Re: IAB Statement on Encryption and Mandatory Client-side Scanning of Content

Mark Nottingham <mnot=40mnot.net@xxxxxxxxxxxxxx> writes:

> 
> 
> [ n.b. to those on the ietf@ list -- I am not subscribed there, so if you want me to see your reply, please CC: me ]
>
> IAB,
>
> I'm surprised this statement was published. It might be appropriate as
> a press release from a civil society org, but to me (as a former
> member of the IAB) it falls short as an IAB statement.
>
> It begins:
>
>> A secure, resilient, and interoperable Internet benefits the public
>> interest and supports human rights to privacy and freedom of opinion
>> and expression. This is endangered by technologies, such as recent
>> proposals for client-side scanning, that mandate unrestricted access
>> to private content and therefore undermine end-to-end encryption and
>> bear the risk to become a widespread facilitator of surveillance and
>> censorship.
>
> This is an appeal to human rights impacts, not impact on the Internet
> infrastructure. While I suspect most IETF participants care deeply
> about human rights, no one comes to the IETF or IAB to get a read on
> the human rights impacts of an action. Those who are designing and
> implementing the laws you express concern about already have access to
> a variety of resources (internal and external) with far more expertise
> regarding human rights impact.
>
> People _might_ pay attention to the IAB and IETF when we highlight
> impact on the Internet infrastructure. The remainder of the statement
> touches on some, but does so in a way that loses nuance.
>
> For example, while the statement cites RFC6973 when saying that
> "surveillance of any form [is] a threat to Internet user privacy", it
> fails to note that very RFC qualifies this warning with "If an
> individual authorizes surveillance of his own activities, for example,
> the individual may be able to take actions to mitigate the harms
> associated with it or may consider the risk of harm to be tolerable."
> That is very relevant to the matter at hand, but it wasn't
> acknowledged or explored in the statement.
>
> That's not to say that the IAB shouldn't or couldn't construct a
> statement that offers arguments as to why mandatory client-side
> scanning is harmful to the Internet. However, the focus of such a
> statement should be on the impacts on the Internet, and the tone
> should be that of a reasonable and expert technical advisor.
>
> Of course, that’s just my opinion; the IAB can publish what it chooses
> to. However, if the IAB becomes known for publishing statements like
> this one, it may find that it loses the ability to effectively
> communicate a considered technical perspective when it needs to do so
> in the future.
>
> Cheers,
>
>
>> On 16 Dec 2023, at 6:45 am, IAB Executive Administrative Manager <execd@xxxxxxx> wrote:
>> 
>> The Internet Architecture Board has posted a new IAB Statement on Encryption and Mandatory Client-side Scanning of Content.
>> 
>> Read the full text in the Datatracker:
>> https://datatracker.ietf.org/doc/statement-iab-statement-on-encryption-and-mandatory-client-side-scanning-of-content/
>> 
>> Abstract: A secure, resilient, and interoperable Internet benefits
>> the public interest and supports human rights to privacy and freedom
>> of opinion and expression. This is endangered by technologies, such
>> as recent proposals for client-side scanning, that mandate
>> unrestricted access to private content and therefore undermine
>> end-to-end encryption and bear the risk to become a widespread
>> facilitator of surveillance and censorship.
>> 
>> _______________________________________________
>> IETF-Announce mailing list
>> IETF-Announce@xxxxxxxx
>> https://www.ietf.org/mailman/listinfo/ietf-announce

It's a shame that the statement might be interpreted this way,
particularly by someone as respected as Mark.

It might be good to see some clarifications of how dependency between
human interfaces and device integrity can increase risk and decrease
accountability and network management reliability.

There is a discussion, perhaps a recursive one, to be made between
integrity of devices used for communications and human rights and vice
versa.

In many ways the Internet technical communities have managed this
through "open" standards, mechanisms and operating procedures so that
errors, attacks and bad behaviour can't hide and so get exposed and
hopefully dealt with across the scale of the problem distribution.

But if our devices are compromised and our laws force people to
compromise devices and infrastructures, particularly with serious
sanctions for informing even colleagues, risk compliance officers and
senior executives, then that self-healing model cannot heal.

Is there anything else to replace it? I don't think so.

So QED. Covertly compromising devices on shared infrastructures is
risky and potentially, if it becomes widespread, very risky.

?

-- 
Christian de Larrinaga 




