Re: privacy and IETF meetings in US

[Nico Williams <nico@cryptonector.com>]

On Fri, Jun 07, 2019 at 12:42:17PM -0400, Paul Wouters wrote:
> ps. at least for me, I will already know in my home city of Toronto,
> whether or not I will be refused for not handing out my social media
> or web browser history, since we clear immigration at the airport :P

So, CBP asking to see your social media or mobile is not remotely a new
thing, and was happening before 2016.  The U.S. is not the only country
to have done that sort of thing, either.  But CBP is also naturally
bandwidth limited as to how many visitors they can apply that treatment
to...

What's *new* here is that those who need a _visa_ to visit now can be
subjected to this treatmeant with a higher natural bandwidth limit at
the applicable U.S. consulate, so more such visitors can expect to be
subjected to it.  I imagine consular officials were always able to
request additional data, such as social media identifiers, but now the
State department will be requiring that information of all visa
applicants.

Now, not every visitor to the U.S. needs a visa.  And other countries
have applied this same treatment at the border.  We can probably expect
other countries to apply this same treatment at visa application time.
Often this happens as a tit-for-tat; Argentina used to have a US$100 fee
for American visitors.

Some data would be nice:

 - How many active IETF participants will be affected?

   "However, you do not need a visa for your business meeting or for
   vacation if you are a citizen of the 38 countries participating in
   the Visa Waiver Program."

   https://www.usa.gov/enter-us
   https://www.dhs.gov/visa-waiver-program-requirements

   Canada is not included in that list, but then:

   "In most circumstances, Canadian citizens do not require visitor,
   business, transit or other visas to enter the United States, either
   from Canada or from other countries. There are, however, some
   exceptions to this situation. These exceptions (and the visa category
   they require) include: ..."

   https://ca.usembassy.gov/visas/do-i-need-a-visa/

   IANAL, but the exceptions for Canadian visitors do not include
   visiting to attend a conference, so I think Canadian IETF
   participants will not be affected.


 - How many countries that host IETF meetings have implemented similar
   policies that we don't know about or are publicly considering it?

   (See above comment about tit-for-tat policies.)


Also, I wouldn't expect that a new U.S. administration would handle this
any differently.  The CBP experience has gotten worse over time for
some, and it's happened under a variety of U.S. administrations from
both parties.

When the Texas Alcoholic Beverage Commision (TABC) started spending its
resources arresting people for public intoxication at hotel bars,
eventually they had to back off when Texas started losing many
conferences, including high-profile conferences.  Of course, the scale
here is larger, as there are probably fewer international conferences
(as a proportion of total conferences) hosting meetings in the U.S., so
I expect that refusing to host meetings in the U.S. will likely have no
effect on the policy.

Then again, I think this new policy is a bit useless.  Finding a visa
applicant's social media is relatively simple given their names and
pictures (which the consulate already demands and long has, and besides,
they have cameras).  And it's not like consular officials can easily
find pseudonymous social media if it lacks easily identifiable contents
like pictures that can be matched by facial recognition.  Yes, it would
be a violation to fail to tell them about things they can't find, so the
rule is still invasive, but from a practical point of view, those that
State might exclude aren't going to be disclosing pseudonyms that State
can't doxx on its own.  I.e., this is just more mostly-ineffective
security theater.

Nico
--