Technical community debates over taking back the internet

Monika Ermert, Heise, Intellectual Property Watch, VDI-Nachrichten, Germany

PUBLISHED ON: 04 Nov 2013

Rather than ex-NSA employee Edward Snowden, it was security and crypto expert Bruce Schneier who kick-started a raucous debate in the Internet Engineering Task Force (IETF) about "pervasive monitoring." Schneier had called on the engineering community to take back the internet following the revelations about how much state agencies circumvented or broke security in their effort to collect "intelligence." At the 88th IETF meeting, starting today in Vancouver, engineers will discuss reactions to mass surveillance.

Cautious, or rather: diplomatic, words were used by the IETF's current Chair, Ericsson engineer Jari Arkko, in his talks on “pervasive monitoring” at the recent internet governance related conferences from Athens to Bali. The IETF community was “concerned” about the scale of the operations and considering “hardening” the infrastructure, e.g., by securing all instead of just financial and similar sensitive communication. Arkko also hinted at the responsibilities of governments and legislators. Transparency and the rule of law, he concluded at the Bali Internet Governance Forum, were “very good things, and worthwhile to work towards.”

Engineers struggle over their role in privacy protection

Engineers preparing for the IETF meeting in Vancouver have filed more than a dozen draft documents targeted at better securing various parts of the networks: from protecting traffic by default (as mentioned by Arkko) to eliminating weak cipher suites and attempting to remove so-called fingerprints in applications that may facilitate identification, e.g., by eliminating time stamps (which might help with location).

Even the question of how metadata (derived from email headers, for example) could be blurred has been raised. One recent proposal by Microsoft engineer Christian Huitema included the idea of sending messages with the source address not in the email header but as an encrypted part of the payload.

Making a person less visible on the net comes at a cost, however, warned other engineers on the perpass mailing list, which is devoted to the discussion. Michael Demmer from the University of California cautioned that obfuscating sources would provide less metadata not only to spies but also to system administrators who use it to protect systems against viruses, spam and hackers. If too much information was removed, "you have simply exchanged one problem for another, larger one."

Fiercely opposed is Anthony Rutkowski, a former ITU official (now an ITU critic) and former Network Solutions manager. Rutkowski accused the group on the perpass list of "imped[ing] good actors." He called privacy a "religious issue" and the activities of the group "one of the worst examples of IETF upper layer excesses witnessed over many decades."

Could a gay kid in Uganda stay safe with this?

Many experts on the perpass list rejected Rutkowski's attacks, underlining that the IETF had to provide security and a choice for those interested in keeping their communications private. "The approach to get access to meta-data as well as to communication content has taken forms that are largely indistinguishable from ordinary attacks," Hannes Tschofenig, a member of the Internet Architecture Board (a peer body of the IETF), notes dryly in his draft for the perpass effort. Certainly it would be difficult to deny that preventing attacks would be in the IETF's "making the internet work better" remit.

Statements sounding more like "politics," such as the one made by the well respected IETF participant Ted Hardie, will nevertheless fuel the discussion about the IETF being a technical standardisation body. In a very personal statement, Hardie appealed to the engineers: "Beyond these thoughts of the Internet infrastructure changes required to restore trust in the network, I believe Internet engineers need to have a focus on the users of their systems and protocols in order to see the impact of the tradeoffs they are making. An example for me is this: 'Can a gay kid in Uganda use this safely?'"

If the answer was yes, Hardie wrote, chances were that the proposal met reasonable requirements of confidentiality and integrity. "If the answer is 'no', the default response for me will be to take it back to the forge for a bit more fire and shaping. In extraordinary circumstances, another response would be a very strong statement of the limits on when this tool could be used," Hardie recommended.

Technical standardisation is caught up in politics

Many engineers are critical of the scale of monitoring activities – the most recent revelations about the secret tapping of cables inside the Google and Yahoo networks (which move traffic between data centres in the clear) may only add to the anger.

Google and Yahoo meanwhile published an angry letter. Given these developments, the IETF is faced with a fundamental question: "Should the IETF discuss politics?" But perhaps the question should rather be whether technical standardisation can escape politics, or whether it can afford to escape satisfying certain interests. "Code is law," wrote Lawrence Lessig a decade ago, seemingly settling that question. Choices engineers make in their work delimit what users can do in the end – at least if they want to interoperate on a public network.

There have certainly also been complaints about interest imbalances in the IETF standardisation process. Eran Hammer and Blaine Cook, authors who defected from the OAuth Working Group (which standardised ways to authenticate users on the web more easily), warned that the IETF was too inclined to address the interests of the big IT companies. According to Hammer, the 2.0 version was less secure because it had developed into a patchwork that would adjust to "enterprise frameworks." To the hugely disappointed Hammer, the fact that most engineers "show up to serve their corporate overlords" makes the IETF a broken process.

The standardisation processes at IETF, ITU, ISO and IEEE were also too susceptible to the interests of the developed world, French engineer and "trouble-maker" Louis Pouzin said, taking another swipe at the organisation. But the IETF has in fact started to welcome more diversity in an attempt to qualify as a "global" standardisation body.

Moreover, the question of participation in the development of encryption standards – as well as the potential problem of more clandestine manipulation – was raised when the US National Institute of Standards and Technology (NIST) announced it would take another look at the weaknesses of its specifications.

So when the engineers discuss Schneier's appeal to take back the internet, one might very well ask to whom they will take it back.
