More encryption is the goal
IETF 119 wraps up in Brisbane
Check out the best of IETF 119 (on 1.5x speed, obviously):
- IAB Open session featured a talk on why perceptual hashing in end-to-end encrypted messaging, e.g. client-side scanning, isn't good enough and never will be https://www.youtube.com/watch?v=eDYF_tpBcJE
- Detecting Unwanted Location Trackers working group featured some real-world scenarios https://www.youtube.com/watch?v=h9srSlwsS8s
- If you have strong opinions about identity you're going to want to watch SPICE https://www.youtube.com/watch?v=yw4OL2wnQ_g
- AI comes to the IETF but not how you'd expect. Researchers could use AI to better access information from the RFC series https://www.youtube.com/watch?v=atC6XLnvKZ8
That's quite enough binge watching for one weekend.
New this week
- A new space race is taking shape as sovereign and newer satellites compete for world domination https://fortune.com/europe/2024/03/08/new-space-race-taking-shape-sovereign-new-satellites-compete-for-world-domination
- Documentation for would-be admins on how to federate with Bluesky https://docs.bsky.app/blog/self-host-federation
- WhatsApp's portal to learn about end-to-end encrypted messaging interoperating https://developers.facebook.com/m/messaging-interoperability
- In the news: Meta Encryption Privacy Fight Begins in Nevada State Court https://news.bloomberglaw.com/privacy-and-data-security/meta-encryption-privacy-fight-begins-in-nevada-state-court
- The DOJ's new antitrust lawsuit against Apple alleges they degrade user experience with third party apps by failing to provide interoperable end-to-end encryption https://www.wired.com/story/apple-doj-antitrust-imessage-encryption
- If any of you are involved in community centred connectivity projects (English, other languages available) take this 10-minute survey from APC: Community-Centred Connectivity Survey 1
- At the UN General Assembly an AI resolution introduced by the US came up for a vote this week and it passed successfully https://www.whitehouse.gov/briefing-room/statements-releases/2024/03/21/statement-from-vice-president-harris-on-the-un-general-assembly-resolution-on-artificial-intelligence/
- If you missed Shir Hever talking about Israel's shutdown start-up economy (a trend pre-dating October 2023) you can watch it online https://www.youtube.com/@stopthewall.campaign/videos
- Next week: Don't miss the last installment of the Palestine+Tech series, featuring a panel of experts from the field on Thursday, 28 March. Register: https://tinyurl.com/Palestine4Tech
In a piece originally published on the CDT blog today, I gave some context to a recent RFC reporting on an Internet Architecture Board workshop:
More Encryption is the Goal: The Internet Architecture Board Holds a Workshop on Managing Encrypted Networks
The privacy and security benefits of network traffic encryption have become far more widespread through the adoption of TLS, the technology behind the padlock a user sees when visiting an HTTPS-secured site. However, as more protocols adopt encryption, points of friction for network operators are heating up and slowing its ubiquitous adoption.
With an eye toward solving these problems, the Internet Architecture Board held a three-day virtual workshop on October 17-19, 2022 on "Management Techniques in Encrypted Networks," and the workshop report was published as RFC 9490 earlier this year. The workshop aimed to speed the adoption of encryption on the Internet by focusing on the barriers to it. It generated ideas for enhancing network management methods, emphasizing that those methods need to evolve to remain efficient and reliable in the face of ubiquitous traffic encryption, and it set out to promote security and user privacy by platforming collaborative work at the intersection of network management and traffic encryption. The workshop addressed the actionable requirements in network management, identified the actors willing to work on collaborative solutions, and suggested starting points for such solutions.
I joined the workshop as part of the Program Committee, representing CDT in the IAB, and presented my ideas on the state of users and privacy, including guidelines for performing safe measurement on the Internet. This work is a result of my collaboration with Iain Learmonth and Gurshabad Grover as part of the privacy research group at the Internet Research Task Force, and it outlines guidelines for academic and Internet researchers who use the Internet as part of their scientific experimentation and research, to mitigate risks to the safety of other users.
This work first locates these guidelines in relation to threat models, measurement studies, and user impact. It puts forward three main categories of considerations:
- Consent, such as informed consent, proxy consent, and implied consent;
- Safety considerations, including highlighting the need for dedicated testbeds, respect for other actors’ infrastructures, and a commitment to data minimization; and
- Risk analysis.
Other work presented in this area included traffic-classification techniques that use machine learning to identify high-level patterns in traffic. While these techniques look a lot like invasive "deep packet inspection," this type of classification attempts to understand high-level network patterns rather than the contents of individual packets. Avoiding privacy and tracking issues is still a concern, because this approach can be applied without any coordination from the applications and services users run at the endpoints.
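As an added illustration (not code from the workshop, RFC 9490 or CDT), the following Python sketch shows what "classifying from high-level patterns" means in practice: an encrypted flow is labelled from packet direction, size and inter-arrival time alone, with no access to payloads and no cooperation from the endpoints. The three traffic classes, their generator functions and the numbers in them are constructed sample data, and the nearest-centroid classifier stands in for whatever model an operator would actually train.

```python
"""Flow-level classification of encrypted traffic from metadata only.

Added example, not from RFC 9490 or the IAB workshop. Every flow below is
constructed sample data (hypothetical generators), not captured traffic.
"""
import math
from statistics import mean, pstdev

# A packet is (direction, size_bytes, inter_arrival_seconds).
# direction: +1 client->server, -1 server->client.
# Payload bytes never appear here: that is the whole point.


def make_download_flow(n=40):
    """Constructed: one small request, then large, steadily paced downstream packets."""
    pkts = [(+1, 120, 0.0)]
    pkts += [(-1, 1400, 0.002) for _ in range(n)]
    return pkts


def make_voip_flow(n=40):
    """Constructed: small packets alternating direction on a fixed 20 ms cadence."""
    return [((+1 if i % 2 == 0 else -1), 160, 0.02) for i in range(n)]


def make_web_flow(n=40):
    """Constructed: a request after an idle gap, then a burst of mid-sized responses."""
    return [((+1, 300, 1.5) if i % 5 == 0 else (-1, 900, 0.003)) for i in range(n)]


def flow_features(packets):
    """Five metadata-only features; nothing here looks inside a packet."""
    sizes = [s for _, s, _ in packets]
    gaps = [g for _, _, g in packets[1:]]          # first packet has no predecessor
    upstream = sum(s for d, s, _ in packets if d > 0)
    return [
        mean(sizes),                                # typical packet size
        pstdev(sizes),                              # size variability
        upstream / sum(sizes),                      # share of bytes going upstream
        mean(gaps) if gaps else 0.0,                # pacing
        pstdev(gaps) if gaps else 0.0,              # burstiness
    ]


class NearestCentroid:
    """Minimal nearest-centroid classifier over z-scored feature vectors."""

    def fit(self, vectors, labels):
        cols = list(zip(*vectors))
        self.mu = [mean(c) for c in cols]
        self.sigma = [pstdev(c) or 1.0 for c in cols]  # avoid divide-by-zero
        by_label = {}
        for v, lab in zip(vectors, labels):
            by_label.setdefault(lab, []).append(self._scale(v))
        self.centroids = {lab: [mean(c) for c in zip(*vs)] for lab, vs in by_label.items()}
        return self

    def _scale(self, v):
        return [(x - m) / s for x, m, s in zip(v, self.mu, self.sigma)]

    def predict(self, v):
        z = self._scale(v)
        return min(self.centroids, key=lambda lab: math.dist(z, self.centroids[lab]))


def train_demo():
    """Train on two constructed flows per class (different lengths) and return the model."""
    flows, labels = [], []
    for n in (30, 50):
        flows += [make_download_flow(n), make_voip_flow(n), make_web_flow(n)]
        labels += ["download", "voip", "web"]
    return NearestCentroid().fit([flow_features(f) for f in flows], labels)


def classify(model, packets):
    """Label an unseen flow from its metadata features only."""
    return model.predict(flow_features(packets))


if __name__ == "__main__":
    model = train_demo()
    for name, flow in (("download", make_download_flow()),
                       ("voip", make_voip_flow()),
                       ("web", make_web_flow())):
        print(f"{name:9s} -> {classify(model, flow)}")
```

Because nothing in the feature vector depends on payload, encrypting the application data changes none of these labels; that is why the workshop treated this line of work as compatible with ubiquitous encryption, and also why the tracking concern above does not go away just because the traffic is opaque.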
Another aspect of the solution space involves introducing trusted second- or third-party intermediaries that would coordinate with network operations. For example, billing for zero-rated services, parental controls, redirection and fraud prevention could be features that users opt into when they use services or applications. Through relay-like intermediary services, those second or third parties could give the network limited information about the user and what the user is doing with their connection.
In conclusion, proponents of strong and ubiquitous encryption are often put on the back foot when network operators get together to talk about the challenges of opaque network traffic. Similar workshops held in other contexts might, implicitly or explicitly, treat the trend toward encrypting network traffic as an outright assault on network security. However, what was different about this IAB workshop, beyond the fact that encryption advocates like me were part of the programming, is that it not only assumed that transport encryption is desirable, but that it addressed these tensions with networks so as to ensure transport encryption becomes the new norm.