Citadels Protect Personal Information for Citizens and Companies Alike: Verifiably Ending Use of Sensitive Citizen Information for Mass Surveillance Can Foster (International) Commerce and Law Enforcement

24 Pages Posted: 9 Sep 2016


Carl Hewitt

Massachusetts Institute of Technology (MIT)

Date Written: September 7, 2016


Developing solutions that are ethically, commercially, politically, and technically sound over the long run is one of the biggest challenges for proposals addressing issues of national and individual security. This article presents a proposal with arguments that it meets the challenge. The proposal protects a citizen’s most sensitive information while at the same time providing tools adequate for law enforcement to catch and prosecute suspects including alleged “terrorists.”

Intercitadel(TM) is a system for citizens to coordinate with IoT devices and other citizens while protecting their sensitive health, legal, political, and social information and fostering (international) commerce by enabling conclusive verification that foreign governments are no longer conducting mass surveillance using IoT manufactured products and Internet company service provider datacenters.

IoT poses extreme security and privacy challenges for sensitive personal information, including psychological, sexual, social, financial, legal, and medical. Enormous amounts of sensitive information that can be used against citizens are being stored in datacenters controlled by foreign-domiciled companies and extensively sold on multiple markets by data brokers. Within 10 years, hologlasses (holographic glasses) are projected to become as common as cell phones because they offer heads-up, hands-free, transparent operation. Consumer health and medical IoT involve some of the most sensitive information that can be used against citizens. For example, pacemakers and insulin pumps are becoming ever more common. Further out, DARPA is developing an implantable neural interface able to provide unprecedented signal resolution and data-transfer bandwidth between the human brain and the digital world. Many workers and military personnel may someday not be competitive if they lack a brain prosthetic.

IoT will soon be in almost all manufactured devices, thereby threatening the economic survival of trans-national manufacturers as well as Internet companies because of their current Internet business model of storing the most sensitive of personal information from IoT devices in their datacenters. The Cyberspace Administration of China, the European Court of Justice and other national governments have announced their intention to verifiably end mass surveillance of their citizens by foreign governments using datacenters of foreign-domiciled companies, because information stored in the datacenters of foreign-domiciled corporations can at some future time become accessible to the government of the country in which the company is domiciled. Consequently, companies that store sensitive information in their datacenters must be domestically incorporated to be able to verify that foreign governments do not have bulk access to the information. Citadels are a means for trans-national companies (including both IoT manufacturers and Internet service providers) to escape this trap by storing sensitive information of users' IoT devices in Citadels and storing only non-sensitive information in their datacenters.

Sensitive information can be stored locally in Citadels on users' own equipment encrypted with user keys and can be backed up elsewhere encrypted using users' keys. Furthermore, users can share Citadel information that they select with other parties, encrypted with the public keys of those parties so that it can be read only by the intended party. Citadels can improve information coordination over current systems that cannot coordinate among numerous competing services (such as Apple and Google) and numerous fiercely competing merchants (such as Amazon, Home Depot, and Walmart) using multiple IoT devices from competing manufacturers (such as LG, Nest, Samsung, and Whirlpool). Citadel-facilitated coordination can include integration of commerce (such as home, retail, food, travel, and auto), wellness (such as recreation, biometrics, nutrition, exercise, spirituality, medical, and learning), finance (such as banking, investments, and taxes), IoT (such as food management, security, energy management, infotainment, transportation, and communication), social (such as schedule, friends, and family), and work (such as contacts, schedule, and colleagues).

Citadels need a convenient, effective, highly-profitable business model, which must be more effective and efficient than the current datacenters system based on consumer surveillance to improve advertising targeting. Instead, a Citadel running on a consumer's equipment can seek out and help evaluate appropriate offers from commerce agents. Such commerce agents can earn commissions and fees from merchants when the referral is exercised. Consequently, merchants will no longer be burdened by having to pay for grossly inefficient advertising that annoys potential customers. Instead, businesses can provide their information to commerce agents that aggregate and package it for users' Citadels to be used in evaluating offers that can be filtered and ranked according to citizen needs and preferences. All of the convenience currently available through individual company access points must be improved in effectiveness and response time including scalable search and operations that can query commercial datacenters (such as Amazon, Facebook, Google, and LinkedIn) as well as other Citadels. (See the appendix “Implementation of Citadels” after the acknowledgements of this article).

Evident is a proposal to implement secure court-ordered collection of information for law enforcement from datacenters (including financial transactions, cell tower tracking, and video recordings in public places). Information obtained from Evident can be decrypted only by court order using both a key kept by the recording establishment and a key provided by the court. If not court ordered within a time set at recording, the recordings cannot be read by anyone (enforced by cryptography using a trans-national distributed Internet time authority). In addition to ensuring that outdated information cannot be decrypted, the trans-national time authority can provide continual statistics on the amount of decrypted information as a deterrent to mass surveillance and control. Advanced Inconsistency Robust information technology can be a very powerful tool for catching and prosecuting suspects. Using Evident is less risky to civil liberties than requiring mandatory backdoors in all IoT devices. Evident can prevent massive amounts of information from being collected and disseminated with almost no regulation whatsoever, which has led to increasingly severe scandals described later in this article.
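The three properties the abstract assigns to Evident (decryption needs both a key kept by the recording establishment and a key provided by the court; after the retention time set at recording nothing can decrypt; the time authority keeps statistics on releases) can be modelled with a small stdlib-only escrow. The code below is an added illustration, not the paper's own construction or code: it assumes a 3-of-3 additive (XOR) sharing of the data key between the establishment, the court and a per-period secret held by a `TimeAuthority` that destroys the secret once the period has passed, and it uses HMAC-SHA256 in counter mode as a stand-in for a real cipher. All names (`record`, `open_by_court_order`, `TimeAuthority`, `try_open`) and the sample recording are constructed for this example.

```python
import hashlib
import hmac
import secrets


def xor_bytes(*parts: bytes) -> bytes:
    """XOR equal-length byte strings: 3-of-3 additive secret sharing of the data key."""
    out = bytearray(parts[0])
    for part in parts[1:]:
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def prf_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream; stdlib stand-in for AES-CTR."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def mac_key(data_key: bytes) -> bytes:
    """Separate MAC key so the keystream key is never reused for authentication."""
    return hashlib.sha256(b"evident-toy-mac" + data_key).digest()


def tag_for(data_key: bytes, expiry: int, nonce: bytes, body: bytes) -> bytes:
    """Encrypt-then-MAC over the expiry, nonce and ciphertext body."""
    msg = expiry.to_bytes(8, "big") + nonce + body
    return hmac.new(mac_key(data_key), msg, hashlib.sha256).digest()


class TimeAuthority:
    """Hypothetical stand-in for the distributed time authority: one secret per
    retention period, destroyed once the period has passed; every release is counted."""

    def __init__(self) -> None:
        self._period_secrets: dict = {}
        self.releases = 0  # running statistic on how often escrowed material is opened

    def period_secret_for_recording(self, expiry: int) -> bytes:
        # Handed to recorders at recording time; one secret per period, so destroying
        # a period is a single deletion that covers every recording expiring then.
        return self._period_secrets.setdefault(expiry, secrets.token_bytes(32))

    def advance_clock(self, now: int) -> None:
        # Periods that have passed are destroyed; nothing can rebuild their keys.
        for expiry in [e for e in self._period_secrets if e < now]:
            del self._period_secrets[expiry]

    def release(self, expiry: int) -> bytes:
        # Called when a court order arrives; refused once the period is gone.
        if expiry not in self._period_secrets:
            raise PermissionError("retention period expired; period secret destroyed")
        self.releases += 1
        return self._period_secrets[expiry]


def record(plaintext: bytes, expiry: int, authority: TimeAuthority):
    """Encrypt one recording. Returns (bundle, establishment_share, court_share).
    The establishment keeps its share; the court share is deposited with the court."""
    establishment_share = secrets.token_bytes(32)
    court_share = secrets.token_bytes(32)
    period_secret = authority.period_secret_for_recording(expiry)
    data_key = xor_bytes(establishment_share, court_share, period_secret)
    nonce = secrets.token_bytes(16)
    body = xor_bytes(plaintext, prf_stream(data_key, nonce, len(plaintext)))
    bundle = {"expiry": expiry, "nonce": nonce, "body": body,
              "tag": tag_for(data_key, expiry, nonce, body)}
    return bundle, establishment_share, court_share


def open_by_court_order(bundle, establishment_share, court_share, authority):
    """Decrypt only with both shares and a still-existing period secret."""
    period_secret = authority.release(bundle["expiry"])
    data_key = xor_bytes(establishment_share, court_share, period_secret)
    expected = tag_for(data_key, bundle["expiry"], bundle["nonce"], bundle["body"])
    if not hmac.compare_digest(expected, bundle["tag"]):
        raise ValueError("authentication failed: wrong or missing key share")
    return xor_bytes(bundle["body"], prf_stream(data_key, bundle["nonce"], len(bundle["body"])))


def try_open(bundle, establishment_share, court_share, authority):
    """Convenience wrapper: plaintext on success, None when the escrow refuses."""
    try:
        return open_by_court_order(bundle, establishment_share, court_share, authority)
    except (PermissionError, ValueError):
        return None


if __name__ == "__main__":
    authority = TimeAuthority()
    sample = b"camera 7, 02:14, constructed sample footage"  # constructed input
    bundle, est, court = record(sample, expiry=30, authority=authority)
    print(try_open(bundle, est, court, authority))       # both shares, in time: plaintext
    print(try_open(bundle, est, bytes(32), authority))   # without the court's share: None
    authority.advance_clock(31)
    print(try_open(bundle, est, court, authority))       # after expiry: None
```

The point the model makes concrete is where the enforcement lives: a missing court share fails authentication locally, while expiry is enforced by the authority no longer possessing the period secret at all, which is what lets its release count double as the deterrent statistic the abstract describes.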

Keywords: Actor Model, Backdoors, International Commerce, Inconsistency Robustness, IoT, Citadels, Mass Surveillance, Sensitive Information

Suggested Citation

Hewitt, Carl, Citadels Protect Personal Information for Citizens and Companies Alike: Verifiably Ending Use of Sensitive Citizen Information for Mass Surveillance Can Foster (International) Commerce and Law Enforcement (September 7, 2016). Available at SSRN.

Carl Hewitt (Contact Author)

Massachusetts Institute of Technology (MIT) ( email )

77 Massachusetts Avenue
50 Memorial Drive
Cambridge, MA 02139-4307
United States
