Actionable technical outcomes for privacy online

Fred Baker, Internet Engineering Task Force; Cisco Systems

PUBLISHED ON: 29 Jul 2013

This week the Internet Engineering Task Force (IETF) meets in Berlin. Ahead of the meeting, Fred Baker, former long-time IETF chair, calls upon the technical community, legislators and researchers to make a stronger effort to advance privacy online. In his guest commentary for the Internet Policy Review he marks the lines of conflict and details how operational improvements for privacy can be achieved.

When addressing the intersection between technology, especially internet technology, and public policy on privacy, the biggest disconnects are conceptual: policy-makers and consumers come from their various perspectives and technologists from theirs, and their expectations differ significantly.

A motivational example

To give an example, let me tell a story. I attended a meeting with the UN’s al-Qaeda Task Force several years ago. In short, they wanted to prevent the growth of terrorism, and specifically that terrorist organisation. They observed that Internet Relay Chat, a form of instant messaging, was used to distribute the location of their propaganda, and people would be invited to look at it. Some subset of those people became al-Qaeda operatives at some level. So, they asked: could we in the internet please identify any instance of al-Qaeda propaganda in transit over the network and interdict it?

There are several levels of problems with this.

From a policy perspective, it is a request for content control: if a type or instance of content is frowned upon, legally or otherwise, there is a desire to capture metadata and therefore map a presumably-criminal organisation, gather evidence of wrong-doing, or simply block the transfer. Substitute terms like “child pornography”, “Falun Gong”, “news stories”, “discriminatory speech”, or “speech that violates someone’s privacy”, and one will quickly recognise that we each have some kind of content that we would like to curtail, and some kind of content that bothers someone else that we don’t have an issue with. Content control in any form automates decisions that human beings should make for themselves, and invariably fails to solve the problem at hand. People find ways around it, and it may itself become the basis of controversy.

From a technological perspective, there are a variety of other matters, including whether a thing is possible at all, whether information in transit can be inspected or altered at scale, and what doing so costs. We can in fact route traffic past a collector or inspector if we wish. Routing itself generally doesn't cost money, although the equipment and the service might. As with billing cars tagged with a toll-service transponder, or reading the addresses on postal mail envelopes, we can observe some kinds of information about packets easily and at scale. However, looking at content to classify it is difficult (Skype, for example, tries hard to remain unidentifiable, so that recognising a Skype call in progress requires sampling a number of messages and observing that they follow a specific pattern), and is often virtually impossible, especially at scale.

If the request, for example, is to identify traffic containing the words "Falun Gong" or "al-Qaeda" written in a specific character set, one must first enumerate the possible spellings in that character set, which might include the substitution of 'ue' for 'ü' or variations of upper and lower case, and then literally scan every packet as it passes. It is further complicated by the fact that a word can be split across a pair of packets in a variety of ways, and that the data may be encrypted, in which case no amount of scanning finds it. Equipment that can perform that level of analysis at high speed is costly, and frankly such a service is not going to be performed at any scale unless there is a supporting business case. Who might care about Skype? The King of Morocco, a defender of his people's historical faith, wants to prevent insults to the prophet or proselytising. Parents may want to monitor their children's relationships. ITU-T D.50 wants to account for it and charge for it. The list goes on.
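The two complications just named, spelling variants and words split across packet boundaries, are easy to see in code. The following is an added example, not code from the article or from any product: one direction of a TCP stream is modelled as a list of packet payloads, and a naive per-packet keyword matcher is compared with one that reassembles the stream and normalises spelling before matching. The watch list, the packets and the "encrypted" bytes are all constructed test data, and the normalisation rules are one illustrative set, not a complete one.

```python
"""Added example (not from the article): why keyword interdiction on packets
is harder than it sounds.  One direction of a TCP stream is modelled as a list
of packet payloads, and a naive per-packet matcher is compared with one that
reassembles the stream and normalises spelling.  All packets and keywords are
constructed test data."""
import re
import unicodedata

# Constructed watch list in the spirit of the article's examples.
WATCH_LIST = ["Falun Gong", "al-Qaeda"]


def normalise(text: str) -> str:
    """Fold case, transliterate umlauts (ue for u-umlaut), strip other
    diacritics and collapse separators, so that 'AL_QAEDA', 'Al-Qaeda' and
    'al qaeda' compare equal.  This is one illustrative set of rules; a real
    censor needs every spelling the audience actually uses."""
    folded = text.casefold()
    for src, dst in (("ä", "ae"), ("ö", "oe"), ("ü", "ue")):
        folded = folded.replace(src, dst)
    decomposed = unicodedata.normalize("NFKD", folded)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[\s\-_.]+", " ", stripped).strip()


# Keywords are matched in their normalised form.
_WATCH = tuple(normalise(w) for w in WATCH_LIST)


def _hits_in(text: str) -> set:
    return {w for w in _WATCH if w in text}


def scan_per_packet(payloads) -> set:
    """Naive DPI: look at each packet on its own.  A keyword that straddles a
    packet boundary is invisible, and a multi-byte character cut in two
    decodes as U+FFFD."""
    hits = set()
    for payload in payloads:
        hits |= _hits_in(normalise(payload.decode("utf-8", errors="replace")))
    return hits


def scan_reassembled(payloads, window: int = 64) -> set:
    """Stream-aware DPI: reassemble bytes across packets before matching.
    Only the last `window` bytes are carried forward, so memory per flow is
    bounded; `window` must exceed the longest keyword's byte length."""
    hits = set()
    carry = b""
    for payload in payloads:
        data = carry + payload
        hits |= _hits_in(normalise(data.decode("utf-8", errors="replace")))
        carry = data[-window:]
    return hits


# Constructed packet payloads.
PACKETS_SPLIT = [b"... the meeting about Fal", b"un Gong is tonight ..."]
PACKETS_VARIANT = [b"AL_QAEDA statement ", b"Mitteilung \xc3\xbcber FALUN GONG"]
# Constructed stand-in for TLS-protected application data: nothing to match.
PACKETS_ENCRYPTED = [bytes.fromhex("9f3a17c4e8b02d5561aa0c7ef31b9d48"),
                     bytes.fromhex("02e6f9a4b8c1d3e5f70819aabbccddee")]

if __name__ == "__main__":
    for name, pkts in (("split", PACKETS_SPLIT), ("variant", PACKETS_VARIANT),
                       ("encrypted", PACKETS_ENCRYPTED)):
        print(name, "per-packet:", scan_per_packet(pkts),
              "reassembled:", scan_reassembled(pkts))
```

The per-packet scanner misses the split keyword entirely; the reassembling scanner finds it but has to keep per-flow state, which is exactly the cost that grows with line rate. Neither finds anything in the encrypted packets.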

I was once told “all things are possible, to him who doesn’t have to do it.” It is equally fair to say “nothing is possible unless someone is willing to try.” But some things are not in fact technically feasible, and even if something can be done, that doesn’t imply that it is cost-effective or even a good idea.

Actionable Outcomes: what are we looking for?

What we can bring forward is an "actionable outcome". My dictionary defines "actionable" in two ways:

  • giving sufficient reason to take legal action, or
  • able to be done or acted on; having practical value.

What is an RFC?

A Request for Comments (RFC) is a publication of the Internet Engineering Task Force (IETF) and the Internet Society, the principal technical development and standards-setting bodies for the internet. An RFC is authored by engineers and computer scientists in the form of a memorandum describing methods, behaviours, research, or innovations applicable to the working of the internet. It is submitted either for peer review or simply to convey new concepts and information. Some of the proposals published as RFCs are adopted by the IETF as internet standards.

Source: Wikipedia.

I am thinking in the latter sense: having discussed privacy, law and policy related both to protecting it and to sanctioned invasion of it under some set of circumstances, so what? Can we describe considerations that apply to privacy, or to sanctioned invasion of privacy, that the technical community can give effect to? In a related area, security, one example is RFC1984 of 1996 (the IAB and IESG statement on cryptographic technology and the internet), which argues against policies that reduce the security of the internet, and specifically against the escrowing of encryption or signature keys. Another is RFC2804 of 2000 (the IETF policy on wiretapping), which states that the IETF chose not to standardise tools for Lawfully Authorized Electronic Interception (LAES), and calls on those who build them to document their solutions publicly so that they can be analysed and commented on. A third is RFC3924 of 2004, which is exactly such a public statement of an architecture for LAES. In the area of privacy, a recent outcome is the just-published RFC6973 (Privacy Considerations for Internet Protocols), which examines privacy questions in internet protocols and suggests how to analyse them.

I would like to see outcomes of a discussion on privacy between legal, policy, and technology people include a document that, at minimum, adds to the literature and advances mutual knowledge and understanding of what is desired and desirable in both the protection of and sanctioned invasion of privacy from a policy perspective, and what is feasible and cost-efficient technically. It is easy to whine about loss of privacy, or to make statements about what someone else should do. What should we do? What considerations, legal and technical, should we bear in mind?

Understand that there are two basic ways that privacy can be violated: people can observe what we say, and they can observe what we do. Frankly, if we publish an embarrassing picture of ourselves or someone else, privacy has been discarded. Technology is no match for stupidity.

On the other hand, there are technical tools we can use to raise the likelihood that our data remains private, that it comes from or goes to the peer we intend, or at least that it is non-repudiable (provably ours or not ours). These include encryption of content and cryptographic authentication of communication peers and data sources, including cryptographic authentication of network-layer routing information through the Resource Public Key Infrastructure (RPKI). Stronger and more efficient cryptography, such as unencumbered Elliptic Curve Cryptography (RFC6090), will help there; so will simpler user access to such technologies. Encrypting electronic mail with PGP used to be reasonably straightforward; because it was free software, it eventually fell into one of two business models: PGP itself became proprietary and licensed, and the tools for using GPG have been unable to keep up with recent OS changes on Apple computers, because Apple did not recognise a supporting market. The issue is not the availability of standards: OpenPGP exists, as does S/MIME. The development of such a market might drive deployment of the standards, and provide reasons for the scalable deployment of S/MIME or OpenPGP.

Each of these tools was designed by someone concerned about a problem, and subsequently standardised. Standardisation is an important step; human initiative is invariably required first.
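Of the tools listed above, RPKI is the least familiar outside the routing community, so here is what it actually lets a router decide. This is an added example, not code from the article or from any router vendor: the route-origin validation check of RFC 6811 (BGP Prefix Origin Validation) run over a constructed table of Route Origin Authorisations (ROAs). The prefixes are documentation ranges and the AS numbers are private-use; a real router obtains validated ROAs from an RPKI cache after the certificate chain has been checked, which this example does not do.

```python
"""Added example (not from the article): the route-origin validation check
that RPKI data lets a router perform, as specified in RFC 6811.  The ROA
table below is constructed from documentation prefixes and private ASNs; a
real router would obtain validated ROAs from an RPKI cache."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorisation: the holder of `prefix` permits `asn` to
    originate it and any more-specific route up to `max_length`."""
    prefix: str
    max_length: int
    asn: int


# Constructed ROA table.
ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),   # /25 and /26 announcements allowed
    ROA("203.0.113.0/24", 24, 0),        # AS 0: nobody may originate this
    ROA("2001:db8::/32", 48, 64496),
)


def _covers(roa: ROA, route) -> bool:
    net = ip_network(roa.prefix)
    return net.version == route.version and route.subnet_of(net)


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 section 2: 'valid' if some covering ROA names the origin AS
    and permits the prefix length, 'invalid' if covering ROAs exist but none
    matches, 'notfound' if no ROA covers the prefix at all.  A linear scan
    is fine here; a router uses a radix tree keyed on the prefix."""
    route = ip_network(prefix)
    covering = [r for r in roas if _covers(r, route)]
    if not covering:
        return "notfound"
    for roa in covering:
        # An AS 0 ROA never matches: no BGP route is originated by AS 0.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def filter_announcements(announcements, roas=ROAS):
    """Common operator policy: drop 'invalid', keep 'valid' and 'notfound'
    (too few prefixes have ROAs to drop unknowns as well)."""
    return [(p, a) for p, a in announcements if validate(p, a, roas) != "invalid"]


if __name__ == "__main__":
    constructed = [("192.0.2.0/24", 64496),    # legitimate origin
                   ("192.0.2.0/25", 64496),    # more-specific beyond maxLength
                   ("192.0.2.0/24", 64500),    # wrong origin AS: a hijack
                   ("10.0.0.0/8", 64496)]      # no ROA at all
    for p, a in constructed:
        print(p, a, validate(p, a))
    print("accepted:", filter_announcements(constructed))
```

Note what the check does and does not give: it rejects an announcement whose origin AS is not authorised, or which is more specific than the holder permitted, but it says nothing about the path between the origin and the observer, and a prefix with no ROA at all is simply unknown.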

I have a son in the US military. He asked me why he had to log into web sites and prove his identity, but mail delivery to him didn’t have to prove anything to him. His military email system uses S/MIME RFC2634 of 1999, and gmail uses DKIM RFC5585 of 2009. The issue is not that mail is not signed; it is that policies are not in place to validate email and discard dubious mail. I told him to tell his mail providers to install policies that did so.
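What such a receiving policy looks like in practice is shown below. This is an added example, not code from the article or from any mail provider: a receiver takes the results its own verifier has already stamped into an Authentication-Results header (RFC 7001 format), checks whether the authenticated domain is aligned with the domain in the From header, and otherwise applies the From domain's policy. The policy table, the alignment rule and the three messages are constructed; the DKIM and SPF verification itself is assumed to have happened upstream, and in a real deployment the policy would be published by the sending domain in DNS (DMARC, RFC 7489, later standardised exactly this) rather than held in a local table.

```python
"""Added example (not from the article): the receiver-side policy the text
says is missing.  Signing (S/MIME, DKIM) proves who sent a message; this is
the decision step that acts on that proof.  The policy table and messages
are constructed; a real receiver learns the sending domain's policy from DNS
(DMARC, RFC 7489, later standardised that)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed per-domain policy, keyed by the domain in the From header.
POLICY = {"example.mil": "reject", "example.com": "quarantine"}

# Results stamped by this receiver's own verifier into Authentication-Results
# (RFC 7001 format); the verification itself is outside this example.
AR_DKIM = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)")
AR_SPF = re.compile(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)")


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed alignment: the authenticated domain is the From domain or an
    ancestor/descendant of it (simplification: no public-suffix handling)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def policy_for(from_domain: str) -> str:
    """Look up the policy, letting subdomains inherit from their parent."""
    labels = from_domain.lower().split(".")
    for i in range(len(labels) - 1):
        found = POLICY.get(".".join(labels[i:]))
        if found:
            return found
    return "none"


def evaluate(raw_message: str) -> tuple:
    """Return (action, reason): action is 'deliver', 'quarantine' or 'reject'."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    if not from_domain:
        return "reject", "no usable From domain"
    results = " ".join(msg.get_all("Authentication-Results", []))
    for m in AR_DKIM.finditer(results):
        if m.group(1) == "pass" and aligned(m.group(2), from_domain):
            return "deliver", "DKIM pass aligned with " + from_domain
    m = AR_SPF.search(results)
    if m and m.group(1) == "pass" and aligned(m.group(2), from_domain):
        return "deliver", "SPF pass aligned with " + from_domain
    policy = policy_for(from_domain)
    action = policy if policy in ("reject", "quarantine") else "deliver"
    return action, f"no aligned authentication; policy for {from_domain} is {policy}"


# Constructed messages.
SIGNED = """\
From: Sgt Example <sgt@example.mil>
To: family@example.org
Authentication-Results: mx.example.org; dkim=pass header.d=example.mil header.s=sel1; spf=pass smtp.mailfrom=sgt@example.mil
Subject: leave dates

Arriving on the 14th.
"""
SPOOFED = """\
From: "Commander" <cmd@example.mil>
To: family@example.org
Authentication-Results: mx.example.org; dkim=pass header.d=mailer.example.net; spf=pass smtp.mailfrom=bounce@mailer.example.net
Subject: urgent wire transfer

Send the money today.
"""
UNSIGNED = """\
From: news@unknown-domain.example
To: family@example.org
Authentication-Results: mx.example.org; dkim=none; spf=none
Subject: newsletter

Hello.
"""

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED), ("spoofed", SPOOFED), ("unsigned", UNSIGNED)):
        print(name, evaluate(raw))
```

The spoofed message carries a perfectly valid DKIM signature, just not from the domain it claims to be from; without the alignment check and a policy behind it, a verifier that only asks "does the signature verify?" would let it through. That is the gap the anecdote describes.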

Another place for policy relates to service transparency. The issues surrounding DoubleClick, Facebook and Google and their information analytics are well known. Coming from the perspective that privacy is lost by human action and protected by human choices, I would argue that transparency in their analytic and business models is required to enable people to choose wisely.

Who is empowered?

As noted, there are numerous technical solutions in place already. The issue in security technologies tends to be the complexity of use and deployment. This can be surmounted, and Skype is an example of an application that attempts to do so. I would argue that the same is true of privacy. If people ask questions about the privacy issues of the tools and toys they use, and spend their money on tools and toys that preserve privacy, one can expect business to respond to demand. I have nowhere near that level of confidence in governmental institutions; as an American I am inherently skeptical of government in any form, and I understand that Europeans are beginning to understand why.
