Brian,

...
Although I don't represent the clarity or quality of the draft as anything 
other than -00, I also don't understand what's not clear here.

For those who don't have 6973 open in front of them:

"Surveillance is the observation or monitoring of an individual's communications or 
activities... [and] can be conducted by observers or eavesdroppers at any point along the 
communications path."
A reasonable definition, when we are focusing on cyberspace.
The argument is that this definition is deficient, in that it presumes an 
individual target. The whole conceptual framework of surveillance as an 
activity presumes a target. Legal surveillance requires one in order to get the 
necessary documents signed by the necessary oversight authority. Illegal 
surveillance generally has one in mind because it's cheaper that way.
I would not interpret the definition that narrowly, just because it mentions an individual. Surveillance directed against a class of individuals seems to fit here as well.
(One could make a case that there are indiscriminate attacks by criminal 
networks, e.g. skimming keystrokes from compromised machines to search for 
credit-card numbers... while these are untargeted with respect to individual, 
they're also not really surveillance per 6973, in that it's specific types of 
data that's the goal of the eavesdropping, not the communication or the 
activity in general.)
I'd disagree here too. Grabbing keystrokes is one way to get a password or a credit card number at the source, an alternative to wiretapping. The goal would be the same for an adversary, independent of the means by which it is accomplished.
"Pervasive surveillance" (to mangle the 6973 definition) is "the observation or 
monitoring of all individuals' communications or activities."
I suspect that the Internet is too big even for NSA and its friends to observe _all_ individuals, so this definition seems too narrow, in a different way.
Removing the concept of targeting (even if targeting is done after the fact) 
changes the character of the activity, both in terms of its impact on the 
monitored individual(s) (and -- at the risk of getting too far from the 
engineering -- its impact on the civil society of which the monitored 
individuals are presumed to be members) and in terms of the impact it has 
on protocol design.
I suspect that the sort of very widespread surveillance that we have been discussing is still targeted, in a sense. It may target users of specific providers or specific web sites, either because the folks performing surveillance believe those are good places to gather the data of interest, or because those are places within their ability to surveil. (Remember the joke about the drunk looking for his car keys under the street lamp, not because he lost them there, but because the light was better?)
Specifically, in targetless surveillance, attempts not to become a target are 
meaningless. (Which goes back to someone's... I think it was Yoav's... stated 
desire to increase the cost of pervasive surveillance to the point that he 
dropped out of the target set, which captures nicely the level of sensitivity 
we have to infinite versus finite target sets.)
I understand Yoav's model, and it has a rational basis. However, I have concerns about increasing the "cost" for all users of some service, to make it easier for Yoav to avoid being targeted. This seems like an externalization of cost, not my favorite economic model.

Steve
_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass
