The influential Internet Engineering Task Force, a large open international community of network designers and operators who work to help evolve the Internet’s underlying protocols and architecture, has decided to take action against massive state-sponsored Internet snooping (e.g. by GCHQ and the NSA) through the development of new solutions to mitigate such activity.

By now most people should be aware of ex-NSA employee Edward Snowden and his revelations concerning the effort by the UK Government’s Communications Headquarters (GCHQ) to tap into Internet traffic via transatlantic fibre optic cable links, and the USA’s related activity through its National Security Agency.

Since then there have been various debates about the moral rights and wrongs of snooping on such a scale, especially at a time when countries like China and Russia are widely expected to have been conducting similar activity. But now the IETF’s latest Request for Comments (RFC 7258), which is said to represent a consensus of the IETF community, has agreed that Pervasive Monitoring (PM) is a “Widespread Attack on Privacy”.

The IETF has now pledged to develop new ways of mitigating snooping, which won’t be able to prevent such an attack “but can significantly change the threat”. In other words, they intend to develop solutions that can “significantly increase the cost of attacking, force what was covert to be overt, or make the attack more likely to be detected”.

IETF Statement – RFC 7258

Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol metadata such as headers. Active or passive wiretaps and traffic analysis, (e.g., correlation, timing or measuring packet sizes), or subverting the cryptographic keys used to secure protocols can also be used as part of pervasive monitoring. PM is distinguished by being indiscriminate and very large scale, rather than by introducing new types of technical compromise.

The IETF community’s technical assessment is that PM is an attack on the privacy of Internet users and organisations. The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible. Pervasive monitoring was discussed at the technical plenary of the November 2013 IETF meeting [IETF88Plenary] and then through extensive exchanges on IETF mailing lists. This document records the IETF community’s consensus and establishes the technical nature of PM.

The term “attack” is used here in a technical sense that differs somewhat from common English usage. In common English usage, an attack is an aggressive action perpetrated by an opponent, intended to enforce the opponent’s will on the attacked party. The term is used here to refer to behavior that subverts the intent of communicating parties without the agreement of those parties. An attack may change the content of the communication, record the content or external characteristics of the communication, or through correlation with other communication events, reveal information the parties did not intend to be revealed. It may also have other effects that similarly subvert the intent of a communicator.

In particular, the term “attack”, used technically, implies nothing about the motivation of the actor mounting the attack. The motivation for PM can range from non-targeted nation-state surveillance, to legal but privacy-unfriendly purposes by commercial enterprises, to illegal actions by criminals. The same techniques to achieve PM can be used regardless of motivation.

On the one hand this might look like the IETF positioning itself to be in conflict with some of the world’s biggest governments, most of which will no doubt wish to keep their expensive Internet surveillance technologies alive, but on the other the IETF warned that it “cannot defend against the most nefarious actors while allowing monitoring by other actors no matter how benevolent some might consider them to be” (i.e. the actions required of the attacker are often indistinguishable from other attacks). Indeed the group warns that as technology advances such methods could become more widely available, which might make the situation worse.

The IETF’s standards already provide mechanisms to protect Internet communications, including applying these through protocol design, but at present these do not address Pervasive Monitoring, which until recently was often thought to be too technically complex and costly to do.

The group admits that the nature of the beast is such that there will always be privacy-relevant information that is inevitably disclosed by protocols, but nevertheless they now plan to revisit the security and privacy properties of their standards by working to “mitigate the technical aspects of PM, just as we do for protocol vulnerabilities in general”.

However, the IETF will need to tread very carefully because other forms of “monitoring”, such as legitimate Traffic Management systems that use Deep Packet Inspection (DPI) technology (usually to help balance the network load on broadband ISPs or for anti-spam measures), might easily fall into the same area. The IETF recognises these as beneficial and not part of any attack, but the two can be hard to distinguish, and therein resides one of the biggest difficulties.