Snowden to the IETF: Please make an internet for users, not the spies
Whistleblower addresses Prague meeting of 'net engineers
NSA whistleblower Edward Snowden has urged the world's leading group of internet engineers to design a future 'net that puts the user in the center, and so protects people's privacy.
Speaking via webcast to a meeting in Prague of the Internet Engineering Task Force (IETF), the former spy talked about a range of possible changes to the basic engineering of the global communications network that would make it harder for governments to carry out mass surveillance.
The session was not recorded, but a number of attendees live-tweeted the confab. It was not an official IETF session, but one organized by attendees at the Prague event and using the IETF's facilities. It followed a screening of the film Citizenfour, which documents the story of Snowden leaking NSA files to journalists while in a hotel room in Hong Kong.
"Who is the Internet for, who does it serve, who is the IETF's ultimate customer?" Snowden asked, rhetorically. The answer was users, not government and not business.
But, he said, the current internet protocols were leaking too much data about users. "We need to divorce identity from persona in a lasting way," he argued, highlighting how the widespread use of credit cards online was connecting identity to online activity.
"If it's creating more metadata, this is in general a bad thing." Instead, protocols should "follow users' intent." He argued that DNS queries should be encrypted – as well as actual content – so that encryption, rather than surveillance, was the norm. "People are being killed based on metadata," he noted.
Snowden appeared to have a good understanding of how the internet's protocols work, and pointed to a new protocol called SPUD that combines transport protocols to reduce the number of "middleboxes" that data needs to travel through when users interact online.
Snowden noted that the network path was the best place for spies to get access to information and that each middlebox provided another potential point of attack, but also warned that SPUD could make the core UDP internet protocol "a new channel for leaking metadata about users' intents."
He also argued that having identifiable "long lasting" hardware addresses was "extremely dangerous," as it connects people to, say, a MAC address when they use wireless internet connections, which can put an immediate flag on their identity and location.
Snowden's speech was met with a standing ovation. Which is hardly surprising – the IETF and internet engineers in general tend to have a strong independent streak, and many are still embarrassed by the fact that the NSA managed to crack a number of key internet protocols developed by the IETF and even subvert some of its working groups in their bid to develop new standards that would give the spooks easy access.
One of the IETF's first responses to the Snowden revelations was the creation of a new RFC document, which currently serves as "best current practice." In RFC 7258, the organization notes that "Pervasive Monitoring Is a Widespread Attack on Privacy" and "The IETF Will Work to Mitigate Pervasive Monitoring." ®