Building Trust 14 May 2014

IETF Issues RFC 7258 Declaring That Pervasive Monitoring Is An Attack Against The Internet

By Andrei Robachevsky, Senior Technology Programme Manager

Large-scale pervasive monitoring (PM) of Internet traffic represents a clear attack against Internet privacy. That is the view stated in a new document from the Internet Engineering Task Force (IETF), which represents the consensus of the IETF technical community: the type of widespread (and often covert) surveillance through intrusive collection of communication data that we have learned about over the last year is an attack against the Internet. Further, this new document, RFC 7258, declares that the IETF will do whatever possible to make this type of large-scale pervasive monitoring more difficult and easier to detect.

This statement doesn’t mean that the IETF hasn’t considered security of its protocols before. On the contrary, the IETF has a long track record of taking security aspects very seriously and its standards already provide mechanisms to protect Internet communications. RFC 3552, issued in 2003, provides comprehensive guidelines for applying these mechanisms in protocol design.

Pervasive monitoring doesn’t introduce new types of technical compromise. But it changes the threat analysis dramatically, because it is indiscriminate and very large in scale. That sets additional requirements for the confidentiality of protocol metadata, countering traffic analysis, or data minimisation.

As the document states:

“The IETF community’s technical assessment is that PM is an attack on the privacy of Internet users and organisations. The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible.”

After explaining more about how pervasive monitoring is an attack on Internet privacy, the document directs authors of Internet standards to do all they can to mitigate such attacks. It helpfully explains what is meant by “mitigation”:

“‘Mitigation’ is a technical term that does not imply an ability to completely prevent or thwart an attack. Protocols that mitigate PM will not prevent the attack but can significantly change the threat… This can significantly increase the cost of attacking, force what was covert to be overt, or make the attack more likely to be detected, possibly later.”

We are very pleased to see the publication of this document. As we outlined in our contribution to the recent STRINT workshop, The Danger Of The New Internet Choke Points, we remain very concerned about the architecture of the overall Internet and how we can strengthen that infrastructure against these types of attacks.

I encourage you all to read RFC 7258. It’s quite short and won’t take that long to read. And then I ask you to please join with all of us in the IETF in making sure that Internet standards are hardened against pervasive monitoring – and then that those improved standards get implemented out in our networks today. Collaborating together as a global community, we can create a more secure and resilient Internet where our privacy is better protected.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
