
Formal Metadata

Title
RFC 1984
Subtitle
Or why you should start worrying about encryption backdoors and mass data collection
Number of Parts
490
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
In 1996 Brian E. Carpenter of the IAB and Fred Baker of the IETF wrote a joint statement on cryptographic technology and the Internet. This RFC was not a request for a technical standard; it was a statement of their concerns about governments trying to restrict or interfere with cryptography. They felt there was a need to offer "all Internet users an adequate degree of privacy". Since that time successive governments around the world have sought to build back doors into encrypted apps and services to access more citizen and visitor data. As of July 2019, the Attorney General of the United States, William Barr, stated: "Some argue that, to achieve at best a slight incremental improvement in security, it is worth imposing a massive cost on society in the form of degraded safety," i.e. for the sake of security Americans should accept weakened encryption. The head of the FBI also claimed that weakened encryption wouldn't break it. At the moment the US Government is actively trying to stop Facebook implementing end-to-end encryption across its suite of apps. In Australia the metadata retention laws have been abused against journalists, with 58 searches carried out by the AFP. In 2015 ACT police carried out 115 metadata searches. UK officials have a cavalier attitude to the EU SIS database, which tracks undocumented migrants, missing people, stolen cars and suspected criminals. The EU isn't immune to this either, with France considering implementing facial recognition on its government services. IETF Session 105 mentioned privacy and concerns with the mass collection of data. While the IAB and IESG were worried about US export controls on cryptography, there is an argument for RFC 1984 to be updated to include the unnecessary mass collection of data and to use it as a term for IT professionals, privacy advocates and the public to rally behind. In this talk let's recount a brief history of governments around the world wanting to weaken encryption, as RFC 1984 warned us about.
We live in a time where citizens put data into commercial, healthcare and government systems to access services, and some services are only accessible online. From CCTV to Facebook, people have little understanding of why mass collection of data is dangerous. There is little scrutiny of who can access that data, from Scotland to the US. Open surveillance is only a small part of the picture when profiling citizens. It still counts as personal data when combined with metadata and the actual data that people put into social media and services like ancestry DNA test kits. Businesses who use CCTV have to put up signs to warn the public they are recording. So-called anonymised data still contains identifiers that can be tied to individuals. Let's talk about Ovid and peacocks. Let's explore how to expand the RFC to cover recent developments in surveillance capitalism, with governments accessing that data but not securing it. We need to make it clear that weakened encryption and the mass collection and careless retention of data aren't acceptable. RFC 1984 became Best Current Practice in 2015; we need to do more to raise awareness and to implement it in our projects. Why we need to implement RFC 1984: "The Internet Architecture Board (IAB) and the Internet Engineering Steering Group (IESG), [...] are concerned by the need for increased protection of international commercial transactions on the Internet, and by the need to offer all Internet users an adequate degree of privacy." I'd like to start by briefly mentioning Ovid and the legend of Io. Ovid was anti-authoritarian during the time of Augustus, as he'd been exiled by the Emperor. He wrote The Metamorphoses, an epic poem about Greek myths with the theme of transformation. The myth is often used as a metaphor for surveillance, with Io suffering restriction of liberty and being abused by authority.
Being turned into a cow was bad enough; to make things worse she was constantly watched by Argus (Argus Panoptes), the hundred-eyed giant and agent of Hera, another authority. Argus is a great name for a security firm; in fact there are quite a few firms that use an eye in their logo. Pop culture like Neil Gaiman's American Gods on Amazon has also referenced this legend to show surveillance and how it can convey power to authority. In the end, a modern interpretation of the myth could argue that Hermes sending Argus to sleep in order to kill him is a good metaphor for opposing actors using exploits to subvert and disable surveillance and gain access to citizens' data. We focus more on Argus, the agent of surveillance, than on Io, who was violated, changed and then incarcerated under surveillance against her will. Argus Panoptes inspired the idea of the Panopticon, a building designed by the English philosopher Jeremy Bentham as a prison that could be observed by a single guard. Our Internet is in danger of becoming a virtual panopticon for future citizens. The EFF already started thinking about this with Panopticlick, so that you can test who's tracking you through your browser. So who's watching us? Of course this explanation and the metaphor are from a Western perspective. Privacy doesn't mean the same thing to all countries and cultures. Neither does the symbolism of the peacock. Many IT professionals consider RFCs to be more like guidelines; see RFC Clueless.org. Popular email services like Me.com, Outlook.com and even gmail.com have been listed on RFC Ignorant and then its successor RFC Clueless. Sadly the giants often ignore RFCs, which breaks the idea of interoperable standards and protocols and leaves us in danger of being at the mercy of large hosting giants. There is a narrative that threads through the media since that time: privacy is dead, you need to give up that freedom to stay safe.
Politicians like the UK Prime Minister David Cameron in 2015 stated: "In our country, do we want to allow a means of communication between people which even in extremis, with a signed warrant from the home secretary personally, that we cannot read? Up until now, governments have said: 'No, we must not'." Malcolm Turnbull, the Australian Prime Minister, stated in 2017 that "the laws of Australia take precedence over the laws of mathematics." With organisations like Palantir providing information to ICE to target illegal immigrants in the US, and the UK Home Office deliberately destroying data in the Windrush scandal, it's clear that human rights, specifically the right to privacy, are in danger. Recently the EU confirmed that UK Border Force officials had illegally copied Schengen SIS data to third-party organisations based in the US. That's before I even start on repressive regimes where that data can and will be used to oppress citizens of that regime. The recent IETF Session 105 this month mentioned privacy and concerns with the mass collection of data. While the IAB and IESG were worried about US export controls on cryptography, there is an argument for RFC 1984 to be updated to include the unnecessary mass collection of data and to use it as a term for IT professionals, privacy advocates and the public to rally behind.
I propose a brief history of governments around the world wanting to weaken encryption, as RFC 1984 warned us about: "The IAB and IESG are therefore disturbed to note that various governments have actual or proposed policies on access to cryptographic technology that either: (a) impose restrictions by implementing export controls; and/or (b) restrict commercial and private users to weak and inadequate mechanisms such as short cryptographic keys; and/or (c) mandate that private decryption keys should be in the hands of the government or of some other third party; and/or (d) prohibit the use of cryptology entirely, or permit it only to specially authorized organizations." RFC 1984 was explicitly numbered to reference an Orwellian society that uses mass surveillance. Let's expand that beyond encryption to the mass collection of data and ask: how do we limit this? How do we limit access to this data? How do we stop the nightmare?
Transcript: English (auto-generated)
Hello everyone. Excellent. Alright then, so before we begin, I'd like you to consider this frog here.
He's quite a cute little frog, we had him just in our driveway. And the frog illustrates a very simple metaphor in English where you put that cute guy in some water and then you gradually heat up that water until you cook it
and he doesn't realise what's going on. So I want you to think about froggy here while I say a few statements about privacy to you. So do we actually need privacy? All our family and friends are using social media. Our grandparents, our parents, they're using Facebook. They're listening to their friends, posting on social media and agreeing with everything that they say, whether or not there's logic to it.
And teenagers, they've been on Myspace, they've been on Bebo, they've got their own networks, they've got TikTok and VSCO. So privacy, what's the point of it? It's dead, throw it away.
Everybody's worried about the bad people, the terrorists, people coming in to change your way of life. So we need to give that up for our own personal security. So yeah, how's that water feeling?
I have a problem space that it's very hard to explain to people. But luckily for us, back in ancient Greece, before that, civilisations were trying to tell people how to interact with each other in a civilised way so that we weren't constantly at war. And the way they did that were things like simple stories, like Aesop's fables.
We look at them nowadays and we're like, that's children's stories. But at the time, civilisation was in the progress of reprogramming human beings to interact. So with that, I'd like to introduce you to this guy. This is Ovid.
He was a poet during the late reign of Augustus. And he was kind of like considered a kind of cool new kid because he'd followed on from Virgil. He was considered a mate of the emperor. And he was writing during a time when Augustus was hoodwinking the Roman Senate into thinking they were still a democracy.
And he wasn't a dictator, honest. And what Ovid wrote about were the gods and how they interacted with mortals and with people lower down the pecking order, like nymphs, like demigods. And Ovid often took Greek myths and he'd adjust those Greek myths to write about transformation and the effect of imperial power.
Of course, the sad thing for Ovid was because he was writing about this sort of thing, he ended up exiled to the Black Sea in Constanza in modern Romania. And no one's quite sure why he got sent there.
But a good indication might be in the affair that he may have been having with Augustus's granddaughter, Julia. And he also made the huge mistake of writing a piece of work called the Ars Amatoria, which pick-up artists like, God. This is brilliant because in it, he takes the piss out of other scientific treatises at the time,
what he details the way you can go and pick a woman's interest, pick her up and then when you're bored, just get rid of her. Classic scholars do not like that interpretation of it. So don't ever do that to them. So the reason why this wasn't a good thing and he got exiled was at the time,
Augustus was trying to bring in a new philosophy to Roman public life, which was traditional family values. The family unit is a man and his wife. And if you study the Cambridge Latin course, there's some children as well. So Ovid fell foul of that. Now, why am I mentioning Ovid?
Well, there's a very good reason why I mention Ovid, because in his work, The Metamorphoses, he wrote about Io and Argus. So Io was a beautiful, lovely, gorgeous nymph just tiptoeing around in the countryside.
And Zeus, who never could resist having a Me Too moment whenever he could, decided he'd like her to be his next squeeze. She said no. Me Too moment. And Zeus, realising that very soon he'd be in a little bit of trouble with Hera, who was a little bit jealous and prone to victim blaming, decided to go and cover it up by covering the land in a cloud all over it.
Now, as what happens when people in power try and cover things up, someone's eventually going to notice the process of covering things up. And Hera was up there in Olympus going, there's a big, massive cloud down there.
Zeus isn't around. I'm going to go see what Zeus is up to. So she goes down, finds Zeus there. She goes, hey, what are you up to? And what she found was Zeus standing there with a cow, because what he'd gone and done to cover it up was turn poor Io into a cow.
And she went, hey, hey Zeus, that's a pretty cow. Can I have the cow? And Zeus, because he was an absolute coward, went, yeah, yeah, yeah, have the cow. She's pretty. Just you do it. Slopes off, leaving poor Io behind in the hands of a vengeful, angry goddess.
So what she then does is decide to put poor Io under constant surveillance using her tool, who was a hundred-eyed giant called Argus Panoptes. And it was constant surveillance because he didn't actually need to close all of his eyes in order to get sleep.
So poor Io's wandering about with this giant keeping an eye on her. She managed to get to a stream and speak to her father, who was a river god. So he started making a fuss, but she couldn't get away from the surveillance. Eventually, Zeus felt just a tiny, tiny little bit guilty that he'd done this and she was in the situation.
So what he did was go to the god Hermes and go, can you just sort this for me? Because, you know, I'm getting a lot of flak about this and I'd kind of just like it to go away. And so Hermes decided to do an exploit where he did a little bit of social engineering on Argus and told him a long and boring story. Argus fell completely asleep, all the eyes completely closed.
And then Hermes pretty much just murdered him. Surveillance disabled. Of course, the trouble is Io was still a cow at this point, but she manages to get away. She gets all the way to the river Nile.
And then while she was trying to get away, Hera, still being a tiny bit vengeful, pursued her with a gadfly. I'm sure that you can think about many whistleblowers in our industry that have been pursued quite a bit for whistleblowing or for bringing up allegations.
Eventually, though, she turned back into a nymph again and all was well, and she had children. Yay! So what did Ovid add to the story? Because Ovid would take the basic Greek myth and he'd add a little touch. And what he added was peacocks. Hera felt just really quite sad that her tool of surveillance was dead and she couldn't use him anymore.
So what she did was take all of his eyes and put them on the peacock. Now, what exactly does this have to do with nowadays? I mean, it's Greek mythology. People don't turn into cows. Well, if you're a security firm, if you're into, say, CCTV systems, security, you go, I'm going to call myself Argus Vision.
And you'll stick a big eye right in the middle of that logo. And it's also inspired philosophical thought. Jeremy Bentham, a philosopher in the 18th century, came up with a way to monitor
patients in things like pandemics and for quarantine purposes and also to reduce prison observation and work observation as well in factories.
Because he got the idea for the panopticon from his brother, who'd sat in the middle of an office and arranged a bunch of desks around him in Russia. So we've got Bentham's brother to thank for the open plan office, but we have Jeremy Bentham to thank for this, the panopticon.
It's a very simple idea. You have a tower right in the centre there, and around that tower you have cells. In the tower centre you have one person observing, and they have a light and they shine that light into a cell.
So the person in the cell knows they're being observed, but they don't know who's doing it. And the philosophical idea behind this is that, you know, you could get surveilled at any point in time and you have no idea who's doing it. So this actually changes how you think about the world. This changes how you interact with the world.
And this one's from an old ruined prison in Cuba. But there's one trouble with this whole idea of the panopticon. Everybody thinks about the cool thing with the hundred-eyed giant. They think about the surveillance. They think about the technology. They don't think about what it means to be that person being surveilled.
So is this myth still appropriate? I mean, perhaps, perhaps not. The trouble is you have the additional elements of peacocks and that means different things in different religions.
It's a bit of a myth. It's a simplified version of the story. So what can we use to illustrate that feeling of being surveilled instead? We'll go a bit more modern. We'll go for George Orwell. One of his most famous books after Animal Farm was 1984.
How many people in the room have read it? OK, well, that's good. Some of you have got an idea. In the idea of that, there's a very unsympathetic protagonist. And around him, he describes the various means of surveillance and brainwashing of the population. But again, the protagonist isn't sympathetic.
So everybody always thinks about things like Ingsoc and changing what the news is about, changing facts. And again, we've actually just forgotten about Io. We've forgotten about the cow.
We're focusing on the surveillance. So it's quite a simple phrase to get behind 1984 because of what that book means. But we need to think about deeper than just it's someone who wants to stay in power.
We have to think about what it means in terms of that data. And I'm not the only person concerned about this. The IETF in 1996 was noticing as the Internet took off. And they were very concerned about it because at that point in time, the US was putting a ban on escrow cryptography effectively.
They were restricting the sale of it. But who here knows what an RFC is? OK, that's good. That's most of you.
Briefly, the request for comment. They helped to define how we run our services, email, Internet. And it's not just the IETF that creates these RFCs. If you're outside the IETF, there's a separate process that you go through with a review, a submission.
And then it goes through the normal procedure for discussing it. The fun thing is that anyone can submit an April Fools' RFC. And I know at least someone in the room that's actually implemented IP over semaphore. But that's the thing.
There are requests for comments, and sometimes they'll get upgraded to best practices. But does everybody on the Internet follow these best practices? They're not hard and fast rules. There is no law enforcing this. So the larger firms like Microsoft, like Google, like Apple, don't always follow the rules.
And occasionally new standards get submitted and there should be more scrutiny. Anyway, back to the RFC. In particular, there was an anecdotal case where a firm in the US had to strip out its escrow code,
ship the code over to Europe, and then had to tell people how to put the encryption back in. And the IETF went, this is insane. We have got to say something. Because they have a very difficult balance between trying to serve the needs of governments around the world, and at the same time ensuring that the rest of us have a working Internet that we can consider the privacy of our netizens.
So it was published in 1996 during the anecdote that I told you about, and it got upgraded to best practice in 2015. And you can Google the meeting about this because the notes say that they felt people had been referring to this RFC as best practice anyway,
so they might as well just make it official. So yeah, that's the RFC there. It's fairly clear.
Everybody is entitled to privacy. We are entitled to our bank transactions being private. We are entitled to what we buy, what we're looking at. So they were very worried about governments trying to interfere with the very idea of what the Internet is meant to be about.
So point A is covered by the US's embargo on that. And there's still an embargo on some escrow technologies. And sadly, back in 96, back in 2001, and recently in 2015 after the Boston bombers,
and this very year with AG Barr yet again trying to put back doors within apps like WhatsApp and other things. They actually have other mechanisms by which they can get to data. They just want to make it easier for themselves to go on a fishing trip.
And of course, occasionally what they say is fine, have the encryption. Can we have a key as well? Can we just unlock that data and just take a look? We'll be good. We'll be fine. We won't do anything to it. We promise. And in some regimes around the world, only the government's allowed to have encryption. It's not a public right.
So I've already detailed a few versions of the threat. And of course, commercial firms, that's their whole business, collecting our data, gaslighting us into thinking that our data is not worth a lot.
But it is worth a lot. You're all here in this room, but we've got a massive problem because we know this, but our friends and family do not understand that this is the entirety of themselves that they are feeding into these large firms. And it gets worse and worse because there is a trust that's starting to happen with the idea of our biometric data,
fingerprinting, DNA, facial recognition. And our family will think nothing of, say, having an iPhone using facial recognition to unlock it without thinking, well, what's going on with that data?
It's still stored somewhere. We're not entirely sure where it's being stored or what it will be used for in the future. And there are a lot of political threats within the UK, the US, and to some extent within Europe with regimes like Germany and France.
And we've had government leaders state in their parliament or to the news that they don't like the idea of encryption. They don't like the idea of something that they can't read. And if you have a government where they're wanting to know what you read, I think that's a very good indication that they are scared of the populace.
We also have governments that will think nothing of forcing ISPs to effectively act as agents against you because we have metadata laws in the UK and Australia where they will suck up metadata like IP addresses, what you're browsing with.
In the UK, we actually have a filter and they're trying to re-bring in age verification where you have to have put in credit card details to prove your age. And it's a bit like a hydra.
Every now and then, governments will try and have another attempt to break encryption. And once we've lost that ability, it's going to be very hard to have our privacy back. And it's ridiculous for the US. Obama gave the NSA access to the private data of American citizens and the UK will soon have access to that as well.
And of course, with the Cambridge Analytica revelations, we also know that political parties have been collecting data about the demographics of their voters.
And this does include things like in the US magazine subscriptions and what the components of their family are. Because they see it as the more data they have of their constituents to manipulate a vote, the better.
And I mean, what happens once that data is collected? We have even more threats from the bodies that we think should be looking after us. There's a trust there because the issue that we have is we have all of these national health
services, governmental agencies, and they've not really had the proper training yet to consider how dangerous that data is. And if I was the European Union, I certainly would not consider trusting the UK government with any more data than it has.
The revelations last year about the Schengen information leaks by UK government officials. And by government officials, what I actually mean is third party contractors like IBM who are domiciled in the US. So we can expect that that data has ended up in US hands.
And of course, third party contractors, the Republican Party, they've taken that voter data that I'd mentioned earlier. Once they were alerted to the leak, they took it back down again. But the thing is that data was leaked. If data is leaked, it stays leaked.
There is nothing you can do about that. And in a very Orwellian move, Theresa May, when she was the Home Office Minister, deliberately, as part of the hostile environment, deleted the landing cards of the Windrush boat,
which took people from the West Indies, people who were part of the British Empire at the time, and deliberately destroyed evidence that they had a right to stay in the UK. And all of this data can be collected, can be analyzed, and is actively
being used against immigrants in the US who have not entered the country legally. And you have to think about the vulnerable and the margins in society, because if you don't, that technology that's being used against them will be used against your family and your friends.
It doesn't take much to be on the wrong side of a government. And in general, goodness, I don't know what it's like in Europe, but on the Wikipedia page for the UK government's data loss, there are about 30 odd entries of all levels of government from your local municipal council all the way up to ministers at the top just losing data,
leaving a secure laptop in a taxi, thumb drive being handed into a local council office. Officials do not understand the problem space.
And they're also very keen on things like CCTV. You go around here in Brussels, you can see them everywhere. They're in restaurants, they're in your door entries, and people just want to buy them to feel secure at home.
I mean, the Amazon Ring in particular is a very concerning thing, because Amazon bought Ring to solve its own problem, which was porch stealers. But people, middle class families, buy them because they're upset about their packages being bought.
Oh, sorry. But regardless, you have to think very carefully about that data. The issue that we have is how do we communicate this to our family and friends?
And the simple answer to that might be with stories. Start small. Build that trust again with your families, because it's not enough to harangue them all the time. Tell them they're doing things wrong. They won't listen to you. You have to build that trust and that friendship with them again and start getting them to realize that they're the cow.