
In the three years since IETF said pervasive monitoring is an attack, what's changed?

IETF Security director Stephen Farrell offers a report card on evolving defences

Advertising models will change

Companies collaborating to collect advertising data remains a big challenge, he said. That's likely to change – “there's no reason why a particular business model has to last forever”, but in the meantime, “it's hard to see how we make a dramatic improvement in privacy.

“We can make some improvements, but how we make it dramatically better – it's hard. The incentives are aligned to make all the service providers want to be privacy-unfriendly, from the point of “me”, but not perhaps the point of view of 99 per cent of people who use the Internet, and seem happy enough with it.”

Breaches and leaks are frightening the service providers, which helps, because providers “realise that storing everything, forever, is toxic, and in the end they'll get caught by it.”

About the cough NSA cough

The Register also asked: what protects future standards against security organisations polluting standards, as they did with DUAL-EC?

“As an open organisation, we need to be open to technical contributions from anywhere,” Farrell said, “be that an employee of the NSA, or be that – as we've had in one case – a teenager from the Ukraine who was commenting on RFCs five or six years ago.”

It has to be handled socially, rather than by process, he argued, citing the IETF's creation of the Crypto Forum Research Group, chaired by Alexey Melnikov and Kenny Paterson and designed to bring together IETF standards authors and the academic crypto community.

He described it as a “lightweight process” designed to assess crypto proposals – have they been reviewed? Is the proposal novel and maybe not ready for prime time?

“The number of NSA employees that attend IETF [meetings] – I don't think it's a useful metric at all. I think how well people's contributions are examined is a much more useful metric, and there, things like having the CFRG, having academic cryptographers interacting much more with the standards community – those are more effective ways of doing that.

“We've set up a thing called the Advanced Networking Research Prize, which is a prize for already-published academic work. It pays for the academic to come to an IETF meeting, give us a talk, get them involved” (Paterson first became involved in the CFRG as an invited academic who won the prize).

Spooks want to monitor everyone because they believe everyone might be guilty, he added, and that's a mistake.

“We should not think people are guilty by association. That's a fallacy – if you believe that NSA employees are not allowed to contribute, you're making the same mistake they're making.” ®
