Hi Steve,

I'd like to challenge your assertions that because Gmail and Facebook have 
billions of users, the bulk of Internet users do not care about pervasive state 
surveillance of all or most of their Internet communications, and 
therefore the IETF's attempts at promoting strong security have thus far been 
sufficient. Privacy is often valued contextually. The fact that a user accepts 
the trade-offs that Gmail presents (accepting that a private company will scan 
her emails in exchange for a snappy interface or beneficial network effects) 
does not mean that the same user is comfortable with pervasive government 
surveillance that could allow her to be pursued (using police force) under 
legal standards that are often vague or uncertain for anything she writes in 
every email she sends. The state's ability to impinge on a wide range of 
individual freedoms surpasses by far the ability of any single private company 
to do so. The line between private and public sector data collection has 
obviously blurred as more and more data is exchanged between the two, but that 
does not make the two of them equivalent.

For the list: much of this thread's discussion seems to presume that the 
business considerations behind individual companies' decisions about whether to 
deploy secure protocols or not are unchanged from what they were four months 
ago prior to the beginning of the revelations. Yet elsewhere there seems to be 
a whole lot of hand-wringing going on about how much business is being lost or 
how nervous various customers are in the wake of the revelations. Can we really 
assume that no IT managers in charge of enterprise SIP deployments or 
middlebox-based backwards-compatibility solutions are even considering 
re-evaluating how they balance competing requirements? 

Alissa

On Oct 10, 2013, at 5:57 PM, Stephen Kent <k...@bbn.com> wrote:

> Hay,
> 
>> Hiya,
>>>> I...
>> I disagree. IMO all the snowdonia stuff is very good evidence that
>> we need to do better. And "enforcer" is not at issue.
> Can you be more specific here? I have not examined all of what is being made
> public; I do have a day job :-) .
>> And the 2nd. But the 2nd is a case where there's a teeny bit of
>> crypto baked into websockets so that websockets just doesn't
>> work without it. But not one to rathole on.
> OK, moving on.
>> ...
>> Going back to a mail from Yoav a few weeks ago - we're not trying to
>> prevent state surveillance, but we would like to make it more
>> expensive so Yoav isn't on the list of folks that they can afford
>> to surveil. Assuming we share that description as a goal, (do we?)
>> what other kind of folks do you think we might need to make progress
>> on that?
> I understand the goal of making life harder for state surveillance.
> However, I am not willing (personally) to incur any degraded user experience,
> premature cell phone battery depletion, etc in order to support this goal.
> I suspect, but cannot prove, that most users would express similar feelings.
> 
> But, if there are things we can do that are "free" of adverse impacts,
> and supportive of the goal you noted, we should consider them.
>> There is a fair point there but dealing with what people do on FB
>> is not really within the IETF's scope I think. Making it harder for
>> a few hacked nodes to record everything everyone does is though.
>> (And if we can do that well, I suspect we'll get a bunch of other
>> security benefits too.)
> I use Gmail for some traffic. If I really cared about the confidentiality
> of that traffic, I should choose another provider. How many million
> folks make the same decision?
> 
> I use the weather channel to check forecasts for my home area, and
> for airports en route to destinations, and for vacation and work
> trips. I see ads popping up that are an obvious, direct result of
> the WC folks having access to cookies from my browser! Somehow
> I learned to live with that ;-) .
>> And there's also the user-consent issue - regardless of what one
>> thinks about web site T&C, it is absolutely the case that users
>> have not given permission for the pervasive monitoring that's
>> been reported.
> Agreed.
> 
> Steve
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass
> 
