Hi Yoav,

Thanks for reading the draft; some comments in-line.

On Sun, Oct 20, 2013 at 1:47 AM, Yoav Nir <[email protected]> wrote:
>
> On Oct 20, 2013, at 4:21 AM, Ted Hardie <[email protected]> wrote:
>
>> Like most folks involved in this list, I have a personal response to
>> the current situation and some thoughts on how it will impact my or our
>> work in the future. Since I expect we will be pretty short of mic time in
>> Vancouver for thoughts like these, I decided to write them out.
>>
>> http://tools.ietf.org/html/draft-hardie-perpass-touchstone-00
>>
>> is the result. It's quite short but a quick summary is this:
>>
>> Pervasive monitoring induces self-censoring which harms the Internet and
>> its users. At the scale of the modern Internet, that means it harms
>> humanity.
>>
>> We can and should change our approach to Internet engineering and system
>> design to deal with this. There will be costs for that, but we should pay
>> them.
>>
>> It helps me, personally, to focus on a single user when asking whether a
>> system or protocol is appropriate in the current environment. The draft
>> lays out why.
>>
>> regards,
>>
>> Ted Hardie
>
> Hi, Ted
>
> In your draft, you propose we ask ourselves a question about any
> protocol we design, and that question can be something like "Can a gay kid
> in Uganda use this safely?"
>
> IMO nothing we do here can yield an unqualified "yes" answer to that
> question. Nothing here relates to public statements such as personal blogs
> or Internet Drafts. Those are obviously public and the authors are
> identified, and the state apparatus can read them just fine, regardless of
> how secure we make them.
>

I think we agree that there can be no unqualified "yes"; even if the
protocol and application are secure, there is always the risk of the camera
looking over your shoulder. But I want to point out something about blogs
or similar public statements; while some systems require real names, not
all do.

It's quite possible to have an online journal or blog that uses a pseudonym,
and it's actually relatively easy for that to be an okay outlet for a gay
kid worried about pervasive surveillance. If that kid connects to
largeblogsite.example over a TLS protected link, the metadata shows the
connection, but not the content. If largeblogsite has blogs on knitting,
agriculture, and custom cars, there is no signal to those engaged in
surveillance that the blogs of interest are LGBT in nature. The
authentication of largeblogsite.example within TLS to the user needs to be
secure (pinned to a CA, for example, to avoid MiTM proxies), but there are
various ways of making this more trusted (again, no way to avoid all risk;
if the CA is compromised, most bets are off). This doesn't gainsay the main
point about safety, but it shows how thinking about a particular user or
group of users may actually make the general privacy considerations more
concrete.

> So there are two kinds of communications that we would seek to protect:
> public statements made anonymously, and private statements made either
> person-to-person or within a small group. You can't avoid any kind of
> monitoring, pervasive or otherwise, without having both encryption and
> authentication. This is regardless of whether the encryption and
> authentication are with the communications peer or with an anonymizer.
> Encryption and authentication with a middlebox (such as using a web-based
> mail service with TLS) is not sufficient, as the privacy of the
> communications depends on both the trustworthiness of the intermediary and
> strength of the authentication that the intermediary performs. I think it
> would be naive to expect an intermediary providing a web service to resist
> the government. So we're left with mandatory mutual authentication.
>

I think this presumes that there is a single government and a single
potential response from a web service. That may not be valid.

If it is, and you don't trust a particular service provider, then mutual
authentication doesn't actually do much for you. You need confidentiality
among participants without the participation of the service provider. There
are ways to achieve that, but they are not common nor are they currently
deployed at scale. That may change. That may help with the point you raise
below, that the use of some techniques is currently a signal to deepen the
level of surveillance on an individual; if they become common, that signal
is lost to those who wish to follow those trails.

> And that's the issue. We (meaning the people who work on Internet
> infrastructure) have never been able to deploy an identity management
> system good enough that everyone will use it.
>
> I am not familiar enough with Ugandan politics to know to what extent
> the anti-gay laws are enforced or investigated. Most European countries and
> US states had such laws for decades without the police ever expending any
> resources to catch the criminals. But from what I've read in Wikipedia, the
> human rights situation is pretty grim for gays. So although it's tempting
> to think that using a US-based service like GMail would be safe from the
> local government, I don't think that's good enough to merit an unqualified
> "yes" answer to your question.
>

I agree that it may never be unqualified. But we can make it stronger.

> The thing about pervasive monitoring is that even if it was set up to
> catch terrorists, once the system is in place, it's very tempting to use
> the collected information to fight crime.
>
> If the Ugandan government has decided to investigate a specific person,
> they can bug his phone, install spyware on his computer, and follow him
> around. They will find evidence. The best we can do is to make our
> protocols such that pervasive surveillance is impossible. We can only hope
> that if surveillance resistance is made such that the US government has the
> resources to spy on 10,000 people while Uganda has the resources to spy on
> 9 people (based on the ratio of national budget expenditures), that the
> Ugandan government will not waste its precious 9 "slots" on tracking down
> homosexuals.
>
> So while I don't think we can make any particular protocol safe for a
> suspect, we can make it so that the average person feels safe enough to
> risk private communications as long as they believe they are "under the
> radar". Ideally, the steps to reach that goal would be enough to obscure
> the few who do use strong person-to-person authentication.
>
> But even with strong person-to-person authentication, a gay Ugandan
> would still have to avoid discussing anything that is illegal in Uganda
> with people he's not familiar enough with, for fear they are government
> agents.
>

But can she see the videos of the Trevor Project? Can he read medical
resources about HIV? Can we assure [email protected] that they are really in a
chat session with [email protected]? All of those will help.

> There can be no online support group helping teenagers, and there can be no
> Internet dating sites. Nothing we do can make that happen.
>

I appreciate that you have thought so deeply about this particular user;
thank you. I hope it convinces you that thinking through a specific user
case can help us make concrete the steps we need to take to make our
protocols and systems more usable in the light of pervasive surveillance.

thanks,

Ted

> Yoav
>
>
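The point Ted makes about largeblogsite.example, that TLS hides the content but the server authentication itself must be pinned so that a MITM proxy with a locally trusted CA cannot stand in for the site, can be made concrete with a small public-key-pin check. The code below is an added example, not part of this thread or of any IETF draft. It assumes the HPKP-style pin format from RFC 7469 (base64 of SHA-256 over the DER SubjectPublicKeyInfo) and represents a presented certificate chain as a list of SPKI byte strings; the byte strings here are constructed stand-ins, not real DER, so the hashing and comparison logic is what is demonstrated, not certificate parsing.

```python
import base64
import hashlib

# Constructed SPKI stand-ins (NOT real DER). In a real client these bytes come
# from each certificate the server presents during the TLS handshake.
LEAF_SPKI = b"constructed-spki:largeblogsite.example-leaf"
CA_SPKI = b"constructed-spki:ca-that-signed-largeblogsite"
BACKUP_SPKI = b"constructed-spki:largeblogsite-backup-key"
PROXY_CA_SPKI = b"constructed-spki:interception-proxy-ca"
PROXY_LEAF_SPKI = b"constructed-spki:proxy-reissued-leaf"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Pin set the site operator would publish: the CA key it actually uses plus a
# backup key held offline, so a key rotation does not lock clients out.
PINNED = frozenset({spki_pin(CA_SPKI), spki_pin(BACKUP_SPKI)})


def chain_matches_pins(chain_spkis, pins=PINNED) -> bool:
    """Accept only if at least one key anywhere in the chain is pinned."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def evaluate_connection(chain_spkis, os_trusted_root_spki, pins=PINNED) -> str:
    """Combine ordinary path validation (stand-in: root is in the OS store)
    with the pin check. A proxy CA installed in the OS trust store passes the
    first test, which is exactly why the second one exists."""
    if chain_spkis[-1] != os_trusted_root_spki:
        return "reject: chain does not end in a trusted root"
    if not chain_matches_pins(chain_spkis, pins):
        return "reject: no pinned key in chain"
    return "accept"


if __name__ == "__main__":
    genuine = [LEAF_SPKI, CA_SPKI]
    rotated = [b"constructed-spki:new-leaf", BACKUP_SPKI]
    intercepted = [PROXY_LEAF_SPKI, PROXY_CA_SPKI]

    print("genuine chain:   ", evaluate_connection(genuine, CA_SPKI))
    print("rotated chain:   ", evaluate_connection(rotated, BACKUP_SPKI))
    # The proxy CA is in the OS store (someone installed it), so path
    # validation alone would say "trusted"; the pin check still refuses it.
    print("intercepted chain:", evaluate_connection(intercepted, PROXY_CA_SPKI))
```

The design choice worth noting is that pins are matched against any key in the chain, not only the leaf, so the operator can pin the CA or an intermediate and still rotate end-entity certificates freely, while a backup pin guards against the lock-out that a single lost key would otherwise cause. As Ted notes in the message above, this narrows the attack to compromise of the pinned CA itself; it does not remove that risk.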
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
