Categories
Building Trust Encryption Human Rights Improving Technical Security Privacy

Imagine an encrypted world! A workshop at the IGF 2015

What would a world of pervasive encryption look like?  How would it change the ways in which we use the Internet? How do we get to that world? And how would law enforcement work?

In the aftermath of Snowden disclosures on pervasive surveillance, there has been a growing interest in the role of encryption as a tool that can protect the confidentiality of users’ communications online.

For those among you who are not following this issue closely, let’s take a step back: encryption (from the Latin word crypt, meaning hidden place) is a means to protect your data from prying eyes. It is basically a way to encode information between two points so that only authorized parties can see it.

In the current debate, many governments and law enforcement agencies are arguing that they need access to people’s data in order to prevent crimes or to advance investigations. From that point of view, they don’t necessarily look on encryption with a favourable eye.

An Internet that cannot offer secure online communications will likely undermine trust in online trade, put activists in challenging countries at risk, and just undermine people’s privacy expectations. At the same time, law enforcement agencies need to do their job and using targeted data can be a means for this objective, within the boundaries of the rule of law and the respect of fundamental rights (which, as reflected in the latest Freedom on the Net report, is not always the case as national security arguments are sometimes used for political censorship).

So how can we reconcile both sides of this equation?

We will try to answer this question during the 2015 Internet Governance Forum this week, in Joao Pessoa, Brazil.

To do that, we are going to project ourselves into a hypothetical future where all Internet communications are encrypted; a world of ubiquitous encryption. After all, engineers are already working towards that end, more companies are enabling encryption, and most civil society organisations are aspiring to it.

So how would we get to this possible future? When could this happen and what would lead to this alternate reality?

What would this encrypted world look like? Would it happen at the level of the Internet architecture and without action needed from users?

And finally, what would law enforcement look like in this scenario? Would they be able to protect citizens, and if yes by what means?

We will have an amazing panel of speakers in Joao Pessoa to try to address these questions:

• Mr. Frank Pace, Sergeant, Digital Forensics Investigative Unit, Strategic Information Bureau, Phoenix Police Department

• Mr. David Kaye, UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression

• Mr. Ted Hardie, Executive Director, Internet Architecture Board

• Ms. Carly Nyst, civil society, former Privacy International, international privacy expert

• Mr. Michael Nelson, Internet-related global public policy issues, CloudFlare

• Ms. Sanja Kelly, Project Director, Freedom on the Net report

• Ms. Xianhong Hu, intergovernmental, Division for Freedom of Expression and Media Development, Communication and Information Sector, UNESCO

Join us, either on site or remotely, on 11 November at 12:00-13:00 BRT (15:00-16:00 UTC), in this forward-looking exercise to find solutions for our present issues.


NOTE: For more information on the Internet Society’s position on encryption and related activities, please see: https://dev.internetsociety.org/encryption

UPDATE – 2 December 2015 – Nicolas Seidler published a post about the results of this session: Encryption and law enforcement: aiming for trust.

Photo credit: Yuri Samoilov on Flickr

 

Categories
Building Trust IETF Improving Technical Security Open Internet Standards Privacy Technology

Rough Guide to IETF 93: Strengthening the Internet

Strengthening the Internet and encryption continue to be active areas for the IETF community. The news stories related to encryption just seem to keep coming. Now some governments are even considering requiring key escrow or banning encryption outright. The stakes continue to rise in this discussion. In this section of the Rough Guide, we will focus on CrypTech, the IAB Privacy and Security program, the Crypto Forum Research Group, and a few relevant IETF work groups happening at IETF 93 in Prague next week.

First, CrypTech (website: https://cryptech.is; wiki: https://trac.cryptech.is/wiki; mailing list: https://wiki.cryptech.is/wiki/MailingLists) is a project to create an open hardware cryptographic engine developed in a transparent manner. While this project is technically outside the scope of the IETF, it was originally started with the support of IETF and IAB leadership. CrypTech is making excellent technical progress, but it needs to establish more robust and stable funding.

At IETF 93, there will be several opportunities to learn more about the CrypTech project and to get involved. First, there will be a hands-on workshop on Saturday, 18 July, to learn more about the current state of the project. A detailed agenda is available here: https://trac.cryptech.is/wiki/PrahaWorkshop. CrypTech will also be an agenda item in the saag and cfrg meetings mentioned below. This is an interesting project with great potential and many opportunities to participate and contribute.

Moving on, the Internet Architecture Board (IAB, www.iab.org), through its Privacy and Security Program (https://www.iab.org/activities/programs/privacy-and-security-program/) is continuing to work on the topic of confidentiality. A document on “Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement” (https://tools.ietf.org/html/draft-iab-privsec-confidentiality-threat-07) has been approved and is in the final steps of publication. The program is now working on a mitigations draft entitled “Confidentiality in the Face of Pervasive Surveillance” (https://tools.ietf.org/html/draft-iab-privsec-confidentiality-mitigations-02). Now is an excellent time to find some of the program participants and discuss this document with the authors.

While this is not an IETF 93 activity, the IAB is also working with the GSMA to plan a workshop on Managing Radio Networks in an Encrypted World (MaRNEW). There is still time to put together position papers if you feel you have something to contribute in this space. (https://www.iab.org/activities/workshops/marnew/) The workshop is planned for 24-25 September in Atlanta, GA, and there should be interesting results to review in time for IETF 94.

Next, the Internet Research Task Force (IRTF) Crypto Forum Research Group (cfrg, https://irtf.org/cfrg) continues to focus on the use of cryptography for IETF protocols. It has been focusing extensively on the selection of new elliptic curves for use in IETF protocols, and rough consensus on this topic is documented in “Elliptic Curves for Security” (https://tools.ietf.org/html/draft-irtf-cfrg-curves-02). Hot topics at the meeting this week will include PAKE schemes, extended hash-based signatures, and elliptic curve signatures. Anyone interested in the future direction of cryptographic curves and algorithms would be well served to follow these discussions.

There are also a number of IETF working groups progressing efforts related to strengthening the Internet that will be meeting this week. In this post I will focus on tls and uta. Other working groups also working on strengthening the Internet are discussed in the “DNSSEC, DANE, DPRIVE, and DNS Security” and the soon-to-come “Trust, Identity, and Privacy” Rough Guide posts.

The Transport Layer Security (tls) working group is actively working on an update to the TLS protocol (https://tools.ietf.org/html/draft-ietf-tls-tls13-07). This is a very active working group with a mailing list that is not for the faint of heart. There will be two sessions and a total of 4.5 hours of meeting time devoted to progressing the agenda. Topics for IETF 93 include known configuration mechanisms, 0-RTT, PSK and resumption, client authentication, and cipher suites among others.

Since the last IETF meeting, the Using TLS in Applications (uta) working group has published two RFCs: RFC 7525 “Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)” (https://tools.ietf.org/html/rfc7525) and RFC 7590 “Use of Transport Layer Security (TLS) in the Extensible Messaging and Presence Protocol (XMPP)” (https://tools.ietf.org/html/rfc7590). This meeting will focus on enhanced email privacy and TLS/DTLS security modules.

Finally, I’d like to give a quick plug for the Security Area Advisory Group (saag) session. This is an excellent way to get a quick view of some of the security-related conversations ongoing in the IETF. This week’s session will include CrypTech along with the state of transport security in email and http. All in all, there is much to see and do in the world of Strengthening the Internet for IETF 93.

Related Meetings, Working Groups, and BoFs at IETF 93:

cfrg (Crypto Forum Research Group)
Wednesday, 22 July 2015, 1300-1530, Athens/Barcelona
Agenda: https://tools.ietf.org/agenda/93/agenda-93-cfrg.html
Charter: https://irtf.org/cfrg

tls (Transport Layer Security) WG
Tuesday, 21 July, 2015, 1520-1720, Congress Hall III,
Wednesday, 22 July 2015, 0900-1130, Grand Ballroom
Agenda: https://tools.ietf.org/wg/tls/agenda
Documents: https://tools.ietf.org/wg/tls
Charter: https://tools.ietf.org/wg/tls/charters

uta (Using TLS in Applications) WG
Tuesday, 21 July 2015, 1740-1840, Congress Hall III
Agenda: https://tools.ietf.org/wg/uta/agenda
Documents: https://tools.ietf.org/wg/uta
Charter: https://tools.ietf.org/wg/uta/charter

saag (Security Area Advisory Group)
Thursday, 23 July 2015, 1300-1500, Congress Hall II
Agenda: https://tools.ietf.org/agenda/93/agenda-93-saag.html

Follow Us

There’s a lot going on in Prague, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf93.

Categories
Human Rights Improving Technical Security Privacy Public Policy

Does A Digital Society Have To Become A Surveillance Society?

A few years ago, a series of revelations about widespread surveillance of Internet communications by government security agencies sent shockwaves across the digital world, prompting renewed debates about the right to privacy in the digital age. While innovations in communication technologies have increased the possibilities for individuals to share information and ideas across borders, they have also generated opportunities for state surveillance of users’ personal exchanges.

With increasing national security threats, political leaders in a number of different countries are promoting measures that ultimately have the effect of reinforcing Internet surveillance. The latest example is France. Despite the fact that the country has a long history of supporting the open Internet, advocating for individual privacy and freedom of expression, it is now getting closer to adopting a new intelligence law that risks jeopardising fundamental rights.

On 5 May, the French National Assembly approved, by 438 votes to 86, a proposed surveillance law drafted in the aftermath of the January terrorist attacks in Paris. Despite the strong opposition of civil society groups, including Internet Society (ISOC) France and local industry stakeholders, who warned that the bill’s provisions would de facto allow mass surveillance, the law won the support of a majority of the Assembly deputies. Rejecting allegations that the law is a French variant of the US Patriot Act, Prime Minister Manuel Valls highlighted that the new measures are needed to provide the country’s intelligence services with powers to be more effective in the fight against terrorism and serious crime.

While it is generally agreed that an individual’s right to privacy must, in appropriate circumstances, give way to matters of public interest (law enforcement, safety and security), other factors must be respected, such as necessity, legitimacy, proportionality and fairness, to determine whether a lower level of protection is justified in the particular case. In France’s case, the new provisions would, among other things, authorise bulk collection of Internet communication metadata via Internet providers, paving the way towards disproportionate and potentially limitless online surveillance of the population.

ISOC has long advocated the idea that security should not be sought at the expense of individual rights, and we do not accept the notion that security has to be the product of a trade-off with privacy and freedom of expression. In line with this, the ISOC Board of Trustees endorsed the principles in the International Principles on the Application of Human Rights to Communications Surveillance and we underline the importance of proportionality, due process, legality, and transparent judicial oversight.

We believe that mass Internet surveillance not only threatens privacy and the free flow of information, but also generates chilling effects on the Internet architecture as such, undermining the trust that users have in the network as a global, interoperable and resilient platform of communication. The Internet is global; therefore the impact of laws like the new French bill would not be limited to a specific country, but would reverberate across the world to users everywhere.

We have always maintained the importance of an open and inclusive dialogue on online privacy, including in the realm of national security, and the need for all stakeholders to abide by the norms and principles outlined in international agreements on data protection and other fundamental rights.

Governments should engage fully with their citizens in an open dialogue on how to reconcile national security objectives and the fundamental rights of individuals. We have repeatedly called on the global Internet community to stand together in support of open Internet access, freedom, and privacy. Building upon a principled vision and substantial technological foundation, ISOC promotes open dialogue on Internet policy and technology among users, companies, governments, and other organisations.

The principles and values of the French Revolution inspired great political and social transformations and had a major impact on the development of liberty and democracy in Europe and worldwide. So has the Internet. However, the building stones of the Internet as a free and open space would be undermined by new laws introducing disproportionate surveillance.

The French bill will now be examined by the Senate, and also reviewed by the country’s Constitutional Court. Let’s hope that in constructing a new framework for its intelligence services, they will not forget to respect the values for which France stands.


Photo credit: jpellgen on Flickr

Categories
Privacy

Surveillance: Is this the beginning of the end of data trawlers?

Last 21 December, we published a post entitled When Law Isn’t Enough [1], with the hope that 2014 would be the year that the global community unites to confine the ambit of data collection for national security purposes to those truly exceptional circumstances where the public interest objectively outweighs an individual’s right to privacy.

One year on, it’s time to reflect on the progress that has been made towards this goal.

The potential privacy impact of metadata has been formally acknowledged at the UN level in the resolution The right to privacy in the digital age [2] adopted by the Third Committee this month. This means that “… respecting and protecting the right to privacy …” (one of the calls upon States contained in the resolution) should include metadata.

The Office of the High Commissioner on Human Rights, in the report on the right to privacy in the digital age [3] concluded that:

Even the mere possibility of communications information being captured creates an interference with privacy, with a potential chilling effect on rights, including those to free expression and association.

Unfortunately, this conclusion is not specifically reflected in the recent UN resolution. This would have been a very useful addition because a formal recognition by UN members might have finally put an end to one of the arguments made by States in defence of pervasive observation and data collection, namely that privacy only becomes a concern at the point where data is actually “used”.

UN members emphasize in both resolutions that unlawful or arbitrary surveillance or interception of communications violates the right to privacy. However, they stop short of saying what is or is not unlawful or arbitrary. Consequently, we have to ask, are we actually any closer to achieving the objective? Or, is it business as usual because States interpret lawful and not arbitrary as it suits their national security needs? Given the inherent covert nature of pervasive surveillance, it’s probably going to be impossible to gauge whether pervasive surveillance practices have materially changed.

In Europe, where data protection is a fundamental right, the EU Article 29 Working Party goes further in its recent declaration [4], stating that:

Secret, massive and indiscriminate surveillance of individuals in Europe, whether by public or private players acting in an EU Member State or from elsewhere, is neither lawful with regard to the EU Treaties and legislations nor ethically acceptable.

This is a significant statement for two reasons. First, it is a declaration that pervasive surveillance is not lawful. Second, it purposefully raises the ethical dimension. This important aspect is reinforced in the third paragraph of the declaration:

Technology is a medium that must remain at the service of man. The fact that something is technically feasible, and that data processing may sometimes yield useful intelligence or enable the development of new services, does not necessarily mean that it is also socially acceptable, ethical, reasonable or lawful.

The Internet Society has been arguing for some time now that the standard the international community should apply with respect to surveillance, and data governance in general, is not one of strict legality, but rather what is ethical.

While diplomatic and policy communities have been considering the legal and ethical dimensions of surveillance, other communities have been exploring their own attitudes regarding pervasive surveillance and what action (if any) they would take. We’ve already discussed many of these initiatives in earlier blog posts, so I’ll just mention a growing recognition among some groups of the societal value in offering Internet users (from all sectors) the option of protecting the confidentiality of their online communications through encryption. For example, the Internet Architecture Board recently issued a statement [5] that encryption should be the norm for Internet traffic.

So, in summary, where do we stand one year on?

Pervasive surveillance of online communications is probably still a reality for many Internet users. Even if the position of the Article 29 Working Party were to be held unanimously internationally, there would still be a spectrum of views as to what constitutes massive or indiscriminate surveillance. The situation is unlikely to change appreciably unless states, of their own volition, wind back their mass surveillance programs in favour of a more case-by-case targeted approach. The question then is, what would persuade states to move on from the status quo?

If we, as a global community, are to make any meaningful progress towards protecting the privacy rights and expectations of individuals on the Internet, in the context of surveillance in pursuit of national security objectives, we face hard questions about what is and is not acceptable. We will not only have to understand and face up to those questions, but also find answers which persuade policymakers that change is both necessary and in their longer term interest for a trusted global Internet.

[1] Blog: When Law Isn’t Enough

[2] United Nations General Assembly: The right to privacy in the digital age (Document)

[3] The right to privacy in the digital age, Report of the Office of the United Nations High Commissioner for Human Rights (PDF)

[4] Joint statement of the European Data Protection Authorities assembled in the Article 29 Working Party

[5] IAB Statement on Internet Confidentiality

Categories
Deploy360 Improving Technical Security IPv6 Privacy

IPv6 Privacy Addresses Provide Protection Against Surveillance And Tracking

Recently we’ve seen several articles, such as one out today, that assert that IPv6 addresses will make it easier for security services and law enforcement to track you. Surprisingly, these articles seem to miss that when IPv6 is implemented today on mobile devices or other computers, it is almost always implemented using what are called “privacy extensions” that generate new IPv6 addresses on a regular basis.

To put it simply – almost every mobile device or computer using IPv6 in 2014 changes its IPv6 address on a daily basis (usually) to prevent exactly this kind of surveillance.

To step back a bit – if you read any of the documents explaining the basics of IPv6, they inevitably mention that the “auto-configured” IPv6 address for a device is created using the network address and the MAC address assigned to the device’s network interface. This gives a theoretically globally unique address for your computer, mobile phone, or device.

If this were the only IPv6 address your device had, it would be something that could be easily tracked.

But…

The engineers who created IPv6 were very concerned that IPv6 could be used in this way and so way back in 2007 they published RFC 4941 defining “privacy extensions for IPv6” autoconfiguration. This standard defines a mechanism where a device generates a random host address and uses that instead of the device’s MAC address.

The device also changes that IPv6 address on a regular interval. The interval can be set to anything, but typically is configured on most operating systems to be one day. In mobile networks, the IPv6 address may change based on the link to which you are connecting, so as you move around you will be generating and using new IPv6 addresses all the time throughout the day.

As we wrote about in a resource page about IPv6 privacy extensions, the following operating systems use IPv6 privacy extensions BY DEFAULT:

  • All versions of Windows after Windows XP
  • All versions of Mac OS X from 10.7 onward
  • All versions of iOS since iOS 4.3
  • All versions of Android since 4.0 (ICS)
  • Some versions of Linux (and for others it can be easily configured)

So if you are using a Windows or Mac OS X computer, or any of the major mobile devices, you are already using IPv6 privacy addresses.

I know from my own network analysis in my home office network that all my devices are constantly changing their IPv6 addresses. (In fact, these IPv6 privacy addresses can cause problems for some applications that expect IP addresses to be stable – which brought about RFC 7217 this year suggesting a way to create a random address when your device is on a given network but then have that change when you move to another network.)
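The three address-generation schemes discussed above, side by side, as an added example that is not part of the original post: the MAC-derived identifier, an RFC 4941-style random identifier, and an RFC 7217-style identifier that is stable per network, plus a small audit helper that flags addresses exposing a MAC. The MAC, the documentation prefixes, the sample addresses and the use of HMAC-SHA-256 as RFC 7217's function F are all assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import secrets


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291) built from a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def temporary_iid() -> bytes:
    """Random identifier in the spirit of RFC 4941; regenerated per lifetime."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear the universal/local bit: not a globally unique ID
    return bytes(iid)


def stable_iid(prefix: str, iface: str, network_id: str,
               secret_key: bytes, dad_counter: int = 0) -> bytes:
    """RFC 7217-style identifier: fixed on one network, different on another.

    Assumption: HMAC-SHA-256 keyed with secret_key stands in for the RFC's
    function F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).
    """
    net = ipaddress.IPv6Network(prefix)
    msg = b"|".join([net.network_address.packed, iface.encode(),
                     network_id.encode(), str(dad_counter).encode()])
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[-8:]


def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big"))


def embedded_mac(addr: str):
    """Return the MAC an address exposes if it looks MAC-derived, else None.

    Heuristic: a random identifier contains ff:fe here once in 65536 cases.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def audit(addresses):
    """Group addresses by exposed MAC; one MAC seen under several prefixes
    means the host can be correlated across networks."""
    exposed = {}
    for a in addresses:
        mac = embedded_mac(a)
        if mac:
            exposed.setdefault(mac, []).append(a)
    return exposed


# Constructed sample: one laptop seen on two networks, plus a random address.
SAMPLE_MAC = "00:1b:44:11:3a:b7"
OBSERVED = [
    str(make_address("2001:db8:a::/64", eui64_iid(SAMPLE_MAC))),
    str(make_address("2001:db8:b::/64", eui64_iid(SAMPLE_MAC))),
    "2001:db8:a:0:5c2f:91d3:7a0e:e4b1",  # constructed privacy-style address
]

if __name__ == "__main__":
    for mac, addrs in audit(OBSERVED).items():
        print(f"{mac} exposed by {len(addrs)} address(es): {addrs}")
    key = secrets.token_bytes(16)  # per-host secret, generated at install time
    for pfx in ("2001:db8:a::/64", "2001:db8:b::/64"):
        print(pfx, make_address(pfx, stable_iid(pfx, "eth0", "home", key)))
    print("temporary:", make_address("2001:db8:a::/64", temporary_iid()))
```

Running `audit` over the addresses your own hosts actually use (for example from router neighbour tables) shows which devices still fall back to MAC-derived addresses.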

In the end, the ability of security services to track you on IPv4 versus IPv6 is pretty much about the same. With IPv4, you generally have a public IPv4 address that is assigned to the edge of your network, perhaps your home router or the router at the edge of your corporate network. You then use NAT to assign private IPv4 addresses to all devices on the inside of your IPv4 network. On the public Internet, all that an observer can see and track is your public IPv4 address – there is no further information about the device on the inside of the network beyond a port number.

With IPv6, you typically have a public IPv6 network address assigned to the edge of your network and then the devices internally configure themselves using IPv6 privacy extensions. On the public Internet, an observer can see and track your public IPv6 address, but that will be changing each and every day, making any kind of long-term tracking rather difficult or resource-consuming.

We definitely want to see more articles about IPv6 security appearing out in the mainstream media as these are extremely important conversations to have – but when talking about IPv6 addresses and surveillance, let’s please try to focus on how IPv6 is actually being implemented rather than how it could theoretically be done.

NOTE: For a lengthier technical discussion on this topic, please view this Internet Draft: draft-ietf-6man-ipv6-address-generation-privacy

For more information on how to get started with IPv6, please visit our Start Here page to find resources focused on your role or type of organization.

P.S. From a privacy perspective, I am personally far more worried about the application-layer tracking that occurs through “cookies” (including the new “super cookies” deployed by some mobile network providers) and other mechanisms. For these tracking mechanisms, the underlying IP address is completely irrelevant.

 
