Re: [arch-d] IAB Statement on Encryption and Mandatory Client-side Scanning of Content

Adrian Farrel <> Mon, 18 December 2023 20:41 UTC

From: Adrian Farrel <>
To: 'Mallory Knodel' <>, 'Andrew Campling' <>
Date: Mon, 18 Dec 2023 20:40:55 -0000
Organization: Old Dog Consulting


Let's cool it a bit. Saying that someone's argument is "just utter smoke and mirrors" is coming on too strong for debate in our environment.

It might be helpful to provide a pointer to a definition that you find helpful and clear. (We can argue about whether the IAB statement would have been better including the definition or a pointer to it, but since the statement has been published, we must focus on the discussion that follows.)

I find to be helpful both in definitions and reasoned discussion.


PS, If someone wants to fix the citation indexes at, that would be very welcome

-----Original Message-----
From: Architecture-discuss <> On Behalf Of Mallory Knodel
Sent: 18 December 2023 20:17
To: Brian E Carpenter <>; Andrew Campling <>; George Michaelson <>
Cc:;; S Moonesamy <>
Subject: Re: [arch-d] IAB Statement on Encryption and Mandatory Client-side Scanning of Content


On 12/18/23 2:22 PM, Brian E Carpenter wrote:
> Andrew,
> On 18-Dec-23 23:43, Andrew Campling wrote:
> ...
>> Reflecting further on the IAB statement, I do believe that the lack 
>> of inclusion of a clear definition of client-side scanning within the 
>> IAB's statement is problematic. I suspect that the real issue relates 
>> to the results of that scanning being shared with a third party 
>> without the knowledge of the user rather than the scanning per se.
> The statement is about *mandatory* scanning, which clearly implies 
> that an official third party is involved.
> IMHO, it should be my choice whether my email agent is set up to 
> detect occurrences of "Scunthorpe" in incoming email. Alternatively, 
> it should be my choice whether my mail service provider performs that 
> check for me. But none of this is a protocol issue, or a protocol 
> security issue, so however bad one believes the societal harm to be, 
> I'm at a loss to see why it's an IETF issue.
I just came back here to address the scanning, too. This line that 
client-side scanning "isn't well defined" or "means too many things" is 
just utter smoke and mirrors. Quite the opposite-- because there are so 
many ways to violate a person's civil liberties by breaking into their 
agents and devices means that *all* of them are to be rejected, early 
and often, despite their inner workings.


> The IAB statement is about the effect of specific government 
> requirements that "undermine end-to-end encryption", and that *is* a 
> protocol security issue, so it's a legitimate topic for the IAB and 
> the IETF.
>     Brian
> _______________________________________________
> Architecture-discuss mailing list

Mallory Knodel
CTO :: Center for Democracy and Technology
newsletter ::
