Re: [ietf-privacy] Research Note on NSA/Snowden for EuroParl PRISM inquiry

Avri Doria <avri@acm.org> Sun, 29 September 2013 19:44 UTC

On 29 Sep 2013, at 14:02, Stephen Farrell wrote:

> 
> Hiya,
> 
> On 09/29/2013 06:11 PM, Caspar Bowden wrote:
>> On 09/29/13 15:33, Stephen Farrell wrote:
>>> I've only skimmed the recommendations/conclusions so far but have
>>> two comments. (I'll read the rest later, honest:-)
>> 
>> thanks for feedback
>> 
>>> - I don't see why a "euro cloud" (section 3.1) would be any less
>>> surveilled, e.g. by .eu governments on their own behalf or on behalf
>>> of their partners.
>> 
>> There's two reasons
>> 
>> 1) most people in a democracy prefer to be spied on by their own govts.
>> not a foreign govt (rather not be spied on at all obviously)
> 
> Eh... not convinced by that one. Most people have a pretty low opinion
> of their own government - familiarity, contempt and all that:-)

Another big reason. Your own government can act on the information in many more ways than a foreign government. As an example, what do I care what info Iran collects on me, as long as I am not planning to go to Iran and it does not affect anyone I know in Iran? But if my government gets itself in a twist on my talking to people in Iran, you bet I care about the surveillance.

Of course no spying ever on anyone is the Good.  
But that is also the Unlikely.
No matter how many laws, treaties or covenants are inked.


> 
>> 
>> 2) the "political" purposes in the defn. of FII I point at would be
>> illegal in EU (they don't exist in corresponding EU laws, and the
>> Belgacom/GCHQ case will be a real test case on this point). The fact is
>> that it is not illegal (in US) for the US to do that to (say) Belgium,
>> but it is illegal for one European state to do that to another
>> (political spying rather than "genuine" national security)
>> 
>> This is an incredibly important point which I still do not think is widely
>> understood (especially by people in US)
>> 
>>> There could be jurisdictional reasons for that
>>> maybe (not that I'd understand those) but I don't think such a
>>> recommendation really touches on pervasive monitoring at all unless
>>> you're under the misapprehension that .eu governments are all far too
>>> nice for that kind of thing or something. Can you explain that one?

Does it matter, really, who may or may not end up invading clouds' privacy with surveillance - either legally or roguishly? Isn't making it as difficult as possible at as many layers as possible the goal?

>> 
>> It is "niceness" actually, to the extent European human rights law
>> prohibits this (really, it does)
>> 
>> If they do it, they are breaking the law (ECHR)
> 
> So the benefit of a euro-cloud would be that it'd maybe (yes, Belgacom
> will be mighty interesting) de-motivate other EU govts from surveilling
> EU citizens via data in that cloud. Isn't that making the same error
> that your document rightly says the US are making in considering only
> the rights of US citizens?
> 
> So fwiw, I'm not at all keen on that recommendation. Note that I only
> mean I disagree with the recommendation for this purpose, there are
> probably lots of other good reasons why locally provided services are
> a good thing. (Actually, I'd like this to go towards its logical
> conclusion that everyone have their own server box in their home,
> and that all "cloudy" businesses have to deal with that. But that's
> some way off;-)

Wouldn't the question be how to make private, really difficult to surveil cloud arrangements for various groupings, whether divided along state lines, regional lines or community lines?

> 
>>> - I think you could add a recommendation to work with the Internet
>>> community on better technical solutions that can perhaps dramatically
>>> increase the costs for pervasive monitoring.
>> 
>> I agree but it's hard to put that in legislation ? ("work with the
>> Internet community"). Best I could get was the free-software recommendation
> 
> I don't see any reason why legislation couldn't say "work with
> the Internet community." Maybe that's because I'm ignorant of
> how to write legislation (which is the case).


And legislation can punish efforts that go beyond acceptable infraction levels.
And International treaties can set limits and conditions for international action/sanction in respect to actions that go beyond agreed upon infraction levels.


> 
> So while I don't know much about what makes good legislation, I do
> know that the reality of making widely-deployed Internet protocols
> more privacy friendly is that such work is most likely to be
> formalised here in the IETF if at all. Getting that message over
> to legislators would be good, even if no legislation resulted.
> (But again, the IETF cannot "solve" the problem and it's important
> to say that too.)

The IETF should definitely advise the policy and legislative conversations to make sure the limits make sense. And the IETF can use the policies and legislations as guides to what priority and levels of effort need to be applied to various layers/levels of privacy protections.

> 
> In terms of what else legislation might say, one could imagine
> some well crafted law saying that services have to do their best,
> and that governments and e.g. EU research funding should work with
> those who can have most impact on that.

funding is good.

> 
>>> That's not a purely
>>> cryptographic thing, and is something on which work is being done
>>> e.g. here in the IETF. Note, nobody's claiming that changes made in
>>> the IETF can fully "fix" this problem, but there are things we can
>>> do that can help if they get deployed.
>>> 
>>> BTW, I think it'd be useful for us as well if the IETF had a way
>>> to learn more about the non-technical reactions to all this stuff,
>>> any ideas there welcome.

I think the solution is going to be a complex techno-political mix (including but not limited to) technical solutions at all layers, user education and attention, policy, legislation and enforcement - all in constant interaction and improvement.


avri