Home»Documents»IAB Correspondence, Reports, and Selected Documents»2022»IAB Comments on a notice by the Federal Trade Commission on "Trade Regulation Rule on Commercial Surveillance and Data Security" (16 CFR Part 464)
On 21 November 2022, the IAB provided comments on a notice by the Federal Trade Commission on “Trade Regulation Rule on Commercial Surveillance and Data Security” (16 CFR Part 464):
Nov 21, 2022 IAB Comments on a notice by the Federal Trade Commission on "Trade Regulation Rule on Commercial Surveillance and Data Security" (16 CFR Part 464) Re: Commercial Surveillance ANPR, R111004 To: Federal Trade Commission Office of the Secretary 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B) Washington, DC 20580 When considering rule making around consumer privacy, the Internet Architecture Board (IAB) points out the importance of protecting users from various forms of pervasive monitoring and would like to remind the Federal Trade Commission that regulatory efforts should be considered complementary to the process of standardization, technical interoperable standards themselves, and the adoption and implementation of standards. INTRODUCTION The Internet Architecture Board (IAB) welcomes the opportunity to comment on the Federal Trade Commission's (the Commission) Advance Notice of Proposed Rulemaking (ANPRM) on Commercial Surveillance and Data Security. The IAB provides oversight for protocols and procedures used by the Internet and also handles the liaison management for the Internet Engineering Task Force (IETF), the main engineering organization that works on standards relating to Internet technology. The IETF is an open, diverse, global community of developers consisting of network operators, vendors, researchers and many other stakeholders. The mission of the IETF is to produce "relevant technical documents that influence the way people design, use, and manage the Internet [...] to make the Internet work better" "for communities that share our commitment to openness and fairness" (RFC 3935). The IETF develops and maintains Internet protocols, including a large number of security technologies used in the Internet. It is responsible for evolving the technical specifications that define the Internet and its protocols. We believe the Internet's success has resulted from its flexible, modular architecture, demonstrated clearly in its evolution towards better security and to protect user privacy. The IAB thanks the Commission for their attention on the topic raised in the notice. Surveillance in its different forms have been the subject of concern in the IAB and IETF communities since the original development of Internet technologies. This understanding is clearly documented as a basic design principle for IETF protocols in RFC 7258, which classifies "pervasive monitoring" as an attack, and harmful to users – whether the monitoring is for non-targeted nation-state surveillance, legal but privacy-unfriendly purposes by commercial enterprises, or illegal actions by criminals. Specific answers to the questions posed in the commission's request are elaborated below, related to surveillance harms, costs and benefits of rulemaking, data security and protection as they relate to the underlying architecture of the Internet. In addition, as an overall response the IAB would like to draw the Commission's attention to the following general points. GENERAL FEEDBACK The privacy and safety of consumers' and citizens' online information is a broad area that spans both technical and non-technical topics such as use of security mechanisms or business practices as well as regulations. As such, there are a number of different roles and actors with various responsibility areas that need to be considered when analyzing data security. For instance, application providers, network operators as well as infrastructure providers are all in charge of different aspects of user services. Taken together, they create a complex landscape over which privacy and security analyses need to be considered. The IETF as an open multi-stakeholder forum brings together multiple perspectives when addressing security in communications protocols. The IAB would like to specifically recognize the role of standards in ensuring user privacy. As a basic requirement to enable data security, broad use of encryption must be supported as the foundation that empowers user's minimize the number of parties aware of private information. IETF protocols such as HTTPS (RFC 9110), TLS (RFC 8446), QUIC (RFC 9001), DNS-over-HTTPS (RFC 8484), and others support the use of encryption. Furthermore, the IETF is developing technologies that enable systems to share information without compromising on the privacy of the users, such as Oblivious HTTP (OHAI WG), Oblivious DNS over HTTPS (RFC 9230) and Privacy Preserving Measurements (PPM WG). Beyond the focus of the IETF on communication security, the IAB explicitly recognizes the need to protect communications not only against eavesdropping or tampering, but also potential data leaks that may occur from server systems or users' devices through attacks, or accidents, or even commercial practices. Therefore it is crucial to consider a communication system as a whole beyond the communication itself including data handling by each actor involved. Necessary mitigations to ensure privacy may in addition require new technology. Standards organizations such as the IETF develop specifications that allow interoperable systems to be built (or re- built) in a (more) secure manner and to uphold the privacy of the consumers. As such relying on standards supports board adoption and ensures high quality technology supporting security and user privacy. Another aspect that requires attention when developing privacy systems and technologies is the need for transparency. For systems that are collecting any user information, it is important for the user to understand what is happening with their data. As such transparency is crucial to uphold the rights of the users while ensuring their privacy and security. Requiring transparency as a first principle enables mitigation against practices or mechanisms that would otherwise work opaquely. For additional consideration, we would like to draw your attention to the most relevant documentation in the IETF regarding surveillance, data security, and privacy, specifically "Privacy Considerations for Internet Protocols" that includes data minimization principles (RFC 6973); "Pervasive Monitoring is an Attack" (RFC 7258); "IETF Policy on Wiretapping" (RFC 2804); the IAB "Statement on Internet Confidentiality". You might also want to refer to the works of the Internet Engineering Research Force (IRTF) privacy research group (PEARG). PROTECTING AGAINST SURVEILLANCE HARMS Any rulemaking should provide incentives for the implementation and deployment of privacy-preserving standards to safeguard users against surveillance. There are several measures that companies could take at the technical level to protect communications by implementing encryption based on IETF standards, such as the ones listed earlier. Rulemaking should consider how requirements for cooperation between competitive companies can be established, resulting in architectures that can protect data privacy. Protecting the communications to control and limit access to data is an important part, but not sufficient by itself. In addition to communication security, protecting data is important. As such, the IETF is working on architectural approaches to designing protocols that minimize the information each entity is able to access by splitting functionally separable components between different providers. This architectural principle is not applicable when a service is provided by only one entity. The applicability of this principle is exemplified by the approach implemented by Oblivious HTTP (OHAI WG) or Oblivious DNS over HTTPS (RFC 9230), where a relay service is used that forwards encrypted requests to avoid linkability between independent service requests of the same user. Further, any trade regulation rules focused on end user data privacy ought to also cover information that can be correlated with persons (personally correlated information, PCI). As an example we would like to highlight the specifications developed in the PPM WG provide mechanisms for splitting and aggregating data for measurement purposes without revealing sensitive personal data. These mechanism are designed to avoid fingerprinting of users or devices, even if no personally identifying information (PII) or sensitive data such as location data is used, as even non-sensitive information can be associated to different kinds of identifiers that then could be connected to identify a person, user agent, or device. Rulemaking must consider end users and protection of their data throughout all layers of the "stack" of the Internet system. It is important to remember that there is a lot of infrastructure that lies between end users and the applications and platforms, both in the form of machines performing computations as well as intermediaries operating that infrastructure. However, rule making should not treat all intermediaries the same but depending on their function, user consent, and respective access to data. For example, the abilities of infrastructure to gain meaningful consent from end users for the purposes of data handling are more limited than for application providers that directly interact with the user. COSTS AND BENEFITS OF RULEMAKING COMPLIANCE New trade regulation rules on data security or commercial surveillance must be designed carefully to not impede innovation. The IETF and Internet standards setting fora in general provide a level playing field where innovation can take place. New work in the IETF such as developed in the PPM WG and Messaging Layer Security working group (MLS WG) exemplify that innovation can flourish especially as privacy has become an important focus of work for many stakeholders. In addition, the IRTF has a long-term research group dedicated to privacy, enhancements and assessments (PEARG), amplifying knowledge exchange between the research and standards setting communities. New trade regulation rules on data security or commercial surveillance should not impede competition. A core principle of Internet architecture is interoperable networking, where interoperability is also an enabler of competition. Both interoperable networks and a competitive network economy ensure a robust and stable Internet. Further, the IAB observes that the partly concerning trend towards consolidation and centralization is also driving forces for the need for increased user privacy. DATA SECURITY AND PROTECTION TECHNIQUES AND STANDARDS Regulation on data security should consider whether adherence to general principles is most appropriate or the implementation of specific measures is required. The IETF makes voluntary standards. As such, the IETF determines its success by technical quality and voluntary deployment. Regulations often consider how they require businesses to implement such standards, or other administrative, technical, and physical data security measures, including encryption techniques, to protect against risks to the security, confidentiality, or integrity of covered data. Regulations that reference material describing security principles, terminology, and goals, for example RFC 6973 on privacy considerations, have long-term relevance; those that require implementation of specific technologies, for example RFC 8446 for TLS 1.3, may require the regulation to be updated on a schedule to keep up with current standard revisions. Similarly, if the Commission requires businesses to certify that their data practices meet clear security standards, there is existing guidance in standards bodies, including the IETF, that should be considered, such as RFC 3552 providing general security considerations for protocol design. Further, the Supply Chain Integrity, Transparency, and Trust working group (SCITT WG) is an example of work in standards setting that will define a set of interoperable building blocks to enable integrity and accountability in software supply chain systems supporting trustworthy operation. CONCLUSION In closing, we thank the FTC for the opportunity to engage in this public feedback process. We would like to reiterate our main points about protecting users from different forms of pervasive monitoring, and that regulatory efforts should be considered complementary to interoperable standards and the process of standardization, and that the role of standards be uplifted as the primary remedy and strengthened and supported in the larger strategy to protect users. Thoughtful FTC rulemaking on privacy can complement the situations where technical mechanisms alone do not provide strong guarantees of privacy. FTC rules should provide incentives for the implementation and deployment of privacy-preserving standards. At the same time it should consider the potential adverse impacts of any rulemaking that would disincentivize the implementation and deployment of privacy-preserving standards. Sincerely, Mirja Kühlewind (IAB Chair) For the IAB --  Trade Regulation Rule on Commercial Surveillance and Data Security, 87 Fed. Reg. 51273 (Aug. 22, 2022).