Hacker News
by mrkoot 3148 days ago
The BCP's scope is broader than state actors: "The motivation for PM can range from non-targeted nation-state surveillance, to legal but privacy-unfriendly purposes by commercial enterprises, to illegal actions by criminals".

Also, the BCP does not contend that a technology end-run around law exists (or that it is desirable). The BCP is about mitigating, not entirely preventing, the threats described: "'Mitigation' is a technical term that does not imply an ability to completely prevent or thwart an attack. Protocols that mitigate PM will not prevent the attack but can significantly change the threat."

Surely, given commercial practices such as HTTP header injection by Verizon and the Pharma saga in the U.K., a BCP that promotes privacy/security thinking in the design of new protocols is a good thing. Which is not to say that attackers, commercial or otherwise, will not find other ways; but let's at least try to increase the bar by weeding out unnecessary attack surface and information leakage.

1 comments

I didn’t mean to say efforts to improve privacy through technology are bad or pointless, just that it would be dangerous to do that and only that. The complete solution is technological and cultural/legal. It is not superior lock technology that prevents homes from being burglarized daily, but the threat of legal consequences, although it is a good thing to have better locks.