[ n.b. to those on the ietf@ list -- I am not subscribed there, so if you want me to see your reply, please CC: me ] IAB, I'm surprised this statement was published. It might be appropriate as a press release from a civil society org, but to me (as a former member is the IAB) it falls short as an IAB statement. It begins: > A secure, resilient, and interoperable Internet benefits the public interest and supports human rights to privacy and freedom of opinion and expression. This is endangered by technologies, such as recent proposals for client-side scanning, that mandate unrestricted access to private content and therefore undermine end-to-end encryption and bear the risk to become a widespread facilitator of surveillance and censorship. This is an appeal to human rights impacts, not impact on the Internet infrastructure. While I suspect most IETF participants care deeply about human rights, no one comes to the IETF or IAB to get a read on the human rights impacts of an action. Those who are designing and implementing the laws you express concern about already have access to a variety of resources (internal and external) with far more expertise regarding human rights impact. People _might_ pay attention to the IAB and IETF when we highlight impact on the Internet infrastructure. The remainder of the statement touches on some, but does so in a way that loses nuance. For example, while the statement cites RFC6973 when saying that "surveillance of any form [is] a threat to Internet user privacy", it fails to note that very RFC qualifies this warning with "If an individual authorizes surveillance of his own activities, for example, the individual may be able to take actions to mitigate the harms associated with it or may consider the risk of harm to be tolerable." That is very relevant to the matter at hand, but it wasn't acknowledged or explored in the statement. That's not to say that the IAB shouldn't or couldn't construct a statement that offers arguments as to why mandatory client-side scanning is harmful to the Internet. However, the focus of such a statement should be on the impacts on the Internet, and the tone should be that of a reasonable and expert technical advisor. Of course, that’s just my opinion; the IAB can publish what it chooses to. However, if the IAB becomes known for publishing statements like this one, it may find that it loses the ability to effectively communicate a considered technical perspective when it needs to do so in the future. Cheers, > On 16 Dec 2023, at 6:45 am, IAB Executive Administrative Manager <execd@xxxxxxx> wrote: > > The Internet Architecture Board has posted a new IAB Statement on Encryption and Mandatory Client-side Scanning of Content. > > Read the full text in the Datatracker: https://datatracker.ietf.org/doc/statement-iab-statement-on-encryption-and-mandatory-client-side-scanning-of-content/ > > Abstract: A secure, resilient, and interoperable Internet benefits the public interest and supports human rights to privacy and freedom of opinion and expression. This is endangered by technologies, such as recent proposals for client-side scanning, that mandate unrestricted access to private content and therefore undermine end-to-end encryption and bear the risk to become a widespread facilitator of surveillance and censorship. > > _______________________________________________ > IETF-Announce mailing list > IETF-Announce@xxxxxxxx > https://www.ietf.org/mailman/listinfo/ietf-announce -- Mark Nottingham https://www.mnot.net/
