Recent Trends on Privacy-Preserving Technologies under Standardization at the IETF

End-users are concerned about protecting the privacy of their sensitive personal data that are generated while working on information systems. This extends to both the data they actively provide including personal identification in exchange for products and services as well as its related metadata such as unnecessary access to their location. This is when certain privacy-preserving technologies come into a place where Internet Engineering Task Force (IETF) plays a major role in incorporating such technologies at the fundamental level. Thus, this paper offers an overview of the privacy-preserving mechanisms for layer 3 (i.e. IP) and above that are currently under standardization at the IETF. This includes encrypted DNS at layer 5 classified as DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), and DNS-over-QUIC (DoQ) where the underlying technologies like QUIC belong to layer 4. Followed by that, we discuss Privacy Pass Protocol and its application in generating Private Access Tokens and Passkeys to replace passwords for authentication at the application layer (i.e. end-user devices). Lastly, to protect user privacy at the IP level, Private Relays and MASQUE are discussed. This aims to make designers, implementers, and users of the Internet aware of privacy-related design choices.Comment: 9 pages, 5 figures, 1 tabl

Rethinking Privacy Online and Human Rights:The Internet’s Standardisation Bodies as the Guardians of Privacy Online in the Face of Mass Surveillance

There is a growing literature revolving around the role of non-state actors in the international law-making process. The starting point of this article is that, although informal international law-making may not be legally binding, it would be unwise to dismiss it as legally irrelevant. Informal law-making can be relevant with respect to conceptualising and applying existing law as well as guiding future regulation. The present discussion is placed in the context of cyberspace and, more specifically, the Internet standardisation bodies’ informal law-making functions when creating Internet protocols (by setting Internet standards). The article addresses the legitimacy and the ongoing work of the Internet Advisory Board and Internet Engineering Task Force in setting Internet standards with the aim to protect Internet users from mass surveillance and serious threats to privacy online. The article makes two main arguments. First, the effective protection of online privacy cannot be understood only in terms of compliance with legal frameworks but that – in practice - it also needs to be secured through technological means. Second, in the area of online privacy informal law-making and international law converge in a distinctive way. Internet standards should not necessarily be seen as “living a parallel life” to law or as displacing or merely complementing the law. Technical standards and international law can actively inform one another and converge in their application. The analysis explores the implications of the Internet’s technical features to policy-making and legal reasoning by discussing state and judicial practice. The article demonstrates how the technical perspective on privacy informs and enriches the manner in which the legal advisor argues about privacy, the legislator articulates the interests at stake and the judge and practitioner interpret and apply international human rights law. <br/

Engineering and lawyering privacy by design:understanding online privacy both as a technical and an international human rights issue

There is already evidence that “governmental mass surveillance emerges as a dangerous habit”. Despite the serious interests at stake, we are far from fully comprehending the ramifications of the systematic and pervasive violation of privacy online. This article underscores the reasons that policy-makers and lawyers must comprehend and value privacy not only as a human rights issue, but also as a fundamental technical property for the well-functioning of the Internet. The analysis makes two main arguments. First, it argues that the effective protection of online privacy cannot be thought of only in terms of compliance with legal frameworks but that – in practice - it also needs to be secured through technological means, such as privacy enhancing technologies and, most importantly, Privacy by Design. Recent developments in the standardization work of the Internet Advisory Board and the Internet Engineering Task Force suggest a paradigm shift with respect to integrating Privacy by Design into the core Internet protocols. The consideration of privacy as a requirement in the design of the Internet will have a significant impact on reducing states’ capability to conduct mass surveillance and on protecting the privacy of global end-users. Second, the article argues that Internet standards should not be seen as “living a parallel life” to, or as displacing or merely complementing, international human rights law. Technical standards and international law can actively inform one another. The analysis and findings demonstrate how the technical perspective on privacy can inform and enrich policy-making and legal reasoning