Re: [arch-d] IAB Statement on Encryption and Mandatory Client-side Scanning of Content

Brian E Carpenter <> Mon, 18 December 2023 19:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 229EFC14CF0C for <>; Mon, 18 Dec 2023 11:22:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.199
X-Spam-Status: No, score=-7.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SMbg4M85Uq-E for <>; Mon, 18 Dec 2023 11:22:10 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id BAA80C14CEFF for <>; Mon, 18 Dec 2023 11:22:10 -0800 (PST)
Received: by with SMTP id d9443c01a7336-1d2e6e14865so14785875ad.0 for <>; Mon, 18 Dec 2023 11:22:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20230601; t=1702927330; x=1703532130;; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=30M+C+iTkbLtz2HkFj+k/A0oNsLyTWv0YX/HSrpxc7U=; b=DK/wXVzKD3vuoKf27+XtbhgFQLBM4TOp6z6uQg6IjCi/Mu6xkemVawCq5NydGvh3sh irzbAt7u6zGP178KGHm8fEkldReIvqmBDF0sedBgKFzmeyql+vVQL1EymbG61cd9LlQ7 WjD9eNdkc2HOW8WNjBmTTRruRu5EOcxdEJXwzWtBVtLX3XTh+4rw4EhjbTd7kK9c77SB YVgKsBF+BgGnQdhg817aGeg/YpwPyCOK14Xdtj/ztXlQhWTPCFSwaS50t3/Cxuldx2K2 jW9M3tAJYzyZsm+OvbIECMnwEJDGVwtTFYgj9r7yjiY2Im1UlbxSPX9yLD55kxPebYTW 6TTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20230601; t=1702927330; x=1703532130; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=30M+C+iTkbLtz2HkFj+k/A0oNsLyTWv0YX/HSrpxc7U=; b=Pcq7GKp2t/pKyOyGU31X0iheA21IpZx8dDpssKLskScvdG7x5QOzhg42hVeAEP/Ow0 agrzkTncW1XuGdFDCnEh0etM+1uvuQYIvR0DLnER06LxlKHpkdB0jDk7gi8wIHAktHaG gyhGtc7IUyeABj3oWxyuuQwneeODGuSfdHC2BbiG1OCegU7DWfUnAxlhhRbE/b1dSUgU C/ywkTb9FZG15wRTxXMbAC16iSGxrKnUvGMGXIDFx6zAmoTXvB9Paf7rAuLnjxEH38PZ 3QLh4nlvjeIkFDVNU5x5y0qoZANO1/xnA/b1bUlxR7uUv2nxoZWqgHTGTMj/QUuEyORQ XfqQ==
X-Gm-Message-State: AOJu0YwTaHzo0fJ9Qizll9C0rnZYGSxO4qxdnEn7lF6kwjulqhAC+r8B pmaXHywUnGwXJzeyrqYmK1kxF16Ad2b0Qw==
X-Google-Smtp-Source: AGHT+IEwmJICpDz/Ik+MesXLsEu0QLwbT+Tfs6ZU03xXo/e63TvnKQmT4TQSFhTA+JKEUFiS5djhXA==
X-Received: by 2002:a17:90b:905:b0:28b:5a47:761d with SMTP id bo5-20020a17090b090500b0028b5a47761dmr999834pjb.26.1702927330195; Mon, 18 Dec 2023 11:22:10 -0800 (PST)
Received: from ?IPV6:2404:4400:541d:a600:44b7:2c2e:2bc6:8707? ([2404:4400:541d:a600:44b7:2c2e:2bc6:8707]) by with ESMTPSA id pt10-20020a17090b3d0a00b0028afd8b1e0bsm2883996pjb.57.2023. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 18 Dec 2023 11:22:09 -0800 (PST)
Message-ID: <>
Date: Tue, 19 Dec 2023 08:22:05 +1300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Andrew Campling <>, George Michaelson <>
Cc: "" <>, "" <>, S Moonesamy <>
References: <> <> <CWXP265MB5153610FBB98A7B06AF81040C290A@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <> <CWXP265MB515381523714FF99524410CFC290A@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM>
From: Brian E Carpenter <>
In-Reply-To: <CWXP265MB515381523714FF99524410CFC290A@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [arch-d] IAB Statement on Encryption and Mandatory Client-side Scanning of Content
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Dec 2023 19:22:11 -0000


On 18-Dec-23 23:43, Andrew Campling wrote:

> Reflecting further on the IAB statement, I do believe that the lack of inclusion of a clear definition of client-side scanning within the IAB's statement is problematic.  I suspect that the real issue relates to the results of that scanning being shared with a third party without the knowledge of the user rather than the scanning per se.

The statement is about *mandatory* scanning, which clearly implies that an official third party is involved.

IMHO, it should be my choice whether my email agent is set up to detect occurrences of "Scunthorpe" in incoming email. Alternatively, it should be my choice whether my mail service provider performs that check for me. But none of this is a protocol issue, or a protocol security issue, so however bad one believes the societal harm to be, I'm at a loss to see why it's an IETF issue.

The IAB statement is about the effect of specific government requirements that "undermine end-to-end encryption", and that *is* a protocol security issue, so it's a legitimate topic for the IAB and the IETF.