Can A Machine Take Legal Responsibility?

As society wrings its figurative hands over questions of artificial intelligence replacing humans, consider for a moment that AI has been around ever since the first time an IF statement in a program was executed. Execution of an IF statement constitutes a machine making a decision.

You might say that’s still deterministic, as a human being had to define all the conditions for the decision. But if you chain a bunch of IF statements together, you quickly get to the point where no human being can comprehend all of the possibilities. When you leave it to the machine to figure out all those possibilities, it seems to me that that is artificial intelligence. Accounting machines have been doing that since early in the twentieth century.

On March 16, Gartner published a paper entitled Managing Machine Identities, Secrets, Keys and Certificates by Eric Wahlstrom. The paper calls attention to the fact that digital certificates in servers (actually, the private keys accompanying digital certificates) assume even more responsibility than an AI: in a very real sense they perform the kind of attestation that should be considered a legal process.

Of course, it would be completely impractical to have a legally responsible human being sitting at a console, digitally signing every action of the server that met the approval criteria. The server must have the capability to do that autonomously.

But what human being takes responsibility for the actions of that server? Or is the server truly autonomous, that is, legally autonomous? If so, then that’s more than artificial intelligence; that’s artificial personhood.

I’ll leave it to the authors of dystopian fiction to create the stories about where that all leads and how it all ends. For now, the concern is purely practical.

The world is beset by ever-growing security problems: breaches, ransomware, digital fraud, botnets, and on and on. And if you think about those problems, they’re all generated from one root cause. That cause is inauthenticity. People are not who they claim to be, and digital systems are designed such that responsibility for parts of the system is not assumed by anyone.

Consider how responsibility in our digital world differs from responsibility in our physical world. Buildings are not considered habitable until a professionally licensed architect, structural engineer, contractor and building inspector put their good name and their livelihood on the line by personally signing for the issuance of the occupancy permit. Doctors take personal and professional responsibility for diagnoses and treatments. Licensed drivers are personally responsible for the actions of their vehicles.

So the first question in the subject of Managing Machine Identities, Secrets, Keys and Certificates should start with the word “Who”. Who in the organization takes responsibility for the actions of that server?

Every server’s certificate should be signed not only by a certification authority; it should also be signed by the signing officer of the organization that runs it. The signing officer should be a real corporate officer, as opposed to the liberal use of the term “officer” to make people feel good about their title.

Professional licensing can be replicated similarly in our digital world. It has been tried and tested for centuries and has proven to be an effective way of maintaining personal accountability in professional practice. Why don’t professionals in our digital world bear the same responsibility in their work?

Our digital world needs qualified, certified, licensed, and personally accountable professionals who can guarantee the integrity of the numerous elements of our digital world.

So, how does the professional licensing initiative work?

The Professional Licensing Initiative

A professional license must be linked to the identity certificate of its holder. That provides direct personal accountability for everything signed using that license. If anything goes wrong, there’s one accountable human being who is answerable.

Digital professional licenses can be issued to many different professions. They can be issued to code auditors, penetration testers, blockchain officers, signing officers, and many more.

Code Auditors

A qualified code auditor is supposed to attest to the integrity of a piece of software. They should establish whether the software works properly.

As things are right now, most of the software we use is signed using a private key that’s passed around by developers in a huge software company. In other words, no one person can be held accountable for the integrity of that software. That also provides opportunities for someone to sign software that spies on you or steals data from your computer.

The lack of personal liability can also provide room for code auditors to be complacent. No one will come back asking them questions about the software they audited even if it goes on to cause damage somewhere else.

We all know big tech companies are putting malicious code in their software to spy on their users. No employee in such a company would ever want to be held responsible for such code. If a licensed, personally liable code auditor is responsible for everything a piece of code does, they’ll certainly think critically about signing off on malicious code.

Also, when a piece of code has been signed using a digital professional license, you will always know that not a single bit has been changed since it was signed. If someone tampers with it, the signature will cease to verify. You will be informed that the software has been tampered with and is hence not safe to use.

Blockchain Officers

Everyone is excited about blockchain right now. What most people don’t realize is that blockchain architectures are vulnerable to takeover by a coordinated gang effort. Gangs can take over and control the nodes in a blockchain. From there, they can manipulate anything within that blockchain. There’s nobody to be held accountable when that happens.

The blockchain officer's professional license can address that challenge. There should be a professionally licensed blockchain officer behind every node who publicly takes responsibility for the actions of that node.

Penetration Testers

Penetration testing is a big profession right now. Penetration testers, sometimes referred to as certified ethical hackers, test systems and software for security vulnerabilities. They should take personal liability for systems that they sign off as impenetrable.

Signing Officers

Professionally licensed signing officers will protect organizations’ websites from being hacked and loaded with malicious content. Signing officers will publicly take liability for the content and safety of a website. Visitors can be assured that they are on the right website by checking for the signature of a publicly known signing officer.

Professionally licensed individuals are supposed to use their expertise to attest to the security, safety, and privacy of systems and software in the digital world. As such, they do not get to enjoy anonymity. Their professional license is directly tied to their identity certificate. When they sign and attest to anything, they know they are putting their good name on the line.

Licensed professionals, even in the physical world, get paid very well. Architects don’t get paid for their designs. Their designs can be used by anyone. They get paid a lot of money to attest to the integrity of a building when their designs are used.

The professional licensing initiative is a great avenue for getting code auditors, penetration testers, signing officers, etc. paid very well. These professionals should earn seven-figure incomes because they are taking personal liability for anything that could go wrong with a system or software that they’ve vouched for.

Our digital world needs professionally licensed, expertly trained individuals. It will be a much safer world when there are experts who are willing to put their reputations on the line to guarantee that the systems, software, and content you are using are safe and original.