Why we need to implement RFC 1984:
"The Internet Architecture Board (IAB) and the Internet Engineering Steering Group (IESG),[...] are concerned by the need for increased protection of international commercial transactions on the Internet, and by the need to offer all Internet users an adequate degree of privacy."
I'd like to start by briefly mentioning Ovid and the legend of Io. Ovid was anti-authoritarian during the time of Augustus, as he'd been exiled by the Emperor. He wrote The Metamorphoses, an epic poem about Greek myths with the theme of transformation. The myth of Io is often used as a metaphor for surveillance, with Io suffering restriction of liberty and abuse by authority. Being turned into a cow was bad enough; to make things worse, she was constantly watched by Argus (Argus Panoptes), the 100-eyed giant and agent of Hera, another authority. Argus is a great name for a security firm; in fact, quite a few firms use an eye in their logo.
Pop culture, such as Neil Gaiman's American Gods on Amazon, has also referenced this legend to show surveillance and how it can convey power to authority. In the end, a modern interpretation of the myth could argue that Hermes sending Argus to sleep in order to kill him is a good metaphor for opposing actors using exploits to subvert and disable surveillance and gain access to citizens' data. We focus more on Argus, the agent of surveillance, than on Io, who was violated, changed and then incarcerated under surveillance against her will.
Argus Panoptes inspired the idea of the Panopticon, a building designed by the English philosopher Jeremy Bentham as a prison that could be observed by a single guard. Our Internet is in danger of becoming a virtual panopticon for future citizens. The EFF has already started thinking about this with Panopticlick, which lets you test who is tracking you through your browser. So who's watching us?
Of course, this explanation and the metaphor are from a Western perspective. Privacy doesn't mean the same thing in all countries and cultures. Neither does the symbolism of the peacock.
Many IT professionals consider RFCs to be more like guidelines; see RFC Clueless.org. Popular email services like Me.com, Outlook.com and even gmail.com have been listed on RFC Ignorant and then its successor, RFC Clueless. Sadly, the giants often ignore RFCs, which breaks the idea of interoperable standards and protocols and leaves us in danger of being at the mercy of large hosting giants.
A narrative has threaded through the media since that time: privacy is dead, and you need to give up that freedom to stay safe. Politicians like the UK Prime Minister David Cameron in 2015 stated:
"In our country, do we want to allow a means of communication between people which even in extremis, with a signed warrant from the home secretary personally, that we cannot read? Up until now, governments have said: 'No, we must not'."
Malcolm Turnbull, the Australian Prime Minister, stated in 2017 that "the laws of Australia take precedence over the laws of mathematics."
With organizations like Palantir providing information to ICE to target illegal immigrants in the US, and the UK Home Office deliberately destroying data in the Windrush scandal, it's clear that human rights, specifically the right to privacy, are in danger. Recently the EU confirmed that UK Border Force officials had illegally copied Schengen SIS data to third-party organizations based in the US.
That's before I even start on repressive regimes where that data can and will be used to oppress citizens of that regime.
The recent IETF Session 105 this month mentioned privacy and concerns with the mass collection of data. While the IAB and IESG were worried about US export controls on cryptography, there is an argument for RFC 1984 to be updated to include the unnecessary mass collection of data, and for it to be used as a term for IT professionals, privacy advocates and the public to rally behind.
I propose a brief history of governments around the world wanting to weaken encryption, as RFC 1984 warned us:
"The IAB and IESG are therefore disturbed to note that various governments have actual or proposed policies on access to cryptographic technology that either:
(a) impose restrictions by implementing export controls; and/or
(b) restrict commercial and private users to weak and inadequate mechanisms such as short cryptographic keys; and/or
(c) mandate that private decryption keys should be in the hands of the government or of some other third party; and/or
(d) prohibit the use of cryptology entirely, or permit it only to specially authorized organizations."
RFC 1984 was explicitly named to reference an Orwellian society that uses mass surveillance. Let's expand that beyond encryption to the mass collection of data and ask: how do we limit this? How do we limit access to this data? How do we stop the nightmare?