
Re: Last Call: <draft-farrell-perpass-attack-02.txt> (Pervasive Monitoring is an Attack) to Best Current Practice

2013-12-17 05:01:56
----- Original Message -----
From: "Andrew Sullivan" <ajs(_at_)anvilwalrusden(_dot_)com>
To: <ietf(_at_)ietf(_dot_)org>
Sent: Monday, December 16, 2013 9:50 PM
> On Mon, Dec 16, 2013 at 09:32:29PM +0000, Stephen Farrell wrote:
>
>> And don't forget that we are not here saying that all IETF
>> protocols MUST be proof against pervasive monitoring - email
>> for example isn't and we're not going to stop sending mail.

> Right, but the very same technical acts against an email stream are
> either an attack or a service, depending on the situation from the POV
> of the users.
>
> For instance, many businesses scan all mail that comes and goes
> through the corporate servers in order to ensure certain legal
> compliance requirements are satisfied.
>
> The same style of scanning can be applied in an effort to look for
> "terrorists" or whatever.
>
> I claim that the first of these is not one of the forms of "attack",
> as long as the users affected know that this is happening (because,
> for example, the existence of the tool is disclosed as part of the
> corporate policies).  When governments or $bigprovider or whoever does
> it without the user knowing, then it's an attack.  But as written, the
> draft currently classifies the first of these cases as an attack also.
> I think that strains even the constrained meaning of "attack" as used
> in this draft.  (I could equally be persuaded that the document just
> needs to embrace this odd consequence of the definition, and call it
> out.)

Spot on.

A sea change with websites over the past year or two, probably the
result of an EU directive, is that many if not most websites are now
most informative about Cookies, what they are, how they are used and so
on, before inviting their use.

Cookies are of course a form of pervasive monitoring and without such
information, they are an attack; with it, they are not (we technicians
may have known that for years but not acted upon it).

What we need is a similar statement about all the other information that
websites upload from us.  Google has been mentioned, but when looking at
an airline website yesterday, I was surprised to find that connections
were set up to another 10 or so sites, most of which I had never heard
of and whose names had no resemblance to that of the airline or any of
its partners.  And no, I had not clicked any buttons (Like, Twitter,
Facebook etc) anywhere, just entered From, To and Date.  That is an
attack.  That is what we should be calling out (although perhaps not in
this I-D).

Tom Petch

> Best regards,
>
> A
> --
> Andrew Sullivan
> ajs(_at_)anvilwalrusden(_dot_)com
