Re: IAB Statement on Encryption and Mandatory Client-side Scanning of Content

[David Lake <d.lake=40surrey.ac.uk@xxxxxxxxxxxxxx>]

Stewart

 

“We need to be clear that it is not the Internet itself that is under threat. The infrastructure works just fine and will continue to do so. The issue is with some classes of application that are deployed using the Internet for communication.”

 

I sat in at-least two Side Meetings during the last IETF where some people asked for application awareness in terms of its content to be handed to ‘the network.’   Whilst couched in terms of enhancing network delivery capabilities we do need to be aware that there are some governments around the world that would very-much like to be able to equate user->content->location and that there are some classes of effectively government-controlled network [1] that could be a position to supply such data.

 

David

 

[1] That is a broad term that I do not reserve just for ‘state-owned’ operations. 

 

From: ietf <ietf-bounces@xxxxxxxx> on behalf of Stewart Bryant <stewart.bryant@xxxxxxxxx>
Date: Monday, 18 December 2023 at 09:19
To: iab@xxxxxxx <iab@xxxxxxx>, ietf@xxxxxxxx <ietf@xxxxxxxx>
Subject: Re: IAB Statement on Encryption and Mandatory Client-side Scanning of Content

> On 15 Dec 2023, at 19:45, IAB Executive Administrative Manager <execd@xxxxxxx> wrote:
>
> The Internet Architecture Board has posted a new IAB Statement on Encryption and Mandatory Client-side Scanning of Content.
>
> Read the full text in the Datatracker: https://eur02.safelinks.protection.outlook.com/?url="">
>
> Abstract: A secure, resilient, and interoperable Internet benefits the public interest and supports human rights to privacy and freedom of opinion and _expression_. This is endangered by technologies, such as recent proposals for client-side scanning, that mandate unrestricted access to private content and therefore undermine end-to-end encryption and bear the risk to become a widespread facilitator of surveillance and censorship.
>
> _______________________________________________
> IETF-Announce mailing list
> IETF-Announce@xxxxxxxx
> https://eur02.safelinks.protection.outlook.com/?url="">

I do not believe this to be a balanced position.

Whilst there is a clear human right to privacy and freedom of _expression_ and opinion there is also a clear human right to be protected from harm by those of evil intent. This is glossed over in this IAB statement.

The primary purpose of the legislation referred to is not to surveil civil society but to protect the weak and vulnerable, and to enable law enforcement to protect us from those that would do us harm. Those that ask the cited governments for this visibility do it under a set of legally enforceable privacy laws.

I find the language associated with this discussion unnecessarily emotive. We need to be clear that it is not the Internet itself that is under threat. The infrastructure works just fine and will continue to do so. The issue is with some classes of application that are deployed using the Internet for communication. The dilemma is how we get the right balance in protecting the spectrum of human rights that are under threat as a result both of the use of encryption and the use of an imperfect security model. As a responsible organisation I think that we need to make this dilemma much clearer in the text and in particular in the introduction and conclusion.

As a technical organisation we need to focus our minds not on pushing back on the compromise approach that is proposed in the legislation but instead in solving the admittedly hard problem of simultaneously providing both communications privacy and legitimate visibility of harmful activities. There will undoubtedly be a compromise solution, but compromise is a core component of the engineering process and regrettably I see no attempt in this statement to articulate this.

- Stewart