
IETF - security savior or privacy violator?

Jim Reavis
Network World on Security, 10/25/99

In a page right out of a Kafka novel, the Internet Engineering Task Force will be devoting time during its plenary session in November to discuss intentionally putting security holes within IETF standards. The announcement came too late for April Fool's and too early for Halloween, so I guess it is fair game for an article.

According to the IETF announcement list, the catalyst for this debate is Internet telephony. The fact that more and more voice traffic will travel over Internet backbones brings up the legal issue of ISP compliance with wiretapping laws that traditional telephone carriers must abide by. The question that apparently came up in a telephony-over-IP working group is whether a wiretap "backdoor" needs to be built into the protocols to allow an ISP to provide government access to private conversations.

There are so many arguments against the IETF actually doing something like this that one hardly knows where to begin. Hopefully, the only reason the IETF even considered bringing up this topic of backdoors within RFCs was so that it could squash it with great fanfare and send a message that the IETF is incorruptible.

The first problem I have with this issue is the thought that this idea of backdoors could be limited to telephony. At a time when governments are seeking to establish the legal standing of certificates, signatures and other forms of digital communications, including debate over a backdoor into telephony is a slippery slope towards compromising virtually any standard.

An additional flaw in any argument favoring law enforcement backdoors within RFCs is that legitimate eavesdropping needs must be met within the implementation of a standard, not within the standard itself. This is due to the pervasive, international nature of any standard developed by the IETF. What if a government specifically passes a law forbidding wiretapping? Are constituents unable to use standards with a predisposition to allow wiretapping? Not all governments have the same needs, and I cannot imagine that very many privacy-minded people would feel comfortable using protocols with backdoors.

Will the IETF get involved in making protocols aware of their legal jurisdiction? On the Internet, a domestic phone call can and will very easily cross international boundaries. What will stop one government from using a standard's backdoor to reach outside of its boundary to spy on another government, or a dissident?

If the IETF allows a wiretapping backdoor into a telephony protocol, what is the guarantee that only legitimate parties will exploit it? We all have to remember that the Internet lowers the barriers to market entry in many ways - almost anyone can be an ISP and could use this power indiscriminately.

Deciding the future of the Internet cannot rely heavily on the precedents set by earlier wiretapping relationships between phone companies and law enforcement. While history can often be a useful guide to the decisions we make, the history of telecom and government intervention is not necessarily a good model for the digital future we want. The IETF has done a very good job over the years in effectively creating a measure of technological consensus in a world that does not agree on what an electrical outlet should look like. It should not underestimate the damage it could do to itself as an institution by getting involved in purely governmental matters.

The Internet is all about change, and many of our institutions need to learn to go along with it. The IETF needs to stand for purity in technology, and the best in Internet security. Rather than modifying its standards to adapt to government requirements, it is the governments of the world that must adapt to the Internet.

RELATED LINKS

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.

More information from the IETF

New plans for Internet could carry privacy risks
CNN, 10/12/99

IETF to tighten SNMP security features
Network World, 10/04/99

Water Cooler: Do we really need IPv6?
Network World, 09/27/99

Archive of Network World on Security newsletters


Copyright, 1994-2006 Network World, Inc. All rights reserved.