> On 15 Dec 2023, at 19:45, IAB Executive Administrative Manager <execd@xxxxxxx> wrote:
>
> The Internet Architecture Board has posted a new IAB Statement on Encryption and Mandatory Client-side Scanning of Content.
>
> Read the full text in the Datatracker: https://datatracker.ietf.org/doc/statement-iab-statement-on-encryption-and-mandatory-client-side-scanning-of-content/
>
> Abstract: A secure, resilient, and interoperable Internet benefits the public interest and supports human rights to privacy and freedom of opinion and expression. This is endangered by technologies, such as recent proposals for client-side scanning, that mandate unrestricted access to private content and therefore undermine end-to-end encryption and bear the risk to become a widespread facilitator of surveillance and censorship.
>
> _______________________________________________
> IETF-Announce mailing list
> IETF-Announce@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf-announce

I do not believe this to be a balanced position.

Whilst there is a clear human right to privacy and freedom of expression and opinion there is also a clear human right to be protected from harm by those of evil intent. This is glossed over in this IAB statement.

The primary purpose of the legislation referred to is not to surveil civil society but to protect the weak and vulnerable, and to enable law enforcement to protect us from those that would do us harm. Those that ask the cited governments for this visibility do it under a set of legally enforceable privacy laws.

I find the language associated with this discussion unnecessarily emotive. We need to be clear that it is not the Internet itself that is under threat. The infrastructure works just fine and will continue to do so. The issue is with some classes of application that are deployed using the Internet for communication.

The dilemma is how we get the right balance in protecting the spectrum of human rights that are under threat as a result both of the use of encryption and the use of an imperfect security model.

As a responsible organisation I think that we need to make this dilemma much clearer in the text and in particular in the introduction and conclusion.

As a technical organisation we need to focus our minds not on pushing back on the compromise approach that is proposed in the legislation but instead on solving the admittedly hard problem of simultaneously providing both communications privacy and legitimate visibility of harmful activities.

There will undoubtedly be a compromise solution, but compromise is a core component of the engineering process and regrettably I see no attempt in this statement to articulate this.

- Stewart