The Role of the IETF in Improving Privacy on the Internet

Jon Peterson, Bernard Aboba, Karen Solins, and myself recently published a short writeup with the title “The Role of the Internet Engineering Task Force (IETF) in Improving Privacy on the Internet”. The article can be downloaded from http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-32.pdf.

We wrote this short position paper as a contribution for the “W3C Workshop on Privacy for Advanced Web APIs”. More about the workshop can be found here: http://www.w3.org/2010/api-privacy-ws/.

A little bit of background: Some of us worked in the GEOPRIV working group and had been exposed to the topic of privacy for years already. Over time we got a better understanding of it, also with the help of privacy experts like John Morris and Alissa Cooper.

When the W3C then started their work on a so-called Geolocation API many of us had expressed concerns about how privacy is addressed in the design of that protocol. We got the impression that users would be exposing their location in surprising ways.

We weren’t, however, able to convince certain people involved in the design of the protocol and the Geolocation API got implemented and deployed. As deployment investigations later showed (see references in the paper) the privacy properties being provided in the wild weren’t “favorable” for users.

With the ongoing work on the Device API in the W3C there is even more risk of getting things wrong since this work essentially allows to expose your camera, microphone, contact list, storage, etc. via your web browser to Web sites (who sent you the right JavaScript code).

Now, it seems that even the last few folks have realized that there might be a privacy issue in the air.

Hence, the W3C schedule a workshop with the focus on these APIs.

We looked into the work various IETF groups did in the area of privacy and came to the conclusion that we do actually consider privacy in our protocol design. The paper highlights a couple of cases. We do not have a systematic approach of doing so but the structure of the IETF as an organization, the processes we have (with various levels of reviews), and the wide expertise allow us to catch or document potential privacy unfriendliness.

We (the IAB) would like to figure out what the IETF and the IRTF can do to provide better privacy protection and where our influence ends. To do so we need your help.

Your feedback to the article and the topic overall is appreciated.

Leave a Reply

Your email address will not be published. Required fields are marked *