IAB Comments on a notice by the Federal Trade Commission on “Trade Regulation Rule on Commercial Surveillance and Data Security” (16 CFR Part 464)

Document Type IAB Statement
Title IAB Comments on a notice by the Federal Trade Commission on “Trade Regulation Rule on Commercial Surveillance and Data Security” (16 CFR Part 464)
Published 2022-11-21
Metadata last updated 2023-08-09
State Active

On 21 November 2022, the IAB provided comments on a notice by the Federal Trade Commission on “Trade Regulation Rule on Commercial Surveillance and Data Security” (16 CFR Part 464):

Nov 21, 2022

IAB Comments on a notice by the Federal Trade Commission on "Trade 
Regulation Rule on Commercial Surveillance and Data Security" (16 CFR 
Part 464)

Re: Commercial Surveillance ANPR, R111004

To: Federal Trade Commission
Office of the Secretary
600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B) 
Washington, DC 20580

When considering rulemaking around consumer privacy, the Internet 
Architecture Board (IAB) points out the importance of protecting users 
from various forms of pervasive monitoring and would like to remind the 
Federal Trade Commission that regulatory efforts should be considered 
complementary to the process of standardization, technical interoperable 
standards themselves, and the adoption and implementation of standards.

INTRODUCTION

The Internet Architecture Board (IAB) welcomes the opportunity to 
comment on the Federal Trade Commission's (the Commission) Advance 
Notice of Proposed Rulemaking (ANPRM) on Commercial Surveillance and 
Data Security.[1] The IAB provides oversight for protocols and 
procedures used by the Internet and also handles the liaison management 
for the Internet Engineering Task Force (IETF), the main engineering 
organization that works on standards relating to Internet technology. 
The IETF is an open, diverse, global community of developers consisting 
of network operators, vendors, researchers and many other stakeholders. 
The mission of the IETF is to produce "relevant technical documents that 
influence the way people design, use, and manage the Internet [...] to 
make the Internet work better" "for communities that share our 
commitment to openness and fairness" (RFC 3935).

The IETF develops and maintains Internet protocols, including a large 
number of security technologies used in the Internet. It is responsible 
for evolving the technical specifications that define the Internet and 
its protocols. We believe the Internet's success has resulted from its 
flexible, modular architecture, demonstrated clearly in its evolution 
towards better security and to protect user privacy.

The IAB thanks the Commission for their attention to the topic raised in 
the notice. Surveillance in its different forms has been the subject of 
concern in the IAB and IETF communities since the original development 
of Internet technologies. This understanding is clearly documented as a 
basic design principle for IETF protocols in RFC 7258, which classifies 
"pervasive monitoring" as an attack, and harmful to users – whether the 
monitoring is for non-targeted nation-state surveillance, legal but 
privacy-unfriendly purposes by commercial enterprises, or illegal 
actions by criminals.

Specific answers to the questions posed in the Commission's request are 
elaborated below, related to surveillance harms, costs and benefits of 
rulemaking, data security and protection as they relate to the 
underlying architecture of the Internet. In addition, as an overall 
response the IAB would like to draw the Commission's attention to the 
following general points.

GENERAL FEEDBACK

The privacy and safety of consumers' and citizens' online information is 
a broad area that spans both technical and non-technical topics such as 
use of security mechanisms or business practices as well as regulations. 
As such, there are a number of different roles and actors with various 
responsibility areas that need to be considered when analyzing data 
security. For instance, application providers, network operators as well 
as infrastructure providers are all in charge of different aspects of 
user services. Taken together, they create a complex landscape over 
which privacy and security analyses need to be considered. The IETF as 
an open multi-stakeholder forum brings together multiple perspectives 
when addressing security in communications protocols.

The IAB would like to specifically recognize the role of standards in 
ensuring user privacy. As a basic requirement to enable data security, 
broad use of encryption must be supported as the foundation that 
empowers users to minimize the number of parties aware of private 
information. IETF protocols such as HTTPS (RFC 9110), TLS (RFC 8446), 
QUIC (RFC 9001), DNS-over-HTTPS (RFC 8484), and others support the use 
of encryption. Furthermore, the IETF is developing technologies that 
enable systems to share information without compromising on the privacy 
of the users, such as Oblivious HTTP (OHAI WG), Oblivious DNS over HTTPS 
(RFC 9230) and Privacy Preserving Measurements (PPM WG).

Beyond the focus of the IETF on communication security, the IAB 
explicitly recognizes the need to protect communications not only 
against eavesdropping or tampering, but also potential data leaks that 
may occur from server systems or users' devices through attacks, or 
accidents, or even commercial practices. Therefore it is crucial to 
consider a communication system as a whole beyond the communication 
itself including data handling by each actor involved.

Necessary mitigations to ensure privacy may in addition require new 
technology. Standards organizations such as the IETF develop 
specifications that allow interoperable systems to be built (or re-
built) in a (more) secure manner and to uphold the privacy of the 
consumers. As such, relying on standards supports broad adoption and 
ensures high quality technology supporting security and user privacy.

Another aspect that requires attention when developing privacy systems 
and technologies is the need for transparency. For systems that are 
collecting any user information, it is important for the user to 
understand what is happening with their data. As such transparency is 
crucial to uphold the rights of the users while ensuring their privacy 
and security. Requiring transparency as a first principle enables 
mitigation against practices or mechanisms that would otherwise work 
opaquely.

For additional consideration, we would like to draw your attention to 
the most relevant documentation in the IETF regarding surveillance, data 
security, and privacy, specifically "Privacy Considerations for Internet 
Protocols" that includes data minimization principles (RFC 6973); 
"Pervasive Monitoring is an Attack" (RFC 7258); "IETF Policy on 
Wiretapping" (RFC 2804); and the IAB "Statement on Internet 
Confidentiality". You might also want to refer to the works of the 
Internet Engineering Research Force (IRTF) privacy research group 
(PEARG).

PROTECTING AGAINST SURVEILLANCE HARMS

Any rulemaking should provide incentives for the implementation and 
deployment of privacy-preserving standards to safeguard users against 
surveillance. There are several measures that companies could take at 
the technical level to protect communications by implementing encryption 
based on IETF standards, such as the ones listed earlier.

Rulemaking should consider how requirements for cooperation between 
competitive companies can be established, resulting in architectures 
that can protect data privacy. Protecting the communications to control 
and limit access to data is an important part, but not sufficient by 
itself. In addition to communication security, protecting data is 
important. As such, the IETF is working on architectural approaches to 
designing protocols that minimize the information each entity is able to 
access by splitting functionally separable components between different 
providers. This architectural principle is not applicable when a service 
is provided by only one entity. The applicability of this principle is 
exemplified by the approach implemented by Oblivious HTTP (OHAI WG) or 
Oblivious DNS over HTTPS (RFC 9230), where a relay service is used that 
forwards encrypted requests to avoid linkability between independent 
service requests of the same user.

Further, any trade regulation rules focused on end user data privacy 
ought to also cover information that can be correlated with persons 
(personally correlated information, PCI). As an example we would like to 
highlight that the specifications developed in the PPM WG provide mechanisms 
for splitting and aggregating data for measurement purposes without 
revealing sensitive personal data. These mechanisms are designed to avoid 
fingerprinting of users or devices, even if no personally identifying 
information (PII) or sensitive data such as location data is used, as 
even non-sensitive information can be associated to different kinds of 
identifiers that then could be connected to identify a person, user 
agent, or device.

Rulemaking must consider end users and protection of their data 
throughout all layers of the "stack" of the Internet system. It is 
important to remember that there is a lot of infrastructure that lies 
between end users and the applications and platforms, both in the form 
of machines performing computations as well as intermediaries operating 
that infrastructure. However, rulemaking should not treat all 
intermediaries the same, but should differentiate depending on their 
function, user consent, and respective access to data. For example, the 
abilities of 
infrastructure to gain meaningful consent from end users for the 
purposes of data handling are more limited than for application 
providers that directly interact with the user.

COSTS AND BENEFITS OF RULEMAKING COMPLIANCE

New trade regulation rules on data security or commercial surveillance 
must be designed carefully to not impede innovation. The IETF and 
Internet standards setting fora in general provide a level playing field 
where innovation can take place. New work in the IETF, such as that 
developed in the PPM WG and Messaging Layer Security working group (MLS WG), 
exemplifies that innovation can flourish, especially as privacy has become 
an important focus of work for many stakeholders. In addition, the IRTF 
has a long-term research group dedicated to privacy, enhancements and 
assessments (PEARG), amplifying knowledge exchange between the research 
and standards setting communities.

New trade regulation rules on data security or commercial surveillance 
should not impede competition. A core principle of Internet architecture 
is interoperable networking, where interoperability is also an enabler 
of competition. Both interoperable networks and a competitive network 
economy ensure a robust and stable Internet. Further, the IAB observes 
that the partly concerning trend towards consolidation and 
centralization is also a driving force for the need for increased user 
privacy.

DATA SECURITY AND PROTECTION TECHNIQUES AND STANDARDS

Regulation on data security should consider whether adherence to general 
principles is most appropriate or the implementation of specific 
measures is required. The IETF makes voluntary standards. As such, the 
IETF determines its success by technical quality and voluntary 
deployment. Regulations often consider how they require businesses to 
implement such standards, or other administrative, technical, and 
physical data security measures, including encryption techniques, to 
protect against risks to the security, confidentiality, or integrity of 
covered data. Regulations that reference material describing security 
principles, terminology, and goals, for example RFC 6973 on privacy 
considerations, have long-term relevance; those that require 
implementation of specific technologies, for example RFC 8446 for TLS 
1.3, may require the regulation to be updated on a schedule to keep up 
with current standard revisions.

Similarly, if the Commission requires businesses to certify that their 
data practices meet clear security standards, there is existing guidance 
in standards bodies, including the IETF, that should be considered, such 
as RFC 3552 providing general security considerations for protocol 
design. Further, the Supply Chain Integrity, Transparency, and Trust 
working group (SCITT WG) is an example of work in standards setting that 
will define a set of interoperable building blocks to enable integrity 
and accountability in software supply chain systems supporting 
trustworthy operation.

CONCLUSION

In closing, we thank the FTC for the opportunity to engage in this 
public feedback process. We would like to reiterate our main points 
about protecting users from different forms of pervasive monitoring, and 
that regulatory efforts should be considered complementary to 
interoperable standards and the process of standardization, and that the 
role of standards be uplifted as the primary remedy and strengthened and 
supported in the larger strategy to protect users.

Thoughtful FTC rulemaking on privacy can complement the situations where 
technical mechanisms alone do not provide strong guarantees of privacy. 
FTC rules should provide incentives for the implementation and 
deployment of privacy-preserving standards. At the same time it should 
consider the potential adverse impacts of any rulemaking that would 
disincentivize the implementation and deployment of privacy-preserving 
standards.

Sincerely,

Mirja Kühlewind (IAB Chair) 
For the IAB


--
[1] Trade Regulation Rule on Commercial Surveillance and Data Security, 
    87 Fed. Reg. 51273 (Aug. 22, 2022).