05 Oct 2015
Two years have passed since the Snowden revelations, and almost two years since the IETF meeting in Vancouver. There was a palpable sense of urgency in the meeting, with more than a few hints of anger, as you can see watching the recording. But even with that kind of pressure, there were always some doubts that standard groups like the IETF could achieve significant results in a short time. Well, if we allow that two years is short enough for the IETF, we have in fact seen results.
I don't know if RFC 7624 will ever become a best seller, but it does present a comprehensive review of the threats to Internet privacy posed by global surveillance. It took two years and the merging of several drafts, in typical IETF fashion, but the message is clear. The analysis has informed two different types of actions: deploy encryption, and reduce the amount of meta-data leaked by various protocols.
Previous standards like HTTPS were already there, and the industry started deploying encryption without waiting. We could see the entries in the EFF's Encrypt the Web Report progressively turn green as big companies encrypted their web pages and services, their data storage, or email transmission. But new standards make the encryption more efficient and easier to deploy. In particular, the combination of HTTP/2.0 and TLS/1.3 will make encrypted transmission faster than legacy clear-text HTTP/1.0.
My personal efforts have been centered on the other part of the threat, traffic analysis and metadata collection, and I am glad that lots of my initial analyses found their way in RFC 7624. The connection of your computer or smart phone to the Internet relies on protocols like Ethernet, Wi-Fi, DHCP or the Domain Name System that were designed in the 80's or 90's. The priority then was to make the networks as reliable and as easy to manage as possible. As a result, the protocols carry identifiers like MAC Addresses, unique device identifiers or unique names. As you move through the Internet and connect to a variety of hot spots, the metadata reveal your identity and allows for location tracking and IP address to user name correlation. Traffic analysis gets much easier if the user of the IP address is known!
We are making progress. MAC Address Randomization, DHCP Anonymity and DNS Privacy are still work in progress, but the standards and early implementations are getting ready. That's the good news. The bad news is that even when we will be done, there are still two worrisome kinds of tracking: advertisement on the web, and cell phone locations. Ad blockers may impede web tracking, but for cell phones the only plausible solution so far is the "airplane mode." A little more work is needed there!