PEARG notes, Friday Nov 7th 2025

• Administrivia
• note taker: Alex Railean

Measuring and understanding ECH deployment

• introduce the problem - the TLS handshake contains the name of the
  host you want to connect to (via SNI) --> privacy issue
• ECH aims to solve that problem
• a scan of the Internet shows that realistically, Cloudflare is the
  only real world deployment of ECH

• in some cases ECH is deliberately blocked

  • evidence of adversarial interference
  • e.g., in Russia

• sometimes users disable ECH themselves

• Refs
  • docs.ooni.org

Q&A and remarks

• Christopher Patton: Cloudflare expected that things would break
  because ECH will be blocked.

• Andrew Campling:

  • Russia blocking ECH was not collateral damage, but a deliberate
    policy enforced by the state
  • ECH only gives privacy against on-path observers, but not
    against CDNs
  • Response
    • we got notified by Roskomnadzor that the site will be
      blocked with info about what you can do as a site operator
    • the question is not whether you're pwned, but who pwned you?

• Flo D: please interpret the plot charts for us

  • Answer: I don't know
  • action item: will be explained on the mailing list

• Nick Doty: regarding 2nd order effects, consider the advantages of
  greatly expanding the number of stakeholders that implement this
  feature

  • Answer: this is a complex system with many interdependencies,
    there will be ripple-effects that are difficult to predict. Ref
    to forecasting models that combine multiple models in order to
    produce better forecasts.

Bespoke threat models - achieving realistic privacy guarantees for deployed protocols

Speaker: Kyle Hogan
Ref to their PhD thesis, expanded version of this slide deck (TODO: add
a link to it, DOI)

• dilemma: view ads or pay money
• a new twist: "pay for privacy"
• <... see slide deck>

Q&A and remarks

• Rohan Mahy: what should we do instead?

  • Answer: don't do metrics that are not targeting-aware.

• Bob Beck: think about your attackers, their motivation and how much
  energy they're willing to put it. Consider on what it takes to raise
  the bar, even if it won't bring a perfect solution

  • Answer: some invasive
    initiatives were brought down by authorities that look into
    anti-competitive practices, rather than by privacy-focused
    organizations.[..] Incremental improvements are worth doing.

Policy threats to encryption

Speaker: Mallory Knodel
Presentation focused on ChatControl

Refs:

• globalencryption.org

• such initiatives are present in various parts of the world, e.g.,
  Europe, in India and Canada

• approaches

  • client-side scanning

    • content is scanned before being uploaded
    • IAB open talk @IETF 122 explains the issues with this
      approach
    • key issue - it will scan everthing

  • link-tracking

    • track users, e.g., for the purpose of attribution in
      pay-per-view scenarios
    • requires access to message content

  • traceability

    • doesn't require the message, but relies on more metadata
      about it

• ChatControl

  • similar proposals have been around in the EU since ~2020
  • client-side scanning
  • objections: vioaltes privacy and confidentiality of comms
  • proposal didn't go through this time, but only by a thin margin
  • it's not a done deal and assume it won't go away
  • Denmark gave it a new twist
    • removes the mandate to scan, but keeps the voluntary part
    • restrict usage or private comms for people under 16 //U16
      • e.g., restrict use of anonymous email and messenger
        accounts

• Sweden's new intelligence law that raises backdoor risks

  • debate on net neutrality

• France: proposed new digital security law that gives ministry of
  interior extra powers

• India: currently the most significant threat to encryption in Asia
  (hmm..)
• Canada: link tracking approach and some bills that
  • compel content scanning
  • lawful access features

Q&A + remarks

• Dan Sexton:

  • chatControl has had immense pushback; tech companies don't want
    to be regulated (ref: to lobbying budget, forgot the amount)
  • his organization: get data from children with evidence of abuse,
    voluntary, "please stop these images from being shared"; kids'
    images will circulate on the Internet forever and we cannot do
    anything about it

• Answer: if they had removed the mandate, they would have obtained a
  sensible result, but because they wanted to mandate it - it didn't
  go through

• Sara Dickinson: once politicians understood the concept of false
  positives, they updated the proposal to exclude themselves from the
  mandate
• Answer: positive protections for encryption; exemptions are not a
  good approach, it must be ubiquitous
• Andrew Campling:
  • misinformation about this topic, e.g. false positives have not
    proven to be a problem in practice
  • voluntary is lovely, but we know from research that encrypted
    platforms are the tools of choice of CSAM distributors -->
    relying on "voluntary" won't solve the problem
  • Answer: ref to IETF122 presentation that clarifies why
    client-side perceptual hash matching is not practical;
    politicians misunderstand it as magic that works, even though it
    doesn't.

Source privacy and decentralization

Speaker: Gianpaolo Angelo Scalone

• issue: client IP leakage despite ECH
• (see slides for detailed problem statement)
• proposals and calls to action
  • decouple who from where
  • preserve source privacy
  • new mailing list will be set up, CFR
  • contact Gianpaolo if you want to contribute to this body of work