Information Security News mailing list archives
Open letter to IETF on wiretapping the Net; WashPost article
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Wed, 10 Nov 1999 18:31:31 -0700
From: "Jay D. Dyson" <jdyson () techreports jpl nasa gov>

Courtesy of Politech List.

---------- Forwarded message ----------
From: Declan McCullagh <declan () well com>

Washington Post finally covers the IETF wiretap debate:
http://washingtonpost.com/wp-dyn/business/A43441-1999Nov9.html

I just got back to DC and will be at the IETF debate tonight on this.

=========

An Open Letter to the Internet Engineering Task Force

November 8, 1999

IETF Secretariat
c/o Corporation for National Research Initiatives
1895 Preston White Drive, Suite 100
Reston, VA, USA 20191-5434
+1 703 620 9071 (fax)

Dear IETF Members,

We are writing to urge the IETF not to adopt new protocols or modify existing protocols to facilitate eavesdropping. Based on our expertise in the fields of computer security, cryptography, law, and policy, we believe that such a development would harm network security, result in more illegal activities, diminish users' privacy, stifle innovation, and impose significant costs on developers of communications. At the same time, it is likely that Internet surveillance protocols would provide little or no real benefit for law enforcement.

o Protocols to allow surveillance will undermine network security.
  Ensuring adequate security on the Internet is extremely difficult. The President's Commission on Critical Infrastructure Protection identified the Internet as a critical but vulnerable infrastructure. Any protocol that requires backdoors or other methods of ensuring surveillance will create new security holes that can be exploited. In addition, the increased complexity of the systems will further undermine security and increase costs of development and implementation. The National Research Council "Trust in Cyberspace" report identified increasing complexity as a core cause of decreasing security. The new security holes will likely cause more economic and personal harm than any interceptions facilitated will prevent.

o The proposed protocols will stifle development of new communications technologies.
  Any requirement to ensure that every new communications system includes eavesdropping capabilities will limit the ability of companies and individuals to fully develop and deploy new communications technologies. In the United States, the Communications Assistance for Law Enforcement Act (CALEA) has delayed the development of new telephone, cellular and satellite communications technologies as conflicts over the surveillance standards have continued.

o There are no legal requirements for the IETF to develop surveillance protocols.
  There are no current requirements under U.S. law requiring that computer networks facilitate surveillance. The U.S. Congress, when enacting CALEA, specifically rejected the inclusion of computer networks in the statutory mandate. In addition, it is inconsistent with laws in other jurisdictions, such as the European Union Directive 97/66/EC of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector, requiring that every provider of telecommunications services "must take appropriate technical and organisational measures to safeguard security of its services."

o Surveillance protocols will not prevent crime.
  Even if the IETF were to develop protocols that facilitated surveillance, it would not prevent crime as most significant criminal enterprises (i.e., those important enough to warrant being placed under surveillance in the first place) would be sophisticated enough to use end-to-end encryption products to prevent decoding of the intercepted communications. Indeed, almost all national governments have rejected calls for mandatory key-escrow encryption because they recognize that it would not be effective.

o Building in surveillance protocols is inconsistent with the previous activities of the IETF.
  The IETF has long attempted to increase the reliability, security, and privacy of computer networks. The August 1996 Internet Advisory Board (IAB) and Internet Engineering Steering Group (IESG) Statement on Cryptographic Technology and the Internet (RFC 1984) called for the availability and development of stronger tools to protect security and privacy of network users and rejected limitations on computer security based on country requirements for interception. More recently, the IETF agreed to incorporate encryption into IPv6, even in the face of domestic and export controls in some countries. It would be a dramatic change in policy for the IETF to now begin work on developing surveillance capabilities for IP Voice.

o The proposal will have severe consequences in many non-democratic countries.
  Privacy of communications is a fundamental human right recognized in the United National Declaration of Human Rights, the International Covenant on Civil and Political Rights and many other international human rights agreements that have been signed by nearly every nation in the world. However, in many nations, those fundamental rights are routinely violated by the national governments and others. The U.S. State Department reported in its 1998 survey of human rights that governments in over 90 countries were conducting illegal surveillance of their citizens. The protocols would continue and likely expand that surveillance.

In conclusion, we urge the IETF to reject the development and inclusion of these protocols.

Sincerely,

Austin Hill, Zero-Knowledge Systems
Steven Aftergood, Federation of American Scientists
Yaman Akdeniz, Cyber-Rights & Cyber-Liberties (UK)
David Banisar, Attorney and author, The Electronic Privacy Papers
Steve Bellovin, AT&T Labs - Research
Matt Blaze, AT&T Labs - Research
Caspar Bowden, Foundation for Information Policy Research
Jean Camp, Harvard University
Jason Catlett, Junkbusters Inc.
Roger Clarke, Xamax Consultancy Pty Ltd
Lance Cottrell, Anonymizer Inc.
Rick Crawford, UC Davis Computer Security Group
Professor George Davida, University of Wisconsin - Milwaukee
Alan Davidson, Center for Democracy and Technology
Simon Davies, Privacy International
Lisa S. Dean, Free Congress Foundation
Whitfield Diffie, Sun Microsystems
Brian K. Durham
Dave Farber, University of Pennsylvania
Clinton Fein, ApolloMedia Corporation
Leonard N. Foner, MIT Media Lab
Michael Froomkin, University of Miami School of Law
Emily Frye esq., iWitness, Inc.
John Gilmore, co-founder, Electronic Frontier Foundation
Brian R. Gladman, Information Security Consultant
Ellen Hanratty, Medicine Hawk Publications
Roger Harrison, Independent security consultant
Mark W. Heaphy, Wiggin & Dana
Paul Hoffman, Internet Mail Consortium and VPN Consortium
Gus Hosein, London School of Economics
Eric Hughes, Signet Assurance Company
IEEE USA
Joichi Ito, Neoteny, Inc.
Jerry Kang, UCLA School of Law
Phil Karn, Qualcomm
Susan Landau, Sun Microsystems Inc.
Ben Laurie - Apache Software Foundation, OpenSSL Group and A.L. Digital Ltd
Bill Lemieux, Technical Alchemy
Lawrence Lessig, Harvard Law School
Ralph Mackiewicz, SISCO, Inc.
Russell McOrmond, FLORA Community WEB
William Hugh Murray, CISSP
Peter Neumann, SRI
Grover G. Norquist, Americans for Tax Reform
Richard Payne
Dinah PoKempner, Human Rights Watch
Jean-Jacques Quisquater, UCL Crypto Group and Math RiZK
Donald Ramsbottom LL.B, BA (Hons), RAMSBOTTOM & Co. Solicitors
Michael Richardson, Sandelman Software Works
Ronald L. Rivest, MIT
Marc Rotenberg, Electronic Privacy Information Center
Pamela Samuelson, Professor of Information Management and of Law, UC Berkeley
William L. Schrader, Chairman, CEO and Founder, PSINet Inc.
Bruce Schneier, Counterpane Systems
Barbara Simons, Association for Computing Machinery
Tim Skorick, Technical Security Contractor
Richard M. Smith, Independent security consultant
David Sobel, Electronic Privacy Information Center
Shari Steele, Electronic Frontier Foundation
Barry Steinhardt, American Civil Liberties Union
David Wagner, University of California, Berkeley
Coralee Whitcomb, Computer Professionals for Social Responsibility
Philip R. Zimmermann, Network Associates

Affiliations for identification purposes only.

ISN is sponsored by Security-Focus.COM