Alissa,

Hi Steve,

I'd like to challenge your assertions that because Gmail and Facebook have
billions of users, the bulk of Internet users do not care about pervasive state
surveillance of all or most of their Internet communications, and
therefore the IETF's attempts at promoting strong security have thus far been
sufficient. Privacy is often valued contextually. The fact that a user accepts
the trade-offs that Gmail presents (accepting that a private company will scan
her emails in exchange for a snappy interface or beneficial network effects)
does not mean that the same user is comfortable with pervasive government
surveillance that could allow her to be pursued (using police force) under
legal standards that are often vague or uncertain for anything she writes in
every email she sends. The state's ability to impinge on a wide range of
individual freedoms surpasses by far the ability of any single private company
to do so. The line between private and public sector data collection
has obviously blurred as more and more data is exchanged between the two, but
that does not make the two of them equivalent.

I appreciate your analysis, but I don't necessarily agree with your
conclusions. The state has a responsibility to provide for the security of
its citizens. To the extent that surveillance supports this goal, it is
potentially justified, irrespective of whether every citizen agrees with the
methods. Corporate collection of personal data tends to be driven by greed,
not quite so noble a goal :-).

I agree that the state has a more powerful capability to collect info about
Internet users, and yes, there are no T's & C's to read and agree to (or, more
likely ignore and agree to). But that does not mean that we, as developers of
Internet standards, are in a position to know whether all users feel that
state vs. corporate surveillance is a greater personal concern, and thus
warrants mandatory to use (vs. implement) security features.

For the list: much of this thread's discussion seems to presume that the
business considerations behind individual companies' decisions about whether to
deploy secure protocols or not are unchanged from what they were four months
ago prior to the beginning of the revelations. Yet elsewhere there seems to be
a whole lot of hand-wringing going on about how much business is being lost or
how nervous various customers are in the wake of the revelations. Can we really
assume that no IT managers in charge of enterprise SIP deployments or
middlebox-based backwards-compatibility solutions are even considering
re-evaluating how they balance competing requirements?

I'll defer to folks with more direct experience with these businesses, but I
have seen no such change in perception. The only change I have seen is that
enterprises making use of cloud storage and backup are more concerned about
the confidentiality of the data stored there, and are considering offshore
alternatives.

Steve
_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass