Welcome to my lecture, Globally Unified Governance Framework for Open Source. My name is Christopher Klotz, and I have studied and worked both in the realms of computer and social sciences, so I maybe have a different perspective on several of the current developments. Today I want to give you an alternative perspective and also a potential approach that can help us tackle several issues. We will begin with the problems we have in the international society, the society of sovereign states as of today. Then we will have a look at the open source system, what it is, and in the end we will come to the abstraction, the international arbitration, and how it can give us possibilities we have not yet used.

So the security providers of today are of course the sovereign states. They are determined by geography, by their sovereignty, and obviously they are designed for purely social systems. This leads to the question: what if the social environment is replaced by a socio-technical one? What does socio-technical mean? It means blurred borders among the technical systems, like the internet, and the social system. There are no longer clear or distinct points of transition. There are persistent, reciprocal interactions, influences and impacts, and so it is no longer possible to separate or split these two systems. They are persistently interdependent and interacting.

So are sovereign states, in their traditional separations of powers, secured by design in this new environment? What does secured by design mean? It is a concept from software engineering. It shifts the focus from the bugs, the errors, the mistakes we have, to the architecture, and asks whether these are just symptoms of an architectural flaw, so that fighting the bugs doesn't make a difference. The first issue for us here is that we have to avoid single points of failure, abuse and manipulation by architecture. In purely social systems we already have the separations of powers that can fulfill this purpose.

On the other hand, we need predictable behavior of the system. We need to ensure that intended input has predictable output. I need to know what I'm allowed to do so as not to get punished; otherwise a system cannot offer me security. And so this is a common approach where we already have two single points of failure: the IT operations and the development of the IT systems, affecting the whole social system at once. A very good example is the SolarWinds hack of 2020, where many public agencies, private customers and people were affected because there was a hack in the build processes, in the build environment, which is the part where the software we can use is created, where finally something usable comes out. We can have a comparable issue in the IT operations, for example if there is one weak password from one admin, which was also the origin of the SolarWinds hack in the IT development environment. Another issue here is of course the consolidated federal IT agencies. And another issue, or manifestation, could be the blockchain approach as it is currently used or implemented in Estonia, for example, where we have many different blockchains to create no single point of failure. Of course, affecting one node doesn't make a difference for the remaining ones, but if we have one company that, proprietarily and without external review, develops the technology, the software for all blockchains, and if there is one IT agency that does the administration of all of them, we still have the same two points of failure. Then anticipating that these blockchains offer me security can be very dangerous if I then use them to verify everything: legislative, judiciary, court systems, police files, healthcare and such, which is planned, and given the public papers we have it cannot be excluded that this will be possible. The absence of full information on everything there also makes it hard to determine whether they have considered everything, because of the absence of external review.

So what you see here is just an illustration, one manifestation of an institutional problem, because the traditional system is focusing on responsibility and liability. It needs one entity that has to take over the responsibility, and thus this entity also needs to have the means, full access, to possess this responsibility. Public review is also something that is still partly seen as a vulnerability in itself, and so there remains a focus on security through obscurity, which consolidates review, because external review is also a type of distribution, even if I have just one agency, for example. The system also anticipates that flaws imply bad work, so good work means we won't have flaws, everything will be fine and we don't need to consider it. This can have many manifestations, and if I have multiple agencies that distribute, this does not necessarily make a difference if every agency can create full harm. So this is just one example of how a much deeper institutional problem can manifest. We also have to see that security is much more than not getting hacked; it is also offering the services people need. For example, currently we have big issues in Germany with the COVID apps that are not able to really implement the new regulations in an accessible and suitable amount of time.

So this approach is generally no integral part of the international society. It's no formal thing; nothing that means getting rid of these problems implies getting rid of the international society or a sovereign state. It's an informal thing, and it's architectural, yes, it's an architectural flaw, but of a subsystem, not of the system as a whole. It's an informal problem of the society, and the society develops over time. It has integrated passive development, where the society adjusts its behavior and its interpretations of the norms and of the laws when their traditional interpretations are no longer competitive. So this is something that can happen within the system, and where the society can learn and interact with open source: public drafts, public standardization, which leads to distribution and also an ongoing public review.

We already have examples like the Advanced Encryption Standard, the security in Linux, where public agencies or publicly strongly influenced agencies like the Internet Engineering Task Force or, in terms of AES and SHA-3, the National Institute of Standards and Technology strongly interact with open source and possess open source institutions. They have adopted public drafts, public standardization. So with open source and the international society we cannot just say these are two entities; it's the institutions that make up what we are up against, and so it's also a blurred thing, and you can only see whether it is open source by its institutions. There are public agencies and publicly strongly influenced entities that are already part of the open source system, and so we also have many implementations already: systems are using open source, supporting it, and using publicly reviewed systems, for example Linux, and also have distributed types of operations or reviews. So once again, the graphic is just an illustration of multiple possibilities of how I can create distribution, but also within an agency, not just among different ones. So the architectural flaw I see is in a subsystem, it's not a general issue, and so we can mitigate it by alternative subsystems. But it's more than just fighting the bugs; it's something that means replaceable norms from within, how the system tackles its approaches.

But it's a bigger issue when we come to here: in terms of predictable behavior, in state one we have a customer; he's the customer of a company in state two, and this company possesses its data in state three, but storage is done in state four. This leads us indirectly to problems, to bugs, like how to enforce European institutions on Telegram, which is in the UAE, a current problem in the European Union, but also a very old issue: how to enforce European privacy institutions when data is stored in the United States, which also wants to protect its territorial integrity and its own laws. So we can take each one of these on its own, but finally there is an architectural flaw. It's comparable when we have the GPL version 2, which can be different and interpreted differently in different states, and also within a state there can be different interpretations, because these are not legal terms and they are so very ambiguous and can be interpreted in different ways by a judge. They are not integral in either state; they are interpreted and derived from the legal constants of the traditional system. They are not prepared for the transnational, dynamic socio-technical system, because this new system has much more dynamics, is persistently developing, and it does not have this integrated development of the society, which is passive, and so it's also developing asynchronously. If we have a good precedent or a good law on day one, on day two everything can have changed, and so the system needs to start again from zero, and also in a different case things can be interpreted differently. So in Germany I can own something, I can possess something and I can use something, but if I use a library, what's the difference to forking code, and what's the difference between a static link or a dynamic link of a library? This is heavily probabilistic in terms of a traditional system, and so I cannot have security here. And so a question for the lawyers: how stare is the agency of a stare decisis, which is representative for what our current system wants to achieve, how stare is it in the socio-technical dynamics of code? Only dynamics can balance dynamics, and so if I try to seek to get a static condition on one side, I cannot foresee how it will act when there is a change on the other side, so the situation will possibly be even worse.

So in the current social system we have the interpretation of laws that develops with the society, and this gives us a static feel; it's a passive process of the society. But the code does not develop with these informal dynamics; it's a completely different thing. But that's not an issue, because the code itself is unbiased, it's math, it's physics, and it has a static dynamics, because the dynamics can be anticipated: we know above how it will develop, we know what we are up against. So this is not an issue; we have the static dynamics of code in this other system that have to be considered as such and that offer us a constant security. So from the socio-technical perspective, the source system, the traditional system, contains inconsistency among interpretations and thus among cases. A judge can anticipate, we can anticipate that he knows his law, but what is the difference, the relation between a library and an executable? For him, he doesn't really know much about it, and his law doesn't really help him, so it's very probabilistic again, and so we have no reliable consistency here and thus a lack of security. If you input data into a system which it does not intend, I have the same thing on Linux; it wouldn't behave differently, it's unpredictable behavior, it will be a kernel panic. We are talking here about architectural flaws that have to be considered that way.

This leads us to the open source system. First, as a comparison: we have the geographical separations in the dominant sovereign states, and we have functional separations, which is really a secondary thing. It's more about: are you a kernel developer, are you a tester of a distribution, are you one of the management guys? It's a functional thing and everything else is secondary. And instead of separations of powers, which is a type of command economy in itself, we have a distribution of powers, which is competition, and it captures the dynamics of code, the static dynamics of code, within this distribution of powers, capturing the development, just as the interpretation of laws changes with the society, for example. So it's a balancing thing, balancing itself. On the other hand, we also have the responsibility and liability focus in the traditional system; we had initially already talked about it. And we have an individual focus, a chain of trust, in open source in many cases, which is also a very different thing.

So the major institutions for open source are forking, redundancy and transparency, which also link already to Linus's law and flaw anticipation. Forking means that I can use any code; if I disagree with how it develops, how things are done, I can create something else just by forking, using it and creating something new. And we have a lot of redundancy: build processes, we have many different build processes; there is much redundancy in review, code is tested, reviewed and such. And this also needs transparency, otherwise it doesn't work. So these are the major institutions, where flaws are anticipated and are just one problem that gets resolved like any other problem. It's nothing where you talk about fault; it's something new in the system, because it's actively developing itself and not passively. And so we also have, within the communities, rough consensus that is driven by merit-based persons. So for example, Linus Torvalds was more or less deriving the consensus of the Linux kernel community, and this gives one person a lot of theoretical power, where we can have a very efficient development, but it's still a very well balanced power, because if someone disagrees we still have the possibility of forking, through redundancy and transparency. So these people like Linus Torvalds are still affected by competition with others, and the constant obviously remains the code. And because of this asynchronous development we have a rolling release model in this technical open source system, in the socio-technical open source system. There's no anticipation of a static environment, because we are doing the development actively, and so we are anticipating the development and not seeking something static; we are just seeking the static behavior of the development of code; we know its dynamics, how they will develop. So this already catches the dynamics of the code, creating competition-based distribution of powers with many different communities within, which are in most cases rough-consensus driven in some different ways, and if you disagree with it you can always create forks, which happens from time to time and does not have to have hostile reasons. Forking is easy because of redundancy and transparency, also in terms of standardization, in new protocols and such; it's not just software development.

So this is security critical: the majority of websites are Linux driven. Given the fact that just 0.3% are not Linux of those we know, you can anticipate that the majority are also Linux. When it comes to companies who spend money to get security they can rely on for their operating systems, 34% rely on Red Hat Linux, just one of many different Linux distributions, so the Linux market in general will be much more. Cisco and Juniper themselves have 44% in the market of the service providers, so the providers of the internet that run the infrastructure where all the traffic of the internet is passed through, and their current, their new systems are all based on Linux. There are many more providers that are maybe also using Linux, but where I couldn't get reliable information. Also 70% of the phones people use are Linux driven, by a modified kernel. So this is also not just about hacks but about services. It's for me today an important part of security to be reachable, to have access to Signal or whatever, to be able to buy something on Amazon, to rely on my system being able to manage the output of the Amazon website. So this all probably belongs to security as of today. And despite opportunities, when I can get malware into the Linux kernel there is no exploitation, so there is a reason for that, which does also include a chain of trust, which is also a related institution. And despite its dominance, the Linux community still has not behaved like a dominant market player. This is something we have to consider: it has stable competition within and around, and there is much more protocol, standardization and software we are using, and also libraries, and things like WebKit are also part of proprietary systems. For example, Safari uses WebKit as its core engine, and much proprietary software uses open source libraries, so we cannot really foresee how much this is. And because this development is active, unlike the social system where society develops passively, the development and maintenance have to be considered on themselves in the security aspects, because it's done actively. So this is also something the traditional system is not prepared for.

This is how it looks: we have the development, like for the Linux kernel, where the open source system is more or less on its own, next to anarchy, doing the work on its own, but in most cases of course it's still subordinated to the international society. In some cases it even gives security to its communities by managing unsuitable precedents or laws of the system. So what does technology do in such cases? It creates abstraction layers. We have running systems; we cannot simply replace Windows, Linux, whatever. We can create an abstraction layer on top that gives us the possibility to have an application that can be run on everything. Comparably we have it with SAF, where we needed simplification, where it was no longer possible that one file system could serve any need we have, especially in terms of distribution, and so everything we had as output was too complicated. So we now just use the systems we already have, which we are used to, that are running everywhere, that cannot get replaced everywhere, just within our own, and so we can still use them for what we are doing traditionally, and we just added another abstraction layer, like another application, to add the distribution. So abstraction layers can make a big difference, and they can also help us to give the judge something the system is intended for. But we have to consider the institutions that are important for us, and not just in this case add another code as we know it.

So the big issue here is: the Convention of New York of 1958/59 introduced international arbitration, but it just gives an international foundation to enforce arbitration awards more or less globally, and so the relevant implementation of the arbitration law is always the national one, the law of the arbitration body, and it's irrelevant where the parties are placed. So we also have much security here, and an award can be enforced globally by the state system itself. But to give the judge something he knows, that he's intended for: he just has to verify the compliance of the arbitration case with the arbitration agreement, and of the arbitration agreement with its national law, and in the case of an arbitration body always the national implementation of the law. So this is something he's intended for, and we can use it more or less globally, because, as you see in blue, the majority of states of the world are member states of this convention, and two examples you can get into to have some illustration of what this is all about.

So what can we do with the system here, how can it be enhanced, and how to add this abstraction layer? This is what we will have: an international arbitration abstraction layer for the open source system, to create security for both sides. And it will be also complementary for the international society, because through the international arbitration it will help the international society, through the open source system, to also fill the remaining gap. With this arbitration concept it is used to it, knows how to handle it, and so it's a symbiosis, more or less, we're talking about. In terms of Swiss arbitration, just one example, we can also have many other states that have suitable laws, like the UK or such. It has two laws, but we are free to choose which one we want to apply. Only the highest court of Switzerland, this one court, treats cases against arbitration; other courts are not allowed to do so, so we have much specialization, experience and knowledge, which gives us security. Also the public and politics in Switzerland tend to facilitate such implementations, socio-technical things: in Zug you can already pay public agencies with cryptocurrencies, we have the Facebook-driven Diem Association, the regulated Libra currency, and we have just passed a new law to further facilitate international arbitration. And just a little additional incentive, partly related to here: can such unregulated cryptocurrency, which is also possible in Switzerland, be complementary? Because it can give us the possibility for a global, stable type of transnational currency, which is backed by a stable transnational legal framework, which gives us the possibility of linking the source and its exchange, which today of course is in most cases a service thing. This can also drive development, because a legal, stable framework and a currency, a stable one, is also a big issue that can give us access to even more contributors worldwide.

Some incentives for this arbitration thing, what could prove competitive, what we maybe have to consider instead of just adding a new court: it has to be tailored, of course, for the rolling needs of this new system, which also differs strongly because it is based on community and not on deterrence. Because you can anticipate in this system that people who are engaging in the socio-technical open source system have a very high human development, and so it's more competitive to anticipate community rather than crime, because the system and its dynamics, its efficiency, its flexibility, we already know that it automatically gets rid of behavior that is not competitive for the system. So it's already very efficient, and so here it makes sense to go more, also within a court, towards collaboration, because it's just problems we are up against that have to be solved to create security for the future, and not punishment, which is done by the system already, and also by the criminal law, which is also something that is not part of the arbitration but by which the arbitration can also be complemented.

Another issue that is already widespread in open source: self-certification, for example for code coverage or for implementing best practices, where you can have rules that just have a "should", which means you don't have to, but where the self-certification means a company says, hey, we are implementing this, we are making the "should" a "must", and so on. Arbitration would also treat this entity that way when it comes to arbitration, and so there is also something that gives us security and flexibility for the future. So constructs like the Linux kernel development or the IETF are maybe more suitable indications than traditional courts here. And we also have to consider the back parts: if we make a global rule, we also have to think of what will be the differences in local implementations, how do local systems behave to it, how to make local entities aware of what the differences are for them with this new rule. So this is something important to be considered on itself. In terms of intellectual property, we already know it becomes more and more services rather than products, because it's hard to implement such a system, so it makes sense in such an arbitration to simply assume everything is open, and intellectual property protection is not our business but has to be done separately in another, traditional court. It's important to keep the system transparent, redundant and also forkable by statutes. And this links also to the question: does a lawsuit have to be in advance, or can it be done just like the development in the system? We have debates, for example among arbitrators, how they will treat a case if it happens, based upon the rules done possibly by maintainers or so, because the bureaucracy we want to avoid in the normal system is here not necessary, this avoidance, because the system already competes towards efficiency in the realms of code anyway; we know this. So here we can also create or add further security if we make sure that there is the distribution, given the forkability and such, and implement the standards the system, the open source system, the distribution of powers is used to. And of course we have to carefully identify stakeholders: maintainers of the rules, arbitrators, the users, developers and whatever. And of course the question remains how much of this can really be implemented in a real arbitration law, which also has rules, and so what I'm talking about here, my incentives, are really just implicitly legal and nothing explicit, so a lawyer can come to the conclusion that maybe much is not possible, and of course we have to consider that. The transition of the existing licenses is also a bit problematic, which has to be considered on itself. And so: always consider that architectural flaws and bugs are different things and have to be considered respectively.

So now I'm looking forward to your questions, and given the very short Q&A period we have now, feel free to do some background investigation and ask further questions on the GitHub site I have set up for this, or other comments. So looking forward to your comments.