Many of my friends and colleagues where in Sao Paulo last week for NETMundial, the Multi-stakeholder Meeting on the Future of Internet Governance. Dilma Rousseff, President of Brazil, convened this initiative to “focus on principles of Internet governance and the proposal for a roadmap for future development of this ecosystem.”
NETMundial was originally motivated by revelations from Edward Snowden about mass surveillance conducted by the US and UK governments, including spying on President Rouseff herself. These revelations prompted Mrs Rousseff to state “In the absence of the right to privacy, there can be no true freedom of expression and opinion, and therefore no effective democracy” in a speech to the UN at the 68th General Assembly.
Yet, as important as Internet governance is for our future, and as valuable any effort to address this is, it is unlikely to do much, if anything, about the right to privacy online. Why? Because surveillance is not an issue of Internet governance, but of the way the Internet is financed. The vast amount of consumer data amassed by private companies like Google, Facebook and Verizon is not the result of IANA or ICANN policy, but of the business models of these companies which seek to generate profits by way of this data. It is inconceivable that these companies could amass such vast amounts of consumer data, use it for marketing purposes, sell and share access to it with other companies, and yet, somehow keep it out of the hands of the NSA and similar intelligence agencies. Likewise, the extraordinary hacks, mods and exploits the NSA has conducted, as revealed by Snowden, would not be thwarted by any IANA regulation. Aggression by the US is not an Internet problem, and Internet governance can not do away with it, any more that it can do away with drone strikes and regime change projects.
Yet, there is lots that governments can do to ensure the right to privacy, and they can do so today, even absent any change in global Internet governance.
Governments have the ability to regulate the way Telecomms and Internet companies operate within their countries, indeed, the government is no stranger to creating regulation. Government regulation ensures buildings are built correctly, structurally sound, follow the fire code, etc. Governments create rules that make sure highways, roads, and sidewalks are used safely. Governments pass laws to prevent consumers from being defrauded, create statuary warranties, labour standards, regulate broadcast media, etc. Governments can pass regulations to protect the right to privacy. The idea that the Governments such as Brazil, Germany and the others participating in NETMundial need reforms to IANA and friends before they can work towards guaranteeing their own citizens’ right to privacy is absurd.
To guarantee the right to privacy, communication systems must implement the end-to-end principle, which states that functionality ought to reside in the end hosts of a network rather than in intermediary nodes. The term “end-to-end” principle was coined in a 1981 paper by J.H. Saltzer, D.P. Reed and D.D. Clark at the MIT Laboratory for Computer Science, “End-to-End Arguments in System Design,” in which they specifically address privacy.
In the section titled “Secure transmission of data,” the authors argue that to ensure “that a misbehaving user or application program does not deliberately transmit information that should not be exposed,” the “automatic encryption of all data as it is put into the network [...] is a different requirement from authenticating access rights of a system user to specific parts of the data.” This means that to protect the users’ rights to privacy, it is not sufficient to encrypt the network itself, or even the platform, as this does not protect against the operators of the network, or other users who have access to the platform. What is needed, the authors argue, is the “use of encryption for application-level authentication and protection,” meaning that only the software run by the user on the end-node, or their own personal computer, should be able to encrypt and decrypt information for transmission, rather than any intermediary nodes, and only with the user’s own login credentials.
The end-to-end principle is a key concept in the design of the Internet itself, the underlying “Transmission Control Protocol,” one of the core protocols of the Internet protocol suite (TCP/IP), exemplifies the end-to-principle, and allows applications running on remote nodes to use the Internet for the reliable communication of arbitrary data across the network, without requiring any of the intermediary nodes to know or understand the purpose of the data being transmitted.
In principle, therefore, there is absolutely nothing technically stopping everybody from employing private communications on the Internet. So then, how do we get into this mess we’re in now? Why did the Internet, which has the end-to-end principle in it’s core architecture, become host to the most large scale mass surveillance in history?
Two reasons: Capitalism and IPv4. Let’s start with IPv4.
Internet Protocol Version 4 (IPv4) was created in 1981, the same year the Saltzer, Reed, and Clark paper was published. IPv4 provides approximately 4.3 billion addresses, which sounds like a lot, until you realize the every device that connects to the Internet needs at least one. Running out was not presumed to be a big issue at the time, as this version was originally presumed to be a test of DARPA’s networking concepts, and not the final addressing scheme for the global Internet. In 1981 4.3 billion addresses seemed like an awful lot, but when the public Internet began to take off in the Nineties, it became clear that this would not be nearly enough. In 1998 RFC 2460 was released, this document is the specification for IPv6, an addressing scheme that allows for a near limitless number of addresses, trillions of trillions for each person on earth. Yet, as NETMundial was taking place in Brazil, nearly 16 years since the protocol was invented, Google reports that about 3% of visits to its services use IPv6. The “World IPv6 Launch” site, which promotes IPv6 adoption, estimates that more than half Internet users around the world will have IPv6 available by 2018. In other words, 20 years after the design of the protocol, nearly half of all Internet users will not have access. It’s important to note that it is not hardware adoption that is holding things up, it’s highly doubtful that many device made in the last 10 years could not support IPv6, it’s rather that the owners of the networks do not configure their networks to support it.
As everybody knows, 20 years is effectively infinity in Internet years. With IPv6 a far away utopia, and with IPv4 addresses still the currency of Internet service, NAT was developed. The vast majority of devices available to users where not assigned public IP addresses, but only private ones, separated from the public internet by “Network Address Translation” (NAT), a system that allowed the sharing of public IP addresses by many end-nodes, this was an effective solution to IPv4 address exhaustion, but introduced a bigger problem, the network was no longer symmetric, software running on users’ computers can reach central Internet resources, but can not reach other users, who are also on private address space, without some intermediary service providing access.
What this means is that so long as users’ are on private address space, any communication system they use requires centralized resources to bridge connections between users, and what’s more, the scale of these central resources must grow in proportion to the the number of users it has. In order for the end-to-end principle to be respected, these intermediary services need to support it.
And this where we get to the Capitalism part: Building, maintaining and scaling these resources requires money. In the case of “web scale” platforms, lots of money.
By and large, this money comes from Venture Capital. As Capitalists must capture profit or lose their capital, these platforms require business models, and while many business models are possible, the most
popular today, the one presumed to be the most lucrative by investors, is big data. Thus, instead of respecting the end-to-end principle and engineering functionality into the end hosts of a network, capitalists instead only invest in applications where core functionality is built into the intermediary nodes, that can capture user data and control user interaction, which is how they make money.
Capitalist platforms grow and collect data around these intermediary nodes in the same way the mould grows around leaky pipes. In order to give alternative platforms that respect the right to privacy a fighting chance and rid the Internet of the mould of centralize data-collecting platforms, we must fix the pipes, we need to remove the asymmetry in the network.
We can not allow private initiative alone to push adoption of IPv6, and wait however many years or decades it takes to get it. If governments want to promote their citizens right to privacy, they need to mandate adoption of IPv6, to ensure their citizens are able to use software that respects the end-to-end principle.
Here is a charter of rights that all Governments can provide to their own citizens right now to promote the right of privacy:
– IPv6 connectivity with adequate public address space for all!
– At least one DNS Domain Name for every citizen!
– At least one Government signed SSL certificate for every citizen!
If each citizen had a public address space, a domain name and a signed certificate, the leaky pipes of the Internet could be fixed, the surveillance mould would dissipate, and new privacy-respecting applications could flourish!
DEMAND IPv6 NOW!