from the but-that's-the-easy-bit dept
Edward Snowden's leaks show that the NSA and GCHQ have been systematically subverting key technologies that underlie the Internet. That betrayal of trust has prompted some soul-searching by the Net engineering community, which realizes that it needs to come up with more surveillance-resistant approaches. This story from Radio Netherlands Worldwide (RNW) provides information about the kind of thing they are working on in one key group, the Internet Engineering Task Force (IETF). It reports on a speech given by the IETF's chair, Jari Arkko, at the recent Internet Governance Forum in Bali, Indonesia.
Firstly, the IETF wants to eventually apply encryption to all web traffic.
Putting that in context, Axl Pavlik, the managing director of Europe's Internet Registry (RIPE NCC), notes that you can never stop surveillance completely, but you can make it more expensive:
"Today, security only gets switched on for certain services like banking," Arkko explained, referring to IETF-developed standards like SSL -- the little lock that appears in the upper left corner of your browser to secure online purchases. "If we work hard, we can make [the entire internet] secure by default." To this end, the IETF might make encryption mandatory for HTTP 2.0, a new version of the basic web protocol.
Secondly, the IETF plans to remove weak algorithms and strengthen existing algorithms behind encryption. This means that the US National Security Agency and other surveillors will find it harder to crack current forms of encryption.
"You and I have limited resources, and the surveillor has limited resources -- maybe more than we have -- but if millions of users of the internet raise the bar a little bit, the requirements to surveil every little bit of internet traffic would be much higher," he explained to RNW.
Mandatory use of encryption helps do that. And here's another good reason for adopting it:
The IETF's plans also benefit people who are already encrypting their online activities themselves, argued Marco Hogewoning, technical adviser to RIPE NCC. According to him, these people currently stick out like a sore thumb to the very surveillors they hope to evade.
He has a great analogy:
"If you see an armoured car now on the street, you know there must be something valuable inside," Hogewoning explained. "If everybody drives around in an armoured car, I can go around and put a lot of effort into breaking into each and every car, and hope I get lucky and find something valuable inside, but it might be empty. If everybody encrypts everything, all you can see is armoured cars."
However, valuable as these moves will be in raising the cost of surveillance, there is always the problem of the endpoints:
While the IETF might be able to secure the pipes through which users' data travel, users must also be able to trust the parties where their data is stored: software, hardware and services such as Cisco, Gmail and Facebook. These parties can hand over user data directly to government agencies.
To address that, technical improvements aren't enough -- we need political solutions, too. Unfortunately, those are rather more difficult to engineer.