Re: [arch-d] IAB Statement on Encryption and Mandatory Client-side Scanning of Content

Nubeva has developed technology to extract TLS keys to be used by 3rd party
tools to decrypt and inspect the traffic [
https://www.nubeva.com/hubfs/Downloadables/Nubeva%20SSL%20Solution%20Brief_Nov%202019.pdf
].

Would this violates client privacy?

Hesham

On Mon, Dec 18, 2023, 1:35 PM Mallory Knodel <mknodel=
40cdt.org@dmarc.ietf.org> wrote:

> On 12/18/23 3:40 PM, Adrian Farrel wrote:
>
> Mallory,
>
> Let's cool it a bit. Saying that someone's argument is "just utter smoke and mirrors" is coming on too strong for debate in our environment.
>
> Hi Adrian,
>
> You're right-- that would be an uncool thing to say in response to one
> person. In this context, that is what happened and I am sorry. In the
> broader context, the argument has been made widely at this point and
> doesn't belong to one person, which is why I felt the need to highlight it.
>
> It might be helpful to provide a pointer to a definition that you find helpful and clear. (We can argue about whether the IAB statement would have been better including the definition or a pointer to it, but since the statement has been published, we must focus on the discussion that follows).
>
> I find https://www.internetsociety.org/resources/doc/2020/fact-sheet-client-side-scanning/ to be helpful both in definitions and reasoned discussion.
>
> Thanks for digging up that resource. The statement includes several
> resources that have the luxury of many pages to carefully elaborate these
> things. I like the "bugs in our pockets"[0] paper, too.
>
> However, the ISOC resource does not include computer vision techniques
> that would detect novel content. Nor does it discuss where on the device or
> at what exact point the scanning occurs. I'm not critiquing the ISOC
> paper-- it's fantastic. I'm merely demonstrating the risk with presenting a
> definition that a slight tweak to the design and that definition no longer
> applies, thus negating the two arguments made in the statement, which do
> not in fact depend on how the scanning is done.
>
> Cheers,
> Adrian
>
> PS, If someone wants to fix the citation indexes at https://www.iab.org/documents/correspondence-reports-documents/2023-2/iab-statement-on-encryption-and-mandatory-client-side-scanning-of-content/, that would be very welcome
>
> Leaving out a definition was not an error.
>
> -Mallory
>
> [0]
> https://www.schneier.com/academic/archives/2021/10/bugs-in-our-pockets-the-risks-of-client-side-scanning.html
>
>
> -----Original Message-----
> From: Architecture-discuss <architecture-discuss-bounces@ietf.org> <architecture-discuss-bounces@ietf.org> On Behalf Of Mallory Knodel
> Sent: 18 December 2023 20:17
> To: Brian E Carpenter <brian.e.carpenter@gmail.com> <brian.e.carpenter@gmail.com>; Andrew Campling <andrew.campling@419.consulting> <andrew.campling@419.consulting>; George Michaelson <ggm@algebras.org> <ggm@algebras.org>
> Cc: iab@iab.org; architecture-discuss@ietf.org; S Moonesamy <sm+ietf@elandsys.com> <sm+ietf@elandsys.com>
> Subject: Re: [arch-d] IAB Statement on Encryption and Mandatory Client-side Scanning of Content
>
> Hi,
>
> On 12/18/23 2:22 PM, Brian E Carpenter wrote:
>
> Andrew,
>
> On 18-Dec-23 23:43, Andrew Campling wrote:
>
> ...
>
> Reflecting further on the IAB statement, I do believe that the lack
> of inclusion of a clear definition of client-side scanning within the
> IAB's statement is problematic. I suspect that the real issue relates
> to the results of that scanning being shared with a third party
> without the knowledge of the user rather than the scanning per se.
>
>
> The statement is about *mandatory* scanning, which clearly implies
> that an official third party is involved.
>
> IMHO, it should be my choice whether my email agent is set up to
> detect occurrences of "Scunthorpe" in incoming email. Alternatively,
> it should be my choice whether my mail service provider performs that
> check for me. But none of this is a protocol issue, or a protocol
> security issue, so however bad one believes the societal harm to be,
> I'm at a loss to see why it's an IETF issue.
>
>
> I just came back here to address the scanning, too. This line that
> client-side scanning "isn't well defined" or "means too many things" is
> just utter smoke and mirrors. Quite the opposite-- because there are so
> many ways to violate a person's civil liberties by breaking into their
> agents and devices means that *all* of them are to be rejected, early
> and often, despite their inner workings.
>
> -Mallory
>
>
> The IAB statement is about the effect of specific government
> requirements that "undermine end-to-end encryption", and that *is* a
> protocol security issue, so it's a legitimate topic for the IAB and
> the IETF.
>
>     Brian
>
> _______________________________________________
> Architecture-discuss mailing listArchitecture-discuss@ietf.orghttps://www.ietf.org/mailman/listinfo/architecture-discuss
>
>  --
> Mallory Knodel
> CTO :: Center for Democracy and Technology
> newsletter :: https://internet.exchangepoint.tech
>
> _______________________________________________
> Architecture-discuss mailing list
> Architecture-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/architecture-discuss
>