Re: [93attendees] Network experiment during the meeting

Henning Schulzrinne <Henning.Schulzrinne@fcc.gov> Tue, 14 July 2015 20:00 UTC

From: Henning Schulzrinne <Henning.Schulzrinne@fcc.gov>
To: Leif Johansson <leifj@sunet.se>, Joseph Lorenzo Hall <joe@cdt.org>
Date: Tue, 14 Jul 2015 20:00:20 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/93attendees/32dQA1RUr13B9MeBkjICNuUd2dw>
Cc: "93attendees@ietf.org" <93attendees@ietf.org>
Subject: Re: [93attendees] Network experiment during the meeting

IRBs (institutional review boards) are associated with the home institution of the researcher, and only exist in institutions, largely universities or research hospitals, that conduct human subject experiments. For example, many or most research groups in industrial settings don't have access to an IRB unless they collaborate with a university researcher.

I would be very surprised if IRBs knew the law and requirements in countries other than their own, or felt comfortable speculating.

Thus, this will probably require a two-step test:

(1) where available, an IRB opinion from the researcher's home institution (in many cases that seem low risk or involve public data they simply say "thanks for asking, but no need for our review")

(2) some kind of locale-specific process. This is going to be the challenging part since you'd need a lawyer familiar with the local laws and practice.

Henning

________________________________________
From: 93attendees <93attendees-bounces@ietf.org> on behalf of Leif Johansson <leifj@sunet.se>
Sent: Tuesday, July 14, 2015 3:50 PM
To: Joseph Lorenzo Hall
Cc: 93attendees@ietf.org
Subject: Re: [93attendees] Network experiment during the meeting

> On 14 Jul 2015, at 21:46, Joseph Lorenzo Hall <joe@cdt.org> wrote:
>
> There are a few of us that have a lot of experience with the law and
> process of doing human subjects research... in the US, the general
> calculus is essentially balancing the risk to individuals to the
> research question at hand. For example, in a number of experiments
> I've been involved with, we've been asked to drop significant octets
> (or two) from IPv4 addresses, hash MAC addresses with a salt/key that
> is securely destroyed immediately afterwards, and ensure we are
> securely deleting data (random writes, etc.) after it is no longer
> needed (and not keeping it forever).

makes sense

>
> If this is the kind of thing IETF might do more of, it might be good
> to have a small group that can assess these kinds of requests, make
> suggestions, and approve/reject before the Chair has to necessarily
> step in. (Similarly, if IETFers might want guidance on these issues in
> terms of network experiments and proper research data handling for
> human subjects data, that's something we'd be interested in helping
> with at CDT.)

my point was that national law may already provide such review mechanisms

>
> The legal questions are going to be the ones we can't rely on our own
> community to deal with and will need to have some analysis before each
> IETF... of course, the hard alternative is "no experiments for other
> than operational questions on the IETF network" which doesn't sound
> satisfying to me.
>

that would be bad

> best, Joe
>
>
>> On Tue, Jul 14, 2015 at 1:53 PM, Leif Johansson <leifj@sunet.se> wrote:
>>> On 2015-07-14 17:33, McDonald, Alex wrote:
>>> I am not a lawyer, but I have done some research in this area.
>>>
>>> Please be aware that (a) the Czech Republic is in the EU (b) according to EU law you are collecting personal identifiable data.
>>>
>>> Therefore (from http://ec.europa.eu/justice/data-protection/data-collection/legal/index_en.htm)
>>>
>>> ---->>
>>> Under the Data Protection Directive, collecting and processing the personal data of individuals is only legitimate in one of the following circumstances laid down by Article 7 of the Directive:
>>>
>>>    Where the individual concerned, (the 'data subject'), has unambiguously given his or her consent, after being adequately informed; or
>>>    if data processing is needed for a contract, for example, for billing, a job application or a loan request; or
>>>    if processing is required by a legal obligation; or
>>>    if processing is necessary in order to protect the vital interest of the data subject, for example, processing of medical data of a victim of a car accident; or
>>>    if processing is necessary to perform tasks of public interests or tasks carried out by government, tax authorities, the police or other public bodies; or
>>>    if the data controller or a third party has a legitimate interest in doing so, as long as this interest does not affect the interests of the data subject, or infringe on his or her fundamental rights, in particular the right to privacy. This provision establishes the need to strike a reasonable balance between the data controllers' business interests and the privacy of data subjects.
>>> <<----
>>>
>>> The last clause is the only clause under which you can collect and process this data. To that end; http://ec.europa.eu/justice/data-protection/data-collection/obligations/index_en.htm
>>
>> I am not a lawyer either but I've dealt with a few cases similar
>> to this in my $dayjob.
>>
>> In some countries research is considered to be a task of public
>> interest and falls under the last but one clause but then often
>> coupled with an ethics review function.
>>
>> For the heck of it I just reviewed the Swedish research ethics board
>> note on PII and they cite the public interest clause [1] (Swedish
>> readers only I'm afraid).
>>
>> To make things worse, EU regulation is changing from a directive to
>> "federal" EU law so national law may not even apply (or at least not
>> for very long) in this area.
>>
>> I'm pretty sure that under (current) Swedish law you'd be required
>> to do a formal review by the human research ethics review board
>> for this type of research.
>>
>> [1] http://www.epn.se/media/63764/faktabroschyr-pul-forskning.pdf
>>
>>        Cheers Leif
>>
>> _______________________________________________
>> 93attendees mailing list
>> 93attendees@ietf.org
>> https://www.ietf.org/mailman/listinfo/93attendees
>
>
>
> --
> Joseph Lorenzo Hall
> Chief Technologist
> Center for Democracy & Technology
> 1634 I ST NW STE 1100
> Washington DC 20006-4011
> (p) 202-407-8825
> (f) 202-637-0968
> joe@cdt.org
> PGP: https://josephhall.org/gpg-key
> fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

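The data-minimization steps described in the quoted message above (dropping the low-order octet or two of IPv4 addresses, hashing MAC addresses with a key that is destroyed afterwards), as an added example that is not part of the thread. The function names and sample records are constructed for illustration, and the in-memory key wipe is best-effort in Python.

```python
import hashlib
import hmac
import ipaddress
import secrets


def truncate_ipv4(addr: str, drop_octets: int = 1) -> str:
    """Zero the lowest `drop_octets` octets (one or two) of an IPv4 address."""
    if not 1 <= drop_octets <= 2:
        raise ValueError("drop one or two octets")
    mask = (0xFFFFFFFF << (8 * drop_octets)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & mask))


def pseudonymize_mac(mac: str, key) -> str:
    """HMAC-SHA256 of the normalized 48-bit MAC, truncated to 64 bits.

    A secret key is needed because the MAC space is small enough to
    enumerate: an unkeyed hash can be reversed by brute force.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").lower())
    if len(raw) != 6:
        raise ValueError("not a 48-bit MAC address")
    return hmac.new(key, raw, hashlib.sha256).hexdigest()[:16]


def scrub(records, drop_octets: int = 1):
    """Return minimized copies of (ip, mac, byte_count) records.

    The key exists only for this call, so pseudonyms are stable within
    one data set but cannot be linked to MACs or to other runs afterwards.
    """
    key = bytearray(secrets.token_bytes(32))
    try:
        return [
            (truncate_ipv4(ip, drop_octets), pseudonymize_mac(mac, key), n)
            for ip, mac, n in records
        ]
    finally:
        for i in range(len(key)):  # best-effort wipe; the runtime may
            key[i] = 0             # still hold internal copies


# Constructed sample records (documentation address and MAC ranges).
SAMPLE = [
    ("192.0.2.57", "00:00:5E:00:53:01", 1200),
    ("192.0.2.200", "00-00-5e-00-53-01", 300),
    ("198.51.100.9", "00:00:5e:00:53:02", 42),
]
```
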