Re: [saag] Fwd: ubiquitous encryption draft feedback
Joseph Lorenzo Hall <joe@cdt.org> Thu, 26 March 2015 22:14 UTC
In-Reply-To: <4B3D2CEE-BEB9-4BD3-A305-E1D79F8C5FD3@gmail.com>
References: <D124DCA9.483CC%wesley.george@twcable.com> <4B3D2CEE-BEB9-4BD3-A305-E1D79F8C5FD3@gmail.com>
From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Thu, 26 Mar 2015 17:13:38 -0500
Message-ID: <CABtrr-XJU3_RNH0278da2dCjcrGxtNHLRh9LioBjXxnFHB4x3Q@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/tEMPEUUNxfNiRJKXFIramgtBpgQ>
Cc: saag@ietf.org, Wes George <wesley.george@twcable.com>
Subject: Re: [saag] Fwd: ubiquitous encryption draft feedback

(this was Kathleen forwarding Wes' feedback quoted here)

> Liability – I realize that IETF does not trade in legal advice, so this
> would have to be caveated pretty heavily, but I think it's a worthwhile part
> of the discussion since it's a direct result of a specific set of technical
> actions and should be weighed when considering whether the ends justify the
> means.
>
> Duty to take action – encrypted traffic (or unencrypted traffic that is not
> subject to DPI) comes with a hidden benefit for the SPs who carry it-
> plausible deniability. If a service provider or enterprise is decrypting
> traffic with intent to inspect it, whether with or without its users'
> knowledge, it can be argued that it is responsible for the traffic's content
> such that it is required to take action on content or activities that are
> banned by policy or law, including enforcing copyright, preventing
> exploitation of children, threats of violence, reporting potential
> violations to the proper authorities, etc. An SP must be ready to take
> responsibility for traffic that flows across its network if it chooses to
> inspect it.

Heya, as one of the resident policy wonks at IETF I should point out that the above certainly isn't the case in the US, where intermediaries generally have broad immunity from liability for hosting or transmitting third-party content.*

As for the rest of the world, a recent and great UNESCO report by Rebecca MacKinnon et al. summarizes the landscape by describing three regimes: strict liability like in China and Thailand where even ignorance is no excuse, conditional liability where upon receiving notice the content has to be blocked or the intermediary risks a lawsuit, etc., and broad immunity such as the case in the US.

I'll stop typing now as I doubt anyone on the SAAG list is as deep into this stuff as we are at CDT... here's the report, you can start reading a few pages around PDF p. 40:

http://unesdoc.unesco.org/images/0023/002311/231162e.pdf

All this is saying that I doubt a duty to monitor is a strong argument here since nothing much exists like that now (and even in the strict liability cases, which are few, you don't get much by monitoring over other things like denying access at the onset).

best, Joe

* (Content hosts are required to report instances of child sexual abuse imagery to the National Center for Missing and Exploited Children (NCMEC) when they become aware of them, and to retain some data about the image, but otherwise intermediaries typically don't have a legal obligation to take action even when they become aware of potentially unlawful content. The DMCA provides protection from potential secondary copyright liability -- if the content host takes down an allegedly infringing file upon notice from a rightsholder, it can't be sued as having contributed to that infringement. But technically an intermediary could ignore a DMCA demand and try its luck in the courts.)

--
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871