@fmarier
Created April 20, 2022 00:14
Defending against nation-state (legal) attack: how to build a privacy-protecting service in the era of ubiquitous surveillance

by Bill “Woody” Woodcock, Quad9

https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20video%20and%20slides/DEF%20CON%2029%20-%20Bill%20Woodcock%20-%20Defending%20Against%20Nation-state%20%28legal%29%20Attack%20-%20Live.mp4

Started in 2016. EU privacy regulators came to PacketFence because they wanted to see a PoC of a GDPR-compliant DNS recursive resolver.

At the time there were only two public resolvers (Google and OpenDNS), and one of them was actively lobbying for a GDPR exemption.

The 9.0.0.0/8 block was owned by IBM and they contributed the IP addresses for the resolvers.

PacketFence was incorporated as a 501(c)(3) in California.

In 2018 they narrowed their search for a legal domicile to:

  • Iceland
  • Netherlands
  • Switzerland

In 2019 they picked Switzerland.

In 2020 they went through the paperwork to move Quad9 to a Swiss organization. As of February 2021, it is entirely a Swiss organization.

## Threat models

The service itself doing something bad: storing data when it shouldn’t. They want to provide a shield for users. In California, there’s no penalty if a company doesn’t do what it says it does, even despite the CCPA.

The US government sending a national security letter. Companies in the US can be compelled to do things. They can also be compelled to do things secretly, and the secrecy can be permanent. There are secret laws about all of that which people aren’t allowed to know.

Subpoenas from foreign countries are usually not very effective in the US, however, which is good for their purposes. US courts protect US companies, though that’s also the case when US companies are helping terrorists abroad.

So they were looking for a jurisdiction where:

  1. privacy laws were criminal rather than civil
  2. GDPR or equivalent privacy law
  3. no secret laws
  4. reasonable limits on gag orders (i.e. not indefinite, not overbroad)
  5. extra-judicial data sharing is illegal
  6. no wiretap law would apply to DNS queries (the US interprets “being a telecom company” as “anybody who does anything on the Internet”)
  7. KYC laws would not apply to them
  8. politically neutral
  9. high on the anti-corruption index

In the US, and increasingly in Europe, there are public-private data-sharing partnerships where they do joint research on the company’s users.

## Countries

Switzerland:

  • European Commission considers their privacy laws GDPR-equivalent.
  • There is an independent data protection officer. They will accept complaints from anybody anywhere in the world and take on the case.
  • There are no secret laws.
  • Switzerland only allows narrow and time-limited gag orders connected to a criminal case.
  • Extra-judicial data sharing is a crime in Switzerland!
  • No wiretap laws apply to Quad9 because Quad9 doesn’t qualify as a telecom company.
  • No KYC requirements for banking or telecom companies.
  • Switzerland has a reputation for being politically neutral. They haven’t signed a lot of treaties. They are not a party to any intelligence treaties. They are not part of the EU, only an associate of the European Economic Area.
  • Corruption perception index: #3 (score of 85)

Iceland:

  • There are no secret laws.
  • Iceland is part of the Nordic countries and the EEA.
  • Iceland has a small economy that is very dependent on the US and EU. They have a lot of external debt.
  • Corruption perception index: #17

Netherlands:

  • There are probably some secret laws but people seem to think they’re not a big deal.
  • Full member of the EU.
  • Member of 9 Eyes and 14 Eyes.
  • Very close relationships between Dutch intelligence and US intelligence since the end of WW2.
  • Corruption perception index: #8 (score of 82)

There aren’t really any laws (even in the US) that can force companies, other than telcos, to spend money and resources to build something that doesn’t exist (e.g. logging functionality).

Additionally, laws cannot compel a party to violate another law. There is even a law in the US that says it’s illegal for a party to violate a law in another country.

MLAT: mutual legal assistance treaties are used to prosecute trans-national crimes. The way this works is that the external country files a complaint with the country where the crime occurred; that second country tries to match the alleged crime with one of its own laws and then decides whether or not to take the case. If they take the case, they prosecute it themselves.

The Lugano Convention is a 2007 treaty between the EU and a couple of other countries that covers what happens with civil cases between private parties that are trans-national in nature.
