I don’t think it’s effective to describe pervasive monitoring by state actors as something that requires a technological response. There is no technology end-run around the law, as has been proven again and again.
If pervasive monitoring in nsa style is legal and culturally accepted, then the solution must be cultural, not technical. Either by embracing the death of privacy and having no real secrets, or by convincing hearts and minds of the immorality of the monitoring until it is outlawed and people who do it are jailed.
The BCP's scope is broader than state actors: "The motivation for PM can range from non-targeted nation-state surveillance, to legal but privacy-unfriendly purposes by commercial enterprises, to illegal actions by criminals".
Also, the BCP does not contend that an technology end-run around law exist (or that it is desirable). The BCP is about mitigating, not entirely preventing, the threats described: "'Mitigation' is a technical term that does not imply an ability to completely prevent or thwart an attack. Protocols that mitigate PM will not prevent the attack but can significantly change the threat."
Surely, given commercial practices such as HTTP header injection by Verizon and the Pharma saga in the U.K., a BCP that promotes privacy/security thinking in the design of new protocols is a good thing. Which is not to say that attackers, commercial or otherwise, will not find other ways; but let's at least try to increase the bar by weeding out unnecessary attack surface and information leakage.
I didn’t mean to say efforts to improve privacy through technology are bad or pointless, just that it would be dangerous to do that and only that. The complete solution is technological and cultural/legal. It is not superior lock technology that prevents homes from being burglarized daily, but the threat of legal consequences, although it is a good thing to have better locks.
Maybe just the generic nature of the problem description. Are they talking about Google Analytics? Cloudflare? Black hats running WiFi access points? Infiltrated Tor endpoints? Forced proxies at schools and companies? State actors? Local malware and antivirus? Rogue apps and browser extensions? Via what mechanisms?
Hard to comment on it in a general sense. There's lots of forms of pervasive monitoring.
"Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol metadata such as headers. Active or passive wiretaps and traffic analysis, (e.g., correlation, timing or measuring packet sizes), or subverting the cryptographic keys used to secure protocols can also be used as part of pervasive monitoring."
It's all "what" with no "who" or "how". Wiretaps and/or traffic analysis can happen all the ways I outlined above and more. And by different entities. As far as I know, combating it requires being specific.
"The motivation for PM can range from non-targeted nation-state surveillance, to legal but privacy-unfriendly purposes by commercial enterprises, to illegal actions by criminals."
Also relatively specific, without being overly so.
If pervasive monitoring in nsa style is legal and culturally accepted, then the solution must be cultural, not technical. Either by embracing the death of privacy and having no real secrets, or by convincing hearts and minds of the immorality of the monitoring until it is outlawed and people who do it are jailed.