IETF Policy on Wiretapping
RFC 2804

Document Type RFC - Informational (May 2000; Errata)
Last updated 2015-11-11
Stream IAB
Network Working Group                                               IAB
Request for Comments: 2804                                         IESG
Category: Informational                                        May 2000

                       IETF Policy on Wiretapping

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   The Internet Engineering Task Force (IETF) has been asked to take a
   position on the inclusion into IETF standards-track documents of
   functionality designed to facilitate wiretapping.

   This memo explains what the IETF thinks the question means, why its
   answer is "no", and what that answer means.

1. Summary position

   The IETF has decided not to consider requirements for wiretapping as
   part of the process for creating and maintaining IETF standards.

   It takes this position for the following basic reasons:

   - The IETF, an international standards body, believes itself to be
     the wrong forum for designing protocol or equipment features that
     address needs arising from the laws of individual countries,
     because these laws vary widely across the areas that IETF standards
     are deployed in.  Bodies whose scope of authority corresponds to a
     single regime of jurisdiction are more appropriate for this task.

   - The IETF sets standards for communications that pass across
     networks that may be owned, operated and maintained by people from
     numerous jurisdictions with numerous requirements for privacy.  In
     light of these potentially divergent requirements, the IETF
     believes that the operation of the Internet and the needs of its
     users are best served by making sure the security properties of
     connections across the Internet are as well known as possible.  At
     the present stage of our ignorance this means making them as free
     from security loopholes as possible.

   - The IETF believes that in the case of traffic that is today going
     across the Internet without being protected by the end systems (by
     encryption or other means), the use of existing network features,
     if deployed intelligently, provides extensive opportunities for
     wiretapping, and should be sufficient under presently seen
     requirements for many cases. The IETF does not see an engineering
     solution that allows such wiretapping when the end systems take
     adequate measures to protect their communications.

   - The IETF believes that adding a requirement for wiretapping will
     make affected protocol designs considerably more complex.
     Experience has shown that complexity almost inevitably jeopardizes
     the security of communications even when it is not being tapped by
     any legal means; there are also obvious risks raised by having to
     protect the access to the wiretap. This is in conflict with the
     goal of freedom from security loopholes.

   - The IETF restates its strongly held belief, stated at greater
     length in [RFC 1984], that both commercial development of the
     Internet and adequate privacy for its users against illegal
     intrusion require the wide availability of strong cryptographic
     technology.

   - On the other hand, the IETF believes that mechanisms designed to
     facilitate or enable wiretapping, or methods of using other
     facilities for such purposes, should be openly described, so as to
     ensure the maximum review of the mechanisms and ensure that they
     adhere as closely as possible to their design constraints. The IETF
     believes that the publication of such mechanisms, and the
     publication of known weaknesses in such mechanisms, is a Good
     Thing.

2. The Raven process

   The issue of the IETF doing work on legal intercept technologies came
   up as a byproduct of the extensive work that the IETF is now doing in
   the area of IP-based telephony.

   In the telephony world, there has been a tradition of cooperation
   (often mandated by law) between law enforcement agencies and
   telephone equipment operators on wiretapping, leading to companies
   that build telephone equipment adding wiretapping features to their
   telephony-related equipment, and an emerging consensus in the
   industry of how to build and manage such features. Some traditional