Skip to main content


Periodic Reporting for period 2 - NEXTLEAP (NEXTLEAP)

Reporting period: 2017-07-01 to 2018-12-31

The issue of how to preserve our fundamental rights on the Internet is urgent. In particular, NEXTLEAP is looking at how we send messages everyday across the Internet. There is a saying that email is like a postcard. But, email is much much worse than a postcard. You know people can read your post card, but most people don’t know is that our emails are collected and data mined for our most sensitive and intimate information.

This is important for society as foreign powers and corporations around the world are tracking our social network via email correspondence, threatening the fundamental rights guaranteed all European citizens. It’s not just an problem for individuals. It’s a problem for enterprises: [PAUSE] approximately 90% of successful cyberattacks that cause significant harm to the enterprise come in through email. As threats from surveillance and targeted attacks continue to grow, the status quo will be both unacceptable and untenable. Luckily there is hope. There is a way to make email (mostly) secure. Locally encrypted email using a public key encryption protocol called OpenPGP works. But, OpenPGP is incredibly difficult to use and has not been updated since the 1990s.

The overall objective of the NEXTLEAP project is to build the fundamental interdisciplinary internet science necessary to create decentralised, privacy-preserving, and rights-respecting protocols for the next generation of the Internet, replacing out of date protocols with new and easier-to-user versions with better security and privacy. Importantly, we will fix and make usable secure messaging, including PGP, by building on new research on blockchains as well as the fundamental advances made by the Signal Protocol. For society, NEXTLEAP will contribute to Europe taking the “next leap ahead” of the rest of the world by solving the fundamental challenge of determining both how to scientifically build, and how to help citizens and projects, adopt open-source, decentralized, and privacy-preserving digital social platforms in contrast to proprietary centralized cloud-based services and pervasive surveillance that function at the expense of rights and technological sovereignty.
NEXTLEAP created a fundamental integrated socio-technical science of decentralised and rights-preserving information architecture that takes as foundational decentralized identity, user-centric privacy, provable security, anonymity, and responsible internet governance based on the largest ever study of developers and users of secure messaging applications and a comprehensive study of the models of decentralized governance, as well as an overview and systematization of 15 years of literature in decentralized systems.

We provoked a fundamental re-thinking of the ethical and philosophical foundations of the Internet around these principles, including @@ We have already engaged in 49 at seminars, workshops, and conferences that NEXTLEAP members have participated in, and the engagement around Net Rights has just begun. We have involved both activists inside Europe as well as human rights defenders in countries such as Ukraine and Tunisia.

The concrete standardization implementation of decentralized protocols and loosely coupled, open-source software needed to re-decentralize the Internet in terms of federated identity, secure messaging, and private information retrieval that allows us to use protocols while respecting fundamental rights. . The Project Stakeholder Committee of NEXTLEAP already shows interest from multiple encrypted e-mail providers (3), open source projects (4), CAPS and other EC projects (4), and standards bodies (2).
"NEXTLEAP has started the creation of fundamental science of decentralization. This work began with D2.1 and has resulted in the article “Systematizing Decentralization and Privacy: Lessons from 15 years of research and deployments” in the journal Proceedings on Privacy Enhancing Technologies. This work for the first time defines 'decentralization' as a distributed system under adversarial conditions, and calls for a combination of cryptography, distributed systems, and social science research as the necessary (if difficult) prerequisites for creating a decentralized internet. This work has created the foundation for a book-length edited collection that can be used to teach these topics in universities across the world by the end of the project.

We have started ground-breaking sociological user-studies of encryption, with a focus on developers and high-risk users. This work is delivered in D3.3 and has already resulted in a workshop publication “Can Johnny Build a Protocol? Co-ordinating developer and user intentions for privacy-enhanced secure messaging protocols” jointly by CNRS and Inria at the 2017 European Usable Security Workshop. This is the first large-scale study of the use of encryption to preserve privacy by high-risk activists, and already has informed designers of protocols such as the Signal Protocol (used by over a billion people via WhatsApp).

We have worked on the creation of ClaimChain, a privacy-preserving decentralized federated identity solution. This 'blockchains without consensus' design for federated identity management was first drafted in D2.2 and has been further developed in D4.1 and D4.2. In general, this work presents a revolutionary decentralized alternative to centralized solutions such as CONIKS and Google's Key Transparency, challenging many of the assumptions of the Bitcoin community. At the end of the project, we expect a fully decentralized and privacy-preserving identity solution that can be re-used across multiple contexts, not just secure messaging.

We have helped instigate the ""Autocrypt"" community effort which aims to bring end-to-end encryption to the general public and inform future standardization from a technical perspective. Working with various “decentralized messaging” communities and in particular with the e-mail ecosystem in order to lay the ground for bringing privacy-preserving protocols to the largest federated open identity system, our own inboxes. This work has already attracted the attention of both the IETF and many European SMEs interested in Data Protection. We expect these solutions to be adopted by real businesses and users by the end of the project.

We have also sponsored and organized the first Blockchain Technology Summer School, the first IEEE workshop on security and privacy on the blockchain, and a launch event called the “Political Significance of Cryptography” which combined a discussion with well-known cryptographers, including Tanja Lange (co- coordinator of PQCRYPTO) and Moti Yung (Snapchat), and the European Commission. We plan to engage the European Parliament on these issues, in order to help Europe take the lead in human rights on the net and chart its own unique course in technological development."