Re: [perpass] politics and the ietf

Harry Halpin <> Thu, 05 December 2013 13:47 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 381E71ADFE2 for <>; Thu, 5 Dec 2013 05:47:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tYut5W5NjCJl for <>; Thu, 5 Dec 2013 05:47:02 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 34C441ADF99 for <>; Thu, 5 Dec 2013 05:46:58 -0800 (PST)
Received: from ([] helo=[]) by with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <>) id 1VoZGV-0000dP-7D; Thu, 05 Dec 2013 08:46:51 -0500
Message-ID: <>
Date: Thu, 05 Dec 2013 14:46:42 +0100
From: Harry Halpin <>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Hannes Tschofenig <>, Robin Wilton <>, Elijah Sparrow <>
References: <20131205072546.2740.2142915422.0@crow> <> <>
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------040803070708010608090505"
Cc: "" <>
Subject: Re: [perpass] politics and the ietf
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Dec 2013 13:47:07 -0000

On 12/04/2013 09:24 PM, Hannes Tschofenig wrote:
> Robin, Elijah,
> I am always curious how one manages to make a clear distinction 
> between political decisions, technical decisions, economical 
> decisions, and other decisions.

Political decisions have to deal with sovereignty: Who makes binding 
decisions. I think what has escaped lots of folks in Internet governance 
is that now the Internet is at the centre of rather important political 
struggles over decision-making.

The problem is "who" is making these decisions. Right now, for standards 
it's an open multi-stakeholder process that at least we who are involved 
in places like the IETF believes make technical decisions, but these 
decisions only have binding force insofar as they provide enough 
economic advantage that vendors implement them uniformly.

However, we should never forget that the very process of making 
decisions means that standards bodies are *always* political in this 
large sense of making decisions. After all, it is very possible that 
some vendors and countries can go away and make their own decisions 
without the traditional Internet open and voluntary standards bodies, 
and bind their new technologies via the threat of coercive violence. 
While we have name-calling on IETF mailing lists, I'm not aware of 
coercive violence anywhere.

I'm hoping we can bear the responsibility of creating an Internet free 
of pervasive surveillance. And we should be aware that even if we are 
successful in this, other pre-Internet political bodies ranging from 
nation-states to vendors will try to strip out whatever safeguards we 
try to put in in order to continue the value they gain from 
surveillance. A conflict between different bodies, each with its own 
plans for the future and its own overlapping sphere of decision-making, 
is self-evidently a political struggle.

> The perception that "in the early days of the Internet" the decisions 
> were purely technical as too simplistic. If you look at specific 
> decisions of individuals in the IETF it is hard to put them into 
> specific categories. Even if you believe you see a purely technical 
> decision it may have economical implications, or at some time 
> interfere with other design goals. Take the HTTP state management work 
> as an example. The introduction of cookies was a technical mechanism 
> to keep state for the otherwise mostly stateless HTTP protocol. As we 
> now know, the way how cookies have been used later by various Web 
> companies lead to privacy concerns. This lead to the famous technical 
> work on Do Not Track, which has technical components, business 
> implications, and raises legal questions.

In the "early days" of the Internet, to my knowlege, the Internet was 
more of a research project amongst co-operative researchers at places 
like MIT, SRI, and CERN with the Web so security and privacy concerns 
were minimal at best. I'm not sure what else can explain early RFCs :) 
Obviously this has changed, and now folks have to retro-fit these 
security on top the system.
> I wouldn't call the discussions on the list necessarily as "political" 
> but rather non-actionable statements. Here is what I mean by that.
> Some of us try to take specific actions and that requires that you 
> identify who needs to do what. There are things the IETF can do, but 
> there are other communities as well. I tried to explain a simplified 
> version of the Internet protocol development process in 
> As you can see different communities deal with different type of 
> security vulnerabilities. Security problems are not a new thing - just 
> check the OWASP top-10 security vulnerabilities of the last couple of 
> years. These vulnerabilities are obviously be exploited by various 
> folks (state actors, criminals, script kiddies, researchers, 
> enterprise network administrators, etc.). A software that is 
> vulnerable to, let's say, an SQL injection vulnerability is 
> unfortunately not kind enough to take the motives, the organization, 
> the hair colour, etc. of the attacker into account.
> Of course it would be possible to could come up with suggestions for 
> other communities. But you have to start somewhere first. I don't see 
> it as my task, for example, to tell the European Commission, the 
> European Parliament, or the Council what they should be doing. I doubt 
> that the IETF community would be interested in producing such 
> recommendations.

I think they'd want to create broad mandates based on policy decisions 
(hopefully made with consent or even involvement of general population) 
that then are respected by the details of technical standards bodies. Of 
course, that's not usually how it works in practice with governments, 
who tend to either overspecify technical details or do not actually 
represent the consent of their population in any meaningful sense of the 

> For everyone on the list who believes that regulators should take some 
> actions then they should just approach them. It is just lame to say 
> that others should do some work without even providing enough detail 
> about what they should be doing.
> Ciao
> Hannes
> PS: I dislike the use of the term "politics", "policy makers", and 
> alike. It just hides what you are really trying to say. Use other, 
> more specific terms instead. For example, if you believe there is an 
> action required by regulators then say "regulator". If you mean that 
> the job is with enforcement agencies then say that.
In general, regulators are at the bequest of their government, who at 
the present moment is often in thrall of lobbies that prevent anything 
resembling effective regulation. There are political processes that do 
not have regulatory power per se but have the power to nonetheless 
mobilize actors (thinking ACTA/SOPA protests) that have the ability to 
change the decisions of sovereign bodies.

  So I don't think "politics" is the wrong word or empty word. Hopefully 
the IETF - with the help of ISOC of course - and others can continue to 
interface open, meritocratic political Internet processes with 
traditional per-Internet political actors.



> On 12/05/2013 09:55 AM, Robin Wilton wrote:
>> Thanks Elijah, this is a very useful perspective on the whole question of technologists' role - especially when the technology in question is so woven into our political, economic and personal lives.
>> As you say, much of the work of the IETF has an inescapably political dimension - whether we choose to acknowledge that ourselves, or have it thrust upon us (Dual_EC_DRBG being a case in point).
>> I apologise for re-using a well-worn phrase, but I think this reinforces the argument in favour of an open, multi-stakeholder process. That doesn't mean forcing economists and policymakers into the drafting sessions for RFCs, but it does mean creating a process that can take their (and others') input into account - and being able to articulate what we do in terms that make sense to other stakeholders.
>> That approach isn't a guarantee against 'bad actors' exploiting the open nature of the process for their own ends, but compared to alternative ways of architecting and governing the Internet, it offers the best prospects of detecting and mitigating that kind of harm.
>> Best wishes,
>> Robin
>> Robin Wilton
>> Technical Outreach Director - Identity and Privacy
>> On 5 Dec 2013, at 07:25, Elijah Sparrow<>  wrote:
>>> As an outsider to the IETF, and one-time sociologist, I found the repeated calls in Vancouver 88 and on this list for decisions to be made based solely on technical merit and not political argument to be extremely fascinating.
>>> There was once a time when the design of a protocol or standard could be done in a manner that benefited nearly everyone who might be touched by it. These days are surely past. Nearly every single debate or question that has come up on this list is deeply political, if for no other reason than whatever decisions are made will create winners and losers, people who benefit from the choice and people who are harmed by the choice.
>>> In the sweep of history, information capitalism has come to a moment of truth, where the material infrastructure that the IETF and technologists the world around have helped to create has now matured into both an economic engine and a state intelligence system based on mass surveillance. Perhaps the most distinguishing political debate of our time is how the power of the state and of business with respect to citizens and customers has been radically transformed under this new regime of ubiquitous surveillance. Obviously, I feel a particular way about this, but I am just stating the obvious: these issues are deeply political because the fragile balance of powers in liberal democracy and in our capitalist economies have been inexorably rocked by technological changes.
>>> In this context, the question of "how much encryption" is a technical question that is also deeply intertwined with the major political debates of our day. One only has to note the major headlines around the world about the ietf calls for encryption in http 2.0. How often have ietf meetings garnered such global coverage?
>>> Scientists and engineers are often forced into political arenas without their desire or foresight. Take, for example, the history of genomics, climate change, or nuclear physics. Historically, the scientists and engineers have clung desperately to the cloak of objective science, even as their work took on increasingly obvious political ramifications. My hope for the internet is that we could perhaps bypass such silliness and embrace the obvious political nature of our work. Being honest with ourselves does not push anyone toward any particular technical or political stance, except that perhaps we can be more transparent in our justifications.
>>> In the immortal words of Voltaire, and Spiderman, with great power comes great responsibility.
>>> -elijah
>>> --
>>> I prefer encrypted email -
>>> _______________________________________________
>>> perpass mailing list
>> _______________________________________________
>> perpass mailing list
> _______________________________________________
> perpass mailing list