An Open Letter to the Internet Engineering Task Force
November 8, 1999
IETF Secretariat
c/o Corporation for National Research Initiatives
1895 Preston White Drive, Suite 100
Reston, VA, USA 20191-5434
+1 703 620 9071 (fax)
Dear IETF Members,
We are writing to urge the IETF not to adopt new protocols or
modify existing protocols to facilitate eavesdropping. Based on
our expertise in the fields of computer security, cryptography,
law, and policy, we believe that such a development would harm
network security, result in more illegal activities, diminish
users' privacy, stifle innovation, and impose significant costs on
developers of communications. At the same time, it is likely that
Internet surveillance protocols would provide little or no real
benefit for law enforcement.
- Protocols to allow surveillance will undermine network security.
Ensuring adequate security on the Internet is extremely difficult.
The President's Commission on Critical Infrastructure Protection
identified the Internet as a critical but vulnerable
infrastructure. Any protocol that requires backdoors or other
methods of ensuring surveillance will create new security holes
that can be exploited. In addition, the increased complexity of
the systems will further undermine security and increase costs of
development and implementation. The National Research Council
"Trust in Cyberspace" report identified increasing complexity as a
core cause of decreasing security. The new security holes will
likely cause more economic and personal harm than any
interceptions facilitated will prevent.
- The proposed protocols will stifle development of new
communications technologies. Any requirement to ensure that every
new communications system includes eavesdropping capabilities will
limit the ability of companies and individuals to fully develop
and deploy new communications technologies. In the United States,
the Communications Assistance for Law Enforcement Act (CALEA) has
delayed the development of new telephone, cellular and satellite
communications technologies as conflicts over the surveillance
standards have continued.
- There are no legal requirements for the IETF to develop
surveillance protocols. There are no current requirements under
U.S. law requiring that computer networks facilitate surveillance.
The U.S. Congress, when enacting CALEA, specifically rejected the
inclusion of computer networks in the statutory mandate. In
addition, it is inconsistent with laws in other jurisdictions,
such as the European Union Directive 97/66/EC of 15 December 1997
concerning the processing of personal data and the protection of
privacy in the telecommunications sector, requiring that every
provider of telecommunications services "must take appropriate
technical and organisational measures to safeguard security of its
services."
- Surveillance protocols will not prevent crime. Even if the IETF
were to develop protocols that facilitated surveillance, it would
not prevent crime as most significant criminal enterprises (i.e.,
those important enough to warrant being placed under surveillance
in the first place) would be sophisticated enough to use
end-to-end encryption products to prevent decoding of the
intercepted communications. Indeed, almost all national
governments have rejected calls for mandatory key-escrow
encryption because they recognize that it would not be effective.
- Building in surveillance protocols is inconsistent with the
previous activities of the IETF. The IETF has long attempted to
increase the reliability, security, and privacy of computer
networks. The August 1996 Internet Advisory Board (IAB) and
Internet Engineering Steering Group (IESG) Statement on
Cryptographic Technology and the Internet (RFC 1984) called for
the availability and development of stronger tools to protect
security and privacy of network users and rejected limitations on
computer security based on country requirements for interception.
More recently, the IETF agreed to incorporate encryption into
IPv6, even in the face of domestic and export controls in some
countries. It would be a dramatic change in policy for the IETF to
now begin work on developing surveillance capabilities for IP
Voice.
- The proposal will have severe consequences in many
non-democratic countries. Privacy of communications is a
fundamental human right recognized in the United National
Declaration of Human Rights, the International Covenant on Civil
and Political Rights and many other international human rights
agreements that have been signed by nearly every nation in the
world. However, in many nations, those fundamental rights are
routinely violated by the national governments and others. The
U.S. State Department reported in its 1998 survey of human rights
that governments in over 90 countries were conducting illegal
surveillance of their citizens. The protocols would continue and
likely expand that surveillance.
In conclusion, we urge the IETF to reject the development and
inclusion of these protocols.
Sincerely,
Austin Hill
Zero-Knowledge Systems
Steven Aftergood
Federation of American Scientists
Yaman Akdeniz
Cyber-Rights & Cyber-Liberties (UK)
David Banisar
Attorney and author, The Electronic Privacy Papers
Steve Bellovin
AT&T Labs- Research
Matt Blaze
AT&T Labs - Research
Caspar Bowden
Foundation for Information Policy Research
Jean Camp
Harvard University
Jason Catlett
Junkbusters Inc.
Roger Clarke
Xamax Consultancy Pty Ltd
Lance Cottrell
Anonymizer Inc.
Rick Crawford
UC Davis Computer Security Group
Professor George Davida
University of Wisconsin - Milwaukee
Alan Davidson
Center for Democracy and Technology
Simon Davies
Privacy International
Lisa S. Dean
Free Congress Foundation
Whitfield Diffie
Sun Microsystems
Brian K. Durham
Dave Farber
University of Pennsylvania
Clinton Fein
ApolloMedia Corporation
Leonard N. Foner
MIT Media Lab
Michael Froomkin
University of Miami School of Law
Emily Frye esq.
iWitness, Inc.
John Gilmore
co-founder, Electronic Frontier Foundation
Brian R. Gladman
Information Security Consultant
Ellen Hanratty
Medicine Hawk Publications
Roger Harrison
Independent security consultant
Mark W. Heaphy
Wiggin & Dana
Paul Hoffman
Internet Mail Consortium and VPN Consortium
Gus Hosein
London School of Economics
Eric Hughes
Signet Assurance Company
IEEE USA
Joichi Ito
Neoteny, Inc.
Jerry Kang
UCLA School of Law
Phil Karn
Qualcomm
Susan Landau
Sun Microsystems Inc.
Ben Laurie - Apache Software Foundation,
OpenSSL Group and A.L. Digital Ltd
Bill Lemieux
Technical Alchemy
Lawrence Lessig
Harvard Law School
Ralph Mackiewicz
SISCO, Inc.
Russell McOrmond
FLORA Community WEB
William Hugh Murray, CISSP
Peter Neumann
SRI
Grover G. Norquist
Americans for Tax Reform
Richard Payne
Dinah PoKempner
Human Rights Watch
Jean-Jacques Quisquater
UCL Crypto Group and Math RiZK
Donald Ramsbottom LL.B, BA (Hons).
RAMSBOTTOM & Co. Solicitors
Michael Richardson
Sandelman Software Works
Ronald L. Rivest
MIT
Marc Rotenberg
Electronic Privacy Information Center
Pamela Samuelson, Professor of
Information Management and of Law, UC Berkeley
William L. Schrader
Chairman, CEO and Founder
PSINet Inc.
Bruce Schneier
Counterpane Systems
Barbara Simons
Association for Computing Machinery
Tim Skorick
Technical Security Contractor
Richard M. Smith
Independent security consultant
David Sobel
Electronic Privacy Information Center
Shari Steele
Electronic Frontier Foundation
Barry Steinhardt
American Civil Liberties Union
David Wagner
University of California, Berkeley
Coralee Whitcomb
Computer Professionals for Social Responsibility
Philip R. Zimmermann
Network Associates
Affiliations for identification purposes only.
Back to the Policy Archive.
Page last updated November 11, 1999.