'people's privacy' will be supported, "By giving people control over their privacy and data rights, with clear and meaningful choices to control processes involving their privacy and data."

The basic problem is that the Contract is voluntary. "Berners-Lee's 'Contract for the Web' is a laudable effort but enforcement is always going to be a question," Thomas Hatch, CTO and Co-Founder at SaltStack told SecurityWeek. "Moral contracts are notoriously difficult to enforce, which is why this might seem like a 'pie in the sky' idea."

Hatch subscribes to the common but alternative view that since technology is the fundamental cause of the problems, technology must also find the solution. "A real fix for the web," he continued, "is more likely to come through technical means -- a combination of tools and technical restraints that prevent bad actors. Relying on human enforcement and goodwill may work at first, but will likely wear out over time. The community should certainly support any and all efforts, this included; but for real security gains, we need to consider this just the tip of the iceberg."

As it stands, it is clear that big tech companies could publicly subscribe to the Contract while not actually abiding by it -- and it is difficult to believe that they will change their current business models to conform. The result, without adequate enforcement of the Contract for the Web, is that companies could publicly support it and privately ignore it -- and the user will be the loser. It would be good to be proven wrong over time.

SecurityWeek has asked the Contract for the Web for its response to such concerns, but has not had a response. If one is received, it will be appended to this article.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.