Reviewing for privacy in Internet and Web standard-setting Nick Doty - - PowerPoint PPT Presentation




SLIDE 1

Reviewing for privacy in Internet and Web standard-setting

Nick Doty UC Berkeley, School of Information

SLIDE 2

Outline

  • 1. Internet standards at IETF & W3C
  • 2. History of security and privacy reviews
  • 3. Reactions to Snowden
  • 4. Future directions
SLIDE 3

What is a standard?

SLIDE 4

Making standards

SLIDE 5

Privacy and security in standards over time

[Chart: count of RFCs published per year, 1970 to 2010, and the percentage mentioning the terms "privacy" and "security"]

IETF standards since 1970

[Chart: count of W3C Technical Reports (TRs) published per year, 1996 to 2014, and the percentage mentioning the terms "privacy" and "security"]

W3C standards since 1995

1993: “Security Considerations” section required

SLIDE 6

Substantivity of “Security Considerations”

[Chart: number of lines in the "Security Considerations" section of RFCs, by year, 1970 to 2015]

All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. 
 —RFC 3552 (2003)
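The two charts on slides 5 and 6 come from a simple text measurement: for each document, test whether it mentions a term at all, and measure how long its Security Considerations section is. The following is an added example of that measurement (it is not the author's own analysis code) run over four constructed RFC-style documents embedded inline; the documents, their numbers and their years are invented for illustration. It relies on the RFC text convention that section headings sit at column 0 and body text is indented, which is how the parser finds where the section ends.

```python
import re
from collections import defaultdict

# Constructed sample documents in RFC-like layout (NOT real RFCs): (number, year, text).
# RFC text puts section headings at column 0 and body text indented; the
# parser below relies on that convention to find the end of a section.
SAMPLE_RFCS = [
    (1, 1985,
     "Network Working Group\n\n"
     "1. Introduction\n\n"
     "   This memo describes a protocol for moving files.\n\n"
     "2. Message Format\n\n"
     "   Messages are ASCII.\n"),
    (2, 1994,
     "1. Introduction\n\n"
     "   This memo describes a protocol.\n\n"
     "Security Considerations\n\n"
     "   Security issues are not discussed in this memo.\n\n"
     "Author's Address\n\n"
     "   A. Person\n"),
    (3, 2005,
     "1. Introduction\n\n"
     "   Privacy of users matters.\n\n"
     "5. Security Considerations\n\n"
     "   An attacker on the path can observe identifiers.\n"
     "   Implementations MUST use TLS.\n"
     "   Privacy: identifiers should be rotated.\n\n"
     "6. IANA Considerations\n\n"
     "   None.\n"),
    (4, 2005,
     "1. Introduction\n\n"
     "   Just routing.\n\n"
     "4. Security Considerations\n\n"
     "   This document does not change the security properties of the protocol.\n\n"
     "5. References\n"),
]

# Matches "Security Considerations" as a column-0 heading, with or without a section number.
HEADING_RE = re.compile(r"^(?:\d+(?:\.\d+)*\.?\s+)?Security Considerations\s*$", re.IGNORECASE)


def mentions_term(text, term):
    """True if `term` appears as a whole word anywhere in the document (case-insensitive)."""
    return re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE) is not None


def security_considerations_lines(text):
    """Non-blank line count of the Security Considerations section, or None if absent.

    The section runs from its heading to the next column-0 line (the next heading).
    """
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if HEADING_RE.match(line)), None)
    if start is None:
        return None
    count = 0
    for line in lines[start + 1:]:
        if line and not line[0].isspace():  # next column-0 heading ends the section
            break
        if line.strip():
            count += 1
    return count


def share_mentioning_by_year(docs, term):
    """Fraction of documents per year mentioning `term` (the percentage series on slide 5)."""
    total, hits = defaultdict(int), defaultdict(int)
    for _num, year, text in docs:
        total[year] += 1
        hits[year] += mentions_term(text, term)
    return {year: hits[year] / total[year] for year in sorted(total)}


def average_section_lines_by_year(docs):
    """Mean Security Considerations length per year (slide 6's series), over docs that have one."""
    per_year = defaultdict(list)
    for _num, year, text in docs:
        n = security_considerations_lines(text)
        if n is not None:
            per_year[year].append(n)
    return {year: sum(v) / len(v) for year, v in sorted(per_year.items())}


if __name__ == "__main__":
    for term in ("security", "privacy"):
        print(term, share_mentioning_by_year(SAMPLE_RFCS, term))
    print("average Security Considerations lines:", average_section_lines_by_year(SAMPLE_RFCS))
```

Note the limitation the page itself highlights: the 1994 sample passes the "mentions security" test purely because of its mandatory heading, while its one-line body says nothing. Counting mentions measures adoption of the requirement; only the line count (or a reading of the text) says anything about substance.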

SLIDE 7

Leadership and systematization

“Now everyone [thinks about security]. Not everyone does, but as soon as you don’t, you get called out. […] The security area directors are like a force to be reckoned with at this point.”

  • Free lunches got a volunteer Security Directorate started.

“Once it was institutionalized and organized, [...] there was enough momentum to keep it going.”

interviews with IETF participants

SLIDE 8

Privacy-specific Web standards

DNT: 1 (the Do Not Track request header; the value 1 expresses the user's preference not to be tracked)

SLIDE 9

Tools for privacy and security reviews

  • RFC 3552: Guidelines for Writing RFC Text on Security Considerations

  • RFC 6973: Privacy Considerations for Internet Protocols
  • Self-Review Questionnaire: Security and Privacy
  • Fingerprinting Guidance for Web Specification Authors
  • Specification Privacy Assessment
SLIDE 10

Snowden reactions

  • From individuals:

[Photo: Aymann Ismail/ANIMALNewYork]

“We had a good thing. You messed it up for everyone. We trusted you. We were naive. Never again.”

Thomson, Martin. 2013. A Simple Statement.
 http://www.ietf.org/internet-drafts/draft-thomson-perpass-statement-00.txt.
SLIDE 11

Snowden reactions

  • From groups:

[Chart: average daily messages per mailing list, 2009 to 2014, for perpass, secdir, public-privacy, ietf-privacy and privacydir]

Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.

Farrell, S, and H Tschofenig. 2014. Pervasive Monitoring is an Attack. RFC 7258. RFC Editor. http://tools.ietf.org/html/rfc7258.

SLIDE 12

Groups for privacy and security reviews

  • W3C Privacy Interest Group
  • Web Security Interest Group
  • W3C Technical Architecture Group
  • IETF Security Directorate
  • perpass (pervasive passive surveillance)
  • IAB Privacy & Security Program
SLIDE 13

Future work

  • What tools are effective, and how can a systematized process be set up in a standard-setting environment?
  • What can we learn about consideration of values (privacy, security, accessibility, freedom of expression) in multistakeholder groups?

SLIDE 14

Thanks!

Nick Doty npdoty@ischool.berkeley.edu https://npdoty.name