IETF – Berlin meeting did not overlook mass surveillance
When the Internet Engineering Task Force (IETF) decided to go to Berlin for its 87th meeting, Edward Snowden was still an employee of Booz Allen Hamilton working for the National Security Agency. But while close to 1,600 internet engineers and researchers were gathered there last week, The Guardian had just published one more slide deck on how mass surveillance à la US is organised. Will the revelations influence the IETF's work? Listening to the debates and to individual engineers, you can say yes and no.
For the first four days, the Berlin IETF meeting worked just as it had before, with dozens of working groups discussing the latest additions to the basic protocols that made the IETF one guardian of the internet, the Internet Protocol (IP) and the Transmission Control Protocol (TCP).
Making the internet a better place – after Snowden?
For years some observers warned that ever more fancy new knobs built on top of existing protocols only added complexity. The regular lunch briefing of the Internet Society, the organisational cover and to a large extent also the financial back-end of the IETF, touched on that very issue: complexity is step by step starting to beat bandwidth as the number one limiting factor for good user experience.
Updates to the ‘http’ web protocol (together with the World Wide Web Consortium) or the seamless integration of services into the one-stop-shop internet browser in the Web Real-Time Communication working group (WebRTC) are supposed to “make the internet better”, which is the motto of the organisation. WebRTC, for example, has pushed for a new, potent open source audio codec (OPUS) where other codecs are mostly proprietary, and hopes to do the same for video. In Berlin, the WebRTC group also pushed back on adding a technical specification that would allow an easier, albeit less privacy-friendly, key exchange for browser-to-browser calls.
Crypto expert Eric Rescorla (an author of the more strongly encrypted variant, DTLS-SRTP) warned that adding it would mean that “private keys could be stored by the providers themselves, especially for enabling of “out”-calls to fixed network or mobile phones from the browsers (like Skype out calls)”, which would allow for easy passive and retroactive snooping.
Rescorla, also an author of Transport Layer Security, the technology that secures packets going over the wire against surveillance, included extracts from the NSA's Xkeyscore surveillance programme in his presentations, illustrating the need for the strongest possible cryptography.
Strong ties to US agencies
At its Danvers, Massachusetts, meeting some ten years ago, the IETF had pushed for cryptography, said the Chair of the Internet Architecture Board, Russ Housley, in one of the rare press conferences of the standardisation body during the Berlin meeting. “We also said, it would be strong, not weak cryptography.”
What is an RFC?
A Request for Comments (RFC) is a publication of the Internet Engineering Task Force (IETF) and the Internet Society, the principal technical development and standards-setting bodies for the internet. An RFC is authored by engineers and computer scientists in the form of a memorandum describing methods, behaviours, research, or innovations applicable to the working of the internet. It is submitted either for peer review or simply to convey new concepts and information. Some of the proposals published as RFCs are adopted by the IETF as internet standards.
Source: Wikipedia.
The so-called Danvers Doctrine was explained in an informational Request for Comments (RFC), which noted that “although the immediate issue before the IETF was whether or not to support "export" grade security (which is to say weak security) in standards, the question raised the generic issue of security in general. The overwhelming consensus was that the IETF should standardise on the use of the best security available, regardless of national policies.” The RFC also underlined that confidentiality might not be a must for every communication – or protocol – and that everybody should be able to use it without being an expert.
The rejection of “weak cryptography” for the potential adversaries (or competitors) outside of the US was not welcomed by all US agencies, Housley said. Despite that doctrine, US agencies clearly still have strong ties to the IETF. Housley himself, a security expert, has been sponsored for his terms as IETF Chair by the NSA.
So the tension between the interests of individual users, including their growing privacy interests, and those of law enforcement agencies, especially in the US, has always been there. But in post-Snowden times, the attention might be greater. “People might start to think more carefully about the designs and also about their employers or institutional customers,” W3C privacy expert Wendy Seltzer said in Berlin.
Privacy by default
“We know they can get virtually everything. The question is what do we do?” was the conclusion of Randy Bush, a long-time IETF participant and routing expert at the Internet Initiative Japan, in a discussion of IETF security people with Tor developer Jacob Appelbaum.
Bush recommended raising the bar for spying on communication by making it more difficult and thereby much more expensive. Hard encryption in as many places as possible on the net certainly did help, said Appelbaum, who came to the IETF for the first time to present the work of the Tor project, a multi-million dollar project that is devoted to that very aim.
The Tor browser bundle, for example, allows for anonymising one's surfing on the net. Tails is a free operating system that routes traffic over the Tor network. The use of privacy-friendly free and open source tools would also be a first step to get away from those services and providers (like Microsoft, Google and others) that are compromised for so-called state security reasons or for plain commercial profiling reasons.
One problem for the Tor network certainly is that the more people use it, the more distributed Tor servers are needed, in order to help blur the traces and also stem a potential attack from agencies that could consider infiltrating the network. To promote Tor and call for support in the technical community certainly was one reason for Appelbaum to come to the IETF. In several sessions, including the open session of the IETF's Security Area, the Tor representatives and IETF participants discussed the next steps to take in order to offer an alternative to mass surveillance.
Appelbaum called on the technical community to make strong (using elliptic curve algorithms) and ephemeral encryption a must for traffic on the net.
Other things are on the way. For example, a much stronger inclusion of privacy considerations – as an aspect of security considerations - into technical design work at the IETF, or a draft document that calls for certificate transparency. Baby steps, these efforts are called by some.
Mandating strict security for just about every http connection recently failed. It is still only an option, which leaves it to operators and users to implement it. To pave the way for more security and confidentiality on the net, the IETF should consider not only privacy by design but privacy by default, Bush said. The Tor team at the same time recommended making surveillance more visible by analysing the mechanics and the instances of spying on communication. Tor campaigner Linus Nordberg said: “When all the pizzas are going to the Pentagon, you know you are at war.”