I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. In my opinion, the draft is ready. The draft does a good job explaining pervasive monitoring, why pervasive monitoring is considered an attack, and that the IETF will *continue* to mitigate the effects of such an attack where possible. I found it easy enough to follow and particularly good at removing politics from the equation. If I had any criticism at all, it would be that the draft doesn't convey that privacy is security as it pertains to a particular type of information (replace personally identifying information with credit card data, and you've got something more like PCI security). To those unfamiliar with security and/or privacy, this point might be made clearer either in a draft like this or in something like RFC6973 (and it may be covered well there). Like I said, though, I think the draft is ready. Regards, Adam