Open Channels FM
The Evolution of Hosting Security Standards and the Impact on Emerging Technologies

In today’s episode it’s time to take a look into the world of ethical hosting and the ever-evolving challenges of internet infrastructure. Joining co-hosts Dave Lockie and Robert Jacobi is David Snead, director of the Secure Hosting Alliance (SHA) and a longstanding advocate for better standards in web hosting.

In this conversation, they explore what sets ethical hosts apart, why transparency and clear policies matter to customers, and how regulations are reshaping the landscape for hosting providers worldwide. David Snead breaks down complicated topics like data sovereignty, emerging tech hurdles like age verification, and the balance hosts must strike between privacy, compliance, and innovation.

This conversation takes you into the intersection of technology and policy, reflections on the realities of global hosting, and practical insights for both industry insiders and everyday internet users. If you’re curious about the future of hosting, the impact of government regulations, or just want to hear about Metallica concert tickets and fallen objects at data centers, this episode delivers all that with a healthy dose of wit and wisdom.

Takeaways

  • Difference Between Ethical and Unethical Hosts: David Snead explains that SHA Trustmark-certified hosts focus on transparency (no hidden terms or “gotcha” policies), proper protocols for government data requests, and ongoing staff education about technology, security, and laws. This sets them apart from less scrupulous or unethical hosts.
  • Transparency and Data Requests: The SHA does not currently require members to publish transparency reports about government data requests, but this is under consideration. David Snead highlights that smaller hosts typically receive far fewer data requests than people might think.
  • Technological Challenges for Hosting: Emerging regulatory requirements like age verification present both policy and technology hurdles for hosting providers. There’s an ongoing debate over how and where age and identity verification should be managed, its feasibility, and the societal impact it could have.
  • Centralized vs. Decentralized Identity: Dave Lockie and David Snead discuss the tension between centralized identity solutions (like government-issued digital IDs) and decentralized, privacy-preserving approaches (like zero-knowledge proofs). Both have trade-offs, especially regarding exclusion or complexity for certain users.
  • Resilience and Redundancy: Hosts certified by SHA are required to provide resilient and redundant services. David Snead shares a real-world example of poor backup practices and how the Trust Seal addresses this.
  • Data Sovereignty and Regulation: Data sovereignty (the idea that data should stay within a particular country or region) adds complexity for hosts, especially around compliance and redundancy. The group debates whether Europe’s regulations (GDPR and similar laws) have ultimately been beneficial, with pros (greater awareness of privacy) and cons (such as user-unfriendly cookie banners).
  • Impact on Emerging Tech: Data sovereignty and heavy-handed regulation can sometimes impede the adoption and development of emerging technologies, but policymakers see the trade-off as worthwhile.
  • Encryption and Lawful Access: When it comes to encryption (like for VPNs and hosting encrypted data), the SHA expects hosts to comply with lawful requests as far as they’re able, but not to break encryption or go beyond what is technically possible.
  • The Value of SHA Membership: David Snead makes the case that joining SHA helps hosts be more marketable to customers and agencies, and contributes to raising the ethical bar across the industry.
  • Acknowledgement of Complexity: Dave Lockie sums up the discussions by recognizing that these issues are rarely black-and-white, and often require navigating complex gray areas in both technology and policy.

Questions This Episode Answers

Q: What are the main benefits of choosing an SHA Trustmark certified web host?
A: Choosing an SHA Trustmark certified host ensures transparency with published policies, proper handling of government data requests, and a commitment to continuous staff education on security and regulatory changes. These practices minimize surprises for customers and help maintain high ethical and operational standards in web hosting.

Q: How do SHA-certified hosts handle government requests for user data?
A: SHA-certified providers must have clear, tested processes for handling government data requests. While not currently required to issue transparency reports, they’re expected to disclose policies on how requests are processed and only comply when legally warranted, ensuring customers’ information is protected as much as possible.

Q: What technological challenges are currently impacting web hosting companies?
A: Emerging challenges include government-imposed requirements like age verification, which raises complex questions about implementation, especially for shared hosting environments. Additionally, hosts face competition from large platforms and evolving expectations around user privacy, data sovereignty, and secure identity verification.

Q: How does data sovereignty affect hosting companies and emerging technology?
A: Increasing requirements for data to remain within specific jurisdictions can make it difficult for hosts, especially smaller ones, to offer redundant and resilient services internationally. This trend can also impede the adoption of new technologies, as compliance becomes more fragmented and costly.

Q: What are some criticisms of regulations like GDPR, particularly around cookie banners and user experience?
A: While GDPR raised awareness about privacy, the implementation of cookie banners is widely seen as clumsy and detrimental to user experience, often benefiting large tech companies at the expense of open web browsing. The law aimed to improve privacy controls, but in practice, it led to widespread frustration and questionable effectiveness.

Q: Why might a hosting company want to join the SHA?
A: Membership in the SHA allows hosts to demonstrate strong ethical standards to customers and business partners, using the Trust Seal as a mark of quality. It also aligns the company with efforts to improve the security and trustworthiness of the wider internet, addressing both business and societal expectations.

Q: How do hosting companies manage security and redundancy for customer data?
A: SHA requires its members to implement resilient, redundant backup systems and ongoing security education for staff. This ensures that, in the event of disasters or attacks, hosts can continue to provide reliable service and protect customer data effectively.

Q: What is the hosting industry’s stance on encryption and compliance with lawful data requests?
A: Hosts are required to provide user data to law enforcement when legally obligated, but if data is strongly encrypted and the host cannot decrypt it, their only obligation is to provide what they have. There is no requirement for hosts to break encryption, and handling such requests is ultimately the responsibility of law enforcement.

Mentioned Links and Resources

  • I2Coalition (Internet Infrastructure Coalition) – A group focused on Internet infrastructure policy and advocacy, referenced as the organizational home for the SHA (Secure Hosting Alliance). 🔗 https://i2coalition.com/
  • Secure Hosting Alliance (SHA) – An alliance under I2Coalition that provides the Trust Seal program, promoting ethical standards and best practices among hosting providers. 🔗 https://i2coalition.com/working-groups/secure-hosting-alliance/
  • cPanel – A widely-used web hosting control panel software, where David Snead served as general counsel. 🔗 https://cpanel.net/
  • CloudFest – A major hosting and cloud industry conference in Europe, highlighted at the end of the episode as an important upcoming event. 🔗 https://www.cloudfest.com/
  • ZK Passport – An example of a zero-knowledge identity verification solution mentioned in the discussion about decentralized identity technologies. 🔗 https://zkpassport.id/
  • Mullvad VPN – Referenced as a privacy-friendly VPN service that doesn’t log user data. 🔗 https://mullvad.net/
  • NordVPN – Another VPN provider mentioned in the context of online privacy. 🔗 https://nordvpn.com/

Timestamped Overview (audio)

  • 00:00 Benefits of Ethical Hosting
  • 04:10 Data Security Practices and Education
  • 07:19 Canary Method and Transparency Rules
  • 12:12 Government Influence on Tech Policy
  • 13:34 Hosting Challenges in Modern Tech
  • 17:29 Decentralized vs. Centralized Digital Identity
  • 23:53 Identity Verification in Contracts
  • 25:35 Regulating Technology and Access Rights
  • 31:05 Hosting Impact on Providers
  • 32:59 Dubai Data Center Drone Strike
  • 38:09 Data Sovereignty and Internet Boundaries
  • 42:26 Data Sovereignty and Policy Trade-offs
  • 46:33 Apple, Privacy, and Crypto Advances
  • 48:54 Data Privacy and Law Enforcement
  • 53:37 Reasons to Join the SHA
Show Transcript

Dave Lockie:
Hello and welcome to another episode of Emerging Tech, an Open Channels FM podcast. I’m co-hosting today with Robert Jacobi. My name’s David Lockie. In fact, today I’m going to be Dave Lockie because our guest is David Snead, and it will just get very confusing otherwise.

Robert Jacobi:
Well, at least for me it will.

Dave Lockie:
It will. Welcome, Robert. Welcome, David.

David Snead:
Okay, glad to be here.

Dave Lockie:
Well, everyone probably knows us, but how about you give yourself a bit of an introduction, David? Tell us how you came to be in this, this position today.

David Snead:
Uh, so I am director of the Secure Hosting Alliance, which is a group of hosting companies that is part of the Internet Infrastructure Coalition. So I run, uh, the Secure Hosting Alliance for the I2C. The SHA is a working group that focuses on leveling the bar and creating ethical standards for hosts to validate. And so we have a trust seal program that hosts can certify to that is, is part of the work that we do. I came to the SHA and the I2 Coalition as formerly general counsel for WebPros and cPanel, and I also actually helped found the I2 Coalition about 14 years ago. And I’ve been working in the web hosting industry, fortunately or unfortunately, for almost my entire adult life, which is kind of scary to say, honestly, but I can’t change that.

Robert Jacobi:
Given how young you are.

David Snead:
Given how, yes, given how young I appear with all the Vaseline on my camera, yes.

Dave Lockie:
Okay, so, um, what is, uh, like, what is my experience if I choose an SHA Trustmark certified host compared to one of those unethical, unscrupulous hosts? What are the bad guys doing, and how are you gonna protect me and my websites?

David Snead:
What are the bad guys doing? You know, I’m not gonna— I’m not going to open the can of worms about what the bad guys are doing.

Dave Lockie:
That’s what we’re here Be careful, David, that can is getting open.

David Snead:
What I can talk about is what the good guys are doing. So there are a bunch of reasons why you should do business with an SHA-certified host, or as I would put it, an ethical host. The first is there should be no surprises. So, one of the things that we do, and we actually verify this, is that the hosts publish their policies in a place where you can review them. So, that’s a privacy policy and their customer agreements. And we also validate that their customer agreements are presented to the customer before they buy the product. So there’s not a— there’s an opportunity for the customers to actually vet the host before they buy something. There’s not a gotcha moment where somebody says, you know, well, this was in the terms and conditions that you agreed to that were linked at the bottom of, you know, a 3-page contract that you didn’t have the opportunity to be presented before you, before you purchased. Uh, the second is that all of our certified members have agreed to have policies that address governmental access to data. So that also means that if a government comes to them and asks them for your data, they have processes in place to respond to that and they’ve already tested them. So you don’t have a lot of times, because it actually happens infrequently, you’ll have a host who gets a request for a customer’s records who will have no idea how to respond and just turn over records without any thought. The third thing that we do that I find really cool and important is all of our members agree to have continuing education for their staffs. So they’re not setting up a company based on a technology, say, that’s 5, 5 years old and not continually educating their staff members about security threats, about changes in the regulatory environment, about changes in the customer environment. So you actually have a host that is up to date and is continuing to do their best for you.

Dave Lockie:
Great. So just to recap that, because that was, that was great, that was a deep dive. The first thing that you do, make sure that there are no surprises, that people at least have the chance to review terms and conditions beforehand. Second is to make sure that there are data protection request handling procedures that are warmed up and ready to go, uh, end to end. And the third is, sounds like continuous professional development for their staff to help them stay abreast of the changing technology landscape.

David Snead:
Perfect. Yep, that’s exactly right.

Dave Lockie:
Still got it. I still got that much memory.

Robert Jacobi:
Um, okay, so now the best part is now we get to pick on the attorney because it’s the future of the internet and are we going to need attorneys in the future. Um, but I do have a— when you, when you brought up, you know, the processes for data requests, governmental data requests and all that, uh, brings me back to sort of the dead canaries that a lot of, uh, SaaS providers had in the past. And is there I guess for the broader audience, a dead canary is, oh, nothing has ever, you know, we haven’t had a request, but then all of a sudden we do, and then we don’t talk about the fact that we never had a request because the canary is dead. So obviously something happened. Is that a piece of the SHA puzzle, or is that something that’s sort of left to individual hosts to decide?

David Snead:
There are a couple things to unpack in that question. The first is there is pretty significant agreement now that the canary method isn’t effective or legal, so companies don’t do that anymore. So that’s based on FISA and which is just a US regulation. I mean, which is just a US regulation, right? And it’s based on the fact that the receipt of certain orders cannot be disclosed. And so the thought was we’re going to not disclose it that we received one, but we’re going to kill the canary as a method of indicating that in fact we have received one. Or maybe none, you know, so that’s, that’s what that’s based on. Uh, the, the very, uh, the very specific answer to your question is we don’t now have a requirement that, uh, that our members disclose the, what they’ve received. There’s not a, a requirement that members have a transparency report. There is this year a proposal to our members that that become part of the certification process, uh, that they, that they be required to have a transparency policy. That’s something that, that personally I believe in. So when I was at, at, at WebPros and at cPanel, we actually launched a transparency policy. I think they’re great. The legal objection that most companies have to transparency policies is that they then become part of the customer contract and you can be sued based on them. And so, there’s some concern that folks have about transparency policies, but quite honestly, Robert, I think that if I were looking at companies, I would look and see how are they responding to government requests? Do they have policies to validate them? Are they responding? Are they protecting their customers’ information as much as possible? Look at those things. And then subsidiarily, look for transparency policies.

Robert Jacobi:
So at a minimum, if a host says this is how we handle government requests, we will only handle them under, you know, a legal warrant, blah, blah, blah, that’s probably better than nothing at all.

David Snead:
Absolutely. I think with a transparency report, you will get an idea of how many requests your host receives. Quite honestly, unless you’re looking at the, the really, really large providers, it’s honestly going to not be very many. I did outsourced abuse for 15, 16 years for just probably about 25 different hosts, and the number of governmental requests for data, um, it was probably 10 a year, so it’s, it’s not as many as people seem to think.

Robert Jacobi:
Oh my gosh, because my, my gut feeling is that every host gets at least one request a day.

David Snead:
I’m—

Robert Jacobi:
maybe that’s just how I roll in my head.

Dave Lockie:
Just, just the kind of hosting that you use, uh, or the content I’m posting.

Robert Jacobi:
Yeah, yeah, yeah.

Dave Lockie:
Okay, we’re talking about the good guys here. Yeah, so we’re— our mandate here is to talk about emerging tech. So let’s, like, after that good solid intro, I now understand I’m buying hosting, I’m above board, I’m going to choose an SHA, uh, partnered certified host, TrustSeal certified, TrustSeal certified host. Okay. What is challenging SHA from a technology perspective? Like, what is new? What is coming onto the scene? How is that affecting your members and you as an organization?

David Snead:
So let— I’ll break that down into the, the, the two subsidiary parts that you talked about. So what’s the technology that’s impacting us as an organization. I would say that’s the increase in the ability of governments to influence and access information. So that’s kind of what the I2 Coalition is based on. It’s a policy aspect. How do governments access information? How do they regulate it from a technology perspective? A really great example of that are all the bills that are pending about age verification. So from a technology perspective, let’s say you are a hosting company and you have, you know, thousands or let’s say 500 websites on a particular server, one of which has to be age verified. How are you going to facilitate that? How is that going to work? So that’s kind of from an I2 Coalition perspective. They’re breaking down the whole age requirement, verification requirement problem is pretty detailed, but from an I2 Coalition and SHA perspective, that’s where we are. From a, um, hosting perspective, I would say honestly the biggest technology issue that hosts are facing is not, you know, say, how are we going to deal with AI or something like that? It’s more what is hosting going to look like to the customer, right? So if I’m a customer, is my web browser essentially going to become the, the hosting company? Or like a lot of smaller, smaller, lesser developed countries, most of the companies who are looking for a web presence just go to one of the large platforms like Facebook or Instagram or Twitter. That’s where their hosting is. That’s where they post the hours of their, their business. That’s where they post their menus and things like that. That’s a big technological challenge. And how do you get a restaurant in your town to purchase your services versus just putting a free website up on Facebook?

Dave Lockie:
Or The Fork or any one of a number of platforms. So bring you traffic as well as providing you technical capability. So I’m going to push back a little bit on the first one because is that a technological emerging technological thing or is that emerging regulatory thing or is one driving the other?

David Snead:
I would say it’s technological, right? So age verification doesn’t work, right? So how are you going to mandate that folks provide documentation of their age, right? Is it, are you going to use physical documents that a 13-year-old or say an adult has to upload? Are we going to say, for example, this is a big deal where I live, folks without driver’s licenses or verifiable proof of their age, they can’t access the internet simply because they don’t have the ability to document their age. It’s a technological problem. And from a personal standpoint, I have a hard time understanding the problem that, um, that it’s going to solve. It seems to me that it’s solving a societal problem, um, with a gimmick that seems just too easy to implement and too easy to work around, right? There’s that too.

Dave Lockie:
I mean, these are also regulatory, well, their policy decisions, right? Because you can go to Estonia and they have a government-issued electronic ID that you can use to verify yourself and run your life. So it’s been a choice by the US government to leave identity to corporate interests, essentially, primarily like, you know, Google, Facebook, credit card companies.

Robert Jacobi:
I mean, a lot of age verification is interestingly credit card based.

David Snead:
Yep.

Dave Lockie:
So there’s that on one side and I’m kind of interested in, I don’t want this to become like an emerging policy podcast so much, but I am interested in what, like if you see that dry, like the, so to me there are two directions that this can go, right? Either you have to do highly trusted, centralized, therefore probably like nation-state digital identities. You know, maybe that makes sense from an email and accessibility and government communication perspective. Or I think you have to go the other way, which is to look at decentralized zero-knowledge type stuff. I don’t know if you’ve looked at like ZK Passport and some of the identity stuff that’s happening in the crypto space. But there you don’t have to— so maybe people are listening to this and very familiar with zero knowledge, or not, but I’ll give a quick recap. So the difference between kind of explicit identity and zero knowledge is that most of the time when you’re trying to sign up for something, then what you have to prove is that you’re not from a sanctioned country and that you fit in a particular age bracket, and, you know, various other details. So you don’t actually have to prove who you are as much as prove that some things are true about your identity. And that’s what a zero-knowledge solution like ZK Passport does, is you upload your passport, it cryptographically encrypts all that stuff, and then when you auth into a website, what it’s asking for is ‘Do you live in one of these countries? Is your date of birth prior to this date?’ And the computation that comes back is, you know, it’s true or false. And on that basis, then you can access that service or not. It doesn’t work for all services, of course, but it can go a long way towards solving age verification, as the example here. So if my straw person is that those are two different directions that I think identity ultimately drives towards. Tell me where I’m wrong and how you see that playing out.

David Snead:
So I don’t think that your hypothetical is wrong. I think that there are multiple ways of determining age from a technological standpoint. The argument that I’m making is that they’re exclusionary. So they exclude members of the community who might actually need access to the services. So you’re talking about a technological solution that in the back of my mind when you’re describing it and I’m trying to process it myself and I have a grasp of how it works, I think, how is my 88-year-old dad going to— how is he going to handle some of this technology? I mean, he just bought a ticket to a concert from a scalper because he couldn’t figure out how to get to his local theater? How’s he going to handle that? And I get that it’s very easy to poke holes in some of these things just by identifying, like I just did, a good analogy. But I do see, you know, the initial question was what technological issues are going to impact hosts. I see this as something that’s going to be a problem for them. Australia already has a law like this. How are hosts in Australia responding to it?

Dave Lockie:
We don’t—

David Snead:
I don’t happen to have any Australian hosts as SHA members, but that would be a really good, a really good question.

Dave Lockie:
I love the fact that your dad is, in my mind, he’s just been buying Metallica concert tickets. So let’s roll with that. Good on my dad.

David Snead:
I should be so lucky that Metallica is in my town.

Dave Lockie:
So I guess, A, could you not just ask an Australian hosting company, or has the SHA really burned its bridges with the Aussies? Have you done something dreadful and they just won’t talk to you? Secondarily, what is fundamentally different about hosting versus any other service provider? I mean, I would imagine that the people who will figure this out are the big tech giants, and they’ll figure it out either by lobbying against the regulation and stopping it, or they will find a solution which is workable and then the hosts can just adopt that? Like, why am I being— where’s that mental model wrong?

David Snead:
So the issue that I am addressing is not necessarily a concern that is unique to the hosting industry. But it is important to the infrastructure stack, right? Where is this particular technology going to sit? But more importantly is, how is it going to be implemented in a way that is consistent across the stack? I get that politicians are trying to address a problem that is important to their constituents. It’s the solution that the technology I don’t think suits the solution to the problem.

Dave Lockie:
Okay. I mean, again, at the risk of getting into emerging policy, if you’re going to have a contract and I’m not a lawyer, so let’s just get that out on the table. If you’re going to have a contract, then the question of identity is fundamental to the enforceability of that contract in the first place. And the presence of terms of service implies is a contract, because otherwise, what are they there for? So let’s say your dad doesn’t have a self-custodian ZK Passport-enabled wallet. Okay, fine. He’s too busy listening to Metallica. On what basis is his hosting company, where he hosts his Metallica fan site, I imagine, and merch store, how are they— on what basis are they contracting with him if they don’t verifiably who he is in the first place? Is this not like an upstream problem?

David Snead:
So your question presupposes that companies have— Pardon me?

Dave Lockie:
I love lawyer language of presupposes.

Robert Jacobi:
Presupposes.

Dave Lockie:
Presupposing.

David Snead:
How about your question is based on the assumption that a company is obligated to know who their customer is.

Robert Jacobi:
But is there a bunch of know your customer semi— well, at least on the— well, okay, let me take it back one sec. I mean, financial services for sure have a lot of know your customer requirements.

David Snead:
Yeah. So does the internet want that level of regulation to be part of its business? I mean, look, Robert, you and I know how difficult it is to open a bank account in the US. And is that how we want to... Do we want that level of technology imposed on getting access to information on the internet? So Dave, to use your example, let’s say Metallica, the Metallica concert that my dad is going to, they’re singing some song that’s age restricted. Do we want my dad to be obligated to demonstrate that he’s over whatever age that’s necessary to attend it, or is it sufficient for him to affirm, like with a checkbox or something like that, that he is over that age? Where are we going to draw the line? And if we’re going to require him to demonstrate that he’s over that particular age, where’s that technology gonna lie and how is it gonna work?

Dave Lockie:
Plus, what if I am an AI agent who wants to provision some hosting, but I’m only 3 days old?

David Snead:
But now we’re talking about the age of AI agents. Holy Christmas.

Robert Jacobi:
Uh, welcome to Emerging Tech, Mr. Snead.

David Snead:
I am not— I, I’m not, I’m not sure that I have the, uh, the base of knowledge to answer that question.

Robert Jacobi:
Uh, Dave brings up a great point. Uh, are we gonna have to date our agents for the agentic revolution? Um, and then conversely, just to go back to the Metallica example, because I’m thinking it’s I’m loving the fact that we’re talking about Metallica this much. But B, uh, what if they don’t want old folks at the concert? Can they be like, oh, are you over 33? Uh, no, we can’t sell you a ticket. Just saying, you know, I don’t want to go to a concert filled with white hairs.

Dave Lockie:
That’s like, uh, age discrimination though.

Robert Jacobi:
But I mean, the tech would allow you to do that theoretically, and then you’d have to go back through the legal processes of legal processes.

Dave Lockie:
Okay. All right. So let’s switch gears a bit because I feel like this is maybe a difficult question and anyone who’s running a hosting company that wants to help solve this problem should probably join the SHA and contribute a much wiser voice. Let’s switch gear to government surveillance and how much they actually need any How, like, which agencies need what kind of data from those kinds of things anyway, when we live in an age where, like, the Pentagon is battling Anthropic publicly about whether they can use their AI to go and— did you read this? Like, the reason that Anthropic said they didn’t want to give their no-guardrails tech to the Pentagon wasn’t because they disagreed with deploying it in fully autonomous killing machines, but that the AI wasn’t good enough yet. And so they wanted to work—

Robert Jacobi:
Well, because the AI, like 70% of the time, said nuclear war was the correct answer to the problem.

Dave Lockie:
Yeah.

Robert Jacobi:
And so it’s WarGames 1983 all over again. We have our new WOPRs.

Dave Lockie:
Yeah.

Dave Lockie:
So, but like, I guess for the SHA, hosting is extremely relevant. How do you see it fitting into the broader data collection surveillance, law enforcement, national security conversation?

David Snead:
Oh, I really don’t know how to answer that question. So the, um, I see hosting and the— probably not the hosting that, uh, folks recognize on a daily basis. So this would be like the shared hosting context, right? Like the, uh, the restaurant that I talked about, um, earlier. I see more like the unmanaged hosting, that type of hosting as being very, very relevant to how the impact of what you’re talking, right? So how do you, let’s say I’m a host and I want to restrict how the Department of Defense uses my resources. How am I going to do that? Is there a technological way to do that, um, those types of things. But I, I don’t see hosting, um, writ small, uh, as largely impacted by this. I see larger providers like AWS and Azure and folks like that being more impacted by your question.

Dave Lockie:
Okay. And I’m just going to fire out wild question after wild question until Robert asks something sensible. So you mentioned AWS. I was listening to this story earlier on, on this brilliant podcast called Risky Business. Anyway, they were talking about how—

David Snead:
I’m not—

Dave Lockie:
it is funny, but bear with me, the first bit’s not very funny. So about one of AWS’s data, what do you call them? Data warehouses?

Robert Jacobi:
Data centers.

Dave Lockie:
That’s the word, data centers in Dubai got bombed. Like, you know, it got hit by a drone or a missile or something. Apparently, the funny bit is that the Amazon press release was that an object had impacted the data center. It’s like very careful wording. Anyway, the follow-up conversation was that actually, AWS may well have to simply scorch earth and start again because of the way that they guarantee integrity and security of those warehouses. They have to certify that everything going in is factory fresh, totally clean. And anything that is, so this is equipment-wise, anything that’s coming out is basically being 50 cal’d to dead and it’s got holes and it’s physically dead and incapable of storing information. And in between those two things, the only thing that is allowed to go in is a person with their clothes, like no electronics, no metal or nothing. And so they have this very tight chain of trust that leads to consumer trust to be able to host their stuff there because they can have confidence that there’s not like a, you know, a Chinese spy box in the rack next to their rack, to like, to use a really dumb kind of example. Um, is that a kind of security and integrity part of SHA’s world?

Robert Jacobi:
Oh, from the data source side? No, that’s actually not a far-out question.

David Snead:
So the, the question is, does the SHA have any requirements— Cybersecurity, more broadly. Yeah, any requirements that our members have cybersecurity standards? Will that be accurate?

Dave Lockie:
That would have been a much shorter way of asking the question, for sure.

David Snead:
Well, it’s often nicer to be the recipient of the question than the asker. So the short answer to that is yes. As I mentioned before, we require our members to have continuing education on issues. One of the very specific requirements is that it be on security. So they all have to be up to date, or they have to have processes to stay up to date on security issues and challenges.

Robert Jacobi:
Since Dave brought up the Dubai scenario, we talked about last time, Dave and I did, we touched on data sovereignty and things. Is that a problem if there’s too much data sovereignty? I guess this is to both the Ds on the call because, I mean, are there standards for redundancy, backup, restores, you know, all those fun, you know, our data center just got bombed situations.

Dave Lockie:
Uh, our data center had an object fall on it, please.

Robert Jacobi:
I’m sorry, an object fell on the data center. An exploding cat fell on the data center.

David Snead:
Understood.

Robert Jacobi:
Um, versus, you know, some of the regulatory things that are going on in Europe, and, and certainly, uh, I2 Coalition now, which is for most of its, uh, life been a U.S.-focused institution, is now also, uh, over the last, what, year, year and a half, uh, dipping its toes into, you know, the European regulatory aspects of the universe. Um, can you have it both ways? Can you have data sovereignty, uh, as well as all the things for, you know, redundancy, recovery, backup, and whatnot?

David Snead:
So you’re asking 3 different questions, Robert.

Robert Jacobi:
God, I hate lawyers. Love you, David. Hate lawyers.

David Snead:
That was, I can say it in a non-lawyerly way if you want.

Dave Lockie:
It’s still 3 questions, Robert, even if it’s an engineer answering.

David Snead:
First of all, about the objects, I do love press releases that are written by lawyers. So that is one of my favorite things. I actually hated that when I was in-house. So let’s talk about resiliency, redundancy, and that issue. So that’s the second of your questions. Yeah, it’s hugely important. Right? Like, and it is something that the SHA requires, that our members have the ability to provide services to their customers in a way that is resilient and redundant. I’m really informed by that. The reason that was included is I had a client a long, long time ago whose idea of backing up their servers and the websites was to stick a thumb drive in the back of the server, and the thumb drive, the memory would very quickly get exhausted and just tons of data just wouldn’t get written. And so that’s one of the reasons that’s part of the SHA trust seal. So the third question that you ask is about data sovereignty, and as someone who loves policy and policy issues, this is just a fascinating question to me. And really in my mind, data sovereignty comes down to, as an internet society, as opposed to the societies we all live in, where are we going to draw the line on the partitioning of the internet. So are we going to take a very minimalist view, which is kind of the start of the internet was the internet has no borders, nobody can regulate it, there can be nothing done. The US has taken the position, yes, but we’re not going to regulate the internet except you can’t have any, you can’t provide services to folks we don’t like, folks who are on lists, right? Then you go a little bit further to where Europe is and then you go to Russia and China, which essentially are creating their own intranets. On where do we draw the line? The I2 Coalition is involved in Europe and I have a natural reluctance to think that what Europe is doing is the right idea with the caveat that I felt the same way about GDPR.
And honestly, what GDPR has done is it’s raised the whole internet society writ large’s knowledge about privacy, and that’s been a good thing. And so I think that I’m not as hesitant to look at regulatory issues in Europe as necessarily challenging to the internet. Data sovereignty is going to be a huge challenge for hosting companies because most of the middle of the hosting world is providing services in one particular jurisdiction. And so how are you going to deal if you’re a US hosting company with a data sovereignty issue in Brazil or India or someplace like that?

Robert Jacobi:
So can I extrapolate that and/or expand upon that? And I’m trying to think of the right legal word verbiage that you would like to hear.

Dave Lockie:
Um, go longer, longer words, longer words.

Robert Jacobi:
Uh, uh, can I take it to the next level and say, are— is some of this actually going to be impeding, uh, emerging tech?

David Snead:
Absolutely.

Sponsor Announcer:
Absolutely.

David Snead:
Right.

Dave Lockie:
So that’s the European Parliament’s whole job is to impede progress.

Robert Jacobi:
You know, if anyone stayed through this whole thing, that’s all that you’ve come to the most flammable point made. Europe’s job is to impede emerging tech. Thank you, Dave Lockie.

Dave Lockie:
Apologies. Yeah, um, absolutely.

David Snead:
That— I mean, with, with data sovereignty, uh, and limitations like that, there are— there’s going to be technology that’s excluded. And I, you know, I don’t think that those folks who are making those policy decisions believe that’s a bad thing. I think that they view the trade-off as necessary. In talking about this, one of the things that sticks in the back of my mind is a conversation that I had with one of the EU’s representatives in Washington about speech regulation. And what he said about speech regulation was, look, the European Union is made up of democracies. We’ve been around for a long time. You need to trust us that we know what we’re doing and not just immediately say, you know, okay, this is bad. And we have the knowledge and the background to do that. And I think that that’s the case, right? The European Union in a lot of their policymaking, they understand the trade-offs that are associated with the policies that they’re implementing.

Dave Lockie:
I mean, look, I agree that GDPR has been good in some ways, especially around awareness of your illusion of privacy. But the solution was not—

Robert Jacobi:
Tell us how you really feel, Dave.

Dave Lockie:
Well, you know, allegedly. But like slapping cookie banners anywhere, everywhere was, in my opinion, it’s like an entirely moronic— Like, A, it’s a moronic way to solve the problem when you’ve already got browser settings that already had cookie preference stuff baked in. It’s a degradation of the user experience. And I would argue that that is at least partially the shadow of the result of regulatory capture by centralized tech giants. Because once you accept a Facebook cookie banner, you never see it again. But if you’re out on the open web where Facebook doesn’t want you to be, No, you’d like it. It’s absolute collusion on your entire experience. And so, okay, fine, they spotted a problem, but regulation’s not about spotting— like, half of it’s about spotting a problem and agreeing it’s a problem. Half of it’s about putting rules and guidance into place to solve that problem in the best possible way. And I think, I don’t know about you two, but I definitely don’t feel like that particular recommendation or legislation, whatever it is, was that good. I’m sorry, I just don’t.

Robert Jacobi:
Oh, the, the, the, yeah, the effects of GDPR, especially vis-à-vis— can I use vis-à-vis? Is that fancy enough?

Dave Lockie:
Uh, I’ll let it pass. I’ll let it stand. No objections.

Robert Jacobi:
You know, the, these, uh, you know, cookie bars and pop-ups is not the answer, obviously. And you actually bring a great point up, Dave, about the fact, yes, I can easily be locked into Facebook by just accepting once or rejecting once or whatever.

Dave Lockie:
We’re always— we’re all always logged into Facebook. That’s, that’s the problem, is like, it doesn’t matter whether you’ve actually signed in, it doesn’t matter whether you’ve accepted cookies, because the nature of data collection and brokering, it makes it a farce anyway.

Robert Jacobi:
So the emerging tech should be taking some of this, uh, you know, ZK Passport stuff, uh, embedding our cookie preferences into it, and then every site automatically detects whether we want to be, uh, stalked around the internet.

Dave Lockie:
I think it looks a lot more like that, and I think Apple’s actually done a pretty good job of doing that kind of consent stuff. You know, like if you open an app, a new app, it’ll ask you whether you want to get tracked or not, and you— They totally hilariously stiffed Facebook’s business model when they did that, when they just blocked this stuff at a platform level. But that only works in a closed ecosystem. Anyway, for the last couple of minutes, what I’d love to pivot to is crypto and not Bitcoin, Ethereum, which we’ve kind of touched upon, but the latest incarnation of the crypto wars, like the government, like the emergence of, sorry, let me get my words out. One of the lasting irreversible unarguable benefits of crypto, even if you don’t like it, is the technology like cryptocurrency I’m talking about here is it’s been the biggest driver of cryptographic deployments in years and years. It’s really driven both the cryptographic technology and the implementation of those technologies massively forward. And of course, that is deeply problematic for governments because what happens if you data request a hosting provider and they simply give you a whole bunch of very strongly encrypted data as a result. And it’s the same sort of thing with VPNs. If you want to tell NSA everything you’re up to, go buy NordVPN. If you actually want some privacy, go buy Mullvad that doesn’t log anything. So I’m interested in that part of it. In fact, does SHA care about that kind of encryption and the availability of, or the ability of these service providers to service those data requests from even a totally lawful and appropriate inbound request? Or is that just way outside of what you care about?

David Snead:
It’s not way outside what we care about. So, the underlying— so, what we talk about, what we talk about our trust seal principles is you have the obligation to provide the data that you have to law enforcement and if they request it in a way that is legal where the data is stored. Right, so in, in, in the circumstance that you’re talking about, if the data is encrypted, then either it’s provided in an encrypted state of it if it can, or not provided because the, you know, the, the host can’t identify it at all as responding to a law enforcement request. That’s just generally the answer. There’s, there’s not a, there’s not an obligation to our members that, you know, you figure out a way to decrypt information, if that’s ever going to be possible, and provide it to law enforcement. That’s law enforcement’s job. That’s not a— that’s not a hosting company’s job. One of the things that you do bring up is the I2 Coalition actually has another working group that addresses these issues for VPNs.

Dave Lockie:
So we have a VPN working group that I didn’t mean to talk bad about your members, David, sorry.

David Snead:
These are legit.

Dave Lockie:
I didn’t mean to talk trash talking of ITC’s members. It is just a hypothetical alleged, uh, yeah, yeah.

David Snead:
But quite honestly, what you’re identifying has been, um, a problem for law enforcement forever, right? They, I mean, how they, they get information and they, they can’t decrypt it, or it’s stored in a way that they don’t have technological access to. That is, this is not a new problem for law enforcement, uh, and they’ve been wrestling with it for years.

Dave Lockie:
And so, like, end-to-end encryption on WhatsApp, let’s imagine for a moment that, you know, that is robust and solid, and unless you’re unless you’re getting nation-stated, and, uh, you know, the content of your communications is like, you know, Facebook can’t legally— let’s imagine that, like, Facebook can’t, like, practically can’t serve, uh, like, respond to a request to serve the data because all they can give you is the metadata and the encrypted, like, payloads. Is it not just cheaper for all hosts to do that? Like, I don’t know, maybe this is a bit off base, but like, you know, do you like give some user-level encryption that’s tied to the like auth, uh, that means like, oh well, you know, here it is, but we can’t access it? Like, is that, is that a strategy that some hosts take?

David Snead:
So there are hosting companies that offer services like that. We don’t have any as members, but there are. They, they provide hosting that is not, it’s not accessible. They’re, it’s not accessible to them, right? It’s just essentially services that protect data in a way that can only be retrieved by the user. There are companies that provide. The pejorative name for them is bulletproof hosts, but I don’t particularly like that name because it assumes ill intent. I think for some of these hosts, there might be a good reason that you don’t want anybody to ever have access to the data that’s on the server.

Dave Lockie:
What do we call them? Object-proof hosting companies for now.

Robert Jacobi:
Oh yes, object-proof. That’s right.

Dave Lockie:
Falling object-proof.

Robert Jacobi:
I think maybe—

David Snead:
FOPs?

Dave Lockie:
A fair place to leave this because you’ve been extremely generous with your time and your generous handling of our variable questioning, um, is if you’re running a hosting company, you’re not yet a member of SHA, give us your pitch.

David Snead:
Sure. So, uh, the, there are two main reasons, uh, for being a member of the SHA. One, uh, your customers want it. Uh, you provide a more customer-friendly experience and you can demonstrate that to your customers with a trust seal. And the second is your larger customers, like your web design agencies and folks like that, can then use you as a trusted partner. So it makes you more marketable to the larger world outside. So those are the two main business drivers. The, the societal driver is, look, we want the internet to be a better place, uh, and what we’re doing is, uh, leveling up the, uh, hosts and making the internet a better place, which is a good societal goal, uh, and that’s something— it sounds like a throwaway remark, but it’s something that I think is really important, uh, in the industry that I work.

Dave Lockie:
And I think in a space like this, you know, we to reflect on the conversation. It’s a space full of complexities. There is very seldom black and white answers. And so when we’re navigating those kind of gray spaces outside of absolutes, then that’s often all we can do, right? Is like try and make things incrementally better with whatever’s in our power to do every day. And I think that’s, you know, that is what it is.

Robert Jacobi:
And we’ll get to see you, David, and SHA and I2 Coalition also at the upcoming CloudFest 2026 at Europa-Park.

David Snead:
We will be there. Yep. We’re— I love CloudFest. It is the weirdest, best conference ever.

Robert Jacobi:
It’s a marathon at sprint speed. That’s how I like to look at it.

Dave Lockie:
Sounds like a blast. Well, you two enjoy. David, thank you so much for your time. Mr. Jacobi, thank you for co-hosting. And, um, always a pleasure. And for you listeners, you bravehearted listeners who are still listening, we will see you soon for another variable quality of emerging tech.
