Snowden to the IETF: Please make an internet for users, not the spies

Whistleblower addresses Prague meeting of 'net engineers


NSA whistleblower Edward Snowden has urged the world's leading group of internet engineers to design a future 'net that puts the user in the center, and so protects people's privacy.

Speaking via webcast to a meeting in Prague of the Internet Engineering Task Force (IETF), the former spy talked about a range of possible changes to the basic engineering of the global communications network that would make it harder for governments to carry out mass surveillance.

The session was not recorded, but a number of attendees live-tweeted the confab. It was not an official IETF session, but one organized by attendees at the Prague event and using the IETF's facilities. It followed a screening of the film Citizenfour, which documents the story of Snowden leaking NSA files to journalists while in a hotel room in Hong Kong.

"Who is the Internet for, who does it serve, who is the IETF's ultimate customer?" Snowden asked, rhetorically. The answer was users, not government and not business.

But, he said, the current internet protocols were leaking too much data about users. "We need to divorce identity from persona in a lasting way," he argued, highlighting how the widespread use of credit cards online was connecting identity to online activity.

"If it's creating more metadata, this is in general a bad thing." Instead, protocols should "follow users' intent." He argued that DNS queries should be encrypted – as well as actual content – so that encryption, rather than surveillance, was the norm. "People are being killed based on metadata," he noted.

Spud gun

Snowden appeared to have a good understanding of how the internet's protocols work, and pointed to a new protocol called SPUD that combines transport protocols to reduce the number of "middleboxes" that data needs to travel through when users interact online.

Snowden noted that the network path was the best place for spies to get access to information and that each middlebox provided another potential point of attack, but also warned that SPUD could make the core UDP internet protocol "a new channel for leaking metadata about users' intents."

He also argued that having identifiable "long lasting" hardware addresses was "extremely dangerous," as it connects people to, say, a MAC address when they use wireless internet connections, which can put an immediate flag on their identity and location.

Snowden's speech was met with a standing ovation. Which is hardly surprising – the IETF and internet engineers in general tend to have a strong independent streak, and many are still embarrassed by the fact that the NSA managed to crack a number of key internet protocols developed by the IETF and even subvert some of its working groups in their bid to develop new standards that would give the spooks easy access.

One of the IETF's first responses to the Snowden revelations was the creation of a new RFC document, which currently serves as "best current practice." In RFC 7258, the organization notes that "Pervasive Monitoring Is a Widespread Attack on Privacy" and "The IETF Will Work to Mitigate Pervasive Monitoring." ®


Biting the hand that feeds IT © 1998–2022