summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc9446.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc9446.txt')
-rw-r--r--doc/rfc/rfc9446.txt1682
1 files changed, 1682 insertions, 0 deletions
diff --git a/doc/rfc/rfc9446.txt b/doc/rfc/rfc9446.txt
new file mode 100644
index 0000000..ccf1394
--- /dev/null
+++ b/doc/rfc/rfc9446.txt
@@ -0,0 +1,1682 @@
+
+
+
+
+Independent Submission S. Farrell
+Request for Comments: 9446 Trinity College, Dublin
+Category: Informational F. Badii
+ISSN: 2070-1721 Digital Medusa
+ B. Schneier
+ Harvard University
+ S. M. Bellovin
+ Columbia University
+ July 2023
+
+
+ Reflections on Ten Years Past the Snowden Revelations
+
+Abstract
+
+ This memo contains the thoughts and recountings of events that
+ transpired during and after the release of information about the
+ United States National Security Agency (NSA) by Edward Snowden in
+ 2013. There are four perspectives: that of someone who was involved
+ with sifting through the information to responsibly inform the
+ public, that of a security area director of the IETF, that of a human
+ rights expert, and that of a computer science and affiliate law
+ professor. The purpose of this memo is to provide some historical
+ perspective, while at the same time offering a view as to what
+ security and privacy challenges the technical community should
+ consider. These essays do not represent a consensus view, but that
+ of the individual authors.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This is a contribution to the RFC Series, independently of any other
+ RFC stream. The RFC Editor has chosen to publish this document at
+ its discretion and makes no statement about its value for
+ implementation or deployment. Documents approved for publication by
+ the RFC Editor are not candidates for any level of Internet Standard;
+ see Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc9446.
+
+Copyright Notice
+
+ Copyright (c) 2023 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+Table of Contents
+
+ 1. Introduction
+ 2. Bruce Schneier: Snowden Ten Years Later
+ 3. Stephen Farrell: IETF and Internet Technical Community Reaction
+ 4. Farzaneh Badii: Did Snowden's Revelations Help with Protecting
+ Human Rights on the Internet?
+ 5. Steven M. Bellovin: Governments and Cryptography: The Crypto
+ Wars
+ 5.1. Historical Background
+ 5.2. The Crypto Wars Begin
+ 5.3. The Battle Is Joined
+ 5.4. The Hidden Battle
+ 5.5. Whither the IETF?
+ 6. Security Considerations
+ 7. IANA Considerations
+ 8. Informative References
+ Acknowledgments
+ Authors' Addresses
+
+1. Introduction
+
+ On June 6th, 2013, an article appeared in _The Guardian_ [Guard2013]
+ that was the beginning of a series of what have come to be known as
+ the Snowden revelations, describing certain activities of the United
+ States National Security Agency (NSA). These activities included,
+ amongst others: secret court orders; secret agreements for the
+ receipt of so-called "meta-information" that includes source,
+ destination, and timing of communications; and tapping of
+ communications lines. The breathtaking scope of the operations
+ shocked the Internet technical community and resulted in a sea change
+ within the IETF, IAB, and other standards organizations.
+
+ Now that some years have passed, it seems appropriate to reflect on
+ that period of time and to consider what effect the community's
+ actions had, where security has improved, how the threat surface has
+ evolved, what areas haven't improved, and where the community might
+ invest future efforts.
+
+ Bruce Schneier begins this compendium of individual essays by
+ bringing us back to 2013, recalling how it was for him and others to
+ report what was happening, and the mindset of those involved. Next,
+ Stephen Farrell reviews the technical community's reactions and in
+ particular the reactions of the IETF community, technical advances,
+ and where threats remain. Then Farzaneh Badii discusses the impact
+ of those advances -- or lack thereof -- on human rights. Finally
+ Steven M. Bellovin puts the Snowden revelations into an ever-
+ evolving historical context of secrets and secret stealing that spans
+ centuries, closing with some suggestions for IETF.
+
+ Readers are invited to consider what impact we as a community have
+ had, what challenges remain, and what positive contribution the
+ technical community can and should make to address security and
+ privacy of citizens of the world.
+
+ -- Eliot Lear, Independent Submissions Editor for the RFC Series
+
+2. Bruce Schneier: Snowden Ten Years Later
+
+ In 2013 and 2014, I wrote extensively about new revelations regarding
+ NSA surveillance based on the documents provided by Edward Snowden.
+ But I had a more personal involvement as well.
+
+ I wrote the essay below in September 2013. _The New Yorker_ agreed to
+ publish it, but _The Guardian_ asked me not to. It was scared of UK
+ law enforcement and worried that this essay would reflect badly on
+ it. And given that the UK police would raid its offices in July
+ 2014, it had legitimate cause to be worried.
+
+ Now, ten years later, I offer this as a time capsule of what those
+ early months of Snowden were like.
+
+ | It's a surreal experience, paging through hundreds of top-secret
+ | NSA documents. You're peering into a forbidden world: strange,
+ | confusing, and fascinating all at the same time.
+ |
+ | I had flown down to Rio de Janeiro in late August at the request
+ | of Glenn Greenwald. He had been working on the Edward Snowden
+ | archive for a couple of months, and had a pile of more technical
+ | documents that he wanted help interpreting. According to
+ | Greenwald, Snowden also thought that bringing me down was a good
+ | idea.
+ |
+ | It made sense. I didn't know either of them, but I have been
+ | writing about cryptography, security, and privacy for decades. I
+ | could decipher some of the technical language that Greenwald had
+ | difficulty with, and understand the context and importance of
+ | various document. And I have long been publicly critical of the
+ | NSA's eavesdropping capabilities. My knowledge and expertise
+ | could help figure out which stories needed to be reported.
+ |
+ | I thought about it a lot before agreeing. This was before David
+ | Miranda, Greenwald's partner, was detained at Heathrow airport by
+ | the UK authorities; but even without that, I knew there was a
+ | risk. I fly a lot -- a quarter of a million miles per year -- and
+ | being put on a TSA list, or being detained at the US border and
+ | having my electronics confiscated, would be a major problem. So
+ | would the FBI breaking into my home and seizing my personal
+ | electronics. But in the end, that made me more determined to do
+ | it.
+ |
+ | I did spend some time on the phone with the attorneys recommended
+ | to me by the ACLU and the EFF. And I talked about it with my
+ | partner, especially when Miranda was detained three days before my
+ | departure. Both Greenwald and his employer, _The Guardian_, are
+ | careful about whom they show the documents to. They publish only
+ | those portions essential to getting the story out. It was
+ | important to them that I be a co-author, not a source. I didn't
+ | follow the legal reasoning, but the point is that _The Guardian_
+ | doesn't want to leak the documents to random people. It will,
+ | however, write stories in the public interest, and I would be
+ | allowed to review the documents as part of that process. So after
+ | a Skype conversation with someone at _The Guardian_, I signed a
+ | letter of engagement.
+ |
+ | And then I flew to Brazil.
+ |
+ | I saw only a tiny slice of the documents, and most of what I saw
+ | was surprisingly banal. The concerns of the top-secret world are
+ | largely tactical: system upgrades, operational problems owing to
+ | weather, delays because of work backlogs, and so on. I paged
+ | through weekly reports, presentation slides from status meetings,
+ | and general briefings to educate visitors. Management is
+ | management, even inside the NSA. Reading the documents, I felt as
+ | though I were sitting through some of those endless meetings.
+ |
+ | The meeting presenters try to spice things up. Presentations
+ | regularly include intelligence success stories. There were
+ | details -- what had been found, and how, and where it helped --
+ | and sometimes there were attaboys from "customers" who used the
+ | intelligence. I'm sure these are intended to remind NSA employees
+ | that they're doing good. It definitely had an effect on me.
+ | Those were all things I want the NSA to be doing.
+ |
+ | There were so many code names. Everything has one: every program,
+ | every piece of equipment, every piece of software. Sometimes code
+ | names had their own code names. The biggest secrets seem to be
+ | the underlying real-world information: which particular company
+ | MONEYROCKET is; what software vulnerability EGOTISTICALGIRAFFE --
+ | really, I am not making that one up -- is; how TURBINE works.
+ | Those secrets collectively have a code name -- ECI, for
+ | exceptionally compartmented information -- and almost never appear
+ | in the documents. Chatting with Snowden on an encrypted IM
+ | connection, I joked that the NSA cafeteria menu probably has code
+ | names for menu items. His response: "Trust me when I say you have
+ | no idea."
+ |
+ | Those code names all come with logos, most of them amateurish and
+ | a lot of them dumb. Note to the NSA: take some of that more than
+ | ten-billion-dollar annual budget and hire yourself a design firm.
+ | Really; it'll pay off in morale.
+ |
+ | Once in a while, though, I would see something that made me stop,
+ | stand up, and pace around in circles. It wasn't that what I read
+ | was particularly exciting, or important. It was just that it was
+ | startling. It changed -- ever so slightly -- how I thought about
+ | the world.
+ |
+ | Greenwald said that that reaction was normal when people started
+ | reading through the documents.
+ |
+ | Intelligence professionals talk about how disorienting it is
+ | living on the inside. You read so much classified information
+ | about the world's geopolitical events that you start seeing the
+ | world differently. You become convinced that only the insiders
+ | know what's really going on, because the news media is so often
+ | wrong. Your family is ignorant. Your friends are ignorant. The
+ | world is ignorant. The only thing keeping you from ignorance is
+ | that constant stream of classified knowledge. It's hard not to
+ | feel superior, not to say things like "If you only knew what we
+ | know" all the time. I can understand how General Keith Alexander,
+ | the director of the NSA, comes across as so supercilious; I only
+ | saw a minute fraction of that secret world, and I started feeling
+ | it.
+ |
+ | It turned out to be a terrible week to visit Greenwald, as he was
+ | still dealing with the fallout from Miranda's detention. Two
+ | other journalists, one from _The Nation_ and the other from _The
+ | Hindu_, were also in town working with him. A lot of my week
+ | involved Greenwald rushing into my hotel room, giving me a thumb
+ | drive of new stuff to look through, and rushing out again.
+ |
+ | A technician from _The Guardian_ got a search capability working
+ | while I was there, and I spent some time with it. Question: when
+ | you're given the capability to search through a database of NSA
+ | secrets, what's the first thing you look for? Answer: your name.
+ |
+ | It wasn't there. Neither were any of the algorithm names I knew,
+ | not even algorithms I knew that the US government used.
+ |
+ | I tried to talk to Greenwald about his own operational security.
+ | It had been incredibly stupid for Miranda to be traveling with NSA
+ | documents on the thumb drive. Transferring files electronically
+ | is what encryption is for. I told Greenwald that he and Laura
+ | Poitras should be sending large encrypted files of dummy documents
+ | back and forth every day.
+ |
+ | Once, at Greenwald's home, I walked into the backyard and looked
+ | for TEMPEST receivers hiding in the trees. I didn't find any, but
+ | that doesn't mean they weren't there. Greenwald has a lot of
+ | dogs, but I don't think that would hinder professionals. I'm sure
+ | that a bunch of major governments have a complete copy of
+ | everything Greenwald has. Maybe the black bag teams bumped into
+ | each other in those early weeks.
+ |
+ | I started doubting my own security procedures. Reading about the
+ | NSA's hacking abilities will do that to you. Can it break the
+ | encryption on my hard drive? Probably not. Has the company that
+ | makes my encryption software deliberately weakened the
+ | implementation for it? Probably. Are NSA agents listening in on
+ | my calls back to the US? Very probably. Could agents take
+ | control of my computer over the Internet if they wanted to?
+ | Definitely. In the end, I decided to do my best and stop worrying
+ | about it. It was the agency's documents, after all. And what I
+ | was working on would become public in a few weeks.
+ |
+ | I wasn't sleeping well, either. A lot of it was the sheer
+ | magnitude of what I saw. It's not that any of it was a real
+ | surprise. Those of us in the information security community had
+ | long assumed that the NSA was doing things like this. But we
+ | never really sat down and figured out the details, and to have the
+ | details confirmed made a big difference. Maybe I can make it
+ | clearer with an analogy. Everyone knows that death is inevitable;
+ | there's absolutely no surprise about that. Yet it arrives as a
+ | surprise, because we spend most of our lives refusing to think
+ | about it. The NSA documents were a bit like that. Knowing that
+ | it is surely true that the NSA is eavesdropping on the world, and
+ | doing it in such a methodical and robust manner, is very different
+ | from coming face-to-face with the reality that it is and the
+ | details of how it is doing it.
+ |
+ | I also found it incredibly difficult to keep the secrets. _The
+ | Guardian_'s process is slow and methodical. I move much faster.
+ | I drafted stories based on what I found. Then I wrote essays
+ | about those stories, and essays about the essays. Writing was
+ | therapy; I would wake up in the wee hours of the morning, and
+ | write an essay. But that put me at least three levels beyond what
+ | was published.
+ |
+ | Now that my involvement is out, and my first essays are out, I
+ | feel a lot better. I'm sure it will get worse again when I find
+ | another monumental revelation; there are still more documents to
+ | go through.
+ |
+ | I've heard it said that Snowden wants to damage America. I can
+ | say with certainty that he does not. So far, everyone involved in
+ | this incident has been incredibly careful about what is released
+ | to the public. There are many documents that could be immensely
+ | harmful to the US, and no one has any intention of releasing them.
+ | The documents the reporters release are carefully redacted.
+ | Greenwald and I repeatedly debated with _The Guardian_ editors the
+ | newsworthiness of story ideas, stressing that we would not expose
+ | government secrets simply because they're interesting.
+ |
+ | The NSA got incredibly lucky; this could have ended with a massive
+ | public dump like Chelsea Manning's State Department cables. I
+ | suppose it still could. Despite that, I can imagine how this
+ | feels to the NSA. It's used to keeping this stuff behind multiple
+ | levels of security: gates with alarms, armed guards, safe doors,
+ | and military-grade cryptography. It's not supposed to be on a
+ | bunch of thumb drives in Brazil, Germany, the UK, the US, and who
+ | knows where else, protected largely by some random people's
+ | opinions about what should or should not remain secret. This is
+ | easily the greatest intelligence failure in the history of ever.
+ | It's amazing that one person could have had so much access with so
+ | little accountability, and could sneak all of this data out
+ | without raising any alarms. The odds are close to zero that
+ | Snowden is the first person to do this; he's just the first person
+ | to make public that he did. It's a testament to General
+ | Alexander's power that he hasn't been forced to resign.
+ |
+ | It's not that we weren't being careful about security, it's that
+ | our standards of care are so different. From the NSA's point of
+ | view, we're all major security risks, myself included. I was
+ | taking notes about classified material, crumpling them up, and
+ | throwing them into the wastebasket. I was printing documents
+ | marked "TOP SECRET/COMINT/NOFORN" in a hotel lobby. And once, I
+ | took the wrong thumb drive with me to dinner, accidentally leaving
+ | the unencrypted one filled with top-secret documents in my hotel
+ | room. It was an honest mistake; they were both blue.
+ |
+ | If I were an NSA employee, the policy would be to fire me for that
+ | alone.
+ |
+ | Many have written about how being under constant surveillance
+ | changes a person. When you know you're being watched, you censor
+ | yourself. You become less open, less spontaneous. You look at
+ | what you write on your computer and dwell on what you've said on
+ | the telephone, wonder how it would sound taken out of context,
+ | from the perspective of a hypothetical observer. You're more
+ | likely to conform. You suppress your individuality. Even though
+ | I have worked in privacy for decades, and already knew a lot about
+ | the NSA and what it does, the change was palpable. That feeling
+ | hasn't faded. I am now more careful about what I say and write.
+ | I am less trusting of communications technology. I am less
+ | trusting of the computer industry.
+ |
+ | After much discussion, Greenwald and I agreed to write three
+ | stories together to start. All of those are still in progress.
+ | In addition, I wrote two commentaries on the Snowden documents
+ | that were recently made public. There's a lot more to come; even
+ | Greenwald hasn't looked through everything.
+ |
+ | Since my trip to Brazil (one month before), I've flown back to the
+ | US once and domestically seven times -- all without incident. I'm
+ | not on any list yet. At least, none that I know about.
+
+ As it happened, I didn't write much more with Greenwald or _The
+ Guardian_. Those two had a falling out, and by the time everything
+ settled and both began writing about the documents independently --
+ Greenwald at the newly formed website _The Intercept_ -- I got cut
+ out of the process somehow. I remember hearing that Greenwald was
+ annoyed with me, but I never learned the reason. We haven't spoken
+ since.
+
+ Still, I was happy with the one story I was part of: how the NSA
+ hacks Tor. I consider it a personal success that I pushed _The
+ Guardian_ to publish NSA documents detailing QUANTUM. I don't think
+ that would have gotten out any other way. And I still use those
+ pages today when I teach cybersecurity to policymakers at the Harvard
+ Kennedy School.
+
+ Other people wrote about the Snowden files, and wrote a lot. It was
+ a slow trickle at first, and then a more consistent flow. Between
+ Greenwald, Bart Gellman, and _The Guardian_ reporters, there ended up
+ being steady stream of news. (Bart brought in Ashkan Soltani to help
+ him with the technical aspects, which was a great move on his part,
+ even if it cost Ashkan a government job later.) More stories were
+ covered by other publications.
+
+ It started getting weird. Both Greenwald and Gellman held documents
+ back so they could publish them in their books. Jake Appelbaum, who
+ had not yet been accused of sexual assault by multiple women, was
+ working with Poitras. He partnered with _Der Spiegel_ to release an
+ implant catalog from the NSA's Tailored Access Operations group. To
+ this day, I am convinced that the document was not in the Snowden
+ archives: that Jake got it somehow, and it was released with the
+ implication that it was from Edward Snowden. I thought it was
+ important enough that I started writing about each item in that
+ document in my blog: "NSA Exploit of the Week." That got my website
+ blocked by the DoD: I keep a framed print of the censor's message on
+ my wall.
+
+ Perhaps the most surreal document disclosures were when artists
+ started writing fiction based on the documents. This was in 2016,
+ when Laura Poitras built a secure room in New York to house the
+ documents. By then, the documents were years out of date. And now
+ they're over a decade out of date. (They were leaked in 2013, but
+ most of them were from 2012 or before.)
+
+ I ended up being something of a public ambassador for the documents.
+ When I got back from Rio, I gave talks at a private conference in
+ Woods Hole, the Berkman Center at Harvard, something called the
+ Congress on Privacy and Surveillance in Geneva, events at both CATO
+ and New America in DC, an event at the University of Pennsylvania, an
+ event at EPIC, a "Stop Watching Us" rally in DC, the RISCS conference
+ in London, the ISF in Paris, and...then...at the IETF meeting in
+ Vancouver in November 2013. (I remember little of this; I am
+ reconstructing it all from my calendar.)
+
+ What struck me at the IETF was the indignation in the room, and the
+ calls to action. And there was action, across many fronts. We
+ technologists did a lot to help secure the Internet, for example.
+
+ The government didn't do its part, though. Despite the public
+ outcry, investigations by Congress, pronouncements by President
+ Obama, and federal court rulings, I don't think much has changed.
+ The NSA canceled a program here and a program there, and it is now
+ more public about defense. But I don't think it is any less
+ aggressive about either bulk or targeted surveillance. Certainly its
+ government authorities haven't been restricted in any way. And
+ surveillance capitalism is still the business model of the Internet.
+
+ And Edward Snowden? We were in contact for a while on Signal. I
+ visited him once in Moscow, in 2016. And I had him do a guest
+ lecture to my class at Harvard for a few years, remotely by Jitsi.
+ Afterwards, I would hold a session where I promised to answer every
+ question he would evade or not answer, explain every response he did
+ give, and be candid in a way that someone with an outstanding arrest
+ warrant simply cannot. Sometimes I thought I could channel Snowden
+ better than he could.
+
+ But now it's been a decade. Everything he knows is old and out of
+ date. Everything we know is old and out of date. The NSA suffered
+ an even worse leak of its secrets by the Russians, under the guise of
+ the Shadow Brokers, in 2016 and 2017. The NSA has rebuilt. It again
+ has capabilities we can only surmise.
+
+3. Stephen Farrell: IETF and Internet Technical Community Reaction
+
+ In 2013, the IETF and, more broadly, the Internet technical,
+ security, and privacy research communities, were surprised by the
+ surveillance and attack efforts exposed by the Snowden revelations
+ [Timeline]. While the potential for such was known, it was the scale
+ and pervasiveness of the activities disclosed that was alarming and,
+ I think it fair to say, quite annoying, for very many Internet
+ engineers.
+
+ As for the IETF's reaction, informal meetings during the July 2013
+ IETF meeting in Berlin indicated that IETF participants considered
+ that these revelations showed that we needed to do more to improve
+ the security and privacy properties of IETF protocols, and to help
+ ensure deployments made better use of the security and privacy
+ mechanisms that already existed. In August, the IETF set up a new
+ mailing list [Perpass], which became a useful venue for triaging
+ proposals for work on these topics. At the November 2013 IETF
+ meeting, there was a lively and very well attended plenary session
+ [Plenary-video] on "hardening the Internet" against such attacks,
+ followed by a "birds of a feather" session [Perpass-BoF] devoted to
+ more detailed discussion of possible actions in terms of new working
+ groups, protocols, and Best Current Practice (BCP) documents that
+ could help improve matters. This was followed in February/March 2014
+ by a joint IAB/W3C workshop on "strengthening the Internet against
+ pervasive monitoring" [STRINT] held in London and attended by 150
+ engineers (still the only IAB workshop in my experience where we
+ needed a waiting list for people after capacity for the venue was
+ reached!). The STRINT workshop report was eventually published as
+ [RFC7687] in 2015, but in the meantime, work proceeded on a BCP
+ document codifying that the IETF community considered that "pervasive
+ monitoring is an attack" [RFC7258] (aka BCP 188). The IETF Last Call
+ discussion for that short document included more than 1000 emails --
+ while there was broad agreement on the overall message, a number of
+ IETF participants considered enshrining that message in the RFC
+ Series and IETF processes controversial. In any case, the BCP was
+ published in May 2014. The key statement on which rough consensus
+ was reached is in the abstract of RFC 7258 and says "Pervasive
+ monitoring is a technical attack that should be mitigated in the
+ design of IETF protocols, where possible." That document has since
+ been referenced [Refs-to-7258] by many IETF working groups and RFCs
+ as justifying additional work on security and privacy. Throughout
+ that period and beyond, the repercussions of the Snowden revelations
+ remained a major and ongoing agenda item for both of the IETF's main
+ technical management bodies, the IAB and the IESG (on which I served
+ at the time).
+
+ So far, I've only described the processes with which the IETF dealt
+ with the attacks, but there was, of course, also much technical work
+ started by IETF participants that was at least partly motivated by
+ the Snowden revelations.
+
+ In November 2013, a working group was established to document better
+ practices for using TLS in applications [UTA] so that deployments
+ would be less at risk in the face of some of the attacks related to
+ stripping TLS or having applications misuse TLS APIs or parameters.
+ Similar work was done later to update recommendations for use of
+ cryptography in other protocols in the CURDLE Working Group [CURDLE].
+ The CURDLE Working Group was, to an extent, created to enable use of
+ a set of new elliptic curves that had been documented by the IRTF
+ Crypto Forum Research Group [CFRG]. That work in turn had been
+ partly motivated by (perhaps ultimately unfounded) concerns about
+ elliptic curves defined in NIST standards, following the DUAL_EC_DRBG
+ debacle [Dual-EC] (described further below) where a NIST random
+ number generator had been deliberately engineered to produce output
+ that could be vulnerable to NSA attack.
+
+ Work to develop a new version of TLS was started in 2014, mainly due
+ to concerns that TLS 1.2 and earlier version implementations had been
+ shown to be vulnerable to a range of attacks over the years. The
+ work to develop TLS 1.3 [RFC8446] also aimed to encrypt more of the
+ handshake so as to expose less information to network observers -- a
+ fairly direct result of the Snowden revelations. Work to further
+ improve TLS in this respect continues today using the so-called
+ Encrypted Client Hello (ECH) mechanism [TLS-ECH] to remove one of the
+ last privacy leaks present in current TLS.
+
+ Work on ECH was enabled by significant developments to encrypt DNS
+ traffic, using DNS over TLS (DoT) [RFC7858] or DNS Queries over HTTPS
+ (DoH) [RFC8484], which also started as a result of the Snowden
+ revelations. Prior to that, privacy hadn't really been considered
+ when it came to DNS data or (more importantly) the act of accessing
+ DNS data. The trend towards encrypting DNS traffic represents a
+ significant change for the Internet, both in terms of reducing
+ cleartext, but also in terms of moving points-of-control. The latter
+ aspect was, and remains, controversial, but the IETF did its job of
+ defining new protocols that can enable better DNS privacy. Work on
+ HTTP version 2 [RFC9113] and QUIC [RFC9000] further demonstrates the
+ trend in the IETF towards always encrypting protocols as the new
+ norm, at least at and above the transport layer.
+
+ Of course, not all such initiatives bore fruit; for example, attempts
+ to define a new MPLS encryption mechanism
+ [MPLS-OPPORTUNISTIC-ENCRYPT] foundered due to a lack of interest and
+ the existence of the already deployed IEEE Media Access Control
+ Security (MACsec) scheme. But there has been a fairly clear trend
+ towards trying to remove cleartext from the Internet as a precursor
+ to provide improved privacy when considering network observers as
+ attackers.
+
+ The IETF, of course, forms only one part of the broader Internet
+ technical community, and there were many non-IETF activities
+ triggered by the Snowden revelations, a number of which also
+ eventually resulted in new IETF work to standardise better security
+ and privacy mechanisms developed elsewhere.
+
+ In 2013, the web was largely unencrypted despite HTTPS being
+ relatively usable, and that was partly due to problems using the Web
+ PKI at scale. The Let's Encrypt initiative [LE] issued its first
+ certificates in 2015 as part of its aim to try to move the web
+ towards being fully encrypted, and it has been extremely successful
+ in helping achieve that goal. Subsequently, the automation protocols
+ developed for Let's Encrypt were standardised in the IETF's ACME
+ Working Group [ACME].
+
+ In 2013, most email transport between mail servers was cleartext,
+ directly enabling some of the attacks documented in the Snowden
+ documents. Significant effort by major mail services and MTA
+ software developers since then have resulted in more than 90% of
+ email being encrypted between mail servers, and various IETF
+ protocols have been defined in order to improve that situation, e.g.,
+ SMTP MTA Strict Transport Security (MTA-STS) [RFC8461].
+
+ Lastly, MAC addresses have historically been long-term fixed values
+ visible to local networks (and beyond), which enabled some tracking
+ attacks that were documented in the Snowden documents [Toronto].
+ Implementers, vendors, and the IEEE 802 standards group recognised
+ this weakness and started work on MAC address randomisation that in
+ turn led to the IETF's MADINAS Working Group [MADINAS], which aims to
+ ensure randomised MAC addresses can be used on the Internet without
+ causing unintentional harm. There is also a history of IETF work on
+ deprecating MAC-address-based IPv6 interface identifiers and
+ advocating pseudorandom identifiers and temporary addresses, some of
+ which pre-dates Snowden [RFC7217] [RFC8064] [RFC8981].
+
+ In summary, the significantly large volume of technical work pursued
+ in the IETF and elsewhere as a result of the Snowden revelations has
+ focussed on two main things: decreasing the amount of plaintext that
+ remains visible to network observers and secondly reducing the number
+ of long-term identifiers that enable unexpected identification or re-
+ identification of devices or users. This work is not by any means
+ complete, nor is deployment universal, but significant progress has
+ been made, and the work continues even if the level of annoyance at
+ the attack has faded somewhat over time.
+
+ One should also note that there has been pushback against these
+ improvements in security and privacy and the changes they cause for
+ deployments. That has come from more or less two camps: those on
+ whom these improvements force change tend to react badly, but later
+ figure out how to adjust, and those who seemingly prefer not to
+ strengthen security so as to, for example, continue to achieve what
+ they call "visibility" even in the face of the many engineers who
+ correctly argue that such an anti-encryption approach inevitably
+ leads to worse security overall. The recurring nature of this kind
+ of pushback is nicely illustrated by [RFC1984]. That informational
+ document was published in 1996 as an IETF response to an early
+ iteration of the perennial "encryption is bad" argument. In 2015,
+ the unmodified 1996 text was upgraded to a BCP (BCP 200) as the
+ underlying arguments have not changed, and will not change.
+
+ Looking back on all the above from a 2023 vantage point, I think
+ that, as a community of Internet engineers, we got a lot right, but
+ that today there's way more that needs to be done to better protect
+ the security and privacy of people who use the Internet. In
+ particular, we (the technical community) haven't done nearly as good
+ a job at countering surveillance capitalism [Zubhoff2019], which has
+ exploded in the last decade. In part, that's because many of the
+ problems are outside of the scope of bodies such as the IETF. For
+ example, intrusive backend sharing of people's data for advertising
+ purposes can't really be mitigated via Internet protocols.
+
+ However, I also think that the real annoyance felt with respect to
+ the Snowden revelations is (in general) not felt nearly as much when
+ it comes to the legal but hugely privacy-invasive activities of major
+ employers of Internet engineers.
+
+ It's noteworthy that RFC 7258 doesn't consider that bad actors are
+ limited to governments, and personally, I think many advertising
+ industry schemes for collecting data are egregious examples of
+ pervasive monitoring and hence ought also be considered an attack on
+ the Internet that ought be mitigated where possible. However, the
+ Internet technical community clearly hasn't acted in that way over
+ the last decade.
+
+ Perhaps that indicates that Internet engineers and the bodies in
+ which they congregate need to place much more emphasis on standards
+ for ethical behaviour than has been the case for the first half-
+ century of the Internet. And while it would be good to see the
+ current leaders of Internet bodies work to make progress in that
+ regard, at the time of writing, it sadly seems more likely that
+ government regulators will be the ones to try force better behaviour.
+ That of course comes with a significant risk of having regulations
+ that stymie the kind of permissionless innovation that characterised
+ many earlier Internet successes.
+
+ So while we got a lot right in our reaction to Snowden's revelations,
+ currently, we have a "worse" Internet. Nonetheless, I do still hope
+ to see a sea change there, as the importance of real Internet
+ security and privacy for people becomes utterly obvious to all, even
+ the most hard-core capitalists and government signals intelligence
+ agencies. That may seem naive, but I remain optimistic that, as a
+ fact-based community, we (and eventually our employers) will
+ recognise that the lesser risk is to honestly aim to provide the best
+ security and privacy practically possible.
+
+4. Farzaneh Badii: Did Snowden's Revelations Help with Protecting Human
+ Rights on the Internet?
+
+ It is very difficult to empirically measure the effect of Snowden's
+ revelations on human rights and the Internet. Anecdotally, we have
+ been witnessing dominant regulatory and policy approaches that impact
+ technologies and services that are at the core of protecting human
+ rights on the Internet. (A range of European Union laws aims to
+ address online safety or concentration of data. There are many more
+ regulations that have an impact on the Internet [Masnick2023].)
+ There has been little progress in fixing technical and policy issues
+ that help enable human rights. The Snowden revelations did not
+ revolutionize the Internet governance and technical approaches to
+ support human rights such as freedom of expression, freedom of
+ association and assembly, and privacy. It did not decrease the
+ number of Internet shutdowns nor the eagerness of authoritarian (and
+ even to some extent democratic) countries to territorialize the
+ Internet. In some cases, the governments argued that they should
+ have more data sovereignty or Internet sovereignty. Perhaps the
+ revelations helped with the evolution of some technical and policy
+ aspects.
+
+ After Snowden's revelations 10 years ago, engineers and advocates at
+ the IETF responded in a few ways. One prominent response was the
+ issuance of a BCP document, "Pervasive Monitoring Is an Attack"
+ [RFC7258] by Farrell and Tschofenig. The responses to the Snowden
+ revelations did not mean that IETF had lost sight of issues such as
+ privacy and surveillance. There were instances of resistance to
+ surveillance in the past by engineers (we do not delve into how
+ successful that was in protecting human rights). However,
+ historically, many engineers believed that widespread and habitual
+ surveillance was too expensive to be practical. The revelations
+ proved them wrong.
+
+ Rights-centered activists were also involved with the IETF before the
+ revelations. For example, staff from Center for Democracy and
+ Technology (CDT) was undertaking work at the IETF (and was a member
+ of the Internet Architecture Board) and held workshops about the
+ challenges of creating privacy-protective protocols and systems. The
+ technical shortcomings that were exploited by the National Security
+ Agency to carry out mass-scale surveillance were recognized by the
+ IETF before the Snowden revelations [Garfinkel1995] [RFC6462]. In
+ 2012, Joy Liddicoat and Avri Doria wrote a report for the Internet
+ Society that extensively discussed the processes and principles of
+ human rights and Internet protocols [Doria2012].
+
+ Perhaps the Snowden revelations brought more attention to the IETF
+ and its work as it related to important issues, such as privacy and
+ freedom of expression. It might have also expedited and helped with
+ more easily convening the Human Rights Protocol Considerations
+ Research Group (HRPC) in the Internet Research Task Force (IRTF) in
+ July 2015. The HRPC RG was originally co-chaired by Niels ten Oever
+ (who worked at Article 19 at the time) and Internet governance
+ activist Avri Doria. The charter of the HRPC RG states that the
+ group was established: "to research whether standards and protocols
+ can enable, strengthen or threaten human rights, as defined in the
+ Universal Declaration of Human Rights (UDHR) and the International
+ Covenant on Civil and Political Rights (ICCPR)."
+
+ During the past decade, a few successful strides were made to create
+ protocols that, when and if implemented, aim at protecting privacy of
+ the users, as well as help with reducing pervasive surveillance.
+ These efforts were in keeping with the consensus of the IETF found in
+ RFC 7258. Sometimes these protocols have anti-censorship qualities
+ as well. A few examples immediately come to mind: 1) the encryption
+ of DNS queries (for example, DNS over HTTPS), 2) ACME protocol
+ underpinning the Let's Encrypt initiative, and 3) Registration Data
+ Access Protocol (RDAP) [RFC7480] [RFC7481] [RFC8056] [RFC9082]
+ [RFC9083] [RFC9224]. (It is debatable that RDAP had anything to do
+ with the Snowden revelations, but it is still a good example and is
+ finally being implemented.)
+
+ The DNS Queries over HTTPS protocol aimed to encrypt DNS queries.
+ Four years after RFC 7258, DoH was developed to tackle both active
+ and passive monitoring of DNS queries. It is also a tool that can
+ help with combatting censorship. Before the revelations, DNS query
+ privacy would have been controversial due to being expensive or
+ unnecessary, but the Snowden revelations made it more plausible.
+ Let's Encrypt was not an Internet protocol, but it was an initiative
+ that aimed to encrypt the web, and later on some of the automation
+ protocols were standardized in the IETF ACME Working Group. RDAP
+ could solve a long-term problem: redacting the domain name
+ registrants' (and IP address holders') sensitive, personal data but
+ at the same time enabling legitimate access to the information. As
+ to the work of HRPC Research Group, it has so far issued [RFC8280] by
+ ten Oever and Cath and a number of informational Internet-Drafts.
+
+ While we cannot really argue that all the movements and privacy-
+ preserving protocols and initiatives that enable protecting human
+ rights at the infrastructure layer solely or directly result from the
+ Snowden revelations, I think it is safe to say that the revelations
+ helped with expediting the resolution of some of the "technical"
+ hesitations that had an effect on fixing Internet protocols that
+ enabled protection of human rights.
+
+ Unfortunately, the Snowden revelations have not yet helped us
+ meaningfully with adopting a human rights approach. We can't agree
+ on prioritizing human rights in our Internet communities for a host
+ of reasons. This could be due to: 1) human rights are sometimes in
+ conflict with each other; 2) it is simply not possible to mitigate
+ the human right violation through the Internet protocol; 3) it is not
+ obvious for the engineers in advance how the Internet protocol
+ contributes to enabling human rights protections, or precisely what
+ they ought to do; 4) the protocol is already there, but market, law,
+ and a host of other societal and political issues do not allow for
+ widespread implementation.
+
+ IETF did not purposefully take a long time to adopt and implement
+ protocols that enabled human rights. There were technical and
+ political issues that created barriers. For example, as WHOIS was
+ not capable of accommodating a tiered-access option, the IETF
+ community attempted a few times before to create a protocol that
+ would disclose the necessary information of IP holders and domain
+ name registrants while at the same time protecting their data (Cross
+ Registry Internet Service Protocol (CRISP) and later on Internet
+ Registry Information Service (IRIS) are the examples). However, IRIS
+ was technically very difficult to implement. It was not until RDAP
+ was developed and the General Data Protection Regulation (GDPR) was
+ enacted that Internet Corporation for Assigned Names and Numbers had
+ to consider instructing registries and registrars to implement RDAP
+ and its community had to come up with a privacy-compliant policy.
+ Overall, a host of regulatory and market incentives can halt or slow
+ down the implementation of human-rights-enabling protocols and
+ implementation could depend on other organizations with their own
+ political and stakeholder conflicts. Sometimes the protocol is
+ available, but the regulatory framework and the market do not allow
+ for implementation. Sometimes the surrounding context includes
+ practical dimensions that are easy to overlook in a purely
+ engineering-focused argument.
+
+ A curious example of this is sanctions regimes that target
+ transactions involving economically valuable assets. As a result,
+ sanctions might limit sanctioned nations' and entities' access to
+ IPv4 resources (because the existence of a resale market for these
+ addresses causes acquiring them to be interpreted as buying something
+ of value), though the same consideration may not apply to IPv6
+ address resources. But IPv6 adoption itself depends on a host of
+ complex factors that are by no means limited to technical comparisons
+ of the properties of IPv4 and IPv6. Someone focused only on
+ technical features of protocols may devise an elegant solution but be
+ surprised both by deployment challenges and unintended downstream
+ effects. Sometimes there are arguments over implementation of a
+ protocol because as it is perceived, while it can protect freedom of
+ expression and reduce surveillance, it can hamper other human rights.
+ For instance, the technical community and some network operators
+ still have doubts about the implementation of DNS over HTTPS, despite
+ its potential to circumvent censorship and its ability to encrypt DNS
+ queries. The arguments against implementation of DoH include
+ protection of children online and lack of law enforcement access to
+ data.
+
+ We must acknowledge that sometimes the technical solutions that we
+ use that protect one right (for example, encryption to protect the
+ right to privacy or to prevent surveillance) could potentially affect
+ technical and policy solutions that try to protect other human rights
+ (for example, encryption could prevent financial institutions from
+ monitoring employees' network activities to detect fraudulent
+ behavior). Acknowledging and identifying these conflicts can help us
+ come up with alternative techniques that could protect human rights
+ while not hampering other technical solutions such as encryption.
+ Where such alternative techniques are not possible, acknowledging the
+ shortcoming could clarify and bring to light the trade-offs that we
+ have accepted in our Internet system.
+
+ Ironically, we advocate for connectivity and believe expressing
+ oneself on the Internet is a human right, but when a war erupts, we
+ resort to tools that impact that very concept. For example, some
+ believe that, by imposing sanctions on critical properties of the
+ Internet, we can punish the perpetrators of a war. The Regional
+ Internet Registries that are in charge of registration of IP
+ addresses have shown resilience to these requests. However, some
+ tech companies (for example, Cogent [Roth2022]) decided not to serve
+ sanctioned countries and overcomplied with sanctions. Overcompliance
+ with sanctions could hamper ordinary people's access to the Internet
+ [Badii2023].
+
+ Perhaps we can solve some of these problems by undertaking a thorough
+ impact assessment and contextualization to reveal how and why
+ Internet protocols affect human rights (something Fidler and I argued
+ for [Badii2021]). Contextualization and impact assessment can reveal
+ how each Internet protocol or each line of code, in which systems,
+ have an impact on which and whose human rights.
+
+ The HRPC RG (which I am a part of) and the larger human rights and
+ policy analyst communities are still struggling to analyze legal,
+ social, and market factors alongside the protocols to have a good
+ understanding of what has an impact and what has to be changed. It
+ is hard, but it is not impossible. If we thoroughly document and
+ research the lifecycle of an Internet protocol and contextualize it,
+ we might have a better understanding of which parts of the protocol
+ to fix and how to fix them in order to protect human rights.
+
+ Overall, the revelations did, to some extent, contribute to the
+ evolution of our ideas and perspectives. Our next step should be to
+ undertake research on the impact of Internet systems (including
+ Internet protocols) on human rights, promote the implementation of
+ protocols good for human rights through policy and advocacy, and
+ focus on which technical parts we can standardize to help with more
+ widespread implementation of human-rights-enabling Internet
+ protocols.
+
+5. Steven M. Bellovin: Governments and Cryptography: The Crypto Wars
+
+5.1. Historical Background
+
+ It's not a secret: many governments in the world don't like it when
+ people encrypt their traffic. More precisely, they like strong
+ cryptography for themselves but not for others, whether those others
+ are private citizens or other countries. But the history is longer
+ and more complex than that.
+
+ For much of written history, both governments and individuals used
+ cryptography to protect their messages. To cite just one famous
+ example, Julius Caesar is said to have encrypted messages by shifting
+ letters in the alphabet by 3 [Kahn1996]. In modern parlance, 3 was
+ the key, and each letter was encrypted with
+
+ C[i] = (P[i] + 3) mod 23
+
+ (The Latin alphabet of his time had only 23 letters.) Known Arabic
+ writings on cryptanalysis go back to at least the 8th century; their
+ sophistication shows that encryption was reasonably commonly used.
+ In the 9th century, Abū Yūsuf Yaʻqūb ibn ʼIsḥāq aṣ-Ṣabbāḥ al-Kindī
+ developed and wrote about frequency analysis as a way to crack
+ ciphers [Borda2011] [Kahn1996].
+
+ In an era of minimal literacy, though, there wasn't that much use of
+ encryption, simply because most people could neither read nor write.
+ Governments used encryption for diplomatic messages, and
+ cryptanalysts followed close behind. The famed Black Chambers of the
+ Renaissance era read messages from many different governments, while
+ early cryptographers devised stronger and stronger ciphers
+ [Kahn1996]. In Elizabethan times in England, Sir Francis
+ Walsingham's intelligence agency intercepted and decrypted messages
+ from Mary, Queen of Scots; these messages formed some of the
+ strongest evidence against her and eventually led to her execution
+ [Kahn1996].
+
+ This pattern continued for centuries. In the United States, Thomas
+ Jefferson invented the so-called wheel cipher in the late 18th
+ century; it was reinvented about 100 years later by Étienne Bazeries
+ and used as a standard American military cipher well into World War
+ II [Kahn1996]. Jefferson and other statesmen of the late 18th and
+ early 19th centuries regularly used cryptography when communicating
+ with each other. An encrypted message was even part of the evidence
+ introduced in Aaron Burr's 1807 trial for treason [Kerr2020]
+ [Kahn1996]. Edgar Allan Poe claimed that he could cryptanalyze any
+ message sent to him [Kahn1996].
+
+ The telegraph era upped the ante. In the US, just a year after
+ Samuel Morse deployed his first telegraph line between Baltimore and
+ Washington, his business partner, Francis Smith, published a codebook
+ to help customers protect their traffic from prying eyes [Smith1845].
+ In 1870, Britain nationalized its domestic telegraph network; in
+ response, Robert Slater published a more sophisticated codebook
+ [Slater1870]. On the government side, Britain took advantage of its
+ position as the central node in the world's international telegraphic
+ networks to read a great deal of traffic passing through the country
+ [Headrick1991] [Kennedy1971]. They used this ability strategically,
+ too -- when war broke out in 1914, the British Navy cut Germany's
+ undersea telegraph cables, forcing them to use radio; an intercept of
+ the so-called Zimmermann telegram, when cryptanalyzed, arguably led
+ to American entry into the war and thence to Germany's defeat. Once
+ the US entered the war, it required users of international telegraph
+ lines to deposit copies of the codebooks they used for compression,
+ so that censors could check messages for prohibited content
+ [Kahn1996].
+
+ In Victorian Britain, private citizens, often lovers, used encryption
+ in newspapers' personal columns to communicate without their parents'
+ knowledge. Charles Wheatstone and Charles Babbage used to solve
+ these elementary ciphers routinely for their own amusement
+ [Kahn1996].
+
+ This pattern continued for many years. Governments regularly used
+ ciphers and codes, while other countries tried to break them; private
+ individuals would sometimes use encryption but not often, and rarely
+ well. But the two World Wars marked a sea change, one that would
+ soon reverberate into the civilian world.
+
+ The first World War featured vast troop movements by all parties;
+ this in turn required a lot of encrypted communications, often by
+ telegraph or radio. These messages were often easily intercepted in
+ bulk. Furthermore, the difficulty of encrypting large volumes of
+ plaintext led to the development of a variety of mechanical
+ encryption devices, including Germany's famed Enigma machine. World
+ War II amplified both trends. It also gave rise to machine-assisted
+ cryptanalysis, such as the United Kingdom's bombes (derived from an
+ earlier Polish design) and Colossus machine, and the American's
+ device for cracking Japan's PURPLE system. The US also used punch
+ card-based tabulators to assist in breaking other Japanese codes,
+ such as the Japanese Imperial Navy's JN-25 [Kahn1996] [Rowlett1998].
+
+ These developments set the stage for the postwar SIGINT (Signals
+ Intelligence) environment. Many intragovernmental messages were sent
+ by radio, making them easy to intercept; advanced cryptanalytic
+ machines made cryptanalysis easier. Ciphers were getting stronger,
+ though, and government SIGINT agencies did not want to give up their
+ access to data. While there were undoubtedly many developments, two
+ are well known.
+
+ The first involved CryptoAG, a Swedish (and later Swiss) manufacturer
+ of encryption devices. The head of that company, Boris Hagelin, was
+ a friend of William F. Friedman, a pioneering American cryptologist.
+ During the 1950s, CryptoAG sold its devices to other governments;
+ apparently at Friedman's behest, Hagelin weakened the encryption in a
+ way that let the NSA read the traffic [Miller2020].
+
+ The story involving the British is less well-documented and less
+ clear. When some of Britain's former colonies gained their
+ independence, the British government gave them captured, war-surplus
+ Enigma machines to protect their own traffic. Some authors contend
+ that this was deceptive, in that these former colonies did not
+ realize that the British could read Enigma-protected traffic; others
+ claim that this was obvious but that these countries didn't care:
+ Britain was no longer their enemy; it was neighboring countries they
+ were worried about. Again, though, this concerned governmental use
+ of encryption [Kahn1996] [Baldwin2022]. There was still little
+ private use.
+
+5.2. The Crypto Wars Begin
+
+ The modern era of conflict between an individual's desire for privacy
+ and the government desires to read traffic began around 1972. The
+ grain harvest in the USSR had failed; since relations between the
+ Soviet Union and the United States were temporarily comparatively
+ warm, the Soviet grain company -- an arm of the Soviet government, of
+ course -- entered into negotiations with private American companies.
+ Unknown to Americans at the time, Soviet intelligence was
+ intercepting the phone calls of the American negotiating teams. In
+ other words, private companies had to deal with state actors as a
+ threat. Eventually, US intelligence learned of this and came to a
+ realization: the private sector needed strong cryptography, too, to
+ protect American national interests [Broad1982] [Johnson1998]. This
+ underscored the need for strong cryptography to protect American
+ civilian traffic -- but the SIGINT people were unhappy at the thought
+ of more encryption that they couldn't break.
+
+ Meanwhile, the US was concerned about protecting unclassified data
+ [Landau2014]. In 1973 and again in 1974, the National Bureau of
+ Standards (NBS) put out a call for a strong, modern encryption
+ algorithm. IBM submitted Lucifer, an internally developed algorithm
+ based on what has become known as a 16-round Feistel network. The
+ original version used a long key. It seemed quite strong, so NBS
+ sent it off to the NSA to get their take. The eventual design, which
+ was adopted in 1976 as the Data Encryption Standard (DES), differed
+ in some important ways from Lucifer. First, the so-called S-boxes,
+ the source of the cryptologic strength of DES, were changed, and were
+ now demonstrably not composed of random integers. Many researchers
+ alleged that the S-boxes contained an NSA back door. It took nearly
+ 20 years for the truth to come out: the S-boxes were in fact
+ strengthened, not weakened. Most likely, IBM independently
+ discovered the attack now known as differential cryptanalysis, though
+ some scholars suspect that the NSA told them about it. The nonrandom
+ S-boxes protected against this attack. The second change, though,
+ was clearly insisted on by the NSA: the key size was shortened, from
+ Lucifer's 112 bits to DES's 56 bits. We now know that the NSA wanted
+ a 48-bit key size, while IBM wanted 64 bits; they compromised at 56
+ bits.
+
+ Whitfield Diffie and Martin Hellman, at Stanford University, wondered
+ about the 56-bit keys. In 1979, they published a paper demonstrating
+ that the US government, but few others, could afford to build a
+ brute-force cracking machine, one that could try all 2^56 possible
+ keys to crack a message. NSA denied tampering with the design; a
+ Senate investigating committee found that assertion to be correct,
+ but did not discuss the shortened key length issue.
+
+ This, however, was not Diffie and Hellman's greatest contribution to
+ cryptology. A few years earlier, they had published a paper
+ inventing what is now known as public key cryptography. (In fact,
+ public key encryption had been invented a few years earlier at UK
+ Government Communications Headquarters (GCHQ), but they kept their
+ discovery classified until 1997.) In 1978, Ronald Rivest, Adi
+ Shamir, and Leonard Adleman devised the RSA algorithm, which made it
+ usable. (An NSA employee, acting on his own, sent a letter warning
+ that academic conferences on cryptology might violate US export
+ laws.)
+
+ Around the same time, George Davida at the University of Wisconsin
+ applied for a patent on a stream cipher; the NSA slapped a secrecy
+ order on the application. This barred him from even talking about
+ his invention. The publicity was devastating; the NSA had to back
+ down.
+
+ The Crypto Wars had thus begun: civilians were inventing strong
+ encryption systems, and the NSA was tampering with them or trying to
+ suppress them. Bobby Inman, the then-director of the NSA, tried
+ creating a voluntary review process for academic papers, but very few
+ researchers were interested in participating [Landau1988].
+
+ There were few major public battles during the 1980s because there
+ were few new major use cases for civilian cryptography during that
+ time. There was one notable incident, though: Shamir, Amos Fiat, and
+ Uriel Feige invented zero-knowledge proofs and applied for a US
+ patent. In response, the US Army slapped a secrecy order on the
+ patent. After a great deal of public outrage and intervention by, of
+ all organizations, the NSA, the order was lifted on very narrow
+ grounds: the inventors were not American, and they had been
+ discussing their work all over the world [Landau1988].
+
+ In the 1990s, though, everything changed.
+
+5.3. The Battle Is Joined
+
+ There were three major developments in cryptography in the early
+ 1990s. First, Phil Zimmermann released PGP (Pretty Good Privacy), a
+ package to encrypt email messages. In 1993, AT&T planned to release
+ the TSD-3600, an easy-to-use phone encryptor aimed at business
+ travelers. Shortly after that, the Netscape Communications
+ Corporation released SSL (Secure Socket Layer) as a way to enable
+ web-based commerce using their browser and web server. All of these
+ were seen as threats by the NSA and the FBI.
+
+ PGP was, at least arguably, covered by what was known as ITAR, the
+ International Trafficking in Arms Regulations -- under American law,
+ encryption software was regarded as a weapon, so exports required a
+ license. It was also alleged to infringe the patents on the RSA
+ algorithm. Needless to say, both issues were problematic for what
+ was intended to be open source software. Eventually, the criminal
+ investigation into Zimmermann's role in the spread of PGP overseas
+ was dropped, but the threat of such investigations remained to deter
+ others [Levy2001].
+
+ The TSD-3600 was another matter. AT&T was a major corporation that
+ did not want to pick a fight with the US government, but
+ international business travelers were seen as a major market for the
+ device. At the government's "request", the DES chip was replaced
+ with what was known as the Clipper chip. The Clipper chip used
+ Skipjack, a cipher with 80-bit keys; it was thus much stronger
+ against brute-force attacks than DES. However, it provided "key
+ escrow". Without going into any details, the key escrow mechanism
+ allowed US government eavesdroppers to consult a pair of (presumably
+ secure) internal databases and decrypt all communications protected
+ by the chip. The Clipper chip proved to be extremely unpopular with
+ industry; that AT&T Bell Labs' Matt Blaze found a weakness in the
+ design [Blaze1994], one that let you use Skipjack without the key
+ escrow feature, didn't help its reputation.
+
+ The third major development, SSL, was even trickier. SSL was aimed
+ at e-commerce, and of course Netscape wanted to be able to sell its
+ products outside the US. That would require an export license, so
+ they made a deal with the government: non-American users would
+ receive a version that used 40-bit keys, a key length far shorter
+ than what the NSA had agreed to 20 years earlier. (To get ahead of
+ the story: there was a compromise mode of operation, wherein an
+ export-grade browser could use strong encryption when talking to a
+ financial institution. This hybrid mode led to cryptographic
+ weaknesses discovered some 20 years later [Adrian2015].)
+
+ Technologists and American industry pushed back. The IETF adopted
+ the Danvers Doctrine, described in [RFC3365]:
+
+ | At the 32cd [sic] IETF held in Danvers, Massachusetts during April
+ | of 1995 the IESG asked the plenary for a consensus on the strength
+ | of security that should be provided by IETF standards. Although
+ | the immediate issue before the IETF was whether or not to support
+ | "export" grade security (which is to say weak security) in
+ | standards the question raised the generic issue of security in
+ | general.
+ |
+ | The overwhelming consensus was that the IETF should standardize on
+ | the use of the best security available, regardless of national
+ | policies. This consensus is often referred to as the "Danvers
+ | Doctrine".
+
+ Then American companies started losing business to their overseas
+ competitors, who did not have to comply with US export laws. All of
+ this led to what seemed like a happy conclusion: the US government
+ drastically loosened its export rules for cryptographic software.
+ All was well -- or so it seemed...
+
+5.4. The Hidden Battle
+
+ Strong cryptography was here to stay, and it was no longer an
+ American monopoly, if indeed it ever was. The Information Assurance
+ Directorate of the NSA, the part of the agency that is supposed to
+ protect US data, was pleased by the spread of strong cryptography.
+ When the Advanced Encryption Standard (AES) competition was held,
+ there were no allegations of malign NSA interference; in fact, the
+ winning entry was devised by two Europeans, Joan Daemen and Vincent
+ Rijmen. But the NSA and its SIGINT needs did not go away -- the
+ agency merely adopted other techniques.
+
+ I have often noted that one doesn't go through strong security, one
+ goes around it. When strong encryption became more common and much
+ more necessary, the NSA started going around it, by targeting
+ computers and the software that they run. And it seems clear that
+ they believe that AES is quite strong; they've even endorsed its use
+ for protecting TOP SECRET information. But there was an asterisk
+ attached to that endorsement: AES is suitable if and only if properly
+ used and implemented. Therein lies the rub.
+
+ The first apparent attempt to tamper with outside cryptographic
+ mechanisms was discovered in 2007, when two Microsoft researchers,
+ Dan Shumow and Niels Ferguson, noted an odd property of a NIST-
+ standardized random number generator, DUAL_EC_DRBG. (The NBS had
+ been renamed to NIST, the National Institute of Standards and
+ Technology.) Random numbers are vital for cryptography, but Shumow
+ and Ferguson showed that if certain constants in DUAL_EC_DRBG were
+ chosen in a particular way with a known-but-hidden other number,
+ whoever knew that number could predict all future random numbers from
+ a system given a few sample bytes to start from [Kostyuk2022]. These
+ sample bytes could come from known keys, nonces, or anything else.
+ Where did the constants in DUAL_EC_DRBG come from and how were they
+ chosen or generated? No one who knows is talking. But although
+ cryptographers and security specialists were very suspicious -- Bruce
+ Schneier wrote in 2007, before more facts came out, that "both NIST
+ and the NSA have some explaining to do"; I assigned my students
+ reading on the topic -- the issue didn't really get any traction
+ until six years later, when among the papers that Edward Snowden
+ disclosed was the information that the NSA had indeed tampered with a
+ major cryptographic standard, though published reports did not
+ specifically name DUAL_EC_DRBG or explain what the purpose was.
+
+ The revelations didn't stop there. There have been allegations that
+ the NSA paid some companies to use DUAL_EC_DRBG in their products.
+ Some people have claimed that there were attempts to modify some IETF
+ standards to make enough random bytes visible, to aid in exploiting
+ the random number generator. A major vendor of networking gear,
+ Juniper, did use DUAL_EC_DRBG in some of its products, but with
+ different constants [Checkoway2016]. Where did these come from?
+ Were they from the NSA or some other government? Could their source
+ tree have been hacked by an intelligence agency? There was a
+ different hack of their code at around the same time [Moore2015]. No
+ one is talking.
+
+ The Snowden revelations also included data suggesting that the NSA
+ had a worldwide eavesdropping network and a group that tried very
+ specific, targeted hacks on very specific targets' systems. In
+ retrospect, neither is surprising: "spies gonna spy". The NSA's
+ business is signals intelligence; of course they're going to try to
+ intercept traffic. Indeed, the DUAL_EC_DRBG tampering is useless to
+ anyone who has not collected messages to decrypt. And targeted hacks
+ are a natural way around strong encryption: collect the data before
+ it is encrypted or after it is decrypted, and don't worry about the
+ strength of the algorithms.
+
+ The privacy community, worldwide, was appalled, though perhaps they
+ shouldn't have been. It calls to mind the line that Claude Rains'
+ character uttered in the movie Casablanca [Curtiz]: "I'm shocked,
+ shocked to find that gambling is going on in here." The immediate
+ and continuing reaction was to deploy more encryption. The standards
+ have long existed; what was missing was adoption. One barrier was
+ the difficulty and expense of getting certificates to use with TLS,
+ the successor to SSL; that void was filled by Let's Encrypt [LE],
+ which made free certificates easy to get online. Today, most HTTP
+ traffic is encrypted, so much so that Google's search engine down-
+ ranks sites that do not use it. Major email providers uniformly use
+ TLS to protect all traffic. Wi-Fi, though a local area issue, now
+ uses much stronger encryption. (It's important to remember that
+ security and insecurity have economic components. Security doesn't
+ have to be perfect to be very useful, if it raises the attackers'
+ costs by enough.)
+
+ The news on the software side is less good. Not a day goes by when
+ one does not read of organizations being hit by ransomware. It goes
+ without saying that any threat actor capable of encrypting disks is
+ also capable of stealing the information on them; indeed, that is a
+ frequent accompanying activity, since the threat of disclosure is
+ another incentive to pay for those sites that do have good enough
+ backups. Major vendors have put a lot of effort into securing their
+ software, but bugs and operational errors by end-user sites persist.
+
+5.5. Whither the IETF?
+
+ Signal intelligence agencies, not just the NSA, but its peers around
+ the globe -- most major countries have their own -- are not going to
+ go away. The challenges that have beset the NSA are common to all
+ such agencies, and their solutions are likely the same. The question
+ is what should be done to protect individual privacy. A number of
+ strong democracies, such as Australia and the United Kingdom, are, in
+ a resumption of the Crypto Wars, moving to restrict encryption.
+ Spurred on by complaints from the FBI and other law enforcement
+ agencies, the US Congress frequently considers bills to do the same.
+
+ The IETF has long had a commitment to strong, ubiquitous encryption.
+ This is a good thing. It needs to continue, with cryptography and
+ other security features designed into protocols from the beginning.
+ But there is also a need for maintenance. Parameters such as key
+ lengths and modulus sizes age; a value that is acceptable today may
+ not be 10 years hence. (We've already seen apparent problems from
+ 1024-bit moduli specified in an RFC, an RFC that was not modified
+ when technology improved enough that attacking encryption based on
+ them had become feasible [Adrian2015].) The IETF can do nothing
+ about the code that vendors ship or that sites use, but it can alert
+ the world that it thinks things have changed.
+
+ Cryptoagility is of increasing importance. In the next very few
+ years, we will have so-called post-quantum algorithms. Both
+ protocols and key lengths will need to change, perhaps drastically.
+ Is the IETF ready? What will happen to, say, DNSSEC if key lengths
+ become drastically longer? Backwards compatibility will remain
+ important, but that, of course, opens the door to other attacks.
+ We've long thought about them; we need to be sure that our mechanisms
+ work -- we've been surprised in the past [BellovinRescorla2006].
+
+ We also need to worry more about metadata. General Michael Hayden,
+ former director of both the NSA and the CIA, once remarked, "We kill
+ people based on metadata" [Ferran2014]. But caution is necessary;
+ attempts to hide metadata can have side effects. To give a trivial
+ example, Tor is quite strong, but if your exit node is in a different
+ country than you are in, web sites that use IP geolocation may
+ present their content in a language foreign to you. Some sites even
+ block connections from known Tor exit nodes. More generally, many
+ attempts to hide metadata involve trusting a different party; that
+ party may turn out to be untrustworthy or it may itself become a
+ target of attack. As another prominent IETFer has remarked,
+ "Insecurity is like entropy; you can't destroy it, but you can move
+ it around." The IETF has done a lot; it needs to do more. And
+ remember that the risk here is not just governments acting directly,
+ it's also private companies that collect the data and sell it to all
+ comers.
+
+ Finally, the IETF must remember that its middle name is
+ "Engineering". To me, one of the attributes of engineering is the
+ art of picking the right solution in an over-constrained environment.
+ Intelligence agencies won't go away, nor will national restrictions
+ on cryptography. We have to pick the right path while staying true
+ to our principles.
+
+6. Security Considerations
+
+ Each or any of the authors may have forgotten or omitted things or
+ gotten things wrong. We're sorry if that's the case, but that's in
+ the nature of a look-back such as this. Such flaws almost certainly
+ won't worsen security or privacy, though.
+
+7. IANA Considerations
+
+ This document has no IANA actions.
+
+8. Informative References
+
+ [ACME] IETF, "Automated Certificate Management Environment
+ (acme)", <https://datatracker.ietf.org/wg/acme/about/>.
+
+ [Adrian2015]
+ Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P.,
+ Green, M., Halderman, J. A., Heninger, N., Springhall, D.,
+ Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E.,
+ Zanella-Béguelin, S., and P. Zimmermann, "Imperfect
+ Forward Secrecy: How Diffie-Hellman Fails in Practice",
+ CCS '15: Proceedings of the 22th ACM Conference on
+ Computer and Communications Security, October 2015,
+ <https://dl.acm.org/doi/10.1145/2810103.2813707>.
+
+ [Badii2021]
+ Badiei, F., Fidler, B., and The Pennsylvania State
+ University Press, "The Would-Be Technocracy: Evaluating
+ Efforts to Direct and Control Social Change with Internet
+ Protocol Design", Journal of Information Policy, vol. 11,
+ pp. 376-402, DOI 10.5325/jinfopoli.11.2021.0376, December
+ 2021, <https://doi.org/10.5325/jinfopoli.11.2021.0376>.
+
+ [Badii2023]
+ Badiei, F., "Sanctions and the Internet", Digital Medusa,
+ 2023, <https://digitalmedusa.org/wp-
+ content/uploads/2023/05/SanctionsandtheInternet-
+ DigitalMedusa.pdf>.
+
+ [Baldwin2022]
+ Baldwin, M., "Did Britain sell Enigmas postwar?", Dr.
+ Enigma, March 2022, <https://drenigma.org/2022/03/02/did-
+ britain-sell-enigmas-postwar/>.
+
+ [BellovinRescorla2006]
+ Bellovin, S. M. and E. K. Rescorla, "Deploying a New Hash
+ Algorithm", Proceedings of NDSS '06, February 2006,
+ <https://www.cs.columbia.edu/~smb/papers/new-hash.pdf>.
+
+ [Blaze1994]
+ Blaze, M., "Protocol Failure in the Escrowed Encryption
+ Standard", CCS '94: Proceedings of Second ACM Conference
+ on Computer and Communications Security, 1994,
+ <https://dl.acm.org/doi/10.1145/191177.191193>.
+
+ [Borda2011]
+ Borda, M., "Fundamentals in Information Theory and
+ Coding", Springer-Berlin, May 2011.
+
+ [Broad1982]
+ Broad, W. J., "Evading the Soviet Ear at Glen Cove",
+ Science, 217:4563, pp. 910-911, September 1982,
+ <https://www.science.org/doi/abs/10.1126/
+ science.217.4563.910>.
+
+ [CFRG] IRTF, "Crypto Forum (cfrg)",
+ <https://datatracker.ietf.org/rg/cfrg/about/>.
+
+ [Checkoway2016]
+ Checkoway, S., Maskiewicz, J., Garman, C., Fried, J.,
+ Cohney, S., Green, M., Heninger, N., Weinmann, R. P.,
+ Rescorla, E., and Hovav Shacham, "A Systematic Analysis of
+ the Juniper Dual EC Incident", CCS '16: Proceedings of the
+ 2016 ACM SIGSAC Conference on Computer and Communications
+ Security, pp. 468-479, October 2016,
+ <https://dl.acm.org/citation.cfm?id=2978395>.
+
+ [CURDLE] IETF, "CURves, Deprecating and a Little more Encryption
+ (curdle)",
+ <https://datatracker.ietf.org/wg/curdle/about/>.
+
+ [Curtiz] Curtiz, M., Epstein, J. J., Epstein, P. G., and H. Koch,
+ "Casablanca", Warner Bros. Pictures, November 1942.
+
+ [Doria2012]
+ Liddicoat, J. and A. Doria, "Human Rights and Internet
+ Protocols: Comparing Processes and Principles", The
+ Internet Society, December 2012,
+ <https://www.internetsociety.org/resources/doc/2012/human-
+ rights-and-internet-protocols-comparing-processes-and-
+ principles/>.
+
+ [Dual-EC] Bernstein, D., Lange, T., and R. Niederhagen, "Dual EC: A
+ Standardized Back Door", July 2016,
+ <https://eprint.iacr.org/2015/767.pdf>.
+
+ [Ferran2014]
+ Ferran, L., "Ex-NSA Chief: "We Kill People Based on
+ Metadata"", ABC News, May 2014,
+ <https://abcnews.go.com/blogs/headlines/2014/05/ex-nsa-
+ chief-we-kill-people-based-on-metadata>.
+
+ [Garfinkel1995]
+ Garfinkel, S., "PGP: Pretty Good Privacy", O'Reilly and
+ Associates, January 1995.
+
+ [Guard2013]
+ Greenwald, G., "NSA collecting phone records of millions
+ of Verizon customers daily", The Guardian, June 2013.
+
+ [Headrick1991]
+ Headrick, D. R., "The Invisible Weapon: Telecommunications
+ and International Politics, 1851-1945", Oxford University
+ Press, 1991.
+
+ [Johnson1998]
+ Johnson, T. R., "American Cryptology During the Cold War,
+ 1945-1989; Book III: Retrenchment and Reform, 1972-1980",
+ Center for Cryptologic History, NSA, 1998,
+ <https://www.nsa.gov/portals/75/documents/news-features/
+ declassified-documents/cryptologic-histories/
+ cold_war_iii.pdf>.
+
+ [Kahn1996] Kahn, D., "The Codebreakers: The Comprehensive History of
+ Secret Communication from Ancient Times to the Internet",
+ 2nd Edition, Scribner, 1996.
+
+ [Kennedy1971]
+ Kennedy, P. M., "Imperial cable communications and
+ strategy, 1870-1914", English Historical Review, 86:341,
+ pp. 728-752, Oxford University Press, October 1971,
+ <https://www.jstor.org/stable/563928>.
+
+ [Kerr2020] Kerr, O. S., "Decryption Originalism: The Lessons of
+ Burr", Harvard Law Review, 134:905, January 2021,
+ <https://papers.ssrn.com/sol3/
+ papers.cfm?abstract_id=3533069>.
+
+ [Kostyuk2022]
+ Kostyuk, N. and S. Landau, "Dueling over DUAL_EC_DRBG: The
+ Consequences of Corrupting a Cryptographic Standardization
+ Process", Harvard National Security Journal, 13:2, pp.
+ 224-284, June 2022, <https://www.harvardnsj.org/wp-
+ content/uploads/sites/13/2022/06/Vol13Iss2_Kostyuk-
+ Landau_Dual-EC-DRGB.pdf>.
+
+ [Landau1988]
+ Landau, S., "Zero Knowledge and the Department of
+ Defense", Notices of the American Mathematical Society,
+ 35:1, pp. 5-12, January 1988,
+ <https://privacyink.org/pdf/Zero_Knowledge.pdf>.
+
+ [Landau2014]
+ Landau, S., "Under the Radar: NSA's Efforts to Secure
+ Private-Sector Telecommunications Infrastructure", Journal
+ of National Security Law & Policy, 7:3, September 2014,
+ <https://jnslp.com/wp-content/uploads/2015/03/
+ NSA%E2%80%99s-Efforts-to-Secure-Private-Sector-
+ Telecommunications-Infrastructure_2.pdf>.
+
+ [LE] Aas, J., Barnes, R., Case, B., Durumeric, Z., Eckersley,
+ P., Flores-López, A., Halderman, A., Hoffman-Andrews, J.,
+ Kasten, J., Rescorla, E., Schoen, S. D., and B. Warren,
+ "Let's Encrypt: An Automated Certificate Authority to
+ Encrypt the Entire Web", CCS '19: Proceedings of the 2019
+ ACM SIGSAC Conference on Computer and Communications
+ Security, November 2019,
+ <https://dl.acm.org/doi/pdf/10.1145/3319535.3363192>.
+
+ [Levy2001] Levy, S., "Crypto: How the Code Rebels Beat the
+ Government-Saving Privacy in the Digital Age", Penguin
+ Publishing Group, January 2001.
+
+ [MADINAS] IETF, "MAC Address Device Identification for Network and
+ Application Services (madinas)",
+ <https://datatracker.ietf.org/wg/madinas/about>.
+
+ [Masnick2023]
+ Masnick, M., "The Unintended Consequences of Internet
+ Regulation", Copia, April 2023,
+ <https://copia.is/library/unintended-consequences/>.
+
+ [Miller2020]
+ Miller, G., "The intelligence coup of the century", The
+ Washington Post, February 2020,
+ <https://www.washingtonpost.com/graphics/2020/world/
+ national-security/cia-crypto-encryption-machines-
+ espionage/>.
+
+ [Moore2015]
+ Moore, H. D., "CVE-2015-7755: Juniper ScreenOS
+ Authentication Backdoor", Rapid7, December 2015,
+ <https://www.rapid7.com/blog/post/2015/12/20/cve-
+ 2015-7755-juniper-screenos-authentication-backdoor/>.
+
+ [MPLS-OPPORTUNISTIC-ENCRYPT]
+ Farrel, A. and S. Farrell, "Opportunistic Security in MPLS
+ Networks", Work in Progress, Internet-Draft, draft-ietf-
+ mpls-opportunistic-encrypt-03, 28 March 2017,
+ <https://datatracker.ietf.org/doc/html/draft-ietf-mpls-
+ opportunistic-encrypt-03>.
+
+ [Perpass] IETF, "perpass mailing list",
+ <https://mailarchive.ietf.org/arch/browse/perpass/>.
+
+ [Perpass-BoF]
+ IETF, "perpass BoF -- Handling Pervasive Monitoring in the
+ IETF", IETF 88 Proceedings, November 2013,
+ <https://www.ietf.org/proceedings/88/perpass.html>.
+
+ [Plenary-video]
+ "IETF 88 Technical Plenary: Hardening The Internet",
+ YouTube video, 2:37:28, posted by "IETF - Internet
+ Engineering Task Force", November 2013,
+ <https://www.youtube.com/
+ watch?v=oV71hhEpQ20&pp=ygUQaWV0ZiA4OCBwbGVuYXJ5IA%3D%3D>.
+
+ [Refs-to-7258]
+ IETF, "References to RFC7258",
+ <https://datatracker.ietf.org/doc/rfc7258/referencedby/>.
+
+ [RFC1984] IAB and IESG, "IAB and IESG Statement on Cryptographic
+ Technology and the Internet", BCP 200, RFC 1984,
+ DOI 10.17487/RFC1984, August 1996,
+ <https://www.rfc-editor.org/info/rfc1984>.
+
+ [RFC3365] Schiller, J., "Strong Security Requirements for Internet
+ Engineering Task Force Standard Protocols", BCP 61,
+ RFC 3365, DOI 10.17487/RFC3365, August 2002,
+ <https://www.rfc-editor.org/info/rfc3365>.
+
+ [RFC6462] Cooper, A., "Report from the Internet Privacy Workshop",
+ RFC 6462, DOI 10.17487/RFC6462, January 2012,
+ <https://www.rfc-editor.org/info/rfc6462>.
+
+ [RFC7217] Gont, F., "A Method for Generating Semantically Opaque
+ Interface Identifiers with IPv6 Stateless Address
+ Autoconfiguration (SLAAC)", RFC 7217,
+ DOI 10.17487/RFC7217, April 2014,
+ <https://www.rfc-editor.org/info/rfc7217>.
+
+ [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
+ Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
+ 2014, <https://www.rfc-editor.org/info/rfc7258>.
+
+ [RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
+ Registration Data Access Protocol (RDAP)", STD 95,
+ RFC 7480, DOI 10.17487/RFC7480, March 2015,
+ <https://www.rfc-editor.org/info/rfc7480>.
+
+ [RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the
+ Registration Data Access Protocol (RDAP)", STD 95,
+ RFC 7481, DOI 10.17487/RFC7481, March 2015,
+ <https://www.rfc-editor.org/info/rfc7481>.
+
+ [RFC7687] Farrell, S., Wenning, R., Bos, B., Blanchet, M., and H.
+ Tschofenig, "Report from the Strengthening the Internet
+ (STRINT) Workshop", RFC 7687, DOI 10.17487/RFC7687,
+ December 2015, <https://www.rfc-editor.org/info/rfc7687>.
+
+ [RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
+ and P. Hoffman, "Specification for DNS over Transport
+ Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
+ 2016, <https://www.rfc-editor.org/info/rfc7858>.
+
+ [RFC8056] Gould, J., "Extensible Provisioning Protocol (EPP) and
+ Registration Data Access Protocol (RDAP) Status Mapping",
+ RFC 8056, DOI 10.17487/RFC8056, January 2017,
+ <https://www.rfc-editor.org/info/rfc8056>.
+
+ [RFC8064] Gont, F., Cooper, A., Thaler, D., and W. Liu,
+ "Recommendation on Stable IPv6 Interface Identifiers",
+ RFC 8064, DOI 10.17487/RFC8064, February 2017,
+ <https://www.rfc-editor.org/info/rfc8064>.
+
+ [RFC8280] ten Oever, N. and C. Cath, "Research into Human Rights
+ Protocol Considerations", RFC 8280, DOI 10.17487/RFC8280,
+ October 2017, <https://www.rfc-editor.org/info/rfc8280>.
+
+ [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
+ Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
+ <https://www.rfc-editor.org/info/rfc8446>.
+
+ [RFC8461] Margolis, D., Risher, M., Ramakrishnan, B., Brotman, A.,
+ and J. Jones, "SMTP MTA Strict Transport Security (MTA-
+ STS)", RFC 8461, DOI 10.17487/RFC8461, September 2018,
+ <https://www.rfc-editor.org/info/rfc8461>.
+
+ [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
+ (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
+ <https://www.rfc-editor.org/info/rfc8484>.
+
+ [RFC8981] Gont, F., Krishnan, S., Narten, T., and R. Draves,
+ "Temporary Address Extensions for Stateless Address
+ Autoconfiguration in IPv6", RFC 8981,
+ DOI 10.17487/RFC8981, February 2021,
+ <https://www.rfc-editor.org/info/rfc8981>.
+
+ [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
+ Multiplexed and Secure Transport", RFC 9000,
+ DOI 10.17487/RFC9000, May 2021,
+ <https://www.rfc-editor.org/info/rfc9000>.
+
+ [RFC9082] Hollenbeck, S. and A. Newton, "Registration Data Access
+ Protocol (RDAP) Query Format", STD 95, RFC 9082,
+ DOI 10.17487/RFC9082, June 2021,
+ <https://www.rfc-editor.org/info/rfc9082>.
+
+ [RFC9083] Hollenbeck, S. and A. Newton, "JSON Responses for the
+ Registration Data Access Protocol (RDAP)", STD 95,
+ RFC 9083, DOI 10.17487/RFC9083, June 2021,
+ <https://www.rfc-editor.org/info/rfc9083>.
+
+ [RFC9113] Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113,
+ DOI 10.17487/RFC9113, June 2022,
+ <https://www.rfc-editor.org/info/rfc9113>.
+
+ [RFC9224] Blanchet, M., "Finding the Authoritative Registration Data
+ Access Protocol (RDAP) Service", STD 95, RFC 9224,
+ DOI 10.17487/RFC9224, March 2022,
+ <https://www.rfc-editor.org/info/rfc9224>.
+
+ [Roth2022] Roth, E., "Internet backbone provider shuts off service in
+ Russia", The Verge, March 2022,
+ <https://www.theverge.com/2022/3/5/22962822/internet-
+ backbone-provider-cogent-shuts-off-service-russia>.
+
+ [Rowlett1998]
+ Rowlett, F. B., "The Story of Magic, Memoirs of an
+ American Cryptologic Pioneer", Aegean Park Press, 1998.
+
+ [Slater1870]
+ Slater, R., "Telegraphic Code, to Ensure Secresy in the
+ Transmission of Telegrams", First Edition, W.R. Gray,
+ 1870, <https://books.google.com/books?id=MJYBAAAAQAAJ>.
+
+ [Smith1845]
+ Smith, F. O., "The Secret Corresponding Vocabulary:
+ Adapted for Use to Morse's Electro-Magnetic Telegraph, and
+ Also in Conducting Written Correspondence, Transmitted by
+ the Mails, or Otherwise", Thurston, Isley & Company, 1845,
+ <https://books.google.com/books?id=Z45clCxsF7EC>.
+
+ [STRINT] W3C and IAB, "A W3C/IAB workshop on Strengthening the
+ Internet Against Pervasive Monitoring (STRINT)", March
+ 2014, <https://www.w3.org/2014/strint/>.
+
+ [Timeline] Wikipedia, "Global surveillance disclosures
+ (2013-present)", July 2023, <https://en.wikipedia.org/w/in
+ dex.php?title=Global_surveillance_disclosures_(2013%E2%80%
+ 93present)&oldid=1161557819>.
+
+ [TLS-ECH] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS
+ Encrypted Client Hello", Work in Progress, Internet-Draft,
+ draft-ietf-tls-esni-16, 6 April 2023,
+ <https://datatracker.ietf.org/doc/html/draft-ietf-tls-
+ esni-16>.
+
+ [Toronto] Memmott, M., "Canada Used Airport Wi-Fi To Track
+ Travelers, Snowden Leak Alleges", NPR, January 2014,
+ <https://www.npr.org/sections/thetwo-
+ way/2014/01/31/269418375/airport-wi-fi-used-to-track-
+ travelers-snowden-leak-alleges>.
+
+ [UTA] IETF, "Using TLS in Applications (uta)",
+ <https://datatracker.ietf.org/wg/uta/about>.
+
+ [Zubhoff2019]
+ Zuboff, S., "The Age of Surveillance Capitalism: The Fight
+ for a Human Future at the New Frontier of Power",
+ PublicAffairs, ISBN 9781781256855, January 2019.
+
+Acknowledgments
+
+ Susan Landau added many valuable comments to Steve Bellovin's essay.
+
+ We thank Carsten Bormann, Brian Carpenter, Wendy Grossman, Kathleen
+ Moriarty, Jan Schaumann, Seth David Schoen, and Paul Wouters for
+ comments and review of this text, though that of course doesn't mean
+ that they necessarily agree with the text.
+
+ This document was created at the behest of Eliot Lear, who also cat
+ herded and did some editing.
+
+Authors' Addresses
+
+ Stephen Farrell
+ Trinity College, Dublin
+ Ireland
+ Email: stephen.farrell@cs.tcd.ie
+
+
+ Farzaneh Badii
+ Digital Medusa
+ Email: farzaneh.badii@gmail.com
+
+
+ Bruce Schneier
+ Harvard University
+ United States of America
+ Email: schneier@schneier.com
+
+
+ Steven M. Bellovin
+ Columbia University
+ United States of America
+ Email: smb@cs.columbia.edu