Re: [ietf-privacy] Research Note on NSA/Snowden for EuroParl PRISM inquiry

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 29 September 2013 18:03 UTC

Hiya,

On 09/29/2013 06:11 PM, Caspar Bowden wrote:
> On 09/29/13 15:33, Stephen Farrell wrote:
>> I've only skimmed the recommendations/conclusions so far but have
>> two comments. (I'll read the rest later, honest:-)
> 
> thanks for feedback
> 
>> - I don't see why a "euro cloud" (section 3.1) would be any less
>> surveilled, e.g. by .eu governments on their own behalf or on behalf
>> of their partners.
> 
> There's two reasons
> 
> 1) most people in a democracy prefer to be spied on by their own govts.
> not a foreign govt (rather not be spied on at all obviously)

Eh... not convinced by that one. Most people have a pretty low opinion
of their own government - familiarity, contempt and all that:-)

> 
> 2) the "political" purposes in the defn. of FII I point at would be
> illegal in EU (they don't exist in corresponding EU laws, and the
> Belgacom/GCHQ case will be a real test case on this point). The fact is
> that it is not illegal (in US) for the US to do that to (say) Belgium,
> but it is illegal for one European state to do that to another
> (political spying rather than "genuine" national security)
> 
> This is an incredibly important point which I still do not think is widely
> understood (especially by people in US)
> 
>> There could be jurisdictional reasons for that
>> maybe (not that I'd understand those) but I don't think such a
>> recommendation really touches on pervasive monitoring at all unless
>> you're under the misapprehension that .eu governments are all far too
>> nice for that kind of thing or something. Can you explain that one?
> 
> It is "niceness" actually, to the extent European human rights law
> prohibits this (really, it does)
> 
> If they do it, they are breaking the law (ECHR)

So the benefit of a euro-cloud would be that it'd maybe (yes, Belgacom
will be mighty interesting) de-motivate other EU govts from surveilling
EU citizens via data in that cloud. Isn't that making the same error
that your document rightly says the US are making in considering only
the rights of US citizens?

So fwiw, I'm not at all keen on that recommendation. Note that I only
mean I disagree with the recommendation for this purpose, there are
probably lots of other good reasons why locally provided services are
a good thing. (Actually, I'd like this to go towards its logical
conclusion that everyone have their own server box in their home,
and that all "cloudy" businesses have to deal with that. But that's
some way off;-)

>> - I think you could add a recommendation to work with the Internet
>> community on better technical solutions that can perhaps dramatically
>> increase the costs for pervasive monitoring.
> 
> I agree but it's hard to put that in legislation? ("work with the
> Internet community"). Best I could get was the free-software recommendation

I don't see any reason why legislation couldn't say "work with
the Internet community." Maybe that's because I'm ignorant of
how to write legislation (which is the case).

So while I don't know much about what makes good legislation, I do
know that the reality of making widely-deployed Internet protocols
more privacy friendly is that such work is most likely to be
formalised here in the IETF if at all. Getting that message over
to legislators would be good, even if no legislation resulted.
(But again, the IETF cannot "solve" the problem and it's important
to say that too.)

In terms of what else legislation might say, one could imagine
some well crafted law saying that services have to do their best,
and that governments and e.g. EU research funding should work with
those who can have most impact on that.

>> That's not a purely
>> cryptographic thing, and is something on which work is being done
>> e.g. here in the IETF. Note, nobody's claiming that changes made in
>> the IETF can fully "fix" this problem, but there are things we can
>> do that can help if they get deployed.
>>
>> BTW, I think it'd be useful for us as well if the IETF had a way
>> to learn more about the non-technical reactions to all this stuff,
>> any ideas there welcome.
> 
> Happy to help with that any way I can

Ditto. Let's keep that in mind.

S.


> 
> Caspar
> 
>