On Tue, Apr 24, 2018 at 2:11 AM, Dave O'Reilly <[email protected]> wrote: > Tom, > > I think the points you raise below need to be challenged because (a) they are > not a priori true and (b) they oversimplify a much more nuanced situation. > See below. > >>> >>> However, I agree with you that a broader discussion within the IETF of the >>> balance between privacy and the societal need for law enforcement access to >>> data is certainly required. From what I can see in my research so far, the >>> philosophy within the IETF appears to heavily favour privacy over other >>> issues (such as societal rights or rights of victims of crime - represented >>> in this case by law enforcement access to data). I cite as just two >>> examples of this (and believe me I can provide many more): >>> >> >> I think the term "societal need for law enforcement" is euphemistic. > > Not euphemistic at all. The sense in which I meant it was as follows: > > Suppose a member of my family was murdered. Nobody would expect me to conduct > my own investigation into the murder, find the murderer and exact my own > justice. Why not? Two reasons - Firstly because I am in a country that is > governed by the principle of the rule of law and secondly because in such an > environment we (societally) delegate responsibility for the investigation, > prosecution, adjudication and punishment of unlawful acts to the criminal > justice system. There is a tradeoff in this societal deal; I, as an > individual, give up my right to get together a vigilante group and avenge the > murder of my family member but in exchange I have an expectation that the > criminal justice system will look after my rights as a victim of crime (or in > my example, the rights of my dead family member). > > So, I put it to you that in this sense, which is the sense in which I > intended, there is a societal need for law enforcement…unless you’d rather > vigilante justice? > > Out of curiosity, what did you think I was using it as a euphemism for? > >> That seems to presume that the laws are universally just in the first >> place, and that access to the information is always controlled by a >> reasonable legal process like warrants. That is not reality. There are >> hundreds of legal jurisdictions in the world each with their own >> concept of what constitutes a crime. Yes, there are clearly cases >> where the information is warranted when a serious crime has been >> committed for which a reasonable person would say the law enforcement >> access to the information is warranted. However, we've also seen many >> case where the information is be used to investigate "crimes" that >> many reasonable people would not consider meritable to allow access. >> For example, in many regions of the world it is considered a crime >> speaking out against an unjust government. To a lot of people that is >> considered a violation of human rights and such laws are considered >> unjust. I would expect that any proposal that enables governments to >> crack down on freedom of speech, even if the proposal is otherwise >> beneficial, will get a lot of push back in IETF! >> >> > > Although not explicitly stated, your message is certainly implying that the > conclusion of your argument is … and therefore we should do nothing. > > I agree with you that the world is not perfect - when I’m in an optimistic > state of mind (which is most of the time!) I like to think of it as a work in > progress. However, the position that as long as there are repressive regimes > out there where freedom of speech is not respected we should do nothing, is > one that I think needs to be challenged. What about the rights of the rest of > us in the meantime? > > This is the point I’m trying to make: the situation is more nuanced than a > simplistic privacy is good, more privacy is better, total privacy is best > position - this being, at least as it appears to me, the prevailing opinion > within the IETF. All I’m trying to do here is find an appropriate forum > within which to stimulate this discussion. > > Part of the problem that I have noticed is that the discussions of privacy > vs. law enforcement access to data are very ideologically motivated - on both > sides - with neither side apparently willing to accept that the other side > has any validity to their position. Not the first time in the history of > humanity that we’ve had that problem. As with all of the most interesting > problems, there isn’t a right or wrong answer, when considering the conflict > between individual right to privacy and law enforcement access to data - the > solution is not one or the other, but much more likely to be somewhere in the > middle. > Dave,
Sure, then propose a solution for that. As others have pointed out this current draft is one sided and although acknowledges the fact that a balanced approach is warranted, it does nothing to try to find a balance. I'd also ask that you be a little more careful in framing this as a "privacy" versus "law enforcement" issue. They are not mutually exclusive. Many of us believe that privacy is a necessity for liberty, security, and crime prevention. Tom > I don’t expect that I’ll change the mind of most people who have decided that > privacy is the best, boo for law enforcement, and that’s the end of the > discussion - but maybe there are a few people out there who are reading this, > hadn’t thought of this position before, and will think “good point”. That > would be progress of a sort! > > Coming back to my draft document for a moment - it is not intended to address > any of these bigger privacy vs. law enforcement issues. There is a specific > challenge with crime attribution and carrier grade nat that can (perhaps) be > addressed to some extent, in a reasonably privacy sensitive way, with a minor > refinement of existing best practice. The privacy implications of the > proposed solution are already discussed in the document and compared to the > alternative of centralised connection logging. > > Regards, > daveor > > > > > > > > _______________________________________________ Int-area mailing list [email protected] https://www.ietf.org/mailman/listinfo/int-area
