
Pervasive Monitoring Is an Attack (2014) - pmoriarty
https://tools.ietf.org/html/rfc7258
======
Joeri
I don’t think it’s effective to describe pervasive monitoring by state actors
as something that requires a technological response. There is no technology
end-run around the law, as has been proven again and again.

If pervasive monitoring in nsa style is legal and culturally accepted, then
the solution must be cultural, not technical. Either by embracing the death of
privacy and having no real secrets, or by convincing hearts and minds of the
immorality of the monitoring until it is outlawed and people who do it are
jailed.

~~~
mrkoot
The BCP's scope is broader than state actors: "The motivation for PM can range
from non-targeted nation-state surveillance, to legal but privacy-unfriendly
purposes by commercial enterprises, to illegal actions by criminals".

Also, the BCP does not contend that an technology end-run around law exist (or
that it is desirable). The BCP is about mitigating, not entirely preventing,
the threats described: "'Mitigation' is a technical term that does not imply
an ability to completely prevent or thwart an attack. Protocols that mitigate
PM will not prevent the attack but can significantly change the threat."

Surely, given commercial practices such as HTTP header injection by Verizon
and the Pharma saga in the U.K., a BCP that promotes privacy/security thinking
in the design of new protocols is a good thing. Which is not to say that
attackers, commercial or otherwise, will not find other ways; but let's at
least try to increase the bar by weeding out unnecessary attack surface and
information leakage.

~~~
Joeri
I didn’t mean to say efforts to improve privacy through technology are bad or
pointless, just that it would be dangerous to do that and only that. The
complete solution is technological and cultural/legal. It is not superior lock
technology that prevents homes from being burglarized daily, but the threat of
legal consequences, although it is a good thing to have better locks.

------
dasil003
Are people scared to comment?

~~~
tyingq
Maybe just the generic nature of the problem description. Are they talking
about Google Analytics? Cloudflare? Black hats running WiFi access points?
Infiltrated Tor endpoints? Forced proxies at schools and companies? State
actors? Local malware and antivirus? Rogue apps and browser extensions? Via
what mechanisms?

Hard to comment on it in a general sense. There's lots of forms of pervasive
monitoring.

~~~
brylie
"Pervasive Monitoring (PM) is widespread (and often covert) surveillance
through intrusive gathering of protocol artefacts, including application
content, or protocol metadata such as headers. Active or passive wiretaps and
traffic analysis, (e.g., correlation, timing or measuring packet sizes), or
subverting the cryptographic keys used to secure protocols can also be used as
part of pervasive monitoring."

Seems somewhat specific.

~~~
tyingq
It's all "what" with no "who" or "how". Wiretaps and/or traffic analysis can
happen all the ways I outlined above and more. And by different entities. As
far as I know, combating it requires being specific.

------
jwilk
(2014)

~~~
sctb
Thanks! Updated.

