An Open Letter to the Internet Engineering Task Force
November 8, 1999
IETF Secretariat
c/o Corporation for National Research Initiatives
1895 Preston White Drive, Suite 100
Reston, VA, USA 20191-5434
+1 703 620 9071 (fax)Dear IETF Members,
We are writing to urge the IETF not to adopt new protocols or modify existing protocols to facilitate eavesdropping. Based on our expertise in the fields of computer security, cryptography, law, and policy, we believe that such a development would harm network security, result in more illegal activities, diminish users' privacy, stifle innovation, and impose significant costs on developers of communications. At the same time, it is likely thatInternet surveillance protocols would provide little or no real benefit for law enforcement.
o Protocols to allow surveillance will undermine network security. Ensuring adequate security on the Internet is extremely difficult. The President's Commission on Critical Infrastructure Protection identified the Internet as a critical but vulnerable infrastructure. Any protocol that requires backdoors or other methods of ensuring surveillance will create new security holes that can be exploited. In addition, the increased complexity of the systems will further undermine security and increase costs of development and implementation. The National Research Council "Trust in Cyberspace" report identified increasing complexity as a core cause of decreasing security. The new security holes will likely cause more economic and personal harm than any interceptions facilitated will prevent.
o The proposed protocols will stifle development of new communications technologies. Any requirement to ensure that every new communications system includes eavesdropping capabilities will limit the ability of companies and individuals to fully develop and deploy new communications technologies. In the United States, the Communications Assistance for Law Enforcement Act (CALEA) has delayed the development of new telephone, cellular and satellite communications technologies as conflicts over the surveillance standards have continued.
o There are no legal requirements for the IETF to develop surveillance protocols. There are no current requirements under U.S. law requiring that computer networks facilitate surveillance. The U.S. Congress, when enacting CALEA, specifically rejected the inclusion of computer networks in the statutory mandate. In addition, it is inconsistent with laws in other jurisdictions, such as the European Union Directive 97/66/EC of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector, requiring that every provider of telecommunications services "must take appropriate technical and organisational measures to safeguard security of its services."
o Surveillance protocols will not prevent crime. Even if the IETF>were to develop protocols that facilitated surveillance, it would not prevent crime as most significant criminal enterprises (i.e., those important enough to warrant being placed under surveillance in the first place) would be sophisticated enough to use end-to-end encryption products to prevent decoding of the intercepted communications. Indeed, almost all national governments have rejected calls for mandatory key-escrow encryption because they recognize that it would not be effective.
o Building in surveillance protocols is inconsistent with the previous activities of the IETF. The IETF has long attempted to increase the reliability, security, and privacy of computer networks. The August 1996 Internet Advisory Board (IAB) and Internet Engineering Steering Group (IESG) Statement on Cryptographic Technology and the Internet (RFC 1984) called for the availability and development of stronger tools to protect security and privacy of network users and rejected limitations on computer security based on country requirements for interception. More recently, the IETF agreed to incorporate encryption into IPv6, even in the face of domestic and export controls in some countries. It would be a dramatic change in policy for the IETF to now begin work on developing surveillance capabilities for IP Voice.
o The proposal will have severe consequences in many non-democratic countries. Privacy of communications is a fundamental human right recognized in the United National Declaration of Human Rights, the International Covenant on Civil and Political Rights and many other international human rights agreements that have been signed by nearly every nation in the world. However, in many nations, those fundamental rights are routinely violated by the national governments and others. The U.S. State Department reported in its 1998 survey of human rights that governments in over 90 countries were conducting illegal surveillance of their citizens. The protocols would continue and likely expand that surveillance.
In conclusion, we urge the IETF to reject the development and inclusion of these protocols.
Sincerely,
Austin Hill
Zero-Knowledge SystemsSteven Aftergood
Federation of American ScientistsYaman Akdeniz
Cyber-Rights & Cyber-Liberties (UK)David Banisar
Attorney and author, The Electronic Privacy PapersSteve Bellovin
AT&T Labs- ResearchMatt Blaze
AT&T Labs - ResearchCaspar Bowden
Foundation for Information Policy ResearchJean Camp
Harvard UniversityJason Catlett
Junkbusters Inc.Roger Clarke
Xamax Consultancy Pty LtdLance Cottrell
Anonymizer Inc.Rick Crawford
UC Davis Computer Security GroupProfessor George Davida
University of Wisconsin - MilwaukeeAlan Davidson
Center for Democracy and TechnologySimon Davies
Privacy InternationalLisa S. Dean
Free Congress FoundationWhitfield Diffie
Sun MicrosystemsBrian K. Durham
Dave Farber
University of PennsylvaniaClinton Fein
ApolloMedia CorporationLeonard N. Foner
MIT Media LabMichael Froomkin
University of Miami School of LawEmily Frye esq.
iWitness, Inc.John Gilmore
co-founder, Electronic Frontier FoundationBrian R. Gladman
Information Security ConsultantEllen Hanratty
Medicine Hawk PublicationsRoger Harrison
Independent security consultantMark W. Heaphy
Wiggin & DanaPaul Hoffman
Internet Mail Consortium and VPN ConsortiumGus Hosein
London School of EconomicsEric Hughes
Signet Assurance CompanyInstitute of Electrical and Electronics Engineers (IEEE), USA
Joichi Ito
Neoteny, Inc.Jerry Kang
UCLA School of LawPhil Karn
QualcommSusan Landau
Sun Microsystems Inc.Ben Laurie - Apache Software Foundation,
OpenSSL Group and A.L. Digital LtdBill Lemieux
Technical AlchemyLawrence Lessig
Harvard Law SchoolRalph Mackiewicz
SISCO, Inc.Russell McOrmond
FLORA Community WEBWilliam Hugh Murray, CISSP
Peter Neumann
SRIGrover G. Norquist
Americans for Tax ReformRichard Payne
Dinah PoKempner
Human Rights WatchJean-Jacques Quisquater
UCL Crypto Group and Math RiZKDonald Ramsbottom LL.B, BA (Hons).
RAMSBOTTOM & Co. SolicitorsMichael Richardson
Sandelman Software WorksRonald L. Rivest
MITMarc Rotenberg
Electronic Privacy Information CenterPamela Samuelson
Professor of Information Management and of Law, UC BerkeleyWilliam L. Schrader
Chairman, CEO and Founder
PSINet Inc.Bruce Schneier
Counterpane SystemsBarbara Simons
Association for Computing MachineryTim Skorick
Technical Security ContractorRichard M. Smith
Independent security consultantDavid Sobel
Electronic Privacy Information CenterShari Steele
Electronic Frontier FoundationBarry Steinhardt
American Civil Liberties UnionDavid Wagner
University of California, BerkeleyCoralee Whitcomb
Computer Professionals for Social ResponsibilityPhilip R. Zimmermann
Network Associates
Affiliations for identification purposes only.