Juan Carlos Zuniga and Mathieu Cunche: “Privacy issues are still not systematically considered by all Standards Developing Organizations”

LINC has interviewed Juan Carlos Zuniga, senior standardisation expert at Sigfox, and Mathieu Cunche, Associate Professor at INSA-Lyon/Inria, member of the Privatics on the need for standardisation on privacy issues. 

LINC: In telecommunications, it is necessary to rely on defined protocols to transmit information between two or more entities. For this, the rules syntax, semantics and synchronization of communication must be precisely specified. Concretely how is this done and by whom?

Juan Carlos Zuniga: The communication protocols that allow interoperability between different modules, products, implementations, etc. are detailed in what are called “standard specifications”. These specifications are written by Standards Developing Organizations (SDOs). The nature of those organizations can vary, but in general they are composed of researchers and engineers coming from the industry and the academy. One notable body is the IETF (Internet Engineering Task Force) that has been active since the beginning of the Internet. IETF has developed protocols like IP, DHCP, DNS, and TCP, which are at the core of the Internet. The IEEE (Institute of Electrical and Electronics Engineers) Standard Association is another standardisation body that has developed protocols such as IEEE 802.3 and IEEE 802.11, the standard specifications behind Ethernet and Wi-Fi respectively. There are several other standardization bodies, each of them focusing on a specific domain; for instance, the 3GPP deals with the mobile telephone communications and the DVB deals with digital video broadcast like TNT (Télévision Numérique Terrestre).

Each group has its own internal rules, but they share some common principles with regard to the process to create and publish a new protocol or standard. Most of the Internet-related standard bodies produce open standard specifications, or simply “standards”, which can be widely implemented by several different academic or commercial entities.

Once adopted, communication standards are thus carved in stone for the long haul. It is therefore important to make things straight before their release. How are privacy aspects taken into account in these working groups?

Mathieu Cunche: Indeed, those communication standards are here to stay for a very long time. Some protocols have been here for decades and are likely to remain active for a while, like the version 4 of the IP protocol that has been used since its publication in the 1980s. Once those protocols are published, it is very difficult to change them. First, it may not be possible to update all the devices using the protocol at once to preserve interoperability between these devices, and second, it may not be possible to update some other devices at all!  This is why this is important to ensure that they do not expose users to privacy breaches from the first inception of the specification. 

Juan Carlos Zuniga: Right now, those privacy issues are not systematically considered by all SDOs. However, we are observing several initiatives to develop privacy preserving protocols or to update existing protocols in order to mitigate privacy issues.

For instance at IETF, there are some groups working to solve privacy issues, like DNS Private Exchange (DPRIVE), there are discussion mailing lists like PERPASS (created after the Snowden revelations), and also published specifications like RFC 8386, Privacy Considerations for Protocols Relying on IP Broadcast or Multicast, and RFC 7217 A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC).

However, while privacy is being acknowledged as a crucial aspect and new laws such as GDPR raise the expectations, why is it so difficult to take privacy into account when working on standardisation of communication protocols?

Juan Carlos Zuniga: In some standardisation bodies, most developments are driven by commercial entities. Commercial companies are still reluctant to consider privacy issues, as they may not see a direct benefit for their business. Also, it is believed that adding privacy considerations can increase systems complexity and induce additional costs. 

However, as end users of the technology are becoming more aware of privacy issues, privacy features are becoming an attractive marketing feature. Furthermore, the economic impact of a privacy scandal (e.g. a hack) can bring completely down a full company.

Mathieu Cunche: In the standardisation bodies, privacy efforts are often led by academics and NGOs, even if some industrial representatives like Juan Carlos are actively working to promote privacy. Actively participating to standardisation bodies requires a significant implication and investment to follow the discussion and to participate often in person to the regular worldwide meetings. Participating in standardisation activities is thus time consuming and has a financial cost that can be difficult to sustain for academics and NGOs.  

Could you give us examples on how the establishment of flawed communication protocols can impact privacy in our everyday life?

Mathieu Cunche: Let’s take the example of Wi-Fi and the associated standard IEEE 802.11. This standard describes a protocol that enables devices to communicate wirelessly over a radio signal. A key element of this standard is the identification of devices that is done with the MAC address, a unique identifier tied to each device. The problem is that this identifier is transmitted in clear on the channel, when the device sends a message, connects to a network or simply searches for a network. This flaw has been exploited to track users without their consent in the physical world [see Mathieu Cunche and Célestin Matte’s interview on this subject]. 

Mitigation techniques have been independently developed and some commercial implementations have already included them in commercial products. However, those techniques have not yet been included in the full 802.11 standard itself. Having features developed and implemented by several actors may lead to compatibility issues. The very issue that standards are supposed to solve. 

Juan Carlos, you are actively involved with IETF and IEEE on these issues. What is the state of play and what are the next steps?

Juan Carlos Zuniga: At IETF, the issue of Privacy has been considered very seriously already for a few years. For instance, I participate with the Internet Architecture Board (IAB) in the Privacy and Security program where we develop, synthesize and promote security and privacy guidance within the IETF and the wide Internet technical standards community. 

Also, at IEEE 802, I chaired an Executive Committee Privacy Study Group that was created in 2014 to study the Privacy issues in IEEE 802 protocol specifications and assess possible solutions. As a result of the work from the Study Group, the IEEE 802E specification is now being finalized and once published it will provide recommendations to standards developers about how to consider and how to avoid creating any privacy issues when developing new protocol specifications. 

These efforts are not sufficient to solve all existing privacy issues related to telecommunication standards. However, it is a big step towards making sure that standards in the future take into account the privacy of individuals and protect them from potential threats.