
Reviewing for privacy in Internet and Web standard-setting Nick Doty - PowerPoint PPT Presentation



  1. Reviewing for privacy in Internet and Web standard-setting Nick Doty UC Berkeley, School of Information

  2. Outline
     1. Internet standards at IETF & W3C
     2. History of security and privacy reviews
     3. Reactions to Snowden
     4. Future directions

  3. What is a standard?

  4. Making standards

  5. Privacy and security in standards over time
  [Two charts: percentage of IETF standards (RFCs, since 1970) and of W3C standards (TRs, since 1995) whose text mentions "security" and "privacy", shown against the count of RFCs and TRs published per year.]
  1993: "Security Considerations" section required

  6. Substantivity of "Security Considerations"
  "All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak."
  —RFC 3552 (2003)
  [Chart: number of lines, by year, 1970 to 2015.]

  7. Leadership and systematization
  "Now everyone [thinks about security]. Not everyone does, but as soon as you don't, you get called out. [...] The security area directors are like a force to be reckoned with at this point."
  Free lunches got a volunteer Security Directorate started.
  "Once it was institutionalized and organized, [...] there was enough momentum to keep it going."
  (interviews with IETF participants)

  8. Privacy-specific Web standards DNT: 1

  9. Tools for privacy and security reviews
  • RFC 3552: Guidelines for Writing RFC Text on Security Considerations
  • RFC 6973: Privacy Considerations for Internet Protocols
  • Self-Review Questionnaire: Security and Privacy
  • Fingerprinting Guidance for Web Specification Authors
  • Specification Privacy Assessment

  10. Snowden reactions
  • From individuals: we had a good thing; you messed it up for everyone; we trusted you; we were naive; never again
  Thomson, Martin. 2013. A Simple Statement. http://www.ietf.org/internet-drafts/draft-thomson-perpass-statement-00.txt
  (Photo: Aymann Ismail/ANIMALNewYork)

  11. Snowden reactions
  • From groups: "Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible."
  Farrell, S., and H. Tschofenig. 2014. Pervasive Monitoring Is an Attack. RFC 7258. RFC Editor. http://tools.ietf.org/html/rfc7258
  [Chart: average daily messages to the perpass, secdir, public-privacy, ietf-privacy and privacydir mailing lists, 2009 to 2014 (0 to 14 messages per day).]

  12. Groups for privacy and security reviews
  • W3C Privacy Interest Group
  • Web Security Interest Group
  • W3C Technical Architecture Group
  • IETF Security Directorate
  • perpass (pervasive passive surveillance)
  • IAB Privacy & Security Program

  13. Future work
  • What tools are effective, and how can a systematized process be set up in a standard-setting environment?
  • What can we learn about consideration of values (privacy, security, accessibility, freedom of expression) in multistakeholder groups?

  14. Thanks! Nick Doty npdoty@ischool.berkeley.edu https://npdoty.name
