Skip to Content

Cybersecurity & Standards

I* Newsletter: Kenya recognizes community networks, mitigating widespread surveillance by ISPs

“I*: Navigating Internet Governance and Standards” was a monthly newsletter distributed by the Center for Democracy & Technology (CDT), and compiled by the Public Interest Technology Group (PITG), a group of expert technologists who work across a complex landscape of internet standards development (“I”) organizations that convene in the public interest.

The newsletter highlighted emerging internet infrastructure issues that affect privacy, free expression, and more, clearly explaining their technical underpinnings.

# SugarCoat: Privacy or Compatibility, Pick Any Two: Brave Software, in collaboration with the University of California San Diego, developed an open-source tool to prevent the web compatibility issues that arise when blocking malicious scripts that are tightly integrated with websites. Called SugarCoat, the tool automatically generates privacy-preserving versions of tracking scripts.

# Describing Rogue Behavior in the DNS Root Zone: The internet’s Root Server System (RSS) provides responses to queries for data in the root zone, or the highest level of the Domain Name System (DNS) hierarchy. The resolvers that rely on the system — provided by ISPs or companies like Cloudflare or Google — trust that every query to any Root Server Operator (RSO) will correctly map a requested website to an IP address; this trust is based on decades of positive experience.

A rogue operator has the potential to abuse this trust in a variety of ways, including by providing incorrect or extra responses, stripping encryption, or intentionally degrading service. A new report from the ICANN Root Server System Advisory Committee (RSSAC) — which advises the ICANN community on matters relating to the operation, administration, security, and integrity of the RSS — details criteria for considering an RSO’s activities as rogue, along with a few examples of those behaviors. Determining whether these behaviors are rogue also involves determining the intent.

Said the Center for Democracy & Technology’s Mallory Knodel, “This document describes, in careful language built on the consensus of experts in the technical community, what constitutes behavior that threatens the health of a critical component of the core of the internet. The major challenges facing global internet governance would be better resolved by focusing more on describing behavior, and less on geopolitics.”

# Kenya Recognizes Community Networks with New License: Recently, Kenya made a regulatory move to allow the operations of community networks, a welcome step in advancing freedom of expression and expanding civic space online. These regulations enhance the diversity of internet connection models and ensure that even marginalised communities can be connected to the internet. This is especially important in cases where big telecommunications providers had previously not seen a profitable business case for connecting such populations.

# Popular OpenSSL Project Forked Over Differences in Supporting QUIC: At the 112th meeting of the Internet Engineering Task Force (IETF 112), a side meeting discussed software libraries needed to implement the new QUIC protocol, which provides integrated security and transport services for internet traffic. Its transport features are more flexible than those offered by the well-established TCP (“Transport Control Protocol”), and its security features offer similar guarantees to those made by the also well-established TLS (“Transport Layer Security”) protocol.

QUIC itself makes use of TLS’s cryptographic handshake to initiate its secure communications, even though QUIC’s traffic differs from TLS’s. Many QUIC implementations will depend on an external TLS library for setting up the TLS handshake so that the QUIC implementers can focus on QUIC-specific details.

One of the most widely-distributed and well-maintained free and open-source implementations of the TLS protocol is a software library named OpenSSL. However, OpenSSL recently declined to merge an offered set of changes that would have allowed QUIC implementations to rely on the library. Project maintainers have announced that, instead, they want to implement their own (but potentially incomplete) QUIC implementation.

In response, Microsoft and Akamai have begun a fork of OpenSSL that will provide the interface to OpenSSL’s TLS mechanisms for QUIC implementations. It remains to be seen in the long term whether this fork will be widely adopted and distributed, whether OpenSSL project maintainers will change their decision and integrate this functionality, or whether a general QUIC<->TLS API will be developed so that QUIC implementations can choose from multiple different TLS implementations.

The long-term health of new protocols like QUIC depends on successful diverse implementations and reliable open-source infrastructure, including a widely-available, well-maintained TLS library with the hooks to support QUIC, but whether or where that infrastructure will come from is now in flux.

# W3C Inclusion Fund: At its yearly Technical Plenary and Advisory Committee conference, the World Wide Web Consortium (W3C) revised its Inclusion Fund to respond to the obstacles that might block participation from underrepresented groups. Even as it may be easier to “travel” to a virtual meeting, the fund offered reimbursement to remove other barriers, such as for assistive technology or caring support. W3C seeks additional Inclusion Fund sponsorships for next year.

# Widespread Surveillance by ISPs, and How to Mitigate It: Last month, the staff of the U.S. Federal Trade Commission (FTC) published a report summarizing the data practices of several large U.S. Internet Service Providers (ISPs), with comprehensive and shocking findings. As the FTC Chair noted, ISPs “are surveilling users across a broad swath of activities,” and “aggregate a staggering array of data” that is re-used to sell highly-targeted advertising.

At the Internet Engineering Task Force (IETF) and other internet governance venues, the technical community has been steadily improving protections that may provide some (though incomplete) privacy from the snooping of your network provider. These include HTTPS to encrypt the contents of web traffic, Virtual Private Networks to encrypt network traffic to a different network provider, DNS-over-HTTPS to encrypt web address lookups, and — to come — Encrypted Client Hello to encrypt initial connections that include the name of the service being requested. The FTC report on the active use of surveillance practices by ISPs emphasizes the broad and urgent need for these technical protections.

At the same time, we simply shouldn’t accept that broad surveillance is now commonplace from the companies that virtually every student, family, and worker has no choice but to purchase service from in order to conduct the necessary activities of modern life.

Network providers may also be undermining the privacy choices made by users on their own devices. Choices to opt out of location tracking, data collection for behaviorally-targeted advertising, and sale of data may all be undone by an ISP who continues to collect that data and then uses it to target advertising. The report also hints at ongoing use by at least two U.S. ISPs of “header enrichment,” which can defeat privacy controls on a user’s browser or device by secretly introducing identifiers even after a user clears cookies. Operating at a lower layer of the internet must not become a workaround to evade user choices and privacy tools.

# Privacy for Mobility: The recently-launched Privacy Principles for Mobility Data — a collaborative effort among city transportation agencies, mobility services, privacy advocates, academics, and others — sets a new standard for privacy for mobility data, putting people first. Notably, the principles focus on community engagement and input, especially from historically marginalised communities, in decisions about uses of mobility data.

One of the architects of the document, Christine Runnegar, says, “People should not have to choose between privacy and mobility. Yet, increasingly, transportation services come with embedded sensors and other forms of tracking posing a threat to users’ privacy. It’s crucial that public and private mobility services step up and make a strong commitment to maintain user privacy.”