Brussels / 1 & 2 February 2020


RFC 1984

Or why you should start worrying about encryption backdoors and mass data collection

In 1996 Brian E. Carpenter of the IAB and Fred Baker of the IETF wrote a joint statement on cryptographic technology and the Internet. This RFC wasn't a request for a technical standard; it was a statement of their concerns about governments trying to restrict or interfere with cryptography. They felt that there was a need to offer "all Internet users an adequate degree of privacy".

Since then, successive governments around the world have sought to build back doors into encrypted apps and services to access more citizen and visitor data. In July 2019 the Attorney General of the United States, William Barr, stated: “Some argue that, to achieve at best a slight incremental improvement in security, it is worth imposing a massive cost on society in the form of degraded safety,” i.e. for the sake of security Americans should accept weakened encryption. The head of the FBI also claimed that weakened encryption wouldn't break it. At the moment the US Government is actively trying to stop Facebook implementing end-to-end encryption across its suite of apps.

In Australia the metadata retention laws have been abused against journalists, with 58 searches carried out by the AFP. In 2015 ACT police carried out 115 metadata searches. UK officials have a cavalier attitude to the EU SIS database, which tracks undocumented migrants, missing people, stolen cars and suspected criminals.

The EU isn't immune to this either, with France considering implementing facial recognition in its government services.

IETF Session 105 mentioned privacy and concerns about the mass collection of data. While the IAB and IESG were worried about US export controls on cryptography, there is an argument for RFC 1984 to be updated to include the unnecessary mass collection of data, and to use it as a term for IT professionals, privacy advocates and the public to rally behind.

In this talk let's recount a brief history of governments around the world wanting to weaken encryption, as RFC 1984 warned us about.

We live in a time where citizens put data into commercial, healthcare and government systems to access services, and some services are only accessible online. From CCTV to Facebook, people have little understanding of why mass collection of data is dangerous. There is little scrutiny of who can access that data, from Scotland to the US.

Open surveillance is only a small part of the picture when profiling citizens. It still counts as personal data when combined with metadata and the actual data that people put into social media and services like ancestry DNA test kits. Businesses that use CCTV have to put up signs to warn the public they are recording. So-called anonymized data still contains identifiers that can be tied to individuals.

Let's talk about Ovid and peacocks. Let's explore how to expand the RFC to cover recent developments in surveillance capitalism, with governments accessing that data but not securing it. We need to make it clear that weakened encryption and the mass collection and careless retention of data aren't acceptable. RFC 1984 became a Best Current Practice in 2015; we need to do more to raise awareness and to implement it in our projects.

Why we need to implement RFC 1984:

"The Internet Architecture Board (IAB) and the Internet Engineering Steering Group (IESG), [...] are concerned by the need for increased protection of international commercial transactions on the Internet, and by the need to offer all Internet users an adequate degree of privacy."

I'd like to start by briefly mentioning Ovid and the legend of Io. Ovid was anti-authoritarian during the time of Augustus, as he'd been exiled by the Emperor. He wrote The Metamorphoses, an epic poem about Greek myths with the theme of transformation. The myth is often used as a metaphor for surveillance, with Io suffering restriction of liberty and being abused by authority. Being turned into a cow was bad enough; to make things worse she was constantly watched by Argus (Argus Panoptes), the hundred-eyed giant and agent of Hera, another authority. Argus is a great name for a security firm; in fact there are quite a few firms that use an eye in their logo.

Pop culture like Neil Gaiman's American Gods on Amazon has also referenced this legend to show surveillance and how it can convey power to authority. A modern interpretation of the myth could argue that Hermes sending Argus to sleep in order to kill him is a good metaphor for adversaries using exploits to subvert and disable surveillance and so gain access to citizens' data. We focus more on Argus, the agent of surveillance, than on Io, who was violated, changed and then incarcerated under surveillance against her will.

Argus Panoptes inspired the idea of the Panopticon, a building designed by the English philosopher Jeremy Bentham as a prison that could be observed by a single guard. Our Internet is in danger of becoming a virtual panopticon for future citizens. The EFF already started thinking about this with Panopticlick, so that you can test who's tracking you through your browser. So who's watching us?

Of course this explanation and the metaphor come from a Western perspective. Privacy doesn't mean the same thing in all countries and cultures. Neither does the symbolism of the peacock.

Many IT professionals treat RFCs as more like guidelines; popular email services have even been listed on RFC Ignorant and then its successor RFC Clueless. Sadly the giants often ignore RFCs, which breaks the idea of interoperable standards and protocols and leaves us in danger of being at the mercy of large hosting giants.

There is a narrative that has threaded through the media since that time: privacy is dead, and you need to give up that freedom to stay safe. Politicians like the UK Prime Minister David Cameron stated in 2015:

"In our country, do we want to allow a means of communication between people which even in extremis, with a signed warrant from the home secretary personally, that we cannot read? Up until now, governments have said: 'No, we must not'."

Malcolm Turnbull, the Australian Prime Minister, stated in 2017 that "the laws of Australia take precedence over the laws of mathematics."

With organizations like Palantir providing information to ICE to target illegal immigrants in the US, and the UK Home Office deliberately destroying data in the Windrush scandal, it's clear that human rights, specifically the right to privacy, are in danger. Recently the EU confirmed that UK Border Force officials had illegally copied Schengen SIS data to third-party organizations based in the US.

That's before I even start on repressive regimes, where that data can and will be used to oppress their citizens.

I propose a brief history of governments around the world wanting to weaken encryption, as RFC 1984 warned us about:

"The IAB and IESG are therefore disturbed to note that various governments have actual or proposed policies on access to cryptographic technology that either:

(a) impose restrictions by implementing export controls; and/or
(b) restrict commercial and private users to weak and inadequate mechanisms such as short cryptographic keys; and/or
(c) mandate that private decryption keys should be in the hands of the government or of some other third party; and/or
(d) prohibit the use of cryptology entirely, or permit it only to specially authorized organizations."

RFC 1984 was explicitly named to reference an Orwellian society that uses mass surveillance. Let's expand that beyond encryption to the mass collection of data and ask: how do we limit this? How do we limit access to this data? How do we stop the nightmare?

Addendum: As time goes on in the current political climate, I expect more focus by the media, the IAB and the IETF on this subject. So while the overall thrust of this presentation will be the same, I plan to keep it as fresh as possible.

I will be updating this talk with more of a focus on biometric data, including facial recognition.

I recently presented a version of this talk at UBUCON Europe in October 2019.


Esther Payne