A little over a year ago, we learned about pervasive monitoring and interception of Internet traffic by governments. The biggest surprise wasn’t that these tools and programs exist, but their scope and scale, which indicated to the technical community that this is a major threat to all users. In this post, we look at the responses from the technical community so far to mitigate this attack. There is also a companion piece on our Public Policy Blog examining policy responses to date.
Early on, the Internet Society expressed deep concerns about online surveillance and the need for an open global dialogue on online privacy and security, noting: “This kind of collection of user information is at odds with the commitments that governments around the world have made with respect to protection of personal data and other human rights.”
The Internet technical community has galvanised in its resolve against pervasive monitoring and is working to make the Internet more resilient in the face of such attacks. In November 2013, the Internet Engineering Task Force (IETF) declared that pervasive monitoring represents an attack on the Internet. This was followed by the adoption of RFC 7258: “Pervasive Monitoring Is an Attack,” which indicates that monitoring “should be mitigated in the design of IETF protocols, where possible.”
Even before we learned of widespread surveillance, the technical community was working to reduce users’ exposure to the results of mistaken or malicious certificates. Certificate transparency provides a system where certificates used to protect Internet communication can be monitored and audited in an open manner. It helps make connections using HTTPS, for example, less susceptible to interception or impersonation, and it serves as a general security measure, guarding against broad Internet security attacks and making Web browsing safer. The Internet Society runs the log server code and we look forward to extending the service as both code and protocols are advanced. We are collaborating with organizations such as Google and NORDUnet in this work.
The IETF is also pursuing work regarding the viability of more widespread encryption. Some believe that encryption with strong authentication should be used extensively. Others believe there are practical obstacles to this approach, including a lack of reasonable tools and understanding of how to use the technology, plus obstacles to scaling infrastructure and services with existing technologies. As a result, the discussion within the IETF has focused on addressing opportunistic encryption and weak authentication. “Weak authentication” means cryptographically strong authentication between previously unknown parties without relying on trusted third parties. Such solutions are much easier to deploy, and while they shouldn’t give a user higher confidence in the authenticity of a resource, they help against pervasive passive monitoring.
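To make the idea concrete, here is an added example (not code from the IETF or the Internet Society) of one common form of weak authentication, the "leap of faith" or trust-on-first-use model, which is assumed here as the illustration. The `PinStore` class, the peer name and the sample keys are hypothetical and constructed for the example.

```python
import hashlib
import hmac

FIRST_USE, MATCH, MISMATCH = "first-use", "match", "mismatch"


class PinStore:
    """Trust-on-first-use store mapping a peer name to a key fingerprint."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def fingerprint(public_key: bytes) -> bytes:
        # Pin a digest of the key rather than the key itself.
        return hashlib.sha256(public_key).digest()

    def check(self, peer: str, public_key: bytes) -> str:
        fp = self.fingerprint(public_key)
        pinned = self._pins.get(peer)
        if pinned is None:
            # No trusted third party vouches for this key. It is accepted and
            # remembered, so the first contact proves nothing about identity.
            self._pins[peer] = fp
            return FIRST_USE
        if hmac.compare_digest(pinned, fp):
            # Same key as before: continuity with the earlier session.
            return MATCH
        # Key changed: flag it and keep the original pin, so a substituted
        # key cannot silently replace the one seen first.
        return MISMATCH


def run_demo():
    # Constructed sample keys; real deployments would use actual public keys.
    key_a = b"constructed-sample-public-key-A"
    key_b = b"constructed-sample-public-key-B"
    store = PinStore()
    return [
        store.check("mail.example", key_a),  # first contact
        store.check("mail.example", key_a),  # later session, same key
        store.check("mail.example", key_b),  # different key presented
        store.check("mail.example", key_a),  # original key is still pinned
    ]


if __name__ == "__main__":
    print(run_demo())
```

The first result shows why this gives no added confidence in authenticity, while the later ones show the continuity check: the channel is encrypted against passive observers, and a changed key is visible rather than silent.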
Another example of technical community action is the organization of CRYPTECH.IS – a loose international collection of engineers working to improve assurance and privacy on the Internet. We are excited to support this work, which aligns with Internet Society goals (a) to advance the work of open standards bodies such as the IETF and W3C, (b) to strengthen the Internet, (c) to limit the corrosive effects of mass surveillance, and (d) to improve privacy on the Internet. This group is developing open source tools for cryptography that are used as building blocks for Internet communications. The initial projects are an open crypto chip design and prototype(s), and an assured tool chain (basic elements such as compilers, operating systems, and hardware design tools). The intent is that the resulting open-source hardware cryptographic engine can be built by anyone from public hardware specifications and open-source firmware. (Stay tuned to this Internet Technology Matters blog for a future post about the Cryptech effort.)
The Internet has flourished and expanded because it is open, resilient, interconnected, and interdependent. It’s an ecosystem based on collaboration and shared responsibility from all stakeholders, including governments, the technical community, civil society, the private sector, and academia, among others.
We’re already making important progress within and across communities on a variety of technical and policy initiatives that share the common goals of:
- Striving to protect Internet users’ communications from unwarranted monitoring and interception; and
- Restoring trust in the Internet, its technologies, applications, and services.
There is no single answer to preventing massive surveillance. The only way to make the Internet more secure, more resilient, more robust, and more private is through all of us working collaboratively to make it that way. It’s time for us all to do our part to make the Internet stronger.