Cybersecurity & Standards

I* Newsletter: Encryption Export Controls, Russian Throttling

“I*: Navigating Internet Governance and Standards” was a monthly newsletter distributed by the Center for Democracy & Technology (CDT), and compiled by the Public Interest Technology Group (PITG), a group of expert technologists who work across a complex landscape of internet standards development (“I”) organizations that convene in the public interest.

The newsletter highlighted emerging internet infrastructure issues that affect privacy, free expression, and more, clearly explaining their technical underpinnings.

# What does the U.S. Department of Commerce’s new rule on encryption export controls actually mean?

Last month, in compliance with the Wassenaar Arrangement, the U.S. Department of Commerce put a rule into effect that eases controls on encryption technology. The U.S. has taken this notable tactic to remove barriers for U.S. companies to export their technologies.

The rule makes changes that include broadening the technology category with the fewest preexisting barriers to export, “encryption for data confidentiality,” to include more mass-market hardware products. It eases reporting and notification requirements for products that are more heavily controlled, such as networking equipment. 

“This is a welcome policy trend that will make secure and privacy-enabling digital technology, from emerging IoT to standard networking equipment, more ubiquitous,” says Mallory Knodel, Center for Democracy & Technology CTO.

# Research uncovers how Russia is throttling Twitter

On April 5, Twitter traffic in Russia was throttled, or slowed down, because the platform allegedly contravened Russian law by not removing “objectionable” content quickly enough. The throttling was done with equipment distributed and installed at internet service providers located within Russia under the country’s “Sovereign Internet Law.”

The flawed targeting of the throttling had collateral effects on other domain names, and introduced system-wide performance issues for some operators. At the same time, a major data center experienced an outage resulting in inaccessibility of some Russian state information systems, which triggered local media speculation of a U.S. attack on Russian infrastructure. 

# My flock is 4724. What’s yours?

Google is testing FLoC, its proposed protocol for targeting online advertising to cohorts without the need for third-party cookies, even while the protocol’s privacy merits and impacts on the online advertising ecosystem continue to be debated at the World Wide Web Consortium (W3C). The proposal would have web browsers cluster users based on their browsing activity, and share an identifier for each cluster with websites in order to target advertising.

Various tools have been developed to let users see whether their browser is part of the test, and what numeric identifier (generated by Google’s algorithm, based on the particular set of domains a user visited in the past week) is shared with sites or online services that are interested.

More challenging, though, is learning what inferences are likely to be drawn about you from that opaque number, whether sites can infer what other sites you’ve previously visited, or whether your cohort identifier itself can be used as a fingerprint to track your online browsing activity without any need for cookies. 

While Google’s FLoC proposal may seem an improvement on a dismal privacy “status quo” (where users’ browsing habits may be tracked ubiquitously, without awareness, understanding, or control), the status quo is not static, universal, or inevitable.

# DNSSEC deployment and automation

To ensure that domain name systems (DNS) return authentic results, domain name system security extensions (DNSSEC) were developed to allow owners of domains to digitally sign DNS data. Their deployment has been in flux, but automated tools are emerging to facilitate domain registrants configuring their domains with DNSSEC correctly.

“Domain name system security extensions (DNSSEC) are a part of the internet where secure standards exist, but much work remains to deploy them,” says Amelia Andersdotter, Director of Strategic Initiatives at the Council of European Top Level Domain Registries (CENTR). “For some core internet infrastructure, it’s not always obvious how to create cost incentives for internet infrastructure companies to upgrade to better technology, and DNSSEC certainly suffers from this.”

Andersdotter points out, “Separating data privacy and data accuracy conceptually is also smart, like recognising the many different types of ‘security’ concepts there are.”

# Discussion about exclusionary and racist terms in IETF is not close to ending

In the October 2018 meeting of the Internet Engineering Task Force (IETF), Mallory Knodel of the Center for Democracy & Technology and Niels ten Oever of the University of Amsterdam brought up the continued use of outdated, offensive terms such as Master/Slave and Whitelist/Blacklist. Knodel and ten Oever summarized their arguments in a document titled “Terminology, Power and Oppressive Language.” Although the document has been updated five times, and hundreds of emails have been exchanged regarding the issue, there is not yet a solution to the issue in sight.

Currently, the progress of a resolution in the IETF is blocked. The Internet Engineering Steering Group (IESG) found the proposed charter of a working group on offensive terminology, which has been discussed since 2019, “too divisive” — especially after the New York Times reported on the topic. In the meantime, and to resolve the blockage, IETF leadership has altered the charter to remove any mention of racism or specific problematic terms.

  • Contact: Niels ten Oever