
Surveillance principles draft


mer...@mozilla.com

Sep 2, 2015, 5:53:09 PM
to mozilla-g...@lists.mozilla.org
Hi all,

Members of the platform, policy, and legal teams at Mozilla have been working to create a set of principles that should serve as a guide to government surveillance activities, and that are grounded in our commitment to trust and openness online. We would appreciate your input on these. Check them out below.

The following three principles, derived from the Mozilla Manifesto, offer a Mozilla way of thinking about the complex landscape of government surveillance and law enforcement access. We are not proposing a comprehensive list of good or bad government practices, but rather describing the kinds of activities in this space that would protect the underpinnings and integrity of the Web:

1) User Security
Mozilla Manifesto Principle #4 states "Individuals' security and privacy on the Internet are fundamental and must not be treated as optional." Governments should act to bolster user security, not to weaken it. Encryption is a key tool in improving user security.

Requirements that systems be modified to enable government access to encrypted data are a threat to users' security. The primary aim of computer security is to protect user data against any access not authorized by the user; allowing law enforcement access violates that design requirement and makes the system inherently weaker against attacks that it is intended to defend against. Once systems are modified to enable law enforcement access by one government, vendors will be under enormous pressure to provide access to other governments. It will not be possible in practice to restrict access to only "friendly" actors. Moreover, the more government actors have access to monitoring capabilities, the greater the risk that non-governmental cyberattackers will obtain access. Endpoint law enforcement access requirements are also incompatible with open source and open systems because they conflict with users' right to know and control the software running on their own devices.

2) Minimal Impact
Mozilla Principle #2 states that the Internet is a global public resource. Government surveillance decisions should take into account global implications for trust and security online by focusing activities on those with minimal impact.

Efforts should be made to collect only the information that is needed. Whenever possible, only data on specific, identifiable users should be collected, rather than collecting data from a large group of users with the expectation that it can be triaged later. Activities should be designed to minimize their impact on the Internet infrastructure and on user trust. Compromise of or unauthorized access to third party infrastructure or systems should be avoided if at all possible and is wholly unacceptable if other avenues for obtaining third party cooperation are available.

3) Accountability
Mozilla Principle #8 calls for transparent community-based accountability as the basis for user trust. Because surveillance activities are (and inherently must be, to some degree) conducted in secret, independent oversight bodies must be effectively empowered and must communicate with and on behalf of the public to ensure democratic accountability.

A strong oversight regime involves several components. Oversight should be conducted outside of those agencies responsible for the programs themselves, by bodies with broad mandates and access, technical competence, and enforcement authority. Oversight should include statutory transparency requirements that allow the public to know that aggressive oversight is taking place and to be able to know the scope and scale of government access to user data. Finally, oversight should be evidence-based and start with an analysis of the national security benefits and potential harms of programs in question.

Rastus Vernon

Sep 3, 2015, 7:55:03 PM
to gover...@lists.mozilla.org
That's excellent! Point two seems weaker than the two others.

Gervase Markham

Sep 4, 2015, 4:50:24 AM
to mer...@mozilla.com
Hi Marshall,

This is great - thanks for putting it together.

On 02/09/15 22:53, mer...@mozilla.com wrote:
> 2) Minimal Impact Mozilla Principle #2 states that the Internet is a
> global public resource. Government surveillance decisions should take
> into account global implications for trust and security online by
> focusing activities on those with minimal impact.

What does "those" refer to in this last sentence?

> Efforts should be made to collect only the information that is
> needed. Whenever possible, only data on specific, identifiable users
> should be collected, rather than collecting data from a large group
> of users with the expectation that it can be triaged later.
> Activities should be designed to minimize their impact on the
> Internet infrastructure and on user trust. Compromise of or
> unauthorized access to third party infrastructure or systems should
> be avoided if at all possible and is wholly unacceptable if other
> avenues for obtaining third party cooperation are available.

I would add: and this applies even if access through those legal avenues
is denied. (I.e. you can't go and hack Google's computers because a
judge turns down your warrant.)

> oversight should be evidence-based and start with an analysis of the
> national security benefits and potential harms of programs in
> question.

This is a good point, but is it related to the oversight, or to the
policies? That is to say, I think oversight is about "making sure they
do what the law says", but an analysis of benefits and harms is about
"making sure the law says the right thing".

Gerv

Gervase Markham

Sep 4, 2015, 4:50:36 AM
to mozilla-g...@lists.mozilla.org
On 04/09/15 00:53, Rastus Vernon wrote:
> That's excellent! Point two seems weaker than the two others.

How so? What would you prefer it to say? :-)

Gerv

Marshall Erwin

Sep 4, 2015, 6:10:55 PM
to Gervase Markham, mozilla-g...@lists.mozilla.org
Thanks Gerv. See below.

On Fri, Sep 4, 2015 at 1:49 AM, Gervase Markham <ge...@mozilla.org> wrote:

> Hi Marshall,
>
> This is great - thanks for putting it together.
>
> On 02/09/15 22:53, mer...@mozilla.com wrote:
> > 2) Minimal Impact Mozilla Principle #2 states that the Internet is a
> > global public resource. Government surveillance decisions should take
> > into account global implications for trust and security online by
> > focusing activities on those with minimal impact.
>
> What does "those" refer to in this last sentence?
>

This should be reworded. "focusing on those [activities] with minimal
impact."


>
> > Efforts should be made to collect only the information that is
> > needed. Whenever possible, only data on specific, identifiable users
> > should be collected, rather than collecting data from a large group
> > of users with the expectation that it can be triaged later.
> > Activities should be designed to minimize their impact on the
> > Internet infrastructure and on user trust. Compromise of or
> > unauthorized access to third party infrastructure or systems should
> > be avoided if at all possible and is wholly unacceptable if other
> > avenues for obtaining third party cooperation are available.
>
> I would add: and this applies even if access through those legal avenues
> is denied. (I.e. you can't go and hack Google's computers because a
> judge turns down your warrant.)
>

Good point. I think this is implicit but could be more clear.


>
> > oversight should be evidence-based and start with an analysis of the
> > national security benefits and potential harms of programs in
> > question.
>
> This is a good point, but is it related to the oversight, or to the
> policies? That is to say, I think oversight is about "making sure they
> do what the law says", but an analysis of benefits and harms is about
> "making sure the law says the right thing".
>

Good oversight is actually about both and for most of the key oversight
bodies, their writ isn't just about making intelligence agencies do what
the law says but actually also about making sure they do the appropriate
policy balancing within the bounds of the law. This is more true of
legislative bodies and slightly less true of Judicial oversight bodies. One
key problem with many of these bodies today is that they focus on litigious
analysis to the exclusion of sound policy analysis, a problem that is
magnified by the fact that the activities take place in secret and are thus
not subject to sound *public* policy analysis.


>
> Gerv
>

Mike Hoye

Sep 9, 2015, 12:23:57 PM
to gover...@lists.mozilla.org

On 2015-09-02 5:53 PM, mer...@mozilla.com wrote:
> 1) User Security
> Mozilla Manifesto Principle #4 states "Individuals' security and privacy on the Internet are fundamental and must not be treated as optional." Governments should act to bolster user security, not to weaken it. Encryption is a key tool in improving user security.
>
> Requirements that systems be modified to enable government access to encrypted data are a threat to users' security. The primary aim of computer security is to protect user data against any access not authorized by the user; allowing law enforcement access violates that design requirement and makes the system inherently weaker against attacks that it is intended to defend against. Once systems are modified to enable law enforcement access by one government, vendors will be under enormous pressure to provide access to other governments. It will not be possible in practice to restrict access to only "friendly" actors. Moreover, the more government actors have access to monitoring capabilities, the greater the risk that non-governmental cyberattackers will obtain access. Endpoint law enforcement access requirements are also incompatible with open source and open systems because they conflict with users' right to know and control the software running on their own devices.
I realize that computer security is complicated, but there's a lot of
words here and they're kind of hard for me to understand. Active v.
passive voice and the subject-object relationship in this paragraph are
all over the place, and the meaning of "act to bolster" is a little opaque.

Can I take a run at this?

"Mozilla Manifesto Principle #4 states "Individuals' security and
privacy on the Internet are fundamental and must not be treated as
optional. Governments' actions should improve citizens' security and
freedom, not weaken them, and encryption is a core tool for
strengthening both."

"Any requirement that systems be designed or modified to enable
third-party access to encrypted data undermines user security. The goal
of computer security is to protect users' data from any access that user
has not authorized; any mechanism that allows the state to circumvent
the users' wishes can be co-opted and abused by other states or
non-state actors to do the same. The same is true of surveillance and
monitoring tools; it is impossible in practice to tell a lawful actor
with "backdoor" access from an unlawful one. Without the transparency
and accountability of open source software and open systems designed to
secure user data rather than facilitate third-party access, those
systems that states use are increasingly vulnerable to foreign and
non-state compromise."

I'm not all that happy with that paragraph, but I think it's an
improvement. I understand that we're elaborating a set of nuanced
principles here, but a document like this also has to be a call to the
barricades. Whatever wording we use when we're talking about our
principles can't feel like corporate boilerplate. It has to feel like
there's blood pumping through it, like it's worth standing your ground for.


- mhoye

R Kent James

Sep 9, 2015, 2:36:42 PM
to mozilla-g...@lists.mozilla.org
On 9/9/2015 9:23 AM, Mike Hoye wrote:
> "Any requirement that systems be designed or modified to enable
> third-party access to encrypted data undermines user security. The goal
> of computer security is to protect users' data from any access that user
> has not authorized; any mechanism that allows the state to circumvent
> the users' wishes can be co-opted and abused by other states or
> non-state actors to do the same. The same is true of surveillance and
> monitoring tools; it is impossible in practice to tell a lawful actor
> with "backdoor" access from an unlawful one. Without the transparency
> and accountability of open source software and open systems designed to
> secure user data rather than facilitate third-party access, those
> systems that states use are increasingly vulnerable to foreign and
> non-state compromise."

There is an implicit assumption in the way this is worded that "MY
government is assumed to be benign, but YOUR government may be dangerous."

There's a hint of trying to be politically sensitive to the fact that
we all have to live under some government that we don't want to
antagonize, but we want to find acceptable reasons why we will deny them
access to our user's data without actually coming out and saying that
the government itself might be evil. But face it, some are - maybe even
yours (or mine) without naming any nationalities here.

Do we really have to be that cautious in our wording? Is there some way
that you can say that Mozilla is an international organization that
appeals to a diverse audience, and we cannot make any a priori
assumptions about who is or is not a legitimate entity that should have
privileged access to our user's data (subject to the laws that we are
forced to obey)?

Nit: "from any access that user has not authorized" is really begging
for a double that "access that that user". I agree with
http://english.stackexchange.com/questions/3418/how-do-you-handle-that-that-the-double-that-problem
: "it was a logic distractor, could lead to confusion, and therefore
should be reworded to avoid this."

As a side note, Thunderbird is starting to work closely with the Pretty
Easy Privacy Foundation http://pep-project.org to make end-to-end
communication encryption a priority, so this issue is pretty close to
our heart these days. See also the large number of comments at
https://blog.mozilla.org/thunderbird/2015/08/thunderbird-and-end-to-end-email-encryption-should-this-be-a-priority/

R Kent James
Chair, Thunderbird Council

Majken Connor

Sep 9, 2015, 7:42:56 PM
to R Kent James, mozilla-g...@lists.mozilla.org
On Wed, Sep 9, 2015 at 2:36 PM, R Kent James <ke...@caspia.com> wrote:

> On 9/9/2015 9:23 AM, Mike Hoye wrote:
>
>> "Any requirement that systems be designed or modified to enable
>> third-party access to encrypted data undermines user security. The goal
>> of computer security is to protect users' data from any access that user
>> has not authorized; any mechanism that allows the state to circumvent
>> the users' wishes can be co-opted and abused by other states or
>> non-state actors to do the same. The same is true of surveillance and
>> monitoring tools; it is impossible in practice to tell a lawful actor
>> with "backdoor" access from an unlawful one. Without the transparency
>> and accountability of open source software and open systems designed to
>> secure user data rather than facilitate third-party access, those
>> systems that states use are increasingly vulnerable to foreign and
>> non-state compromise."
>>
>
> There is an implicit assumption in the way this is worded that "MY
> government is assumed to be benign, but YOUR government may be dangerous."
>

I don't read it that way, could you be more specific on what parts give you
this impression? I'd like to see if I can see it once you point it out. I
am reading with the context that I know Western governments are actively
trying to subvert encryption and create back doors.


>
> There's a hint of trying to be politically sensitive to the fact that
> we all have to live under some government that we don't want to antagonize,
> but we want to find acceptable reasons why we will deny them access to our
> user's data without actually coming out and saying that the government
> itself might be evil. But face it, some are - maybe even yours (or mine)
> without naming any nationalities here.
>
> Do we really have to be that cautious in our wording? Is there some way
> that you can say that Mozilla is an international organization that appeals
> to a diverse audience, and we cannot make any a priori assumptions about
> who is or is not a legitimate entity that should have privileged access to
> our user's data (subject to the laws that we are forced to obey)?
>
> Nit: "from any access that user has not authorized" is really begging for
> a double that "access that that user". I agree with
> http://english.stackexchange.com/questions/3418/how-do-you-handle-that-that-the-double-that-problem
> : "it was a logic distractor, could lead to confusion, and therefore should
> be reworded to avoid this."
>
> As a side note, Thunderbird is starting to work closely with the Pretty
> Easy Privacy Foundation http://pep-project.org to make end-to-end
> communication encryption a priority, so this issue is pretty close to our
> heart these days. See also the large number of comments at
> https://blog.mozilla.org/thunderbird/2015/08/thunderbird-and-end-to-end-email-encryption-should-this-be-a-priority/
>
> R Kent James
> Chair, Thunderbird Council
>

Gijs Kruitbosch

Sep 10, 2015, 7:29:20 AM
to Majken Connor, R Kent James
On 10/09/2015 00:42, Majken Connor wrote:
> On Wed, Sep 9, 2015 at 2:36 PM, R Kent James <ke...@caspia.com> wrote:
>
>> On 9/9/2015 9:23 AM, Mike Hoye wrote:
>>
>>> "Any requirement that systems be designed or modified to enable
>>> third-party access to encrypted data undermines user security. The goal
>>> of computer security is to protect users' data from any access that user
>>> has not authorized; any mechanism that allows the state to circumvent
>>> the users' wishes can be co-opted and abused by other states or
>>> non-state actors to do the same. The same is true of surveillance and
>>> monitoring tools; it is impossible in practice to tell a lawful actor
>>> with "backdoor" access from an unlawful one. Without the transparency
>>> and accountability of open source software and open systems designed to
>>> secure user data rather than facilitate third-party access, those
>>> systems that states use are increasingly vulnerable to foreign and
>>> non-state compromise."
>>>
>>
>> There is an implicit assumption in the way this is worded that "MY
>> government is assumed to be benign, but YOUR government may be dangerous."
>>
>
> I don't read it that way, could you be more specific on what parts give you
> this impression? I'd like to see if I can see it once you point it out. I
> am reading with the context that I know Western governments are actively
> trying to subvert encryption and create back doors.

I see two instances:

> any mechanism that allows the state to circumvent the users' wishes
> can be co-opted and abused by other states or non-state actors to do
> the same.

which can be read to imply "the state" has a legitimate right to
circumvent the users' wishes, and "other states" do not, ie one is
"benign" and the other "dangerous".

I agree that there is little point in making this distinction unless we
are actively marketing towards governments who want us to assume their
goodwill/benevolence, which I don't think this paragraph needs to do. We
could avoid the reading I tried to explain by stating something like
"even if one assumes the need for and legitimacy of a mechanism to
circumvent the users' wishes for use by a 'blessed' actor, such a
mechanism can be co-opted and abused by other actors to do the same."

The other instance is:

> those systems that states use are increasingly vulnerable to foreign
> and non-state compromise.

Where I think there's a simple solution of just omitting "foreign and
non-state", and perhaps "that states use" as well.


Reading both the original and mhoye's version, both have the issue R
Kent noted. However, mhoye's version seems (to me) to be making a
stronger claim than the original in that it implies it is technically
*impossible* to make a 'backdoor' that can only be used by the "right"
actor, rather than a more vague slippery-slope-type formulation in the
original (that once we start with making these backdoors, we'll have to
make more of them, and that road isn't one we want to be walking).

I agree with the stronger point mhoye makes, but it's a more contentious
one (rightly or wrongly) and we should be conscious of, and willing to
make, that argument, if we incorporate it in the text.

~ Gijs


Majken Connor

Sep 10, 2015, 11:15:32 AM
to Gijs Kruitbosch, mozilla-g...@lists.mozilla.org, R Kent James
On Thu, Sep 10, 2015 at 7:28 AM, Gijs Kruitbosch <gijskru...@gmail.com>
wrote:

> On 10/09/2015 00:42, Majken Connor wrote:
>
>> On Wed, Sep 9, 2015 at 2:36 PM, R Kent James <ke...@caspia.com> wrote:
>>
>>> On 9/9/2015 9:23 AM, Mike Hoye wrote:
>>>>
>>>> "Any requirement that systems be designed or modified to enable
>>>> third-party access to encrypted data undermines user security. The goal
>>>> of computer security is to protect users' data from any access that user
>>>> has not authorized; any mechanism that allows the state to circumvent
>>>> the users' wishes can be co-opted and abused by other states or
>>>> non-state actors to do the same. The same is true of surveillance and
>>>> monitoring tools; it is impossible in practice to tell a lawful actor
>>>> with "backdoor" access from an unlawful one. Without the transparency
>>>> and accountability of open source software and open systems designed to
>>>> secure user data rather than facilitate third-party access, those
>>>> systems that states use are increasingly vulnerable to foreign and
>>>> non-state compromise."
>>>>
>>>>
>>> There is an implicit assumption in the way this is worded that "MY
>>> government is assumed to be benign, but YOUR government may be
>>> dangerous."
>>>
>>>
>> I don't read it that way, could you be more specific on what parts give
>> you
>> this impression? I'd like to see if I can see it once you point it out. I
>> am reading with the context that I know Western governments are actively
>> trying to subvert encryption and create back doors.
>>
>
> I see two instances:
>
>> any mechanism that allows the state to circumvent the users' wishes
>> can be co-opted and abused by other states or non-state actors to do
>> the same.
>>
>
> which can be read to imply "the state" has a legitimate right to
> circumvent the users' wishes, and "other states" do not, ie one is "benign"
> and the other "dangerous".
>

Ah, see I see this as addressed *to* the governments. The arguments they're
making are that "we need these back doors to keep our people safe" and I
read this as being told to them "if you can do it, so can your enemies, you
don't actually want this." You don't have to agree with someone's
conclusions to help them see that even if you accept their arguments it
still boils down to "this is bad."


>
> I agree that there is little point in making this distinction unless we
> are actively marketing towards governments who want us to assume their
> goodwill/benevolence, which I don't think this paragraph needs to do. We
> could avoid the reading I tried to explain by stating something like "even
> if one assumes the need for and legitimacy of a mechanism to circumvent the
> users' wishes for use by a 'blessed' actor, such a mechanism can be
> co-opted and abused by other actors to do the same."
>
>
Right, I read it as neutral because it doesn't say if it's good or not for
the state to do it, just acknowledging that the state wants to do it. But I
agree that leaving it neutral leaves it open for different readings,
something could be added here.


> The other instance is:
>
>> those systems that states use are increasingly vulnerable to foreign
>> and non-state compromise.
>>
>
> Where I think there's a simple solution of just omitting "foreign and
> non-state", and perhaps "that states use" as well.
>
>
True, there are instances of people abusing state resources, though I do
read this as being directed towards governments and that doesn't need to be
pointed out to them to get the point across, and including that might make
them more defensive.

R Kent James

Sep 11, 2015, 1:37:53 AM
to mozilla-g...@lists.mozilla.org
On 9/9/2015 4:42 PM, Majken Connor wrote:
>> There is an implicit assumption in the way this is worded that "MY
>> government is assumed to be benign, but YOUR government may be dangerous."
>>
> I don't read it that way, could you be more specific on what parts give you
> this impression? I'd like to see if I can see it once you point it out. I
> am reading with the context that I know Western governments are actively
> trying to subvert encryption and create back doors.
>
>

I think that Gijs accurately pointed out the areas where this was
implicit in the draft.

In a followup, Majken replied "Ah, see I see this as addressed *to* the
governments." If that is the case, that would affect my reading. Are
governments the intended audience of this document? The intro calling
this "a guide to government surveillance activities" could be read that
this document is meant to be directed specifically at governments.

:rkent

sopa arbuckle

Oct 20, 2015, 4:58:53 AM
to mozilla-g...@lists.mozilla.org
ok. Thank you