This week's newsletter catches you up on the last three months in internet standards.

The Star Monitor is a cooperative effort between Global Partners Digital and the Center for Democracy and Technology. Its aim is to help civil society organisations track discussions at internet standards bodies on a quarterly basis. Participation and leadership statistics of major plenary meetings are included, with links to each full report, when available. Hits in mainstream news are included and context provided, as well as links to original sources. Lastly deeper analysis on key developments at each of the core fora are included as well. We always welcome feedback from readers to make this quarterly publication as useful as possible: Please write to mknodel@cdt.org or michaela@gp-digital.org.

Participation and leadership statistics

For a handy guide to internet standards and infrastructure acronyms, use ARTICLE 19’s Internet Standards Almanac. Here is a table that tracks the I-star meetings that occurred in this past quarter:

	Meeting participants	Leadership	All active engagement
IETF 119 16-22 Mar, Brisbane Google / APNIC	33% US, 11% China, 56% all other	Huawei, 4 Nokia, 3 Cisco, 3 Carnegie Mellon (Chair)	1429
ICANN 79 Community 2-7 Mar, San Juan .pr	Statistics for ICANN79 to be published
IEEE 802.11 204 10-15 Mar, Denver	Huawei, > 70 Broadcom, 40 Qualcomm, 40 Apple, < 40 MediaTek, 35	Qualcomm, 7 Intel, 6 Huawei, 5 HP (Chair)	587

Other notable governance-level happenings during this period include 3GPP holding a plenary meeting in Scotland in December.

News monitor

The following pulls together a curated list of the top news clips about any of the I-stars during this period that made the industry or mainstream news, with a focus on sharing reports and reporting rather than press-release style items.

European Commission published on Friday (2 February) its annual work programme for European standardisation, with four out of eight policy priorities addressing standard setting in technology https://www.euractiv.com/section/digital/news/quantum-technology-tops-2024-work-programme-for-eu-standards

ICANN opened a WSIS+20 Outreach Network mailing list for communication and information exchange on that process. To be part of the discussions, complete the acknowledgement form https://community.icann.org/pages/viewpage.action?pageId=311230498

News in the consumer-stalking-device market includes some more privacy-respecting ways to track the trackers, referencing the standardisation work at the IETF in the Detecting Unwanted Location Trackers (dult) working group https://www.wired.com/story/apple-airtag-privacy-stalking-cryptographic-solution/

The European Court of Justice finds that "there is an overriding public interest in the disclosure of the harmonised standards on the safety of toys, since they form part of EU law owing to their legal effects" https://curia.europa.eu/jcms/upload/docs/application/pdf/2024-03/cp240041en.pdf

The cable industry puts its weight behind Internet routing security. The Internet & Television Association, and several large and midsized cable operators are promoting a new framework profile for secure Internet routing that they hope to expand and enhance by engaging with other types of service providers, Internet organizations and IP networking groups. https://www.lightreading.com/security/cable-puts-its-weight-behind-internet-routing-security 

The EU Legal Affairs Committee adopted its position on new rules to support the so-called standard-essential patents (SEPs). Europe’s new rules aim to attract innovators and ensure EU consumers benefit from goods based on the latest cutting-edge technologies. https://www.europarl.europa.eu/news/en/press-room/20240122IPR17029/new-rules-to-promote-standard-setting-innovation-in-new-technologies 

The New Yorker asks, “Can the Internet Be Governed?” amid worries about what Big Tech is doing to our privacy, politics, and psyches. Many stakeholders—from activists to technocrats—are calling for a new rule book, and they’re looking to the UN. https://www.newyorker.com/magazine/2024/02/05/can-the-internet-be-governed 

SSH protects the world’s most sensitive networks but it just got a lot weaker with news of a new attack. https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

The ITU publishes new standards for optical transport up to 800 gigabits per second. https://www.itu.int/hub/2023/12/new-itu-standards-for-optical-transport-up-to-800-gigabits-per-second/

The World Wide Web Consortium is actively seeking comments and implementation feedback for this specification as issues raised in the document's Github repository by 01 April 2024. https://www.w3.org/news/2024/w3c-invites-implementations-of-verifiable-credentials-data-model-v2-0 

Social media app Bluesky makes a public pledge to take its protocol to the IETF for standardisation. https://www.theverge.com/2024/2/6/24062837/bluesky-drops-invite-system-begins-federation-at-protocol

In a landmark judgment for standards and human rights, access to standards documents can now be assured by this EU ruling https://circleid.com/posts/20240314-a-landmark-standards-human-rights-judgment 

Analysis

Broken down by forum, below is a deeper dive into the top items that touch on public interest issues. We include a non-exhaustive list of what’s being discussed and what’s considered controversial, whether the proposal is new or part of a broader effort. We make sure that each brief analysis ends with some action and where to go to learn more from a primary source like a version controlled document or a discussion mailing list.

IETF

Published RFCs of note:

• Just-published RFC 9490 describes the outcomes of the Internet Architecture Board workshop that discussed the network management techniques needed for even broader adoption of encryption on the Internet: https://datatracker.ietf.org/doc/rfc9490 
• Oblivious HTTP has been published as RFC 9458. It is a protocol that uses encryption and a relay to ensure HTTP traffic is more private. The relay cannot read message contents and the service can read content but cannot observe metadata like IP address: https://datatracker.ietf.org/doc/rfc9458
• Opportunistic encrypted transport for recursive resolvers-to-authoritative DNS servers is defined in RFC9539. Where DNS-over-HTTP (DOH) already exists in RFC8484, this specification describes a defense of DNS query privacy against a passive network monitor in the recursive-to-authoritative hop. https://datatracker.ietf.org/doc/rfc9539/ 

The “Barriers for Internet Access of Services (Bias)” workshop was convened by the Internet Architecture Board (IAB) from January 15-17, 2024 as a three-day online meeting. Based on the submitted position papers, the workshop covered three areas of interest: the role of community networks; reports and comments on the observed digital divide; and measurements of censorship and censorship circumvention. Proceedings are online. Continuing discussion amongst participants is focused on how to foster work on censorship and circumvention across the IETF community.

As required by the Digital Markets Act, WhatsApp is making strong encrypted messaging interoperable for a billion people, however its protocol of choice– Signal– is not a standard. In its Reference Offer, Meta describes “other strong protocols” that interoperators can use, which indicates potential use of Messaging Layer Security, an IETF standard described in RFC9420. However MLS as an interoperable protocol is currently under active design and standardisation in the IETF working group More Instant Messaging Interoperability (MIMI), which gets a write-up in a German publication, “Communication without Company Boundaries”. Another German publication on WhatsApp Interoperability discusses MIMI but also the wider end-to-end encryption protocol ecosystem and what it means for users: https://netzpolitik.org/2024/interoperabilitaet-whatsapp-soll-bald-mit-anderen-messengern-reden-koennen 

ICANN and the RIRs

Long used as a practice in cybersecurity hygiene, reputation block lists include IP addresses, domains and URLs of known harmful and unwanted content. ICANN's OCTO provides a helpful framework for evaluation of these lists: https://www.icann.org/en/system/files/files/octo-037-11dec23-en.pdf 

The biggest story about KeyTrap was that it wasn't a big story–the mitigation rollout for the devastating DNSSEC vulnerability was a paragon of cooperation. A quiet and under the radar vulnerability, called KeyTrap, is ‘the most devastating vulnerability ever found in DNSSEC’ but the community mitigated harms, ensuring it was a non-event for the internet. https://domainincite.com/29528-keytrap-the-most-devastating-vulnerability-ever-found-in-dnssec 

Following the post-WHOIS, voluntary RDRS programme, a recorded session at ICANN 79 captures a meeting of the Commercial Stakeholder Group during which time RDRS implementers shared their stories of how the RDRS “experiment” is going so far, and other stakeholders’ reactions to registry and registrar compliance https://icann79.sched.com/event/1a1Ep. Intellectual property groups don’t feel the voluntary RDRS programme and contracted parties are going far enough.

Since ICANN’s establishment, there have been concerns about the potential for the body to engage in content moderation through its control of the DNS root system. Community concern led to a substantial reform of ICANN’s bylaws in 2016 through the addition of a clear prohibition on the action: “ICANN shall not regulate (i.e., impose rules and restrictions on) services that use the Internet’s unique identifiers or the content that such services carry or provide, outside the express scope of Section 1.1(a).”

The scope of this bylaw has come into question following the ICANN board’s adoption of new gTLD policy development process recommendations at ICANN78 in October 2023. These recommendations allow - and in some cases, require - that applicants enter into Registry Agreements containing public interest commitments (PICs) or Registry Voluntary Commitments (RVCs) with ICANN. These commitments implicate the contents within the applicants’ proposed gTLDs, such as a commitment to monitor and restrict certain content, which could therefore violate ICANN’s bylaws as outlined above. 

On one side of the debate are those who argue that these are ‘voluntary’ commitments and therefore ICANN would not be liable for enforcement but rather the registry would be. Others note two counter points: that ICANN would be liable for ensuring enforcement of these RVCs/PICs, as with all contractual agreements, and they may not be considered fully ‘voluntary’ when they are set as preconditions for being awarded a TLD. Overall there are concerns of a ‘slippery slope’ towards issues of content for ICANN's role as a moderator for the gTLDs with which it contracts.

To respond, ICANN has reached out to community groups requesting feedback on a framework document that proposes a path for implementing these commitments in the Next Round. There was a plenary session at ICANN79 that was recorded. They will publish in April 2024 a summary of input and proposed next steps for implementing these Public Interest Commitments/Registry Voluntary Commitments.

ITU

As a follow on from the WRC-23 a resolution on digital sovereignty may affect Starlink subscribers in Iran, ostensibly circumventing Iran's heavy censorship: An explainer, "Islamic Republic v. Starlink: Will the ITU fragment satellite Internet?" https://digitalmedusa.org/islamic-republic-v-starlink-will-the-itu-fragment-satellite-internet/. And a letter to ITU Secretatry General, "ITU Must Press Iran on Internet Shutdowns, Not Enable Them."

During an ITU webinar about human rights in technical standards, a discussion has kicked off about how whether and how to talk about human rights in the ITU https://www.itu.int/cities/standards4dt/ep39-2/. Additionally this discussion relies heavily on the outcomes of a report from the Office of the High Commissioner on Human Rights A/HRC/53/42 "Human rights and technical standard-setting processes for new and emerging digital technologies," as well as the UNGA resolution A/RES/78/213 "Promotion and protection of human rights in the context of digital technologies." The ITU’s Telecommunication Standardization Advisory Group (TSAG) has itself released a proposed approach for how the ITU-T can generate more ideas on how to mainstream human rights, which are starting to gain the necessary traction among Member States: https://www.itu.int/md/T22-TSAG-240122-TD-GEN-0441/en.

W3C

In the W3C the Global Privacy Control is gaining traction, writes Nick Doty for CDT: https://cdt.org/insights/its-time-to-standardize-the-global-privacy-control. Robin Berjon provides an analysis of why it is now time to work on this critical feature for web users’ privacy https://internet.exchangepoint.tech/cybercrime-gpc.

3GPP

Niels ten Oever is watching the watchers in 3GPP and released a research article "Interrogating the standardisation of surveillance in 5G amid US–China competition": https://www.tandfonline.com/doi/full/10.1080/1369118X.2024.2302991

ETSI

Europe has set out a comprehensive standardisation strategy that includes specific interventions in open, global standards as well as national standards bodies like ETSI. For a deep analysis on what this means for a globally governed resource like the internet, author Clément Perarnaud writes a terrific overview of the problem statement while also providing vision, and most helpfully puts his conclusions in a table summary: https://openfuture.pubpub.org/pub/internet-standards#nzfsfss7v6a.