Hi TLS Working Group, Writing strictly in personal capacity wearing no other hats.
The email with the above subject line was brought to my attention, and having read it, I felt the need to subscript to the list and make some observations > Having said that, mine is a new personality to many in the wg. So, ECH > being an understandably sensitive topic, a few (personal) qualifiers > before the main discussion: (i) Yes, the purpose of this note is to > raise matters related to larger-scale risks to content operators, > their end-users, and maybe customers; also (ii) no, none of the > discussion suggests that ECH should be halted. > **Short setup**: There is more attention than ever on Internet > operations from non-Internet governance and, in this context, it is > possible that ECH presents a greater risk to the Internet than > benefit, if deployed. And as a result, it is possible that servers and > content operators *may* have more reasons not to deploy. I want to say to the TLS working group that in my experience, working for an operator, the exact opposite of this is true. In fact, the faster that ECH goes into production the better, and this is both from a privacy perspective and a legal perspective. Recently, a content broadcaster issued take down notices in Kenya for more than 800 sites that apparently contained pirated live streams of sports games. They demanded that all such sites be blocked forthwith. The sites were not hosted by the providers these notices were issued to, they were general across the internet. Using a clause in the current Kenyan law, when the take down notices were ignored, they sued one of the ISP's and the largest of the mobile networks in Kenya under an obscure clause in the copyright act. They won the case and the case is now going to appeal. (See https://www.businessdailyafrica.com/bd/corporate/companies/safaricom-loses-fight-over-dstv-pirating-dispute-3858050) The only real hope to get this overturned is to argue that what they are asking for is impractical and cannot be done. ECH - apart from being a good idea in terms of privacy and other aspects, is also a critical part of the arguments that will be made, because while now using the SNI, ISP's can filter based on the domains, once ECH is there, it becomes impossible to see even the domains, and practicality kicks in here. So, rather than creating legal risk, ECH creates a situation where absurdity can be fought against in a court of law. Basically - ECH takes what these broadcasters are asking for from the impractical, bizarre and damaging to the internet and makes it almost impossible to do on any scale, and this argument is almost sure to end up in court soon, citing the draft and the fact that ECH exists in beta form in multiple browser implementations. So - Rather than arguing that ECH creates liability, from my perspective, ECH REDUCES liability, because strengthens the case for "plausible deniability" and gives far stronger teeth to the argument that the ISP cannot filter what the ISP cannot see. I long for the day this goes to last call - and gets ratified - because speaking with an operator hat on - particularly in my part of the world - it will be a welcomed and applauded development. Thanks Andrew _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
