29 October marks International Internet Day, the anniversary of the first time, back in 1969, that the internet was used to transmit an electronic message. On the occasion, we pose a question relevant for all RNW's readers: is there a technical solution to the problem of mass online surveillance? According to the Internet Engineering Task Force, there is.
Greatly disturbed by the recent revelations of mass internet surveillance, the Internet Engineering Task Force has announced plans to ramp up online security. You may never have heard of them, but the IETF is a group composed of the creators and engineers of the internet's architecture.
For the IETF, Edward Snowden's revelations were "a wake-up call," said Jari Arkko, the task force's chair. Arkko spoke at last week's UN-initiated Internet Governance Forum in Bali, Indonesia. Surprised by the scale and tactics of surveillance, Arkko stated the engineers are "looking at technical changes that will raise the bar for monitoring."
"Perhaps the notion that internet is by default insecure needs to change," he said. The IETF's will is there, and Arkko believes significant technical fixes "just might be possible."
That focus remains in the current plans to make the internet more resistant to mass surveillance, Arkko emphasised in an interview with RNW: "This is a technical, not a political decision."
Standards and protocols
The engineers of the IETF keep a low profile, but they have been crucial to creating and setting the standards on which the internet was built, ever since its birth in 1969. They have developed email, instant messaging and many protocols that hide behind familiar, if mysterious, acronyms like HTTP and TCP/IP.
As the internet evolved from an academic project into a global network, the role governments and companies played in how it functions grew dramatically. But the IETF maintained its well-respected role, thanks in part to its fervently apolitical stance and focus on technical issues.
In a speech he gave at the Internet Governance Forum, Arkko chose his words carefully, addressing an audience comprising representatives from governments that perpetrate the same mass-surveillance he hopes to curtail.
"I do not think we should react to specific cases," Arkko stated during the forum's opening sessions. "But our commerce, business and personal communications are all depending on the internet technology being secure and trusted."
More, new and better security
Ideas about how the internet might be secured against mass surveillance are currently discussed over the IETF's publicly accessible mailing lists, to which anyone can subscribe and contribute. While nothing is set in stone yet, Arkko sketched out a few of the IETF's ideas in his public address.
Firstly, the IETF wants to eventually apply encryption to all web traffic.
"Today, security only gets switched on for certain services like banking," Arkko explained, referring to IETF-developed standards like SSL - the little lock that appears in the upper left corner of your browser to secure online purchases. "If we work hard, we can make [the entire internet] secure by default."
To this end, the IETF might make encryption mandatory for HTTP 2.0, a new version of the basic web protocol.
Secondly, the IETF plans to remove weak algorithms and strengthen existing algorithms behind encryption. This means that the US National Security Agency and other surveillors will find it harder to crack current forms of encryption.
In other words: the IETF proposes putting locks in more places and making existing locks harder to pick. If the protocols are applied, intercepting the traffic between any two points on the internet - the sender and receiver of an email, the visitor and owner of a website, the buyer and seller of a product - will be close to impossible.
No power to enforce adoption
Yet while the IETF can propose standards and protocols, it has no power to enforce their adoption. The onus to adopt standards lies with the software developers who make browsers and web servers, as well as website owners, and everyday internet users who need to install browser updates.
For instance, a standard like HTTPS - which stands for 'hypertext transfer protocol secure' - can already be applied by every website to improve security. But many websites still make use of unsafe options because they are easier to use. Some websites don't care for security, and ignore the standard; Yahoo Mail will only make HTTPS encryption the default setting starting January 2014.
Yet Arkko, the IETF chair, doesn't see universal adoption as a big hurdle. "I have no worry about that," he said. "Our standards are very widely applied."
He stressed that in addition to increased security, newer standards offer multiple advantages.
"HTTP 2.0 has many other improvements," he said. In one example, he pointed out that "for the users, websites would load faster."
These improvements would no doubt serve as an incentive for websites to implement the new protocol.
Yet one major caveat remains. While the IETF might be able to secure the pipes through which users' data travel, users must also be able to trust the parties where their data is stored: software, hardware and services such as Cisco, Gmail and Facebook. These parties can hand over user data directly to government agencies.
Arkko stressed the limitations of what the internet's engineers can do.
"We are trying to do as much as we can," he explained, "which will help situations where there's someone in the network monitoring you. It will not help situations where someone has direct access to your email provider."
Starting 3 November, the IETF holds a week of meetings in Vancouver, Canada, to concretize the online security plans in person.