Written evidence submitted by Evolving Internet Standards and Services Undermine User Safety (OSB0172)

 

Introduction

The UK’s efforts to enhance online safety through legislation and regulation risk being undermined by continuing developments within the tech sector.  A series of new Internet standards, along with the introduction of new services, are combining in ways that undermine user safety, bypassing privacy and security protections.  These developments risk causing harm both to consumers and to enterprises. 

This document will highlight some examples of these developments and new services, identifying the risks that they pose and some of the additional steps that may need to be taken within the proposed legislation to counteract the threats posed.

 

Internet Standards Development

Internet standards are developed under the auspices of the Internet Engineering Task Force[1].  It describes itself as “a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. 

Whilst being a body that anyone can attend, it should be borne in mind that the subject matter that the IETF discusses tends to discourage participation by non-technical people.  One of the issues currently being discussed within the IETF is diversity, given that participants are drawn largely from large companies in the tech and telecoms sectors, primarily from North America and Europe.  It also has the distinction of having lower gender diversity than the tech sector as a whole, despite the latter being criticised for poor diversity. 

In general, new standards developed within the IETF are brought forward on their technical merits, with participants tending to avoid discussion of any non-technical aspects such as any public policy implications of those standards.  Recently there have been efforts to encourage the IETF to consider multistakeholder engagement in order to ensure that developments are for the benefit of end users[2], however there has been limited evidence to date of any action being taken to implement these recommendations. 

 

Internet Standards and Privacy

Several recent developments within the IETF have focused on enhancements to improve user security through the incorporation of encryption into Internet standards.  An example of such a development is the relatively recent “DNS over HTTPS” (DoH) standard[3], which was brought forward in order to encrypt the Domain Name System, the method used to convert website addresses such as www.example.co.uk typed by humans into the IP addresses used by computers. 

The intent behind the DoH standard is to encrypt the communications between computers so that it is not possible for observers to identify the content that a user is seeking to access over the Internet.  An unfortunate side-effect is that it also bypasses services like parental controls and malware protection that Internet Service Providers often offer to their customers, potentially exposing users to harms against which they were previously protected. 

A second initiative within the IETF which is still under development is titled “Encrypted Client Hello” or ECH.  Websites are increasingly located on host services to provide greater resilience, sometimes with large numbers of websites sharing the same IP address.  When a user accesses content on a shared address, ECH will encrypt the communication so that it is not possible for an observer to determine which specific site is being accessed.

As is the case with the DoH protocol, ECH is being developed in order to improve user privacy.  However ECH does have some unintended and quite serious consequences: for example, a browser using ECH would bypass most filtering software used by schools, potentially allowing pupils to access harmful content.  And ECH can weaken the cyber defences of enterprises, exposing companies to additional security threats.

More details about the issues posed by ECH are accessible at https://419.consulting/encrypted-client-hello, including notes from a roundtable discussion with experts from the education and financial services sectors. 

 

New Services

The Private Relay service has been developed by Apple as an extension of its iCloud+ service for devices running the iOS 15, iPadOS 15 and macOS Monterey operating systemsIt introduces a range of new, privacy-related features that can shield the activities of the users of Apple devices from observers. 

Unfortunately, when Private Relay is enabled by a user it will potentially allow them to bypass court orders blocking access to illegal and to copyright-infringing content.  It will also circumvent ISP-services blocking access to malicious content and optional filtering capabilities such as parental controls. 

More significantly though, Private Relay adversely affects the ability of ISPs and network operators to comply with requirements relating to lawful interception as well as to data retention and disclosure.  Law enforcement agencies would need to contact Apple rather than ISPs for much of the data associated with such requests, assuming that Apple could be shown to be within the scope of the relevant legislation. 

More details about the issues posed by Private Relay are accessible at https://419.consulting/private-relay, including notes from a roundtable discussion focused on the implications of the service for network operators and ISPs. 

 

Relevance to the Online Safety Legislation

The developments summarised in this document are intended to provide examples that highlight the complexity and changing nature of the Internet.  It will be increasingly difficult for network operators and ISPs to identify the content that transits their networks and systems, making it hard for them to provide the ability to block access to content as a last resort when required by regulators or legislators. 

As the brief examples illustrate, new developments may reduce the level of protection offered to Internet users, leaving them at greater risk of harm than is currently the case.  It is possible that some of these changes will render current protections ineffective without any warning to either users or those responsible for protecting them, an example being the case of ECH and school content filtering systems.

Therefore any legislation needs to be sufficiently flexible to cover the activities of a wide range of market participants, not just obvious groups such as platform operators and ISPs.  The location of these participants may complicate matters as some may not have operations based in the UK and may try to avoid UK jurisdiction.  In addition, the dominant market position globally of some participants may discourage criticism of their actions by other parties. 

 

28 September 2021


[1] See https://www.ietf.org/about/ 

[2] See RFC 8890, “The Internet is for End Users”, https://www.rfc-editor.org/rfc/rfc8890

[3] See RFC 8484, https://www.rfc-editor.org/rfc/pdfrfc/rfc8484.txt.pdf