[here's a simplistic plaintext rendering such that Bruce's document itself
will also be cached in the mailing list archives.
original: <http://perens.com/works/ietf/perpass/appropriate-response/01.pdf>]
perens-perpass-appropriate-response-01
Reply to draft-farrell-perpass-attack-00
On Appropriate Response by Internet Protocol Designers to Pervasive Monitoring
Bruce Perens <bruce@xxxxxxxxxx> +1 510-4PERENS
3-December-2013
"If I were my predecessor, I'd order a full-scale attack on Webistan.
Fortunately Webistan doesn't exist, so I've just had to deal." - Barack
Obama [1]
Introduction
Draft-farrell-perpass-attack-00 [2], or “Farrell” for short in this
document, proposes that pervasive monitoring of the internet is an attack,
and that IETF should work to mitigate the attack. [3]
When a standards organization attempts to deal with political issues,
discussion only poorly fits their normal working framework. Organizations
like IETF vastly prefer to develop a virtually unanimous consensus based on
technical merit before going forward with any proposal. Political discourse
yields a majority position but consensus is very rarely achieved.
Farrell is in the form of an Internet Draft. Such drafts are intended to be
technical documents of the best practices of the Internet protocol
designers, and are not particularly appropriate for political discourse.
Thus, in this reply the Internet Draft form is discarded.
The canonical home of this document on the Internet is
http://perens.com/works/ietf/perpass/appropriate-response/
Technical Attacks vs. Attacks Upon Sovereign Powers
Farrell proposes that pervasive monitoring of the internet is an attack. For
a protocol design organization such as IETF, “attack” has a different
meaning than an attack upon a sovereign power. An attack in this case is a
deliberate attempt to defeat the correct technical operation of the
Internet. In this case, that feature is communications privacy [6].
We Can't Ignore The Context
The context, obviously, is Edward Snowden's revelation of NSA's mass
surveillance program. This was discussed at IETF 88 in Vancouver, November
3-8, 2013, and Farrell results from this discussion.
Farrell avoids any discussion of context or intent:
"The term [attack], when used technically, implies nothing about the
motivation of the bad-actor mounting the attack, who is still called a
bad-actor no matter what one really thinks about their motivation."
Thus, Farrell rejects the motivation and identity of the attacker as irrelevant:
"The motivation behind pervasive monitoring is not particularly relevant
for this document, but can range from non-targeted nation-state
surveillance, to legal but privacy-unfriendly purposes by commercial
enterprises, to illegal purposes by criminals."
This is an attempt to transpose what is actually a political problem into a
purely technical one, and thus to arrive at consensus on a technical merit
basis alone within IETF's standards development framework.
Technical Attacks by Sovereign Powers, vs. those by Commercial Entities or Criminals
The appropriate responses to attacks by sovereign powers, commercial
entities, and criminals are not necessarily the same, because of the legal
framework that applies to them:
Criminal activity is, obviously, covered by criminal law, and technical
responses which deter or prevent criminal activity without otherwise causing
damage are in general on a range from appropriate to required. Failing to
lock a thief out of one's home is seen as a lapse of due diligence.
Marketing a lock which is easily subverted by thieves might be seen as
negligence.
Attacks on consumer privacy by commercial entities are generally within the
domain of civil law. For example, HIPAA is a U.S. law defining civil rights
with regard to the privacy of an individual's medical information. However,
it is important to note that individual privacy is far from universally
guaranteed. In particular, the conduct of an individual using facilities
owned by another entity is not necessarily private, and the overriding
rights may be those of the property owner. Technical responses to attacks on
individual privacy in the context of facilities owned by another entity may
violate the rights of that entity to the extent that they fall under civil
or criminal law, or may be appropriate, depending on the context.
Technical attacks by sovereign powers are in general justified by those
powers as being part of law enforcement. The justice of such enforcement is
the topic of political discourse and the courts. In general, sovereign
powers enact and enforce laws against the hindrance of law enforcement by
technical means. Such laws to some extent override civil rights such as the
right to privacy. Technical responses to attacks on individual privacy by
sovereign entities may be held as acceptable, criminal, or even treasonous
conduct by those entities.
Proposed Implementation
It has been proposed on the HTTP 2 designers email list to implement the
intent of discussion at IETF 88 by encrypting every web access by everyone
in the next version of the HTTP protocol, despite the significant technical
disadvantages that would be caused by such encryption. The explicit purpose
given by more than one proposer on the mailing list was to make it
impractically expensive for a sovereign power, specifically the NSA acting
on behalf of the United States, to surveil the web [4]. As web servers and
browsers adopted the new HTTP 2 protocol and use of the older HTTP version
diminished, NSA and its ilk would be overwhelmed by the amount of data that
would have to be decrypted in order to implement pervasive monitoring. Or so
the proposers think.
Most important about these proposals is their stated intent to hinder NSA
and its ilk in the task of law enforcement. It may be that the means of this
law enforcement are themselves illegal, or they may simply be so repugnant
that they should be illegal. If so, the only acceptable forums for reforming
them are political discourse and the courts.
The Internet is not a Sovereign Entity
It was once popular to think of the Internet as a virtual place outside of
the purview of governments. In reality, there has never been any significant
obstacle to the enforcement of law regarding conduct carried out upon the
Internet by a nation's citizens.
IETF is not acting on behalf of a sovereign power, and has no power to
hinder monitoring for the purpose of law enforcement in contravention of
some nation's laws, no matter how unjust or repugnant that monitoring may
be. The proposers and implementers of systems intended to hinder law
enforcement are arguably a criminal or treasonous conspiracy. Going ahead
with implementation on this basis would be inadvisable.
Exclusively Technical Solutions Do Not Lead To Justice
There are some situations where surveillance by a sovereign entity is
appropriate, for example one in which there is a clear and present danger of
criminal violence which can be avoided if law enforcement is properly
informed. Few would call for absolute protection of the privacy of those who
carried out the Boston Massacre. The overriding right in this case is that
of the common person to bodily integrity as they carry out their
conventional activities in society.
A more mundane, but still important, use of surveillance is the monitoring
by network administrators of their own networks, including in their homes.
For example, this is a significant issue with devices which we have but do
not entirely control, such as the ubiquitous iPhone. Autonomous software on
such devices can make use of the camera and microphone for more invasive
surveillance than Orwell ever dreamed of. Monitoring of our own devices to
prevent such misconduct would be chaffed by the proposed universal
encryption, making good and harmful communication indistinguishable from
each other. [5]
There are, obviously, situations in which surveillance by a sovereign entity
is inappropriate and results in unacceptable injury, in particular
surveillance as part of the prosecution of peaceful political dissidence.
Dissidents are imprisoned or executed in many parts of the world with the
assistance of such surveillance, and the civil rights of entire populations
are curtailed.
Thus:
If we technically hinder appropriate surveillance, we will have blood on our
hands.
If we technically permit inappropriate surveillance, we will also have blood
on our hands.
There is no technical solution to this conundrum. The only thing that can
excuse our conduct is our participation in the political process through
which we can do our best to find a balance and to mitigate the harmful uses
of our technology.
Inappropriateness of Universal Encryption
The universal encryption of HTTP connections proposed on the working group
mailing lists would hinder the technical operation of the internet.
A great amount of Internet content, perhaps the majority, is in the form of
static files or invariant information stored at public URLs that can be
accessed by anyone. I'll call this “static content” for short. Images,
videos, web audio, JavaScript, CSS, and much of the text of the web fall
under this definition. None of these things are secret and there is little
reason to obscure an individual's access to them. The encryption proposed
does not obscure what web server is being accessed or the date and time of
the communication, nor is there a practical way to do so, so it would not
hide much of the “meta-data” which NSA is said to collect.
Much of this static content is the “background” of web pages, and URLs to it
are not actually typed in by the user, but are a part of the web page itself
and are requested automatically by the browser as part of displaying the page.
Transferring this information “in the clear” rather than by using encryption
is the highest-performance means of providing web content. To encrypt all of
this information would actually slow down the web. There is also an energy
cost: the electricity wasted by all of this encryption would likely result
in megatons of additional carbon emitted from the burning of fossil fuel for
electric generation, as well as otherwise-avoidable social and economic
costs of renewable energy sources.
Encrypted content makes caching web proxies more difficult to implement, and
much more likely to be avoided by the user. While such proxies were not
significant in the early years of the internet, the use of transparent
proxies by large internet providers has made their effect more significant
in recent time, as has the advent of commercial outbound proxy providers
such as Cloudflare. Web sites which I manage achieve a 50% bandwidth savings
today due to proxies and caching. Strategies that reduce rather than
increase the use of proxies would be a step backward for the internet,
further slowing down the user experience and increasing system costs. Better
to design strategies that increase caching while curbing its abuses.
Universal Encryption Would Not Hinder Commercial Surveillance
When you get a product for free on the web, you are usually the real
product. Thus, surveillance of web transactions by corporate entities is
ubiquitous, mainly for the purpose of targeting advertising so far.
Companies are collecting a huge database of all of our interests,
preferences, and activities. There are many completely legal uses for this
information that might not really be in our best interest.
Unfortunately, encryption doesn't help with this. The information being
collected comes predominantly from web servers and browser tool bars, which
are on the ends of the communication where it is necessarily decrypted. The
server owners and software providers profit from using or selling user data.
It has been proposed that anonymity be added as a universal Internet
feature, so that no server can identify who is behind the browser at any
moment. However, there is no onus upon web content providers to serve their
pages to anonymous users, and if such service interferes with the profits
derived from surveillance, they will stop doing so and will demand that
users log in or otherwise defeat anonymity. For many sites, this is already
the case. Just try browsing the web without cookies enabled, and you'll
quickly find that many sites won't work at all.
Proposals Would Take Away User Choice
"He will *definitely* be punished severely if he proposes putting security
choices in the faces of ordinary humans; no “probably expect” about it..." -
Tim Bray, to the HTTP Working Group Mailing List, December 3, 2013.
The attitude within IETF working groups concerned with this issue,
unfortunately, appears to be one of contempt for users and even web site
operators. It's almost universally held within the working groups that users
can't be responsible for their own security, even with the assistance of web
browser designers, and that the choice must thus be taken away from them.
Similarly, working group members are not confident that site operators can
ever understand where to use HTTPS vs. HTTP, so the choice must be taken
from them as well. What makes the proposers better able to make this choice
for the whole world was not obvious to me.
Today, users have the option to request HTTPS URLs preferentially, and they
can obtain browsers that do so automatically if they believe that this will
enhance their privacy. Some sites are already set up to always provide
HTTPS, at the site operator's choice rather than the user's.
However, not everyone wants to be a new member of the Concealment Society.
Just look at how much information people share on social networks,
enthusiastically feeding the corporate databases well beyond the reach of
any encryption.
Today's implementation of encryption that is turned on or off per page is a
much better strategy than universal encryption. It lets us have encryption
where it's useful, like on login pages and where we provide personal
information or our credit card number. It allows us to avoid the burden of
encryption elsewhere and not hide what there's no reason to hide. It lets
those of us with special needs turn on encryption preferentially. And it
doesn't help someone to blow you up the next time you run a race. What's not
to like about that?
Conclusion
The HTTP working groups have a lot to do just to make the web operate better
and more efficiently. Having them force unwanted, mostly ineffective, and
sometimes outright harmful extra security on the whole world has already
distracted from the completion of their work.
IETF is not the proper venue to handle pervasive surveillance, which is a
political and legal issue rather than a technical one. IETF participants
simply don't have the right to make decisions about it for the whole world.
But they can help, by participating in political discourse and bringing all
of their knowledge to the table.
Technical people are not politically empowered today, simply because so few
of us have chosen to participate in politics. We must change, or others will
change things in ways we don't like.
Footnotes
1. In a campaign email sent to the Yes Lab list, 11/26/2013. Not a parody as
far as I can tell.
2. At http://tools.ietf.org/html/draft-farrell-perpass-attack-00
3. Defined at http://en.wikipedia.org/wiki/HIPAA
4. Actually, NSA is perfectly capable of getting data from the end-points of
a communication, thus making encryption irrelevant. This is especially
efficient when the end-point is a large entity operating an extremely
popular web destination, for example Google or Wikimedia Foundation, which
can be legally compelled to hand over unencrypted data en masse.
It's also possible for governments to compel the producers of computing
hardware, operating systems, encryption hardware, and web servers and
clients. Features for government access probably exist in most home
computers today.
The entire paradigm of public-key encryption will always be suspect because
it depends on the assumption that fast solutions do not exist to the
mathematical algorithms upon which it is based. Specific encryption
algorithms are also suspect because it is impossible to prevent government
influence upon their design.
5. Chaff, in this context, means the concealment of meaningful information in
the midst of deliberately-created noise. This derives from the military
usage defined at
http://en.wikipedia.org/wiki/Chaff_%28countermeasure%29
6. Communication privacy is a relatively recent feature of a few Internet
protocols, and one that is far from universally guaranteed. Thus Farrell is
actually a new-feature request.
---
end