{"id":35730,"date":"2013-10-28T12:00:33","date_gmt":"2013-10-28T12:00:33","guid":{"rendered":"http:\/\/www.transcend.org\/tms\/?p=35730"},"modified":"2015-05-05T22:21:18","modified_gmt":"2015-05-05T21:21:18","slug":"in-response-to-nsa-revelations-the-internets-engineers-set-out-to-prism-proof-the-net","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2013\/10\/in-response-to-nsa-revelations-the-internets-engineers-set-out-to-prism-proof-the-net\/","title":{"rendered":"In Response to NSA Revelations, the Internet\u2019s Engineers Set Out to PRISM-Proof the Net"},"content":{"rendered":"<p><i>Greatly disturbed by the recent revelations of mass internet surveillance, the Internet Engineering Task Force (IETF) has announced plans to ramp up online security. You may never have heard of them, but the IETF are the creators and engineers of the internet\u2019s architecture. Is there a technical solution to the problem of mass surveillance?<\/i><\/p>\n<p>For the <a target=\"_blank\" href=\"http:\/\/www.ietf.org\/\" >IETF<\/a>, Edward Snowden\u2019s revelations were \u201ca wake-up call,\u201d said Jari Arkko, the task force\u2019s chair. Arkko spoke at this week\u2019s UN-initiated <a target=\"_blank\" href=\"http:\/\/www.intgovforum.org\/cms\/\" >Internet Governance Forum<\/a> in Bali, Indonesia. Surprised by the scale and tactics of surveillance, Arkko stated the engineers are \u201clooking at technical changes that will raise the bar for monitoring.\u201d<\/p>\n<p>\u201cPerhaps the notion that internet is by default insecure needs to change,\u201d he said. The IETF\u2019s will is there, and Arkko believes significant technical fixes \u201cjust might be possible.\u201d<\/p>\n<p><strong>Technical, not political<\/strong><\/p>\n<p>The engineers of the IETF keep a low profile, but they have been crucial to creating and setting the standards on which the internet was built, ever since its birth in 1969. 
They have developed email, instant messaging, and many protocols that hide behind acronyms that sound familiar yet mysterious to most Internet users, like HTTP and TCP\/IP.<\/p>\n<p>As the internet evolved from an academic project into a global network, the role governments and companies played in how it functions grew dramatically. But the IETF maintained its well-respected role, thanks in part to its fervently apolitical stance and focus on technical issues.<\/p>\n<p>That focus remains in the current plans to make the internet more resistant to mass surveillance, Arkko emphasised in an interview with RNW: \u201cThis is a technical, not a political decision.\u201d<\/p>\n<p>In his speech, Arkko chose his words carefully as he addressed an audience comprising representatives from governments that perpetrate the same mass surveillance he hopes to curtail.<\/p>\n<p>\u201cI do not think we should react to specific cases,\u201d Arkko stated during the forum\u2019s opening sessions. \u201cBut our commerce, business and personal communications are all depending on the internet technology being secure and trusted.\u201d<\/p>\n<p><strong>More, new and better security<\/strong><\/p>\n<p>Ideas about how the internet might be secured against mass surveillance are currently being discussed on the IETF\u2019s <a target=\"_blank\" href=\"http:\/\/www.ietf.org\/mail-archive\/web\/perpass\/current\/maillist.html\" >publicly accessible mailing lists<\/a>, to which anyone can subscribe and contribute. While nothing is set in stone yet, Arkko sketched out a few of the IETF\u2019s ideas in his public address.<\/p>\n<p>Firstly, the IETF wants to eventually apply encryption to all web traffic.<\/p>\n<p>\u201cToday, security only gets switched on for certain services like banking,\u201d Arkko explained, referring to IETF-developed standards like SSL \u2013 the little lock that appears in the upper left corner of your browser to secure online purchases. 
\u201cIf we work hard, we can make [the entire internet] secure by default.\u201d To this end, the IETF might make encryption mandatory for HTTP 2.0, a new version of the basic web protocol.<\/p>\n<p>Secondly, the IETF plans to remove weak algorithms and strengthen existing algorithms behind encryption. This means that the US National Security Agency and other surveillors will find it harder to crack current forms of encryption.<\/p>\n<p>In other words: the IETF proposes putting locks in more places and making existing locks harder to pick. If the protocols are applied, intercepting the traffic between any two points on the internet\u2014the sender and receiver of an email, the visitor and owner of a website, the buyer and seller of a product\u2014will be close to impossible.<\/p>\n<p>Starting November 3, the IETF will hold a week of meetings in Vancouver, Canada to concretise the online security plans in person.<\/p>\n<p><strong>Raising the bar for surveillance<\/strong><\/p>\n<p>The IETF is confident that their plans will make a difference, but what do other experts on the internet\u2019s technical infrastructure think?<\/p>\n<p>Axl Pavlik, managing director of Europe\u2019s Internet Registry (RIPE NCC), is guardedly optimistic.<\/p>\n<p>\u201cIt wouldn\u2019t stop the problem, but it would make the effort [of surveillance] more expensive.\u201d<\/p>\n<p>Pavlik likens the plans to a successful countermove in an indefinite arms race between internet users and snoopers.<\/p>\n<p>\u201cYou and I have limited resources, and the surveillor has limited resources \u2013 maybe more than we have \u2013 but if millions of users of the internet raise the bar a little bit, the requirements to surveil every little bit of internet traffic would be much higher,\u201d he explained to RNW.<\/p>\n<p>The IETF\u2019s plans also benefit people who are already encrypting their online activities themselves, argued Marco Hogewoning, technical adviser to RIPE NCC. 
According to him, these people currently stick out like a sore thumb to the very surveillors they hope to evade.<\/p>\n<p>\u201cIf you see an armoured car now on the street, you know there must be something valuable inside,\u201d Hogewoning explained. \u201cIf everybody drives around in an armoured car, I can go around and put a lot of effort into breaking into each and every car, and hope I get lucky and find something valuable inside, but it might be empty. If everybody encrypts everything, all you can see is armoured cars.\u201d<\/p>\n<p><strong>Take it or leave it<\/strong><\/p>\n<p>Yet while the IETF can propose standards and protocols, it has no power to enforce their adoption. The onus to adopt the standards lies with the software developers who make browsers and web servers, as well as website owners, and everyday internet users who need to heed browser updates.<\/p>\n<p>\u201cIt\u2019s a great initiative,\u201d said Gillo Cutrupi, a digital security trainer at Tactical Tech. \u201cBut if it\u2019s not adopted, it\u2019s just a piece of paper.\u201d<\/p>\n<p>A standard like HTTPS, for instance, can already be applied by every website to improve security. Cutrupi explains that many websites unfortunately still make use of unsafe options.<\/p>\n<p>Such options might be popular because they are easier to use. Some websites don\u2019t care for security, and ignore the standard; Yahoo Mail will only make HTTPS encryption the default setting starting January 2014.<\/p>\n<p>Yet Arkko, the IETF chair, doesn\u2019t see universal adoption as a big hurdle. \u201cI have no worry about that,\u201d he said. 
\u201cOur standards are very widely applied.\u201d<\/p>\n<p>He stressed that in addition to increased security, newer standards offer multiple advantages.<\/p>\n<p>\u201cHTTP 2.0 has many other improvements.\u201d In one example, he pointed out that \u201cfor the users, websites would load faster.\u201d<\/p>\n<p>These improvements would no doubt serve as an incentive for websites to implement the new protocol.<\/p>\n<p><strong>The end point of trust<\/strong><\/p>\n<p>Yet one major caveat remains. While the IETF might be able to secure the pipes through which users\u2019 data travel, users must also be able to trust the parties where their data is stored: software, hardware and services such as Cisco, Gmail and Facebook. These parties can hand over user data directly to government agencies.<\/p>\n<p>Arkko stressed the limitations of what the internet\u2019s engineers can do. \u201cWe are trying to do as much as we can,\u201d he explained, \u201cwhich will help situations where there\u2019s someone in the network monitoring you. It will not help situations where someone has direct access to your email provider.\u201d<\/p>\n<p>Axl Pavlik identifies the problem of trust at another level altogether:<\/p>\n<p>\u201cIn the end, it\u2019s down to public policy, governments, secret services. And maybe the secret court orders to release a key [which] we will never know about. That shatters the trust of the internet as we know it. That\u2019s the very bad situation that we need to get out of.\u201d<\/p>\n<p><a target=\"_blank\" href=\"http:\/\/www.rnw.nl\/english\/article\/response-nsa-revelations-internet%E2%80%99s-engineers-set-out-prism-proof-net\" >Go to Original \u2013 rnw.nl<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Greatly disturbed by the recent revelations of mass internet surveillance, the Internet Engineering Task Force (IETF) has announced plans to ramp up online security. 
You may never have heard of them, but the IETF are the creators and engineers of the internet\u2019s architecture. Is there a technical solution to the problem of mass surveillance? <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-35730","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/35730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=35730"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/35730\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=35730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=35730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=35730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}