Re: [Mtgvenue] Australia and its encryption laws

[John C Klensin <john-ietf@jck.com>]

Adam,

I think you missed my point, for which I acknowledge that this
might not be the right discussion list.  As far as meeting
planning is concerned, I agree with Eliot Lear's rather nice
analysis (posted minutes before your note below) and
appreciation George Michaelson's note posted a few minutes ago.
I would add to both that our own requirements for openness in
conjunction with IETF work (see BCP 78 and assorted "Note Well"
comments) are such that, if it is necessary to protect meeting
materials and conversations from falling into the hands of law
enforcement or the like, we have more serious problems or to
quote a professor colleague from long ago, "maybe they will
learn something".  I can imagine a company being concerned about
an employee conducting confidential company business while at an
IETF meeting, but, we have never made that a criterion for not
holding a meeting and, as Eliot more or less points out,
companies feeling sufficiently secure about their own
communications is not part of RFC 8718.

I was, and remain, concerned about something else, something
that has little or nothing to do with where we hold meetings.
In recent years, the IETF has been very strongly (and
increasingly, IMO) committed to more use of encryption in
support of individual privacy, including privacy from interested
governments.  If Australia's apparently heavy-handed rules
(independent of how they are actually applied) restricts use of
cryptography (or restricts its use without government/ law
enforcement access or back doors) then, if our protocols do not
make provisions that allows people subject to those laws to
conform with them, we are essentially making it impossible for
those people or associated companies to use the Internet while
conforming to our protocols.  That would encourage fragmentation
and/or development of other protocols elsewhere.   It that is
not obviously a good idea (at least to me) and I wish we were
more explicitly considering the tradeoffs involved (thanks to
Eliot for raising a related issue on another list).

best,
 john


--On Thursday, June 10, 2021 09:30 -0700 Adam Roach
<adam@nostrum.com> wrote:

> On 6/10/21 00:08, John C Klensin wrote:
>> It is a slightly different question but, if we accept your
>> description of the "top-line issue" and follow your reasoning,
>> does it not obligate us to be certain that there are
>> plain-text versions of all of our protocols
> 
> 
> No, it does not.
> 
> 
>> Without trying to take a position on Jay's question, my
>> recollection is that we made our meeting in Beijing
>> conditional on unrestricted access to the global public
>> Internet, including the use of encrypted traffic
> 
> 
> And TOLA, of course, does not prevent this. HTTPS, VPNs, and
> the use of other encryption technologies remains legal. For
> the sake of clarity, here's a fairly concise summary of the
> controversial provisions of the TOLA Act:
> https://corrs.com.au/insights/australias-security-monitor-reco
> mmends-changes-to-controversial-anti-encryption-legislation
> 
> It is egregious overreach, of course, but has no bearing on
> the work we do during a meeting. Even in the Kafakaesque
> scenario of Australia attempting to issue a TCN for someone
> visiting for a week, the end result would be meaningless:
> development of the envisioned capabilities happens in weeks
> and months, not hours and days. Setting foot in a country does
> not bind its laws to you forever: I've visited Japan, and yet
> my possession of pseudoephedrine in Texas doesn't put me at
> legal risk from Japanese authorities.
> 
> /a
>