[discuss] we need to fix what may be broken

Carlos A. Afonso ca at cafonso.ca
Tue Apr 15 21:47:15 UTC 2014

Dear people,

I recall our discussions with folks in the so-called "technical
community" between IGFs 2006 and 2007, in which the mantra "do not fix
what is not broken" was used to convince us all that management of the
logical infrastructure of the net should not be even considered as an
Internet governance topic in the IGF dialogues (and this with the IGF
prohibited from making recommendations). Thanks to pressure from sectors
of civil society and the government of Brazil (host to the 2007 IGF), we
finally managed to insert the theme in the IGF agenda, but it had to go
under the disguise of "critical Internet resources".

A bit more than six years passed, and what we see? Relevant and
frightening examples of the frailty of the current "governance" or
coordination model of the network -- mostly in the expert hands
basically of the I* group of entities and forums, which goes beyond just
names, numbers and protocols, and badly in need of fixing (and I assume
that the fix in general will involve more than just technical
coordination measures):

- The net was revealed as incredibly vulnerable by the revelations on
NSA surveillance, and we discovered that the NIST was at cahoots with
the NSA in "backdooring" the cryptographic systems.

- The IPv6 transition was literally abandoned by Icann. This on the one
hand is good, since I am one of the people who defend the
decentralization of Iana functions, and the RIRs structure works
technically quite well. But they cannot carry alone the burden of the
political/economic aspects of this transition. A more assertive Icann
(and other stances, such as the ITU pressuring their clients, the big
telcos, and equipment manufacturers taking the transition really
seriously) would have helped avoid this situation of crisis in the
addressing system (just read the situation papers and strong alerts by
Geoff Huston), which by the way increases vulnerability of the net with
improvised concoctions such as CGNAT and so on.

- The OpenSSL memory leak bug was sitting in our servers for years, to
the joy of NSA and similar peeking folks, and this is an open source
system maintained by the "technical community" -- supposedly, open
source code is there to be verified, double-checked etc, particularly
such a key security element of the net; there is nothing more disruptive
of the net security that we know of since the net became so pervasive
worldwide; I operate a very small non-profit Web service and am
horrified by the implications of this failure to verify the code.
Literally no one could know how far their servers' data have been
compromised after Heartbleed was sitting there for so many years -- and
who knows how many servers are still in need of patching.

- Now Yahoo decides unilaterally to implement an email verification
feature (DMARC) which is still in beta, affects all its users, and even
the implementation they did is not clear, as Miles Fidelman verified,
and I quote: "They knowingly did massive damage, published some
suggestions on how to mitigate that damage - using a capability defined
in the spec. that they deployed - then say "we don't support that"."

- And there are signs that Gmail may be taking unilateral measures as
well (not clear yet what is being done), as suspected recently by Lauren

In the last two cases, there is a caveat -- they are free, opt-in
services, no one is required to use them to be on the net. But hundreds
of millions of users rely on their services, and these users are
basically "voluntary shareholders" of them, as the profiling of their
presence adds revenue to the respective companies -- but they are a
special kind of shareholders whose share just earns them unlimited mail
and social net services' use in exchange for their profiling. Someone
described these users as "products", which also makes some sense. And
the central fact is that these unilateral measures (using features which
the "technical community" describes as still beta) impact on hundreds of
thousands of email and listserv services worldwide, even on their own
users (!), and their response seems to be "this is what we are doing,

The OpenSSL failure is so incredibly disruptive that some entities who
have Web sites in our servers are happy they never used SSL -- their
argument is: "if I had SSL, it would attract peekers thinking that,
well, this site uses SSL so there may be something worth mining there...
and it is easy to mine!"

Frankly, there are things scarily broken in this "governance" or
coordination system (and let us recall that coordination does not
necessarily mean centralization), and I hope NETmundial will provide an
opportunity to dialogue on what to do. It is the billions of Internet
users who are expecting us to do something better.

fraternal regards

Carlos A. Afonso
[writing in my personal capacity only]

More information about the discuss mailing list