Ok, I've calmed down perhaps enough to respond constructively.
I'm going to try to NOT address the misandry and racial bias in
the message, at least in this thread, mostly because I think it's
not likely to lead to a productive discussion - or at least, I
think talking about the other parts of the blog post is more
likely to be productive. If people want to discuss the prejudices
with me via private email, feel free. If people really want to
discuss them on the ietf@ list, I'll ask that they use a different
subject line.
I'm also going to resist the temptation to talk about the problems
associated with prosecution of CSAM-related offenses, and of
surveillance powers granted to law enforcement ostensibly to fight
such crimes. Again, if you want to discuss in private email,
feel free, but I think it would be a rathole here and somewhat
distant from IETF's scope.
***
- The author points out that strong challenge is "tolerated" in
IETF. Whether he realizes this or not, to be intolerant of
strong challenge would be detrimental to IETF's work in several
ways. In no particular order: such intolerance actually
discriminates in favor of the status quo (good or bad) since it
often is quite frustrating to argue against what everyone is
accustomed to. Such intolerance discriminates against people
with less power than others (for whatever reason), and in favor of
people who represent or are supported by powerful organizations
(including large corporations). Such intolerance discriminates
against people who are dealing with various kinds of adversity for
other reasons, including but not limited to creative people,
intelligent and twice-exceptional people, neuro-divergent people,
and anyone who sees things from an unconventional
point-of-view. Such intolerance discriminates in favor of
people from cultures which are hostile to challenging the status
quo. IETF desperately needs input from "challenging"
points-of-view, because often it's only the challenged individuals
who are willing to speak truth to power.
I would argue, based on the past few years' experience, that IETF
has become very intolerant and hostile to divergent voices,
especially those of neuro-divergent and twice-exceptional persons,
and that this is directly counterproductive to IETF's mission.
This for me is IETF's biggest current problem by far. By
contrast, IETF's radical tolerance of even those who
occasionally made other participants uncomfortable used to be
IETF's biggest strength (again, IMO).
- Re: "IETF takes things that are 70% done and takes them that
last 30%". While this is sometimes true, I don't like it as a
generalization, because when people see that as a template it
unnecessarily constrains the work. I would agree, though, that
IETF works best when it has at least one concrete proposal for
initial discussion, whether or not it uses that proposal as a
basis for its finished work.
- It's certainly the case that an IETF WG participant needs to
subscribe to and keep up with the WG's mailing list. This is a
mixed blessing. The heavy use of mailing lists is both inclusive
(at least in theory participants should not have to travel to
face-to-face meetings to participate effectively) and exclusive
(because it's generally necessary to get "in the loop" early, and
commit significant time to stay in the loop for years, in order to
usefully influence the outcome). Heavy use of interim meetings
(whether virtual or not) degrades the inclusiveness, as does
over-use of design teams. Use of mailing lists has become less
effective than it once was for several reasons: increased use of
HTML email, increased use of handheld mobile devices to
read/answer email (and correspondingly shortened attention spans
for both reading and replying), and differentiation in user
interface between mail user agents (including but not only
webmail). Use of github also has degraded the once-inclusive
nature of mailing list conversations, and at least the expectation
of using xml2rfc has added barriers to effective participation,
because not everyone is skilled at using those tools. (By
contrast, I'd judge the datatracker to be a huge positive.)
- I note that the author's ability to set up a side meeting to
discuss an area of the author's concern demonstrates that there's
still some inclusive spirit in IETF, and willingness to discuss
controversial (and in this case actually quite threatening)
topics.
- The problem of rehashing old discussions is a longstanding
problem in IETF, one that I've seen for the entire history of my
participation. We can't endlessly rehash old discussions because
that's exhausting, and because it tends to lead to decisions being
overturned due to exhaustion rather than because of any kind of
merit. A related problem is that the people who originally made
such decisions may have passed away or moved on from IETF, and not
be in a position to explain why those old decisions still have
merit. So over the long term there's an alarming tendency for
IETF to favor naivete over experience, and also to favor change
for change's sake over stability, that I'm seeing more and more.
And yet, clearly we need to be able to both retain memory of
reasons for old decisions AND be able to reconsider old decisions
once in a while. Just not continuously.
- "the IETF itself does not develop
anything, it creates\debates\ratifies new or existing internet
technologies that are seeking standardisation. I proposed that
even if the community as a whole does not agree with
filtering, if it is happening or going to happen, then the
IETF does have a role in documenting best practice, creating
standards which do not impinge on user privacy."
First of all, the premise is misinformation. IETF does
develop some things and SHOULD develop some things. IETF
SHOULD NOT constrain itself to only refining or ratifying
technologies developed by others. This is one of many bits of
unfortunate and misleading but commonly-repeated IETF lore,
and I wish we'd quash it somehow.
I would tentatively and cautiously agree with the author of
that post that IETF should have a role in documenting best
practice. If I use the somewhat-less-controversial example of
spam filtering, there's a tremendous amount of poor practice
in deployment, that has a tremendous adverse effect on the
reliability of email as experienced by users. I believe IETF
could at least somewhat improve this situation by citing some
good practices (if any can be found) and calling out poor
practices.
On the other hand, it's always dangerous for IETF to make
statements of the form "if you must do this bad thing, please
do it this way rather than this other way". One very real
danger is that such a statement will be taken as an
endorsement of the bad thing, or inadvertently encourage that
bad thing, no matter how that statement is labeled (say,
informational vs. BCP).
In making such decisions, IETF should always consider BOTH
balance of harm AND likely long-term effects. While
production of CSAM is no doubt a heinous crime, it would be
dangerously naive to assume that surveillance capability won't
be misused AND that mechanisms intended to protect people's
privacy won't be deliberately degraded over time, because
those attacking such mechanisms (whether or not they are
considered to be on the side of "good") have a nearly-inherent
long-term advantage over those developing the protective
mechanisms. And even if one strongly believes that the cause
is just, it may be naive to assume that the surveillance
capability will have any positive benefit at all.
One question that IETF should always ask is: If this
technology were deployed and found to do far more harm than
good, could it be effectively prevented from doing further
harm, without trusting the parties benefiting from the
technology to Do The Right Thing?
And for those who think IETF has no business having an opinion
about such tradeoffs, I respond that we're some of the few
people in a position to effectively advocate for people's
legitimate privacy interests. Governments, in particular,
will always be biased against such interests (no matter what
they claim). Governments' desire for (the delusion of)
omniscience is too great to keep people safe, just like many
governments' desire for nuclear weapons is too great to keep
people safe. As for big corporations, even those claiming to
care about their customers' privacy seem to really be more
interested in monetizing customers' data for their own
benefit. And quite often they collude with governments to
the detriment of everyone's privacy.
(Note that it's a huge stretch to imply that support for
detecting or suppressing CSAM in the Internet is in any
way "best practice". That's at best a very one-sided
argument. It's also a huge stretch for the author to
claim that he represents "civil society" any more than
anyone else.)
- "I described how privacy enhancing
technology has demonstrated that two bits of information (such
as URLs) can be compared, matched, and actioned without knowing
anything of value about either part or communicating anything to
third parties."
This is specious and irrelevant. It's like arguing that if
the lock on your front door is secure, you don't need to worry
about the security of your first-floor windows.
You have to take a comprehensive view of the whole system to
meaningfully evaluate it and any risks that it presents.
Another part of the problem with these arguments in IETF
context is that IETF generally only concerns itself with
protocols, but protocols are only one piece of the whole
system, which necessarily has human (and therefore
corruptible) elements. Even if IETF managed to approve a
"secure" protocol for exposing use of CSAM, that protocol can
likely be exploited in the context of a modified or different
system. That whole system is NOT something that IETF is
likely to be able to usefully influence, and it absolutely
will have exploitable flaws. So it is inevitable that any
"back door" that IETF endorses, helps develop, or assists will
be misused - and likely, eventually, on a large scale.
- "I believe the side meeting would have
benefitted from a practical example of how privacy-preserving
web filtering could be done at a network level to move beyond
the theoretical ‘slippery slope’ arguments to a more technical
(rather than ideological or emotion) assessment of real-world
solutions."
Another tremendously naive statement, but it at least
acknowledges the need to have a reasonably-complete example to
discuss instead of just making handwaving arguments.
- "The nature of the debate can, at
times, be very robust and I can see why many would be deterred
from contributing or even participating as a result."
I won't argue with this, but I will emphatically state that
many subjects that IETF deals with require
robust debate. For example, the issues surrounding
encryption are tremendously important, and it's
counterproductive in the extreme to squelch the voices of some
participants for arbitrary or poorly defined reasons. We need
to encourage robust debate even if it sometimes becomes
strident, and encourage all parties to be able to speak their
minds about these important topics even if
(perhaps especially if) their voices shake, while still looking
for ways to enable those who are less confident, or who are less
free to speak their minds for other reasons (say government or
corporate pressure) to be able to be heard.
Another thing that this statement fails to acknowledge is that
intolerance of robust debate can also deter many people from
contributing or participating. Many engineers will
quickly realize when an environment won't let them contribute
usefully, and many of them will prefer to instead invest their
energy where they can make a useful difference.
- "Similarly, there is very limited diversity amongst
participants, be that in terms of gender, ethnicity, or
background, with a large percentage of people being white, male
attendees from Western Europe or North America, mainly working
for companies in the tech sector."
I won't argue with this statement either (even though it bugs me
in a way - see below), and agree that IETF could improve in
diversity of various kinds. I'm especially concerned about the
over-influence of corporate-sponsored participants, AND of the
lack of representation from parts of the world for which
Internet access is perhaps less capable than elsewhere, and a
few other categories.
But I also can't help but observe that one person's notion of
diversity or balance is another person's notion of prejudice.
I tend to believe IETF should ideally not favor or repress any
particular set of people, but rather something closer to: maximize
the chance that all points-of-view are represented and heard.
But I also recognize that this goal will also be found to
have shortcomings given enough scrutiny.
- This blog post illustrates a growing
problem for IETF, which is that IETF (and with it the Internet
itself) is increasingly subject to public attack from naive
parties who (quite naturally and perhaps unintentionally) bring
their own prejudices into the discussion without those
prejudices being subject to scrutiny. It's an asymmetric attack
that has a potential to do tremendous harm to the Internet.
Oppressive governments and corporations will use such methods as
well if they think it helps them degrade Internet privacy or
security. I suspect that IETF needs to find a way to compete
with those voices more effectively than having individual
participants or even IETF office holders respond to blog posts.
Keith