IETF Logo Mail Archive

RE: [Raven] Comments on Draft -- Take 2

Chris Savage <chris.savage@crblaw.com> Mon, 07 February 2000 21:29 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA22243 for <raven-archive@ietf.org>; Mon, 7 Feb 2000 16:29:29 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id PAA02739; Mon, 7 Feb 2000 15:15:13 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id PAA02708 for <raven@optimus.ietf.org>; Mon, 7 Feb 2000 15:15:11 -0500 (EST)
Received: from crbexch.crblaw.com (webaccess.crblaw.com [216.88.51.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA20721 for <raven@ietf.org>; Mon, 7 Feb 2000 15:16:36 -0500 (EST)
Received: by webaccess.crblaw.com with Internet Mail Service (5.5.2448.0) id <1KQ81XLJ>; Mon, 7 Feb 2000 15:22:10 -0500
Message-ID: <D1A6C6C41B4CD311965D00C04F2C8D514526F7@webaccess.crblaw.com>
From: Chris Savage <chris.savage@crblaw.com>
To: 'chefren' <chefren@pi.net>, raven@ietf.org
Subject: RE: [Raven] Comments on Draft -- Take 2
Date: Mon, 07 Feb 2000 15:22:05 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: raven-admin@ietf.org
Errors-To: raven-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Raven Discussion List <raven.ietf.org>
X-BeenThere: raven@ietf.org

>-----Original Message-----
>From: chefren [mailto:chefren@pi.net]
>Sent: Monday, February 07, 2000 1:35 PM
>To: raven@ietf.org
>Subject: RE: [Raven] Comments on Draft -- Take 2
>
>
>On 7 Feb 00, at 12:13, Chris Savage wrote:
>
>> Some time ago I pointed out that to actually determine the degree of
>> difference/overlap between the legal requirements of various 
>countries
>> would entail a non-trivial amount of lawyer time and effort. 
> That said,
>> due to various quirkiness-es of US law, I would suspect that 
>what CALEA
>> will require for particular carriers/manufacturers will be 
>different from
>> what other countries will require.
>
>IETF should look primarily at technical side of the 
>problem, that's pretty simple: pass al information to and 
>from an IP address without changing the information. The 
>information should be encapsulated in a timestamped package 
>with details like who had set the tap, which warrant, 
>checksums against modifications and so on. Not that 
>difficult.

You can't avoid the legal problems, unfortunately.

The solution you just described -- ship all the data to someone (LEA?) who
will agree to only look at the stuff they are entitled to -- would probably
affirmatively violate CALEA in the US, which requires (lots of glossing over
of details here) giving the LEAs what they are entitled to, but not more
than they are entitled to.  In the case of IP addresses, most consumers here
(targets of taps) access the 'net via dial-up, and ISPs typically
dynamically assign IP addresses to dial-up users.  So I don't see how your
proposal would give the LEAs either (a) all the information regarding
someone they are legitimately tapping (different IP addresses for different
sessions) or (b) only the information they are entitled to (since different
users would have the same IP address over time).

The discussion above has at least met, and probably exceeded, my actual
technical knowledge.  But if it is even remotely right, your solution might
be okay under Dutch law, or some other country's law, but I don't think it
would cut it in the US.  Here the FCC is in court defending a decision to
approve, on what amounts to an interim (and probably
never-to-be-implemented) basis, a system where the LEA gets full packets
to/from a target when their authorization extends only to address
information, not content.  So you can imagine what would happen with a
system that gave full packets from lots of people in order to allow the
capture of data relating only to one or a few...

>> So, to answer your question directly, no, AFAIK my 
>>proposition has not
>> been "tested" -- the "testing" is what would take a bunch of 
>>lawyers a
>> bunch of (high-cost) hours to confirm.  But it strikes me as 
>>having a very
>> high likelihood of being true.
>
>I don't see the necessity of a bunch of lawyers. This can 
>and should be handled strictly as a technical problem.

This is probably where you experience the greatest disconnect with a lot of
other people on the list, IMHO.  I suppose if we define the problem as,
"What's the most technically efficient way to ensure that LEAs get all the
data they need to find any Bad Guy they need to find?" that's (largely) a
technical problem. But it assumes that the goal of the exercise is as
stated, i.e., that LEAs' data needs are captured by: "getting them all the
data they need..."  In fact, LEAs' data needs (in practical terms) are
constrained by what their respective national laws authorize them to
collect.  Hence the need to know what the laws are.  Hence the need for
lawyers.  (Hey, don't feel so bad.  Most lawyers acknowledge that they need
engineers...)

>> >I see a strong kind of "not invented here" resistance.
>> >
>> >There is no will to think about what wiretap standard could 
>> >be there is only an "against".
>> 
>> It seems to me that the predominant opinion on the list is that
>> wiretapping by LEAs is a (maybe) necessary evil, but plainly 
>> an evil that
>> the IETF should not facilitate.
>
>"Maybe necessary" or "necessary"? That's no question. It is 
>necessary and not up to IETF to decide. It's up to 
>governments and important ones have decided.

My earlier posting was trying to summarize what I think is the consensus of
the list.  You, obviously, disagree (as is your right).  But I think my
summary is more or less an accurate description of what people have stated
here, your disagreement with those statements notwithstanding.

>> Also, that any "legal" wiretapping regime
>> could be abused by either oppressive authorities (insert 
>>your favorite
>> villainous regime here) or by out-of-sanction LEAs (the LAPD 
>>example), not
>> to mention random Bad Guys who somehow get in a position to use the
>> capability.
>
>Since when is the IETF interested in the message? Or in 
>this case specific use of the Internet?

Interesting question.  I think that the Internet community writ large has
long been interested in various uses of the Internet.  As to the IETF's
interest, I think that is explained in the draft...

>> This leads to a consensus that on the whole facilitating the
>> process from a technical perspective is, net-net-net, a Bad Thing, as
>> opposed to a Good Thing.
>
>That's not upon IETF, IETF shouldn't be a political 
>organization.

But it has been asked, in essence, a political question, to which it is, in
its own techie-oriented way, crafting a political response.  That doesn't
make it "a political organization."  That simply means that politics has
impinged on what it does.  In the grand scheme of things, I take this as an
indicator that the 'net is, indeed, continuing to "grow up."

>> The point at this late stage of the discussion 
>
>Late? The proposed text has nothing to do with a solution 
>for the real problem. We still have to start...

Here again, I think there is a disconnect between the problem you see (see
above for my attempt to capture it) and the problem the IETF sees.

>> is not to claim that your
>> counter-arguments have zero persuasive power.  Perhaps by 
>virtue my own
>> (lawyer) training (every issue has at least two sides), it 
>seems clear to
>> me that the persuasive power of your arguments is well above 
>zero.  Even
>> so, those arguments have failed, in this forum, to persuade very many
>> people. Again, maybe due to my training, the notion that 
>good, sensible
>> arguments might lose (and, yes, I know some on the list 
>would not credit
>> yours in that way) is not shocking -- it happens every day.
>
>No problems with that here...
>
>> Either because better, more sensible arguments prevail,
>> or because the decision-maker perceives the actual issue
>> to be one as to which the arguments are not quite as
>> strong or relevant as their proponent would like. 
>
>The decision-maker, IETF, has made standards for a long 
>time happily with little or even no interference with laws. 
>Unfortunately(!) that has ended. The current stuborness of 
>IETF may well be described as childish...

Actually, I think it shows considerable restraint and maturity.

It would have been a different matter if (say) ARPA had originally conceived
of the network it was supporting/inventing as primarily a communications
tool for governments.  If ARPA had demanded that the requisite protocols
being developed (more or less) on its nickel included tappability, and the
ARPA-funded researchers had said "no," that would probably have been
childish.  But the days are long past when the 'net and its protocols could
remotely be considered to be under government "control" or "ownership."  The
guts of the 'net -- the routers, the servers, the pipes -- are owned and
controlled by private parties.

So all the normal concerns attendant on government trying to get private
parties to do things -- is this legal?  who will bear the cost?  -- applies
to making the (current) 'net more easily tappable.

<snip>

Chris S.
All views/opinions my own


*************************************************************************** 
This electronic mail transmission may contain confidential or 
privileged information.  If you believe that you have received the 
message in error, please notify the sender by reply transmission 
and delete the message without copying or disclosing it. 
***************************************************************************

_______________________________________________
raven mailing list
raven@ietf.org
http://www.ietf.org/mailman/listinfo/raven

v2.23.0 | Report a Bug | By Email