[liberationtech] Dear #NETMundial, Governance is cool and all, but we need to DEMAND IPv6 NOW! cc #OurNetMundial

Tue Apr 29 07:18:10 PDT 2014

Many of my friends and colleagues where in Sao Paulo last week for 
NETMundial, the Multi-stakeholder Meeting on the Future of Internet 
Governance. Dilma Rousseff, President of Brazil, convened this 
initiative to "focus on principles of Internet governance and the 
proposal for a roadmap for future development of this ecosystem."

NETMundial was originally motivated by revelations from Edward Snowden 
about mass surveillance conducted by the US and UK governments, 
including spying on President Rouseff herself. These revelations 
prompted Mrs Rousseff to state "In the absence of the right to privacy, 
there can be no true freedom of expression and opinion, and therefore no 
effective democracy" in a speech to the UN at the 68th General Assembly.

Yet, as important as Internet governance is for our future, and as 
valuable any effort to address this is, it is unlikely to do much, if 
anything, about the right to privacy online. Why? Because surveillance 
is not an issue of Internet governance, but of the way the Internet is 
financed. The vast amount of consumer data amassed by private companies 
like Google, Facebook and Verizon is not the result of IANA or ICANN 
policy, but of the business models of these companies which seek to 
generate profits by way of this data. It is inconceivable that these 
companies could amass such vast amounts of consumer data, use it for 
marketing purposes, sell and share access to it with other companies, 
and yet, somehow keep it out of the hands of the NSA and similar 
intelligence agencies. Likewise, the extraordinary hacks, mods and 
exploits the NSA has conducted, as revealed by Snowden, would not be 
thwarted by any IANA regulation. Aggression by the US is not an Internet 
problem, and Internet governance can not do away with it, any more that 
it can do away with drone strikes and regime change projects.

Yet, there is lots that governments can do to ensure the right to 
privacy, and they can do so today, even absent any change in global 
Internet governance.

Governments have the ability to regulate the way Telecomms and Internet 
companies operate within their countries, indeed, the government is no 
stranger to creating regulation. Government regulation ensures buildings 
are built correctly, structurally sound, follow the fire code, etc. 
Governments create rules that make sure highways, roads, and sidewalks 
are used safely. Governments pass laws to prevent consumers from being 
defrauded, create statuary warranties, labour standards, regulate 
broadcast media, etc. Governments can pass regulations to protect the 
right to privacy. The idea that the Governments such as Brazil, Germany 
and the others participating in NETMundial need reforms to IANA and 
friends before they can work towards guaranteeing their own citizens' 
right to privacy is absurd.

To guarantee the right to privacy, communication systems must implement 
the end-to-end principle, which states that functionality ought to 
reside in the end hosts of a network rather than in intermediary nodes. 
The term "end-to-end" principle was coined in a 1981 paper by J.H. 
Saltzer, D.P. Reed and D.D. Clark at the MIT Laboratory for Computer 
Science, "End-to-End Arguments in System Design," in which they 
specifically address privacy.

In the section titled "Secure transmission of data," the authors argue 
that to ensure "that a misbehaving user or application program does not 
deliberately transmit information that should not be exposed," the 
"automatic encryption of all data as it is put into the network [...] is 
a different requirement from authenticating access rights of a system 
user to specific parts of the data." This means that to protect the 
users' rights to privacy, it is not sufficient to encrypt the network 
itself, or even the platform, as this does not protect against the 
operators of the network, or other users who have access to the 
platform. What is needed, the authors argue, is the "use of encryption 
for application-level authentication and protection," meaning that only 
the software run by the user on the end-node, or their own personal 
computer, should be able to encrypt and decrypt information for 
transmission, rather than any intermediary nodes, and only with the 
user's own login credentials.

The end-to-end principle is a key concept in the design of the Internet 
itself, the underlying "Transmission Control Protocol," one of the core 
protocols of the Internet protocol suite (TCP/IP), exemplifies the 
end-to-principle, and allows applications running on remote nodes to use 
the Internet for the reliable communication of arbitrary data across the 
network, without requiring any of the intermediary nodes to know or 
understand the purpose of the data being transmitted.

In principle, therefore, there is absolutely nothing technically 
stopping everybody from employing private communications on the 
Internet. So then, how do we get into this mess we're in now? Why did 
the Internet, which has the end-to-end principle in it's core 
architecture, become host to the most large scale mass surveillance in 
history?

Two reasons: Capitalism and IPv4. Let's start with IPv4.

Internet Protocol Version 4 (IPv4) was created in 1981, the same year 
the Saltzer, Reed, and Clark paper was published. IPv4 provides 
approximately 4.3 billion addresses, which sounds like a lot, until you 
realize the every device that connects to the Internet needs at least 
one. Running out was not presumed to be a big issue at the time, as this 
version was originally presumed to be a test of DARPA's networking 
concepts, and not the final addressing scheme for the global Internet. 
In 1981 4.3 billion addresses seemed like an awful lot, but when the 
public Internet began to take off in the Nineties, it became clear that 
this would not be nearly enough. In 1998 RFC 2460 was released, this 
document is the specification for IPv6, an addressing scheme that allows 
for a near limitless number of addresses, trillions of trillions for 
each person on earth. Yet, as NETMundial was taking place in Brazil, 
nearly 16 years since the protocol was invented, Google reports that 
about 3% of visits to its services use IPv6. The "World IPv6 Launch" 
site, which promotes IPv6 adoption, estimates that more than half 
Internet users around the world will have IPv6 available by 2018. In 
other words, 20 years after the design of the protocol, nearly half of 
all Internet users will not have access. It's important to note that it 
is not hardware adoption that is holding things up, it's highly doubtful 
that many device made in the last 10 years could not support IPv6, it's 
rather that the owners of the networks do not configure their networks 
to support it.

As everybody knows, 20 years is effectively infinity in Internet years. 
With IPv6 a far away utopia, and with IPv4 addresses still the currency 
of Internet service, NAT was developed. The vast majority of devices 
available to users where not assigned public IP addresses, but only 
private ones, separated from the public internet by "Network Address 
Translation" (NAT), a system that allowed the sharing of public IP 
addresses by many end-nodes, this was an effective solution to IPv4 
address exhaustion, but introduced a bigger problem, the network was no 
longer symmetric, software running on users' computers can reach central 
Internet resources, but can not reach other users, who are also on 
private address space, without some intermediary service providing 
access.

What this means is that so long as users' are on private address space, 
any communication system they use requires centralized resources to 
bridge connections between users, and what's more, the scale of these 
central resources must grow in proportion to the the number of users it 
has. In order for the end-to-end principle to be respected, these 
intermediary services need to support it.

And this where we get to to Capitalism part: Building, maintaining and 
scaling these resources requires money. In the case of "web scale" 
platforms, lots of money.

By and large, this money comes from Venture Capital. As Capitalists 
must capture profit or lose their capital, these platforms require 
business models, and while many business models are possible, the most
popular today, the one presumed to be the most lucrative by investors, 
is big data. Thus, instead of respecting the end-to-end principle and 
engineering functionality into the end hosts of a network, capitalists 
instead only invest in applications where core functionality is built 
into the intermediary nodes, that can capture user data and control user 
interaction, which is how they make money.

Capitalist platforms grow and collect data around these intermediary 
nodes in the same way the mould grows around leaky pipes. In order to 
give alternative platforms that respect the right to privacy a fighting 
chance and rid the Internet of the mould of centralize data-collecting 
platforms, we must fix the pipes, we need to remove the asymmetry in the 
network.

We can not allow private initiative alone to push adoption of IPv6, and 
wait however many years or decades it takes to get it. If governments 
want to promote their citizens right to privacy, they need to mandate 
adoption of IPv6, to ensure their citizens are able to use software that 
respects the end-to-end principle.

Here is a charter of rights that all Governments can provide to their 
own citizens right now to promote the right of privacy:

  - IPv6 connectivity with adequate public address space for all!
  - At least one DNS Domain Name for every citizen!
  - At least one Government signed SSL certificate for every citizen!

If each citizen had a public address space, a domain name and a signed 
certificate, the leaky pipes of the Internet could be fixed, the 
surveillance mould would dissipate, and new privacy-respecting 
applications could flourish!

DEMAND IPv6 NOW!

-- 
Dmytri Kleiner
Venture Communist