Re: [arch-d] IAB Statement on Encryption and Mandatory Client-side Scanning of Content

Adrian Farrel <adrian@olddog.co.uk> Mon, 18 December 2023 20:41 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/CtLt4leZ22IPgshSIcA43jdJXHo>

Mallory,

Let's cool it a bit. Saying that someone's argument is "just utter smoke and mirrors" is coming on too strong for debate in our environment.

It might be helpful to provide a pointer to a definition that you find helpful and clear. (We can argue about whether the IAB statement would have been better including the definition or a pointer to it, but since the statement has been published, we must focus on the discussion that follows.)

I find https://www.internetsociety.org/resources/doc/2020/fact-sheet-client-side-scanning/ to be helpful both in definitions and reasoned discussion.

Cheers,
Adrian

PS, If someone wants to fix the citation indexes at https://www.iab.org/documents/correspondence-reports-documents/2023-2/iab-statement-on-encryption-and-mandatory-client-side-scanning-of-content/, that would be very welcome

-----Original Message-----
From: Architecture-discuss <architecture-discuss-bounces@ietf.org> On Behalf Of Mallory Knodel
Sent: 18 December 2023 20:17
To: Brian E Carpenter <brian.e.carpenter@gmail.com>; Andrew Campling <andrew.campling@419.consulting>; George Michaelson <ggm@algebras.org>
Cc: iab@iab.org; architecture-discuss@ietf.org; S Moonesamy <sm+ietf@elandsys.com>
Subject: Re: [arch-d] IAB Statement on Encryption and Mandatory Client-side Scanning of Content

Hi,

On 12/18/23 2:22 PM, Brian E Carpenter wrote:
> Andrew,
>
> On 18-Dec-23 23:43, Andrew Campling wrote:
>
> ...
>> Reflecting further on the IAB statement, I do believe that the lack 
>> of inclusion of a clear definition of client-side scanning within the 
>> IAB's statement is problematic. I suspect that the real issue relates 
>> to the results of that scanning being shared with a third party 
>> without the knowledge of the user rather than the scanning per se.
>
> The statement is about *mandatory* scanning, which clearly implies 
> that an official third party is involved.
>
> IMHO, it should be my choice whether my email agent is set up to 
> detect occurrences of "Scunthorpe" in incoming email. Alternatively, 
> it should be my choice whether my mail service provider performs that 
> check for me. But none of this is a protocol issue, or a protocol 
> security issue, so however bad one believes the societal harm to be, 
> I'm at a loss to see why it's an IETF issue.
>
I just came back here to address the scanning, too. This line that 
client-side scanning "isn't well defined" or "means too many things" is 
just utter smoke and mirrors. Quite the opposite-- because there are so 
many ways to violate a person's civil liberties by breaking into their 
agents and devices means that *all* of them are to be rejected, early 
and often, despite their inner workings.

-Mallory

> The IAB statement is about the effect of specific government 
> requirements that "undermine end-to-end encryption", and that *is* a 
> protocol security issue, so it's a legitimate topic for the IAB and 
> the IETF.
>
>     Brian
>
> _______________________________________________
> Architecture-discuss mailing list
> Architecture-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/architecture-discuss

-- 
Mallory Knodel
CTO :: Center for Democracy and Technology
newsletter :: https://internet.exchangepoint.tech
