Skip to Content

Cybersecurity & Standards

I* Newsletter: Traceability, secure messaging, and ITU leadership

“I*: Navigating Internet Governance and Standards” was a monthly newsletter distributed by the Center for Democracy & Technology (CDT), and compiled by the Public Interest Technology Group (PITG), a group of expert technologists who work across a complex landscape of internet standards development (“I”) organizations that convene in the public interest.

The newsletter highlighted emerging internet infrastructure issues that affect privacy, free expression, and more, clearly explaining their technical underpinnings.

# The Ministry And The Trace: Subverting End-To-End Encryption: A new law in India mandates that all messages exchanged on the country’s social media platforms be “traceable,” a requirement that undermines communications privacy. The government of India aims to trace content originators, and makes distracting claims that traceability will not “break” end-to-end encryption.

A new paper in the National University of Juridical Sciences, Kolkata, Law Review discusses the different ways of achieving traceability (dropping end-to-end encryption, hashing messages, and attaching originator information to messages), and how each comes with costs to security and privacy and enables new forms of surveillance.

Through a legal and constitutional analysis, the paper contends that traceability exceeds the scope of delegated legislation under India’s Information Technology Act and is at odds with the fundamental right to privacy. Coupled with the Indian government’s increasing use of national security laws to target dissenters and journalists, the new regulations portend a threat to the exercise of privacy and freedom of expression.

# “Secure Messaging” is No Substitute for Strong End-to-End Encryption: A draft document at the Internet Engineering Task Force attempts to thoroughly but accessibly define what end-to-end encryption actually is from the formal, functional, and user-facing perspectives. This multi-authored effort comes during a year of intense debate about the privacy trade-offs if encrypted messaging systems allowed for lawful access, traceability, or client-side scanning of content.

“End-to-end encryption is under attack again, and until we have an authoritative and clear definition of what it is, I’m afraid that attack will be, ahem, persistent,” said Mallory Knodel on Twitter this week. 

# Leadership of ITU Shapes Safety of International Internet Standards: Next year, the International Telecommunication Union (ITU) — a specialized UN agency — is set to elect its next Secretary-General. Doreen Bogdan-Martin, who currently leads the ITU Telecommunication Development Bureau, is a candidate sponsored by the United States for the post. 

An International Affairs Journal piece characterizes her as a puppet for U.S. hegemony, and appears to try to scare up support for the other announced candidate, Rashid Ismailov — a former deputy minister of Russia’s Ministry of Communications. The last eight years have proven how important the position is for influencing the approach that the ITU takes to internet-related standards and policy development, as under the direction of the current ITU Sec-Gen Houlin Zhao, the agency has moved closer to legitimizing dangerous technologies including the Digital Object Architecture, “New IP”, and facial recognition and other forms of biometric mass surveillance. 

# Raising the Bar on Privacy-Respecting Internet Measurement at the IETF: Last week, NetBlocks — an organization that uses a proprietary network measurement technique to determine where internet shutdowns are occurring worldwide – was revealed to have questionable practices, such as undisclosed experiments on visitors to its website that could endanger people.

Following this revelation, it’s clear that some guideline-setting for network measurement efforts — which measure the amount and type of traffic on a particular network at the expense of user privacy — is critical. Network measurement efforts must ensure that they are asking for consent from those whose data they are using, and protecting privacy and other networks’ data. They should also be transparent about their practices, such that they can be held accountable. In a proposed research document at the Internet Engineering Task Force (IETF) and the Internet Research Task Force (IRTF), the Privacy Enhancements and Assessments Research Group (PEARG) is developing guidelines for how to safely carry out these measurements.

Moreover, NetBlocks is a participant in the IETF and the IRTF. These are spaces in which participants should be collaborative rather than competitive, and seek open design and development that is definitively non-proprietary. 

“We need to ensure that the tools that measure internet accessibility do not trade off the privacy of those who benefit from, but are perhaps at risk because of, network measurement techniques,” says Mallory Knodel, an author of the safe measurement draft.

# Is It Still Centralization if a Different CDN Goes Down Every Month?: Content delivery networks (CDNs) exist on the premise that centralization of internet infrastructure can be cheaper for companies and result in faster service for users. Webpages load faster when served from a local cache close to the user’s location, but it’s hard for any individual company to offer that kind of global network. Hence, individual websites typically pay a company that has invested in that kind of infrastructure to host their content. 

Because of how expensive it is to build and maintain a global CDN, there are real concerns that they are centralizing, monopolistic, and anti-competitive. Thankfully, there isn’t only one competitive CDN in the market, as evidenced by the fact that a different CDN seems to go down every so often: Akamai last week, Fastly last month, Cloudflare a year ago.

Privacy engineer Shivan Sahibsays, “Failure is inevitable at the scale at which CDNs operate, which is a strong disincentive against centralization. It is increasingly good practice for companies to diversify their CDN provider, but there needs to be more than a few giants in the ecosystem.”

# How Multistakeholder Processes Shape Internet Policy: Debates in multistakeholder settings like the World Wide Web Consortium (W3C) often involve disagreement and conflict, especially over privacy and advertising, and usually have more than two diametrically opposed sides. In these bodies, some conflicts arise from confusion over the different roles that individuals play, both in representing an organization but also in collaborative problem-solving.

For public interest support of the Web, the internet, and other platforms, values like privacy must be integrated into engineering generally. But, for that mission to succeed, value-driven public policy goals such as privacy, security, and accessibility must also be aligned with the way the people who implement them work together.

# Tech Competition Governance in the U.K. is Working Against Civil Society: The United Kingdom’s Competition and Market Authority is requiring Google to give them 60 days’ notice before removing third-party cookie functionality from the Chrome browser on “fair competition grounds.” The change would limit access to first-party tracking information in the Chrome browser, and also interoperability — and the EU is following suit.

In the U.S., the proposed ACCESS Act would take steps towards interoperability between social media platforms, but would be centrally enforced by the U.S. Federal Trade Commission (FTC). While members of the Internet Engineering Task Force (IETF) and World Wide Web Consortium (W3C) have been doing a lot of privacy-preserving work, the U.K. policy and U.S. proposal seem to go in the opposite direction.

Although indications about red lines and required outcomes from independent authorities could be useful, particularly since they will shape incentives for market participants, decentralized models have stronger potential for bringing about improved alternatives. They involve diverse stakeholders and the empowerment of even smaller players, while fragmentation might actually exclude many players if the regulating bodies end up focused on local dynamics, like with the U.S. FTC.

At the IETF, several Requests For Comment suggest that all new Internet-Drafts (IDs) should contain a section for the authors to consider the security impact of their work, but there are no clear, predefined, or standard mechanisms for building in interoperability —  nor any type of guidelines that could potentially foster competition. Work groups nonetheless constantly consider interoperability, most of the time due to the industry experience of the members involved. The inclusion and consideration of interoperability and competition in standards development has been regulated by the open community at large, through its well-established feedback-and-edits iteration process.

And at the W3C, proposals aiming to enhance privacy protections, such as Google’s for mechanisms to replace third-party cookies, are similarly under review by members from interest, community, and work groups with diverse participation and public review.