IETF Logo Mail Archive

Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies

Dave O'Reilly <rfc@daveor.com> Tue, 24 April 2018 12:49 UTC

Return-Path: <rfc@daveor.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E901E126CC4 for <int-area@ietfa.amsl.com>; Tue, 24 Apr 2018 05:49:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=daveor.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hei0mz4M5uaE for <int-area@ietfa.amsl.com>; Tue, 24 Apr 2018 05:49:29 -0700 (PDT)
Received: from vps.ftrsolutions.com (vps.ftrsolutions.com [5.77.39.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A9A412762F for <int-area@ietf.org>; Tue, 24 Apr 2018 05:49:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=daveor.com; s=default; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date: In-Reply-To:From:Subject:Mime-Version:Content-Type:Sender:Reply-To:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=9xUdgGrkoPMSAxDXk3IlhWnyu2ZVxZCKvrD7AiAGXvU=; b=g0tLvkJKuwKzIMuQaUkBbx58SL vLrAdi2JvUw1YvRc1pPHScFERq10ziKb60IGlMFpURNk9zO29JEvQ8TNKjcCDcIpN2yw8YkAtfBPX DBoXX4Jj/7B22YnrsNFEP9qLueGmEOzQARoSvu7CHfDIfeI4UCj7I5hvIu9Pj+UNrhPI=;
Received: from [37.110.219.98] (port=63346 helo=daveoreomputer3.asavie.com) by vps.ftrsolutions.com with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.89_1) (envelope-from <rfc@daveor.com>) id 1fAxNv-00035l-AU; Tue, 24 Apr 2018 13:49:27 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Dave O'Reilly <rfc@daveor.com>
In-Reply-To: <744bb330-5a56-f675-3814-6b7d20faca0d@article19.org>
Date: Tue, 24 Apr 2018 13:49:26 +0100
Cc: "int-area@ietf.org" <int-area@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Ted Lemon <mellon@fugue.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <AA580018-6A56-4D13-AAC4-3DDABA2AFCC5@daveor.com>
References: <a231b336-7e6d-bef1-92ab-001ae05eef0c@cs.tcd.ie> <34138484-94cc-9de8-0221-dfd05f4c05a5@gmail.com> <492a4225-60d3-a3fe-18d7-f44d8deb2825@cs.tcd.ie> <2A16E034-009F-40AD-BF3A-A8DF16456366@fugue.com> <CC5D38CE-5AB8-4273-B4AD-8A8372F918D4@daveor.com> <c8006066-e013-c838-219e-5d809c5bc4c7@cs.tcd.ie> <744bb330-5a56-f675-3814-6b7d20faca0d@article19.org>
To: Amelia Andersdotter <amelia@article19.org>
X-Mailer: Apple Mail (2.3124)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps.ftrsolutions.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - daveor.com
X-Get-Message-Sender-Via: vps.ftrsolutions.com: authenticated_id: dave@daveor.com
X-Authenticated-Sender: vps.ftrsolutions.com: dave@daveor.com
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/d2YQn7mMmMO7U-AJS4WIMNSzN2Y>
Subject: Re: [Int-area] WG adoption call: Availability of Information in Criminal Investigations Involving Large-Scale IP Address Sharing Technologies
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2018 12:49:31 -0000

Amelia,

I have read this draft now and, once again, it seems there has been no consideration of the implications for law enforcement of these recommendations. A further example of the "privacy is good, more privacy is better" philosophy. 

I also reviewed RFC6973 and the exact same problem is present there. The privacy threats highlighted in RFC6973 are reasonable from a privacy advocate’s perspective and worthy of consideration, and the mitigants listed also make sense in the context of the listed threats. However, to intimate that the representations of RFC6973 are the only possible perspective, or in some objective sense the “right” perspective, or indeed in any way a complete perspective, misses out important societal issues such as those that are being discussed in this thread.

The considerations that appear to be foremost in RFC6973 are the issues relating to the collection and use of personal data for commercial purposes and the impact of data breaches - the crime attribution characteristics are hardly considered at all. Only surveillance is mentioned and this category, crime attribution per se is not considered at all. It is also sort of implied that surveillance is always a bad thing (it is, after all, listed in the privacy threats section with no consideration of if, or why, there might be a legitimate use for surveillance, subject to appropriate legal safeguards of course) - another point that should be debated and not automatically accepted.

The only trade-offs that are suggested for consideration are (ref. section 4.a)  "privacy and usability, privacy and efficiency, privacy and implementability, or privacy and other design goals”. What about, for example, privacy and potential for misuse, privacy and potential for concealing criminal activity, etc. etc.?

Coming back to the Internet Draft for a moment, there are other points that I could raise but I only want to draw out one rather glaring misrepresentation for now:

"Earlier recommendations contained in [RFC6302] relied heavily on observations made in Section 12 of [RFC6269] that regulatory requirements could imply a broad obligation to log identifiers.”

RFC6302 has nothing to do with regulatory requirements to log anything. RFC6302 relates to recommendations that Internet-facing servers log source port information alongside IP address. The overwhelming majority of Internet-facing servers are subject to no form of regulation at all. The fact that RFC6269 highlights a regulatory requirement to maintain subscriber identity, and the subsequent striking down of the data retention directive, is immaterial to the substance of RFC6302 and RFC6302 does not rely on it in any way. Attempting to throw out the existing recommendations in RFC6302 because of the ECJ ruling on data retention directive is disingenuous. 

daveor

> On 23 Apr 2018, at 09:10, Amelia Andersdotter <amelia@article19.org> wrote:
> 
> I've tabled a similar draft but with a different scope. Happy to discuss
> with members on the list:
> 
> https://datatracker.ietf.org/doc/draft-andersdotter-intarea-update-to-rfc6302/
> 
> -- 
> 
> Amelia Andersdotter
> Technical Consultant, Digital Programme
> 
> ARTICLE19
> www.article19.org
> 
> PGP: 3D5D B6CA B852 B988 055A 6A6F FEF1 C294 B4E8 0B55
>

v2.23.0 | Report a Bug | By Email