Re: [93attendees] Network experiment during the meeting

"Leif Johansson" <> Tue, 14 July 2015 19:50 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 1FFB01B2BB7 for <>; Tue, 14 Jul 2015 12:50:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uGdSv1Bqgr0F for <>; Tue, 14 Jul 2015 12:50:29 -0700 (PDT)
Received: from ( [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7FAEA1B2BB4 for <>; Tue, 14 Jul 2015 12:50:28 -0700 (PDT)
Received: from ( []) by (8.14.4/8.14.4/Debian-4) with ESMTP id t6EJoK92008399 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 14 Jul 2015 21:50:20 +0200
Received: from ( []) by (8.14.9/8.14.7) with ESMTP id t6EJoHsF015203 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 14 Jul 2015 21:50:20 +0200 (CEST)
VBR-Info:; mc=all;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=default; t=1436903420; bh=YwxpKB+2H+lmDVrDO/Ov3HDpGFZUhxOclrrtvpnLNss=; h=From:Subject:Date:References:To:In-Reply-To:Cc; b=SpqEq0mYALFIyR/4IYyEUuActESzskXFjZtFZvJ9RGL5/dxk1Ucm81qee+Pw/y18W yDFSmIC6D3jFUW2HxlkICbJYEuKTWa6Z5n7f3BKdTGMYak2HKBEO0HQkJbcvrCkj7B 1ngJaZI6Be8Sp3+Tl/KVMciWD9RAqEV1rQKYhD/8=
X-Footer: c3VuZXQuc2U=
Received: from [] ([]) by (Kerio Connect 8.3.4 patch 1); Tue, 14 Jul 2015 21:50:17 +0200
From: "Leif Johansson" <>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Message-Id: <>
Date: Tue, 14 Jul 2015 21:50:17 +0200
References: <> <> <> <>
To: Joseph Lorenzo Hall <>
In-Reply-To: <>
X-Bayes-Prob: 0.5 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=; country=SE; latitude=59.3294; longitude=18.0686;,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09OQjOkEG - e018d3666d42 - 20150714
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral ( is neither permitted nor denied by domain; client-ip=; envelope-from=<>;; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on
Archived-At: <>
Cc: "" <>
Subject: Re: [93attendees] Network experiment during the meeting
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list of IETF 93 attendees that have opted in on this list. " <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Jul 2015 19:50:31 -0000

> 14 jul 2015 kl. 21:46 skrev Joseph Lorenzo Hall <>rg>:
> There are a few of us that have a lot of experience with the law and
> process of doing human subjects research... in the US, the general
> calculus is essentially balancing the risk to individuals to the
> research question at hand. For example, in a number of experiments
> I've been involved with, we've been asked to drop significant octets
> (or two) from IPv4 addresses, hash MAC addresses with a salt/key that
> is securely destroyed immediately afterwards, and ensure we are
> securely deleting data (random writes, etc.) after it is no longer
> needed (and not keeping it forever).

makes sense

> If this is the kind of thing IETF might do more of, it might be good
> to have a small group that can assess these kinds of requests, make
> suggestions, and approve/reject before the Chair has to necessarily
> step in. (Similarly, if IETFers might want guidance on these issues in
> terms of network experiments and proper research data handling for
> human subjects data, that's something we'd be interested in helping
> with at CDT.)

my point was that national law may already provide such review mechanisms

> The legal questions are going to be the ones we can't rely on our own
> community to deal with and will need to have some analysis before each
> IETF... of course, the hard alternative is "no experiments for other
> than operational questions on the IETF network" which doesn't sound
> satisfying to me.

that would be bad

> best, Joe
>> On Tue, Jul 14, 2015 at 1:53 PM, Leif Johansson <> wrote:
>>> On 2015-07-14 17:33, McDonald, Alex wrote:
>>> I am not a lawyer, but I have done some research in this area.
>>> Please be aware that (a) the Czech Republic is in the EU (b) according to EU law you are collecting personal identifiable data.
>>> Therefore (from
>>> ---->>
>>> Under the Data Protection Directive, collecting and processing the personal data of individuals is only legitimate in one of the following circumstances laid down by Article 7 of the Directive:
>>>    Where the individual concerned, (the 'data subject'), has unambiguously given his or her consent, after being adequately informed; or
>>>    if data processing is needed for a contract, for example, for billing, a job application or a loan request; or
>>>    if processing is required by a legal obligation; or
>>>    if processing is necessary in order to protect the vital interest of the data subject, for example, processing of medical data of a victim of a car accident; or
>>>    if processing is necessary to perform tasks of public interests or tasks carried out by government, tax authorities, the police or other public bodies; or
>>>    if the data controller or a third party has a legitimate interest in doing so, as long as this interest does not affect the interests of the data subject, or infringe on his or her fundamental rights, in particular the right to privacy. This provision establishes the need to strike a reasonable balance between the data controllers' business interests and the privacy of data subjects.
>>> <<----
>>> The last clause is the only clause under which you can collect and process this data. To that end;
>> I am not a lawyer either but I've dealt with a few cases similar
>> to this in my $dayjob.
>> In some countries research is considered to be a task of public
>> interest and fall under the last but one clause but then often
>> coupled with an ethics review function.
>> For the heck of it I just reviewed the Swedish research ethics board
>> note on PII and they cite the public interest clause [1] (Swedish
>> readers only I'm afraid).
>> To make things worse, EU regulation is changing from a directive to
>> "federal" EU law so national law may not even apply (or at least not
>> for very long) in this area.
>> I'm pretty sure that under (current) Swedish law you'd be required
>> to do a formal review by the human research ethics review board
>> for this type of research.
>> [1]
>>        Cheers Leif
>> _______________________________________________
>> 93attendees mailing list
> -- 
> Joseph Lorenzo Hall
> Chief Technologist
> Center for Democracy & Technology
> 1634 I ST NW STE 1100
> Washington DC 20006-4011
> (p) 202-407-8825
> (f) 202-637-0968
> PGP:
> fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871