Hi everyone, I am following up on the discussion that was partially spurred by the reference to the Golumbia article that argues against anonymous communications as a universally accessible and acceptable service. I agree with the issues that Golumbia has with respect to the unequally distributed benefits of anonymous communications and absolutely appreciate the engagement with the topic. Technically speaking, however, I find his position uninformed and his legal analysis too short to do justice to the issue. What is maybe worse is that his points are uncomfortably aligned with the “going dark” argument [0]: a popular argument that is especially dubious when more private and public data is available to law enforcement and government agencies than ever and the number of non-commercial civilian use of encryption and anonymous communications is abysmal. The latter is one important reason why addressing privacy in standards is key.
Having said that, the interaction between privacy laws and privacy enhancing technologies is complex and worthy of further discussion. In [1] you will find an outdated but hopefully still useful paper on this topic. Also in that article is a distinction between types of PETs based on the role of the service provider, which you may appreciate. Cheers, seda [0] Going Dark by James Comey http://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course [1] Hero or Villain: The Data Controller in Privacy Law and Technologies, Claudia Diaz, Omer Tene, Seda Gurses https://www.cosic.esat.kuleuven.be/publications/article-2365.pdf Constitutional privacy law in Europe and the United States establishes the right to privacy as freedom from government surveillance. It is based on suspicion of power and distrust in the state, which can unleash ominous intrusions into the private sphere to crush dissent and stifle democratic discourse and free speech. Over the past forty years, an additional legal framework has emerged to protect information privacy. Yet unlike the constitutional framework, information privacy law provides little protection against the risk of surveillance by either governments or private sector entities. Indeed, such organizations are assumed by law to be trusted entities acting as stewards of individuals’ rights, essentially “information fiduciaries.” This Article demonstrates that an analysis of the assumptions and principles underlining privacy enhancing technologies (PETs) highlights the gap between the constitutional and information privacy frameworks. It argues that by embracing PETs, information privacy law can recalibrate to better protect individuals from surveillance and unwanted intrusions into their private lives. Conversely, if the law continues on its current trajectory, emphasizing organizational accountability and marginalizing data minimization and transparency, PETs would become unviable and individuals subject to increasingly stifling digital oversight. > > From: Hugo Maxwell Connery <h...@env.dtu.dk> > Subject: Re: [perpass] https.CIO.gov > Date: March 28, 2015 at 2:38:13 AM EDT > To: "d...@geer.org" <d...@geer.org> > Cc: "perpass@ietf.org" <perpass@ietf.org> > > > Hi, > > Standard Fallacy: if communications are encrypted they cannot be > read/obtained. > > There are two places where 'encrypted' communications are viewable, at > the sender and receiver. Thus, the government (or anyone) can obtain the > communications by invading the sending or receiving system if either a > plain-text > of the message(s) or the key and cipher text are still obtainable on the > device. > Metadata of the communication is often available in logs. > > The question is, under what circumstances should the government (or others) > be able to do this? > > Recall that when people say 'encryption' what they usually mean is 'secure > communication' and that means 3 things (CIA model): Confidentiality, > Integrity and Authenticity. > > Sometimes only two of these properties are desired, and I suggest that we > should > be thinking about this. For example, a public forum wishes for integrity > and authenticity but does not necessarily require confidentiality. > > No amount of digital 'secure communications' will prevent surveillance when > an end-point device is compromised (e.g key logger). > > Additionally, current transport protocols include the addresses of the > end-points > and thus expose the metadata of these connections to all locations in the > communications path, irrespective of 'secure communications'. > > Thus, anonymity is another consideration that is entailed in these > discussions. > -- > Hugo Connery, Head of IT, DTU Environment, http://www.env.dtu.dk > ________________________________________ > From: perpass [perpass-boun...@ietf.org] on behalf of d...@geer.org > [d...@geer.org] > Sent: Friday, 27 March 2015 03:11 > To: perpass@ietf.org > Subject: Re: [perpass] https.CIO.gov > > Encryption everywhere all the time? No, thank you. > > Better said, and at effective length, by David Golumbia > > Opt-Out Citizenship: End-to-End Encryption and > Constitutional Governance > http://www.uncomputing.org/?p=272 > > > --dan > > _______________________________________________ > perpass mailing list > perpass@ietf.org > https://www.ietf.org/mailman/listinfo/perpass > > >
_______________________________________________ perpass mailing list perpass@ietf.org https://www.ietf.org/mailman/listinfo/perpass
