IAB Comments on a notice by the Federal Trade Commission on “Trade Regulation Rule on Commercial Surveillance and Data Security” (16 CFR Part 464)
statement-iab-comments-on-a-notice-by-the-federal-trade-commission-on-trade-regulation-rule-on-commercial-surveillance-and-data-security-16-cfr-part-464-00
Document | Type | IAB Statement | |
---|---|---|---|
Title | IAB Comments on a notice by the Federal Trade Commission on “Trade Regulation Rule on Commercial Surveillance and Data Security” (16 CFR Part 464) | ||
Published | 2022-11-21 | ||
Metadata last updated | 2023-08-09 | ||
State | Active | ||
Send notices to | (None) |
statement-iab-comments-on-a-notice-by-the-federal-trade-commission-on-trade-regulation-rule-on-commercial-surveillance-and-data-security-16-cfr-part-464-00
On 21 November 2022, the IAB provided comments on a notice by the Federal Trade Commission on “Trade Regulation Rule on Commercial Surveillance and Data Security” (16 CFR Part 464):
Nov 21, 2022
IAB Comments on a notice by the Federal Trade Commission on "Trade
Regulation Rule on Commercial Surveillance and Data Security" (16 CFR
Part 464)
Re: Commercial Surveillance ANPR, R111004
To: Federal Trade Commission
Office of the Secretary
600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B)
Washington, DC 20580
When considering rule making around consumer privacy, the Internet
Architecture Board (IAB) points out the importance of protecting users
from various forms of pervasive monitoring and would like to remind the
Federal Trade Commission that regulatory efforts should be considered
complementary to the process of standardization, technical interoperable
standards themselves, and the adoption and implementation of standards.
INTRODUCTION
The Internet Architecture Board (IAB) welcomes the opportunity to
comment on the Federal Trade Commission's (the Commission) Advance
Notice of Proposed Rulemaking (ANPRM) on Commercial Surveillance and
Data Security.[1] The IAB provides oversight for protocols and
procedures used by the Internet and also handles the liaison management
for the Internet Engineering Task Force (IETF), the main engineering
organization that works on standards relating to Internet technology.
The IETF is an open, diverse, global community of developers consisting
of network operators, vendors, researchers and many other stakeholders.
The mission of the IETF is to produce "relevant technical documents that
influence the way people design, use, and manage the Internet [...] to
make the Internet work better" "for communities that share our
commitment to openness and fairness" (RFC 3935).
The IETF develops and maintains Internet protocols, including a large
number of security technologies used in the Internet. It is responsible
for evolving the technical specifications that define the Internet and
its protocols. We believe the Internet's success has resulted from its
flexible, modular architecture, demonstrated clearly in its evolution
towards better security and to protect user privacy.
The IAB thanks the Commission for their attention on the topic raised in
the notice. Surveillance in its different forms have been the subject of
concern in the IAB and IETF communities since the original development
of Internet technologies. This understanding is clearly documented as a
basic design principle for IETF protocols in RFC 7258, which classifies
"pervasive monitoring" as an attack, and harmful to users – whether the
monitoring is for non-targeted nation-state surveillance, legal but
privacy-unfriendly purposes by commercial enterprises, or illegal
actions by criminals.
Specific answers to the questions posed in the commission's request are
elaborated below, related to surveillance harms, costs and benefits of
rulemaking, data security and protection as they relate to the
underlying architecture of the Internet. In addition, as an overall
response the IAB would like to draw the Commission's attention to the
following general points.
GENERAL FEEDBACK
The privacy and safety of consumers' and citizens' online information is
a broad area that spans both technical and non-technical topics such as
use of security mechanisms or business practices as well as regulations.
As such, there are a number of different roles and actors with various
responsibility areas that need to be considered when analyzing data
security. For instance, application providers, network operators as well
as infrastructure providers are all in charge of different aspects of
user services. Taken together, they create a complex landscape over
which privacy and security analyses need to be considered. The IETF as
an open multi-stakeholder forum brings together multiple perspectives
when addressing security in communications protocols.
The IAB would like to specifically recognize the role of standards in
ensuring user privacy. As a basic requirement to enable data security,
broad use of encryption must be supported as the foundation that
empowers user's minimize the number of parties aware of private
information. IETF protocols such as HTTPS (RFC 9110), TLS (RFC 8446),
QUIC (RFC 9001), DNS-over-HTTPS (RFC 8484), and others support the use
of encryption. Furthermore, the IETF is developing technologies that
enable systems to share information without compromising on the privacy
of the users, such as Oblivious HTTP (OHAI WG), Oblivious DNS over HTTPS
(RFC 9230) and Privacy Preserving Measurements (PPM WG).
Beyond the focus of the IETF on communication security, the IAB
explicitly recognizes the need to protect communications not only
against eavesdropping or tampering, but also potential data leaks that
may occur from server systems or users' devices through attacks, or
accidents, or even commercial practices. Therefore it is crucial to
consider a communication system as a whole beyond the communication
itself including data handling by each actor involved.
Necessary mitigations to ensure privacy may in addition require new
technology. Standards organizations such as the IETF develop
specifications that allow interoperable systems to be built (or re-
built) in a (more) secure manner and to uphold the privacy of the
consumers. As such relying on standards supports board adoption and
ensures high quality technology supporting security and user privacy.
Another aspect that requires attention when developing privacy systems
and technologies is the need for transparency. For systems that are
collecting any user information, it is important for the user to
understand what is happening with their data. As such transparency is
crucial to uphold the rights of the users while ensuring their privacy
and security. Requiring transparency as a first principle enables
mitigation against practices or mechanisms that would otherwise work
opaquely.
For additional consideration, we would like to draw your attention to
the most relevant documentation in the IETF regarding surveillance, data
security, and privacy, specifically "Privacy Considerations for Internet
Protocols" that includes data minimization principles (RFC 6973);
"Pervasive Monitoring is an Attack" (RFC 7258); "IETF Policy on
Wiretapping" (RFC 2804); the IAB "Statement on Internet
Confidentiality". You might also want to refer to the works of the
Internet Engineering Research Force (IRTF) privacy research group
(PEARG).
PROTECTING AGAINST SURVEILLANCE HARMS
Any rulemaking should provide incentives for the implementation and
deployment of privacy-preserving standards to safeguard users against
surveillance. There are several measures that companies could take at
the technical level to protect communications by implementing encryption
based on IETF standards, such as the ones listed earlier.
Rulemaking should consider how requirements for cooperation between
competitive companies can be established, resulting in architectures
that can protect data privacy. Protecting the communications to control
and limit access to data is an important part, but not sufficient by
itself. In addition to communication security, protecting data is
important. As such, the IETF is working on architectural approaches to
designing protocols that minimize the information each entity is able to
access by splitting functionally separable components between different
providers. This architectural principle is not applicable when a service
is provided by only one entity. The applicability of this principle is
exemplified by the approach implemented by Oblivious HTTP (OHAI WG) or
Oblivious DNS over HTTPS (RFC 9230), where a relay service is used that
forwards encrypted requests to avoid linkability between independent
service requests of the same user.
Further, any trade regulation rules focused on end user data privacy
ought to also cover information that can be correlated with persons
(personally correlated information, PCI). As an example we would like to
highlight the specifications developed in the PPM WG provide mechanisms
for splitting and aggregating data for measurement purposes without
revealing sensitive personal data. These mechanism are designed to avoid
fingerprinting of users or devices, even if no personally identifying
information (PII) or sensitive data such as location data is used, as
even non-sensitive information can be associated to different kinds of
identifiers that then could be connected to identify a person, user
agent, or device.
Rulemaking must consider end users and protection of their data
throughout all layers of the "stack" of the Internet system. It is
important to remember that there is a lot of infrastructure that lies
between end users and the applications and platforms, both in the form
of machines performing computations as well as intermediaries operating
that infrastructure. However, rule making should not treat all
intermediaries the same but depending on their function, user consent,
and respective access to data. For example, the abilities of
infrastructure to gain meaningful consent from end users for the
purposes of data handling are more limited than for application
providers that directly interact with the user.
COSTS AND BENEFITS OF RULEMAKING COMPLIANCE
New trade regulation rules on data security or commercial surveillance
must be designed carefully to not impede innovation. The IETF and
Internet standards setting fora in general provide a level playing field
where innovation can take place. New work in the IETF such as developed
in the PPM WG and Messaging Layer Security working group (MLS WG)
exemplify that innovation can flourish especially as privacy has become
an important focus of work for many stakeholders. In addition, the IRTF
has a long-term research group dedicated to privacy, enhancements and
assessments (PEARG), amplifying knowledge exchange between the research
and standards setting communities.
New trade regulation rules on data security or commercial surveillance
should not impede competition. A core principle of Internet architecture
is interoperable networking, where interoperability is also an enabler
of competition. Both interoperable networks and a competitive network
economy ensure a robust and stable Internet. Further, the IAB observes
that the partly concerning trend towards consolidation and
centralization is also driving forces for the need for increased user
privacy.
DATA SECURITY AND PROTECTION TECHNIQUES AND STANDARDS
Regulation on data security should consider whether adherence to general
principles is most appropriate or the implementation of specific
measures is required. The IETF makes voluntary standards. As such, the
IETF determines its success by technical quality and voluntary
deployment. Regulations often consider how they require businesses to
implement such standards, or other administrative, technical, and
physical data security measures, including encryption techniques, to
protect against risks to the security, confidentiality, or integrity of
covered data. Regulations that reference material describing security
principles, terminology, and goals, for example RFC 6973 on privacy
considerations, have long-term relevance; those that require
implementation of specific technologies, for example RFC 8446 for TLS
1.3, may require the regulation to be updated on a schedule to keep up
with current standard revisions.
Similarly, if the Commission requires businesses to certify that their
data practices meet clear security standards, there is existing guidance
in standards bodies, including the IETF, that should be considered, such
as RFC 3552 providing general security considerations for protocol
design. Further, the Supply Chain Integrity, Transparency, and Trust
working group (SCITT WG) is an example of work in standards setting that
will define a set of interoperable building blocks to enable integrity
and accountability in software supply chain systems supporting
trustworthy operation.
CONCLUSION
In closing, we thank the FTC for the opportunity to engage in this
public feedback process. We would like to reiterate our main points
about protecting users from different forms of pervasive monitoring, and
that regulatory efforts should be considered complementary to
interoperable standards and the process of standardization, and that the
role of standards be uplifted as the primary remedy and strengthened and
supported in the larger strategy to protect users.
Thoughtful FTC rulemaking on privacy can complement the situations where
technical mechanisms alone do not provide strong guarantees of privacy.
FTC rules should provide incentives for the implementation and
deployment of privacy-preserving standards. At the same time it should
consider the potential adverse impacts of any rulemaking that would
disincentivize the implementation and deployment of privacy-preserving
standards.
Sincerely,
Mirja Kühlewind (IAB Chair)
For the IAB
--
[1] Trade Regulation Rule on Commercial Surveillance and Data Security,
87 Fed. Reg. 51273 (Aug. 22, 2022).