Re: IAB Statement on Encryption and Mandatory Client-side Scanning of Content

The impact on civil liberties is in fact a technical issue because the flim-flam artistes peddling these alleged technologies are insisting that there is absolutely no possibility of there being any compromise to civil liberties resulting from their use.

When a commercial vendor attempts to mandate purchase and deployment of their product by seeking government regulation requiring its use, it is entirely appropriate for organizations affected by same to point out that the technology on offer is snake oil and the promises that it is safe are entirely unsupported. Nor does the subterfuge of wrapping said commercial offering in a 'non profit' mean a damn thing. Last week, I was invited to invest in a well-known organization that has also led people to believe it is a not-for-profit.

Like Barzini, I am not a communist. There is nothing wrong in a technology provider having commercial interests or lobbying governments in pursuit of those interests. But I certainly object to parties in a political debate attempting to conceal their commercial interests by posing as a disinterested party whose only interest is the welfare 'of the children'. 

The US government spends over a hundred million dollars a year promoting the development of software infrastructures to support civil society in other countries. The fact that client side scanning would introduce vulnerabilities that could be exploited by dictatorships and other authoritarian regimes is certainly relevant to the debate.


While it is entirely appropriate for the IAB to comment on the false claims being made by the vendors in this initiative, attention should also be given to the technical commitments that have given rise to this resumption of the cryptowars.

Common to all the current regulation initiatives are demands on THE service provider. The model that has emerged for service provision is the walled garden for messaging and (as a consequence of spam) an effectively closed cartel for SMTP email.

Every one of the regulation proposals targets the service provider, demanding that they effect the gap in the stack. The proposals collapse in an architecture where anyone can establish a service provider and users can choose any service provider and communicate with any other user willing to accept their messages.

This architecture is of course the architecture I adopted in the Mesh. Resisting extraneous regulatory requirements is one of the reasons I took this approach. Another reason being that the EU is demanding interoperation between messaging providers.

Any situation in which communication services are limited to a small group of providers is going to be susceptible to extraneous regulatory demands. As Ithiel de Sola Pool argued in Technologies of Freedom, opening up the provision of communication services is the best guarantor of freedom.



On Fri, Dec 15, 2023 at 7:32 PM Mark Nottingham <mnot=40mnot.net@xxxxxxxxxxxxxx> wrote:


[ n.b. to those on the ietf@ list -- I am not subscribed there, so if you want me to see your reply, please CC: me ]

IAB,

I'm surprised this statement was published. It might be appropriate as a press release from a civil society org, but to me (as a former member of the IAB) it falls short as an IAB statement.

It begins:

> A secure, resilient, and interoperable Internet benefits the public interest and supports human rights to privacy and freedom of opinion and expression. This is endangered by technologies, such as recent proposals for client-side scanning, that mandate unrestricted access to private content and therefore undermine end-to-end encryption and bear the risk to become a widespread facilitator of surveillance and censorship.

This is an appeal to human rights impacts, not impact on the Internet infrastructure. While I suspect most IETF participants care deeply about human rights, no one comes to the IETF or IAB to get a read on the human rights impacts of an action. Those who are designing and implementing the laws you express concern about already have access to a variety of resources (internal and external) with far more expertise regarding human rights impact.

People _might_ pay attention to the IAB and IETF when we highlight impact on the Internet infrastructure. The remainder of the statement touches on some, but does so in a way that loses nuance.

For example, while the statement cites RFC6973 when saying that "surveillance of any form [is] a threat to Internet user privacy", it fails to note that very RFC qualifies this warning with "If an individual authorizes surveillance of his own activities, for example, the individual may be able to take actions to mitigate the harms associated with it or may consider the risk of harm to be tolerable." That is very relevant to the matter at hand, but it wasn't acknowledged or explored in the statement.

That's not to say that the IAB shouldn't or couldn't construct a statement that offers arguments as to why mandatory client-side scanning is harmful to the Internet. However, the focus of such a statement should be on the impacts on the Internet, and the tone should be that of a reasonable and expert technical advisor.

Of course, that’s just my opinion; the IAB can publish what it chooses to. However, if the IAB becomes known for publishing statements like this one, it may find that it loses the ability to effectively communicate a considered technical perspective when it needs to do so in the future.

Cheers,


> On 16 Dec 2023, at 6:45 am, IAB Executive Administrative Manager <execd@xxxxxxx> wrote:
>
> The Internet Architecture Board has posted a new IAB Statement on Encryption and Mandatory Client-side Scanning of Content.
>
> Read the full text in the Datatracker: https://datatracker.ietf.org/doc/statement-iab-statement-on-encryption-and-mandatory-client-side-scanning-of-content/
>
> Abstract: A secure, resilient, and interoperable Internet benefits the public interest and supports human rights to privacy and freedom of opinion and expression. This is endangered by technologies, such as recent proposals for client-side scanning, that mandate unrestricted access to private content and therefore undermine end-to-end encryption and bear the risk to become a widespread facilitator of surveillance and censorship.
>
> _______________________________________________
> IETF-Announce mailing list
> IETF-Announce@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf-announce

--
Mark Nottingham   https://www.mnot.net/


