Hi Alissa,
I'd like to challenge your challenge. :-)
The environment here seems much more
complex than you portray. It is, however,
still all about risk management.
Most users make their choice of provider
and platform based on factors such as:
cost, performance, ease of use, SPAM
and malware reduction, image (i.e.,
account/domain name), mobility,
identity theft mitigation, familiarity,
and social feature sets. Like credit
card fraud protection, some of those
features require a lot of invasive knowledge.
Fortunately, there are a lot of providers
competing in the marketplace.
A much smaller number of users who,
for reasons of employment and the need to
protect sensitive information, will be
using designated platforms/providers
- frequently implementing their national
government security agency techniques
and practices.
An even smaller set of people who are
engaged in serious criminal and terrorist
activities will employ a variety of security
methods to prevent detection and interception.
Typically, the more dangerous the activity,
the more secure the communications employed.
An even smaller set who are paranoid about
government - which may be context dependent
- will also want to employ a variety of readily
available security methods.
Since the inception of messaging networks,
governments and societies worldwide have
instituted surveillance for all kinds of
essential legitimate purposes - especially
where the potential harm to people is great.
There are few if any exceptions, and some
like Italy purport to be the world's leaders.
Most citizens want that to continue because
the risks of not doing so are great. What is
perhaps new is the ability for providers
to make use of some of the same technologies
for commercial services of substantial use
by their customers. Big Data analysis is
growing by leaps and bounds.
So we come full circle back to the subject
of risk management. You can probably assume
that wherever you are, your message traffic
is being seen by at least a half dozen parties
who are at least extracting meta data along
the way. In some contexts, it may be more.
Even in 1995, Scott McNealy urged the
paranoid to "get over it."
So as many have opined, the IETF is a
technical standards body, not an evangelical
organization for socio-political views, and
hopefully will continue to do what it
does well - produce usable protocols - and
leave the implementation choices to others
based on their assessment of the risk.
--tony
On 10/13/2013 5:35 PM, Alissa Cooper wrote:
Hi Steve,
I'd like to challenge your assertions that because Gmail and Facebook have
billions of users, the bulk of Internet users do not care about pervasive state
surveillance of all or most of their Internet communications, and
therefore the IETF's attempts at promoting strong security have thus far been
sufficient. Privacy is often valued contextually. The fact that a user accepts
the trade-offs that Gmail presents (accepting that a private company will scan
her emails in exchange for a snappy interface or beneficial network effects)
does not mean that the same user is comfortable with pervasive government
surveillance that could allow her to be pursued (using police force) under
legal standards that are often vague or uncertain for anything she writes in
every email she sends. The state's ability to impinge on a wide range of
individual freedoms surpasses by far the ability of any single private company
to do so. The line between private and public sector data collection
has obviously blurred as more and more data is exchanged between the two, but
that does not make the two of them equivalent.
For the list: much of this thread's discussion seems to presume that the
business considerations behind individual companies' decisions about whether to
deploy secure protocols or not are unchanged from what they were four months
ago prior to the beginning of the revelations. Yet elsewhere there seems to be
a whole lot of hand-wringing going on about how much business is being lost or
how nervous various customers are in the wake of the revelations. Can we really
assume that no IT managers in charge of enterprise SIP deployments or
middlebox-based backwards-compatibility solutions are even considering
re-evaluating how they balance competing requirements?
Alissa
On Oct 10, 2013, at 5:57 PM, Stephen Kent<[email protected]> wrote:
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass