Today, IGP releases a new research paper on the politics of the new Transport Layer Security standard: Standardizing Security: Surveillance, Human Rights, and TLS 1.3. The research was done by Colin J. Kiernan, a graduate of Georgia Tech’s Masters of Science in Cybersecurity Policy program, with theoretical work by Dr. Milton Mueller.
TLS version 1.3 was developed by the Internet Engineering Task Force (IETF) after the Snowden revelations in an attempt to improve privacy and security on the internet. At about the same time, human rights activists entered the IETF and began promoting the idea that human rights could be “hard coded” into standards. These efforts raised important and interesting questions about whether technical standards “have” politics and the extent to which the design of protocols embody or enforce values upon society as a whole.
Standardizing Security develops a conceptual framework for understanding the relationship between technical standards and political/social effects. We identify three distinct ways of understanding this relationship: 1) by examining the interest groups who shaped the standard, which we call the Political Economy of Standardization (PES); 2) by focusing on the Societal Effects of Standards (SES) which refers to cumulative effects of adoption and implementation decisions over time; and 3) the idea that politics and rights are embedded in the standard; i.e., that Protocols Have Politics (PHP). We then perform a detailed analysis of the controversies around the design, adoption and implementation of TLS 1.3.
We find that the PHP approach had limited explanatory value compared to the PES and SES approaches. TLS 1.3 does in fact strengthen confidentiality – and technical efficiency – if adopted and implemented as intended. But the design of TLS 1.3’s stronger confidentiality measures met with resistance from corporate network operators who wanted more visibility into their internal networks and some governmental interests, leading to the development of an alternate standard by ETSI. There are also technical measures that can be deployed to undermine perfect forward secrecy. Additionally, authoritarian governments are now taking measures to block use of the new protocol. TLS 1.3 was an improvement, but its effects were limited.
By conveying the idea that political, economic and social effects can be hard coded into protocol designs, the protocols-have-politics view short-circuits careful analysis of the way standards contribute to governance. It also drastically overstates the role of protocol design in internet governance. Rights advocates and internet governance participants need to have more realistic ideas about what measures advance human rights on the internet.