Re: [perpass] perens-perpass-appropriate-response-01

Pranesh Prakash <pranesh@cis-india.org> Fri, 06 December 2013 04:53 UTC

Bruce Perens [2013-12-04 19:05]:
> On 12/04/2013 03:47 PM, Jacob Appelbaum wrote:
>> So basically, you were just blowing smoke?
> No. The organization is charged to protect us. 

1. Speak for yourself. The NSA is not charged with protecting
non-Americans, i.e., the bulk of the population of the world and, I may
add, the bulk of the users of the Internet standards that the IETF works
on.  The clue is in the word "National".  India's National Technical
Research Organization is not charged with protecting Chinese or
Americans either.

2. Try telling that to the folks at Petrobras and all the diplomats at
the UN HQ, the Indian Embassy in DC, the EC/CoE/European Council, G20
leaders, and those people whose porn habits were recorded for blackmail
purposes.

This is not a debate about whether surveillance is good or not.
(Targeted surveillance which is allowed by a law, has a legitimate aim
in a democratic society, is not arbitrary, is necessary to achieve those
aims, is proportionate, authorized by a judicial process, etc., would be
legitimate.)  This is a debate about whether it is technically (and
politically) desirable for protocols to prevent mass surveillance.

> Throwing deliberate hurdles in their way is like spreading nails in the path of 
> a police car. Cops have more than enough abuses, but most people accept that 
> they do good stuff too, and nobody sensible suggests getting rid of them.

That analogy is woefully inadequate.  Spreading nails in the path of a
police car is a targeted attack on the police car.  Increasing
encryption to improve confidentiality of communications is not a
targeted attack against anyone.

This, on the other hand, is like ensuring that you write *all* your
communications in coded language instead of just some of your communication.

Will it frustrate targeted surveillance that complies with the standard
set in the International Covenant on Civil and Political Rights of being
"non-arbitrary" and "lawful"?  Probably not, since there are other ways
of getting to such targets by gaining access through their service
providers or by gaining access to their person or to their communication
devices.

Will it frustrate mass surveillance / dragnet surveillance?  Yes.  The
choice is clear to me.

>> Good luck with a Man-On-The-Side attack on .se. domains that are properly configured.
> OK. But I'm horrified that .se is the best demo you can cite.
>> What political solution do you envision exactly?
> Given the choice, I would roll increases in executive authority related to the 
> pursuit of war or espionage back to what we had before the PATRIOT act. This is 
> something we can state in one sentence and that makes sense. IMO it is a 
> workable campaign and one you should join.

I can't join it; I'm not a US citizen.  Nor do I want to make the lack
of security of the protocols that I use hostage to some 'workable
campaign' run by well-meaning Americans.  I will whole-heartedly support
you in your campaign to reform the law and policies in the USA.

I don't see why you see technical and political solutions as being
mutually exclusive.

There is no reason why the 'default' insecurity of HTTP cannot be
handled at the technical level.  Do I believe all HTTP2 traffic MUST be
encrypted?  Perhaps, and perhaps not.  But most certainly, the 'default'
for HTTP2 traffic should be encryption.

You can opt out of the Concealment Society if you want to.  But please
don't force me to stay within the Surveillance Society.

-- 
Pranesh Prakash
Policy Director
Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash
--------------------
Access to Knowledge Fellow
Information Society Project, Yale Law School
T: +1 520 314 7147 | W: http://yaleisp.org