Mass Surveillance: The Internet’s best engineers are fighting back

The Internet Engineering Task Force (IETF) has played down suggestions that the NSA is weakening the security of the Internet through its standardization processes, and has insisted that the nature of those processes will result in better online privacy for all.

d174ad2a-7500-4c80-b3d8-653c8a7ca9b5.jpgAfter the Snowden documents dropped in mid 2013, the IETF said it was going to do something about mass surveillance. After all, the Internet technology standards body is one of the groups that’s best placed to do so and a year and a half after the NSA contractor blew the lid on the activities of the NSA and its international partners, it looks like real progress is being made.

The IETF doesn’t have members as such, only participants from a huge variety of companies and other organizations that have an interest in the way the Internet develops. Adoption of its standards is voluntary and as a result sometimes patchy, but they are used. This is a key forum for the standardization of Web-RTC and the Internet of Things, for example, and the place where the IPv6 communications protocol was born. And security is now a very high priority across many of these disparate strands.

With trust in the Internet having been severely shaken by Snowden’s revelations, the battle is back on. In May last year, the IETF published a “best practice” document stating baldly that, “pervasive monitoring is an attack.” Stephen Farrell, one of the document’s co-authors and one of the two IETF Security Area Directors, explained that this new stance meant focusing on embedding security in a variety of different projects that the IETF is working on.

Recently Germany’s Der Spiegel published details of some of the efforts by the NSA and its partners, such as British signals intelligence agency GCHQ, to bypass Internet security mechanisms, in some cases by trying to weaken encryption standards. The piece stated that NSA agents go to IETF meetings “to gather information but presumably also to influence the discussions there,” referring in particular to a GCHQ Wiki page that included a write-up of an IETF gathering in San Diego some years ago.

Snowden’s revelations prompted a fundamental rethink within the IETF about what kind of security the Internet should be aiming for overall. Specifically, the IETF is in the process of formalizing a concept called “opportunistic security” whereby, even if full end-to-end security isn’t practical for whatever reason, some security is now officially recognized as being better than nothing.

Facebook and Google have stepped up mail-server-to-mail-server encryption in the wake of Snowden. Facebook sends a lot of emails to its users and, according to Farrell, 90 percent of those are now encrypted between servers. Google has also done a lot of work to send encrypted mail to more providers.

Meanwhile, a separate working group is trying to develop a new DNS Private Exchange (DPRIVE) mechanism to make DNS transactions – where someone enters a web address and a Domain Name System server translates it to a machine-friendly IP address – more private.   gigaom

« US Media Goes Into Overdrive Blaming North Korea for the Sony Hack: Is It Justified?
Google faces US privacy suit over user data policy »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Outpost24

Outpost24

Outpost24 provides easy to deploy and intuitive solutions to continuously identify, remediate and mitigate vulnerabilities in your network.

L J Kushner & Associates

L J Kushner & Associates

L.J. Kushner is a leading Information Security recruiting firm.

ObserveIT

ObserveIT

ObserveIT helps companies identify & eliminate insider threats. Visually monitor & quickly investigate with our easy-deploy user activity monitoring solution.

HYPR

HYPR

HYPR Decentralized Authentication minimizes the risk of enterprise data breaches while providing an enhanced user experience for your customers and employees.

Truepic

Truepic

Truepic provides technologies that prevent fraud, identity theft, misinformation, and disinformation caused by generative, manipulated, or deepfake digital content.

Cryptovision

Cryptovision

Cryptovision GmbH is one of the leading specialists for modern, user-friendly cryptography and solutions for secure electronic identities.

Sigma IT

Sigma IT

SIGMA IT is one of the largest IT services organizations in EMEA region providing a full range of solutions and services including cybersecurity, data protection and business continuity.

Knovos

Knovos

Knovos is a leading technology innovator developing solutions for automating, integrating, and innovating Information Governance.

FortifyData

FortifyData

FortifyData is the next generation of cyber risk management–a comprehensive platform that continuously evaluates your third-party, internal and people risks.

Feroot Security

Feroot Security

Feroot Security secures client-side web applications so that businesses can deliver a flawless user experience to their customers. Our products help organizations protect their client-side surface.

Guernsey

Guernsey

Guernsey provides a wide range of engineering, architecture and consulting services to multiple markets, including cybersecurity consulting and CMMC certification.

Turk Telekom

Turk Telekom

Turk Telekom is the first integrated telecommunications operator in Turkey.

Amyna Systems

Amyna Systems

Amyna has developed an IoT cybersecurity platform that prevents malignant attacks, helping users to protect themselves from cyberattacks.

Prizsm Technologies

Prizsm Technologies

Prizsm is a computational storage capability that provides flexible, easy-to-use, resilient solutions for quantum-resistant, hyper-secure cloud storage and communications.

StackGen

StackGen

StackGen (formerly appCD) automatically generates Infrastructure from Code (IfC) based on application code with golden standards applied.

Corgea

Corgea

Corgea is AI-powered security platform that finds, triages and fixes your insecure code.