RE: Last Call: <draft-farrell-perpass-attack-02.txt> (Pervasive Monitoring is an Attack) to Best Current Practice

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>       We should not approve an IETF policy statement
>      until we have a good idea of the way we will use it.

I'm struggling a bit with this statement -- it seems just as broad as the
draft under discussion, and just as much of a "policy" as the draft under
discussion. 

What does a "good idea," actually mean? That we have a fairly well defined
way to accomplish any particular goal before going about stating those
goals? That we should not go about trying to accomplish something until we
already have a good idea of how to accomplish it? If so, I don't think this
is a good result. The point of engineering seems, to me, to be that you
choose a goal, then you find a way to get to that goal. You might, on
stating the goal, find there's no obvious way to fulfill the goal, but
that's when you turn to research and lots of thinking, rather than simply
declaring the goal unreachable, and hence not worth articulating.

As for the politics piece -- I don't read this draft as political. The
problem is, rather, a more practical one -- if the Internet is made up of
systems and protocols that are essentially completely open to anyone reading
anything you send, post, or otherwise place into an IETF designed protocol
at any time by anyone, then the Internet isn't a place where anyone is going
to want to actually do much of anything at all. The general objections to
this are twofold:

- If you've not done anything wrong, you have nothing to hide. Refuted on
multiple occasions. You can begin by observing that "wrong," is, in the
modern world (and unfortunately), a completely relative term. It might mean
something completely different tomorrow than what it means today, but the
electronic record, as things stand today, is generally permanent.

- If you don't want to hide it, then don't put it on the Internet. Ten years
ago, no-one thought information about who your friends are (or what you eat
for dinner on a regular basis) had any economic worth. Today, this
information is considered valuable, and hence information you might actually
want to be careful to control in some way. What will suddenly be discovered
to be valuable in ten years' time? We can't even guess, so the better
statement is -- you should hide everything unless you've made a conscious
decision to unhide it. The default shouldn't be, "let everyone see," the
default should be, "let no-one see." 

There is an elephant in the room that I think needs to be brought out and
recognized: people don't make millions/billions on this information just by
knowing it. No-one pays a search engine provider to find out what's in your
email just because they want to know. They pay to know what's in your email
so they can (hopefully) change your behavior in some way (buy this rather
than that, you need that even though you hadn't thought of it before), or
your beliefs (vote for Joe rather than John). We are playing with something
that's more than just "I don't want people to know stuff about me," here.
This comes down to a fundamental level of trust -- who am I revealing
information to that might be used to shape my thoughts and actions in the
future, and how can I control the revelation of that information?

The fact is that the IETF has designed a suite of protocols that are mostly
unsecure, and widely used in a world where we're just starting to see the
importance of security around not only your credit card number, but also
your address book. That the IETF should make a statement saying, "we seem to
have something backwards here, and it's about time we reverse our
assumptions," isn't a political statement at all -- it's a facing of
reality. That the facing of reality has come about through any particular
political situation shouldn't imply that the statement is generally
political -- reacting to a political situation with a statement of a change
in policy isn't a political reaction, nor even (necessarily) a reaction
against the politics. Rather, it's just saying, "hey, we didn't think about
this problem before now, but now that we've thought about it, we need to set
some new goals."

Don't confuse the on list argument about politics with the actual point of
the draft; they're two different things entirely.

Anyway, that's my 2c. I've read the opposing arguments, and I'm still in
support of this draft.

Russ 





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]