Session
Schedule FOSDEM 2020
Decentralized Internet and Privacy

RFC 1984

Or why you should start worrying about encryption backdoors and mass data collection
UA2.220 (Guillissen)
Esther Payne
In 1996 Brian E. Carpenter of IAB and Fred Baker of IETF wrote a co-statement on cryptographic technology and the internet. This RFC wasn't a request for a technical standard, it was a statement on their concerns about Governments trying to restrict or interfere with cryptography. They felt that there was a need to offer "All Internet Users an adequate degree of privacy" Since that time successive governments around the world have sought to build back doors into encrypted apps and services to access more citizen and visitor data. As of July 2019, the AG of the United States William Barr stated: “Some argue that, to achieve at best a slight incremental improvement in security, it is worth imposing a massive cost on society in the form of degraded safety,” i.e For security Americans should accept weakened encryption. The head of the FBI also claimed that weakened encryption wouldn't break it. At the moment the US Government is actively trying to stop Facebook implementing end to end encryption across it's suite of apps. In Australia the metadata retention laws have been abused against journalists with 58 searches carried out by the AFP. In 2015 ACT police carried out 115 metadata searches. UK officials have a cavalier attitude to the EU SIS database which tracks undocumented migrants, missing people, stolen cars, or suspected criminals. The EU isn't immune to this either with France considering implementing Facial Recognition on its government services. IETF Session 105 mentioned privacy and concerns with the mass collection of data. While the IAB and IESG were worried about US export controls on cryptography there is an argument for RFC 1984 to be updated to include the unnecessary mass collection of data and to use it as a term for IT professionals, privacy advocates and the public to rally behind. In this talk let's recount a brief history of governments around the world wanting to weaken encryption as RFC 1984 warned us about. We live in a time where citizens put data into commercial, healthcare and Government systems to access services, some services are only accessible online. From CCTV to Facebook people have little understanding of why mass collection of data is dangerous. There is little scrutiny of who can access that data, from Scotland to the US. Open Surveillance is only a small part of the picture when profiling citizens. It still counts as personal data, when combined with metadata and the actual data that people put into social media and services like ancestor DNA test kits. Businesses who use CCTV have to put up signs to warn the public they are recording. So called anonymized data still contains identifiers that can tie to individuals. Let's talk about Ovid and peacocks. Let's explore how to expand the RFC to cover recent developments in surveillance capitalism with governments accessing that data, but not securing it. We need to make it clear weakened encryption, the mass collection and careless retention of data isn't acceptable. RFC1984 became Best Practice in 2015, we need to do more to raise awareness and to implement it in our projects.

Why we need to implement RFC 1984:

"The Internet Architecture Board (IAB) and the Internet Engineering Steering Group (IESG),[...] are concerned by the need for increased protection of international commercial transactions on the Internet, and by the need to offer all Internet users an adequate degree of privacy. "

I'd like to start by briefly mentioning Ovid and the legend of Io. Ovid was anti authoritarian during the time of Augustus as he'd been exiled by the Emperor. He wrote The Metamorphoses; an epic poem about Greek myths with the theme of transformation. The myth is often used as a metaphor for surveillance. With Io suffering restriction of liberty and being abused by authority. Being turned into a cow was bad enough, to make things worse she was constantly watched by the agent of Hera another authority Argus (Argus Panoptes) the 100 eyed giant. Argus is a great name for a security firm in fact there are quite a few firms that use an eye in the logo.

Pop culture like Neil Gamien's American gods on Amazon have also referenced this legend to show surveillance and how it can convey power to authority. In the end a modern interpretation of the myth could argue that Hermes sending Argus to sleep to kill him is a good metaphor for opposing actors using exploits to subvert and disable surveillance to access information to Citizens data. We focus more on Argus the agent of Surveillance rather than Io, who was violated, changed and then incarcerated with surveillance against her will.

Argus Panoptes inspired the idea of the Panopticon. A building design by English Philospher Jeremy Bentham as a prison that could be observed by a single guard. Our Internet is in danger of being a virtual panopticon for future citizens. The EFF already started thinking about this with panopticlick so that you can test who's tracking you through your browser. So who's watching us?

Of course this explanation and the metaphor is from a Western Perspective. Privacy doesn't mean the same thing to all countries and cultures. Neither does the symbolism of the Peacock.

Many IT professionals consider RFCs are more like guidelines, see RFC Clueless.org. Popular email services like Me.com, Outlook.com and even gmail.com have been listed on RFC ignorant, then it's successor RFC clueless . Sadly the giants often ignore RFCs. Which breaks the idea of interoperable standards and protocols and leaves us in danger of being at the mercy of large hosting giants.

There is a narrative that threads through the media since that time. Privacy is dead, you need to give up that freedom to stay safe. Politicians like the UK Prime Minister David Cameron in 2015 stated:

."In our country, do we want to allow a means of communication between people which even in extremis, with a signed warrant from the home secretary personally, that we cannot read? “Up until now, governments have said: ‘No, we must not'." "

Malcolm Turnbull the Australian Prime Minister in 2017 stated that " the laws of Australia take precedence over the laws of mathematics."

With organizations like Palantir providing information to ICE to target illegal immigrants in the US; The UK Home Office deliberately destroying data in the the Windrush scandal; It's clear that human rights, specifically the right to privacy is in danger. Recently the EU confirmed that UK Border Force officials had illegally copies Shengen SIS data to third party Organizations based in the US.

That's before I even start on repressive regimes where that data can and will be used to oppress citizens of that regime.

The recent IETF Session 105 this month mentioned privacy and concerns with the mass collection of data. While the IAB and IESG were worried about US export controls on cryptography there is an argument for RFC1984 to be updated to include the unnecessary mass collection of data and to use it as a term for IT professionals, privacy advocates and the public to rally behind.

I propose a brief history of governments around the world wanting to weaken encryption as RFC1984 warned us about:

" The IAB and IESG are therefore disturbed to note that various governments have actual or proposed policies on access to cryptographic technology that either:

(a) impose restrictions by implementing export controls; and/or

(b) restrict commercial and private users to weak and inadequate mechanisms such as short cryptographic keys; and/or

(c) mandate that private decryption keys should be in the hands ofthe government or of some other third party; and/or

(d) prohibit the use of cryptology entirely, or permit it only to specially authorized organizations."

RFC 1984 was explicitly named to reference an Orwellian Society that uses mass surveillance. Let's expand that beyond encryption to the mass collection of data and ask how do we limit this? How do we limit access to this data? How do we stop the nightmare?

Additional information

Type devroom

More sessions

2/2/20
Decentralized Internet and Privacy
Tim Dittler
UA2.220 (Guillissen)
Today, hard disk encryption only protects user's data when their machine is shut down. "Close lid to encrypt" aims to enhance this protection also to suspend mode.
2/2/20
Decentralized Internet and Privacy
Eyal Ron
UA2.220 (Guillissen)
Almonit is a project for decentralized websites and web services. Decentralized websites and web services are an alternative to the way the web functions today. They combine decentralized storage (like IPFS), decentralized name services (like ENS) and P2P networks in order to replace the server-based model of the web. This lecture describes the Almonit project, its architecture, the technical details of the technology and the ecosphere in which it is created. Come discover the state-of-the-art ...
2/2/20
Decentralized Internet and Privacy
Marcin Czenko
UA2.220 (Guillissen)
Society is becoming increasingly more aware of the importance of protecting digital information and it is becoming clear that the current centralized model has came to an end. The future of the Internet is distributed. Unsupervised, unmoderated access, affordable storage, data-replication, and security and privacy built-in are the most important aspects of the Internet of the future. Unfortunately, a global, reliable, decentralized network cannot be built without actual physical nodes, as the ...
2/2/20
Decentralized Internet and Privacy
Friedger Müffke
UA2.220 (Guillissen)
Inspired by the concept of sharing data between apps on Android devices through Content Providers, this talk explains how this can be achieved on the Web today using decentralized identity and storage (identity hubs). This talk has been accepted late to replace "Decentralized object storage An open source decentralized object storage" by Ivan Fraixedes. Due to health issues Ivan's talk had to be cancelled. We wish him a speedy recovery.
2/2/20
Decentralized Internet and Privacy
Brett Sheffield
UA2.220 (Guillissen)
Written in 2001, RFC 3170 states: "IP Multicast will play a prominent role on the Internet in the coming years. It is a requirement, not an option, if the Internet is going to scale. Multicast allows application developers to add more functionality without significantly impacting the network." Nearly two decades later, multicast is still largely ignored and misunderstood. This talk explains why multicast is the missing piece in the decentralization puzzle, how multicast can help the Internet ...
2/2/20
Decentralized Internet and Privacy
Mateusz Kowalski
UA2.220 (Guillissen)
Please note this is a lightning-fast version of our full talk taking place on Saturday at 18:00 in the Main Track Do you know where your internet traffic flows? Does it go through China even if you don't want it to? SCION is a new internet architecture aimed at solving this problem. We will show how you can easily join the already existing worldwide network.
2/2/20
Decentralized Internet and Privacy
Steven van der Vegt
UA2.220 (Guillissen)
In The Netherlands we have a interesting problem: in 2011, weeks before going live, the national electronic health record system got shut down by our senate. They decided not to interveine and let the market fix the problem. Now, 9 years later, the market has made a mess out of it: there is no uniform way of exchanging medical data in The Netherlands. Architects write countless of pages with solutions, the government pours millions into subsidised programs, but the problem is only getting ...