Re: [arch-d] IAB Statement on Encryption and Mandatory Client-side Scanning of Content

[Phillip Hallam-Baker <phill@hallambaker.com>]

Windows and OSX both tag files downloaded from the Internet. Is is quite
easy to approve executables to run, the only difficulty being that the
means of doing it tends to move about.in the UI.

There is no 'scanning' going on. The files are simply tagged according to
how they were obtained. There is no communication with a third party.

These mechanisms are entirely different in intent because they are part of
a default deny infrastructure, The goal is to only run programs that have
explicit approval. The CSAM systems are attempting to 'look for badness' as
Marcu Ranum put it.

IETF doesn't get involved in that area very deeply because it isn't an
INTERNET concern. But there is a clear need to have an industry wide
discussion about a common approach because the current system has reached
its limits. We are training users to click the box to make the system work.
Been there, done that.




On Tue, Dec 19, 2023 at 4:13 AM Vittorio Bertola <vittorio.bertola=
40open-xchange.com@dmarc.ietf.org> wrote:

>
>
> Il 18/12/2023 23:14 CET Eric Rescorla <ekr@rtfm.com> ha scritto:
>
> ISTM that this is an example of a setting in which we have a term of art
> which is used in a way somewhat different from its literal meaning.
>
> Specifically, it is very common right now to have clients of various kinds
> scan for material that the recipient doesn't want to receive, such as in
> the case of spam filtering, virus scanning, or Apple's sensitive content
> warning [0]. In many if not most of those cases, the operator of the device
> opted into or at least actively wants that kind of scanning. I think we can
> agree that this type of scanning works to some extent and isn't
> incompatible with open source or open protocols. This is, of course,
> scanning that happens on the client, and I believe it's what Brian is
> referring to.
>
> What the IAB statement is referring to is something different, which is to
> say scanning which is imposed upon the operator of the device whether they
> want it or not, and is designed to stop the operator from sending and
> receiving certain classes of content.
>
> Great! So, could the IAB please tell Apple to stop preventing me from
> running on my MacBook Pro executables that didn't go through their app
> store or vetting process? A few days ago I tried to run "rar" via command
> line after getting it via Homebrew, and my laptop simply refused to do so
> because rar's developer isn't a friend of Apple, and in the end I had to go
> through a seven click process at the third level of the computer's settings
> just to be able to run rar. I never asked for this check, but apparently
> there is no way, not even a cumbersome one, to disable it permanently.
>
> Somehow, however, this kind of client-side scanning and blocking of
> content "imposed upon the operator of the device whether they want it or
> not" does not seem to be a problem for the IAB, but blocking CSAM is.
>
> --
>
> Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
> vittorio.bertola@open-xchange.com
> Office @ Via Treviso 12, 10144 Torino, Italy
>
> _______________________________________________
> Architecture-discuss mailing list
> Architecture-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/architecture-discuss
>