Re: [93attendees] Network experiment during the meeting

Joseph Lorenzo Hall <> Tue, 14 July 2015 19:46 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3980D1B2B96 for <>; Tue, 14 Jul 2015 12:46:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tV24RJfz1HDM for <>; Tue, 14 Jul 2015 12:46:13 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c03::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 433231B2B15 for <>; Tue, 14 Jul 2015 12:46:13 -0700 (PDT)
Received: by lagx9 with SMTP id x9so12235796lag.1 for <>; Tue, 14 Jul 2015 12:46:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=SUyYKZTFtbqlbg48NWWe8vANMbtjnZeaXJrH4IDU4aQ=; b=I2kr6LYRtVH1KQ1iJzEpUnCJUCkmhs1eq7SwVega9awWjsVVRKic77i184dVY7A3ZX uA4MJrOk440tZxcCIC1wx/Mmg/NGxiamYLdtokZB/nFFW+dDVg7aSOOWVDp1rArh74FS 5SMFCzNPjSdOB/VPtNiafY3xQvfIp0dEiufzI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=SUyYKZTFtbqlbg48NWWe8vANMbtjnZeaXJrH4IDU4aQ=; b=Pm8Jh9gWFS0jlwg0dw0my9h35in6YLSBn9NkbY1tWxgzRmS1qFb5BuEs4kjRaHqzDA xBjw4VjDUH6U6J5ORL/MPBTNlccjgbbohsOfWgAmO3ERUeLRV+/HNCbv8MJU9dWIfIgJ o50jsa2LwDw+Pctk8BUYEglGBIHfhDON1TDVki7Pt4UBzAGiRbk1n6z8FZfoI9PiPfQk hOih+14umTQVWMlMn080+yqz6iTlpEXlzbSGDqkQYpdWJwkmRr1ht4O3Gt25YoP/7YJ4 y5aBg/BsUeJagk1cA0TTuby4cYhmpDKLosjNy1PtqVNnOYRmv/htFBAC65xuwXbtI0Qv se/Q==
X-Gm-Message-State: ALoCoQnmGPRcd4mmWVIMPae80sdnirIlEeKLvPcV4DDcxSfVrHd4/t8p1inJ5IjYrQuEVLMVMG9f
X-Received: by with SMTP id c20mr259782lbo.27.1436903171748; Tue, 14 Jul 2015 12:46:11 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Tue, 14 Jul 2015 12:45:52 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Joseph Lorenzo Hall <>
Date: Tue, 14 Jul 2015 15:45:52 -0400
Message-ID: <>
To: Leif Johansson <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [93attendees] Network experiment during the meeting
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list of IETF 93 attendees that have opted in on this list. " <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Jul 2015 19:46:15 -0000

There are a few of us that have a lot of experience with the law and
process of doing human subjects research... in the US, the general
calculus is essentially balancing the risk to individuals to the
research question at hand. For example, in a number of experiments
I've been involved with, we've been asked to drop significant octets
(or two) from IPv4 addresses, hash MAC addresses with a salt/key that
is securely destroyed immediately afterwards, and ensure we are
securely deleting data (random writes, etc.) after it is no longer
needed (and not keeping it forever).

If this is the kind of thing IETF might do more of, it might be good
to have a small group that can assess these kinds of requests, make
suggestions, and approve/reject before the Chair has to necessarily
step in. (Similarly, if IETFers might want guidance on these issues in
terms of network experiments and proper research data handling for
human subjects data, that's something we'd be interested in helping
with at CDT.)

The legal questions are going to be the ones we can't rely on our own
community to deal with and will need to have some analysis before each
IETF... of course, the hard alternative is "no experiments for other
than operational questions on the IETF network" which doesn't sound
satisfying to me.

best, Joe

On Tue, Jul 14, 2015 at 1:53 PM, Leif Johansson <> wrote:
> On 2015-07-14 17:33, McDonald, Alex wrote:
>> I am not a lawyer, but I have done some research in this area.
>> Please be aware that (a) the Czech Republic is in the EU (b) according to EU law you are collecting personal identifiable data.
>> Therefore (from
>> ---->>
>> Under the Data Protection Directive, collecting and processing the personal data of individuals is only legitimate in one of the following circumstances laid down by Article 7 of the Directive:
>>     Where the individual concerned, (the 'data subject'), has unambiguously given his or her consent, after being adequately informed; or
>>     if data processing is needed for a contract, for example, for billing, a job application or a loan request; or
>>     if processing is required by a legal obligation; or
>>     if processing is necessary in order to protect the vital interest of the data subject, for example, processing of medical data of a victim of a car accident; or
>>     if processing is necessary to perform tasks of public interests or tasks carried out by government, tax authorities, the police or other public bodies; or
>>     if the data controller or a third party has a legitimate interest in doing so, as long as this interest does not affect the interests of the data subject, or infringe on his or her fundamental rights, in particular the right to privacy. This provision establishes the need to strike a reasonable balance between the data controllers' business interests and the privacy of data subjects.
>> <<----
>> The last clause is the only clause under which you can collect and process this data. To that end;
> I am not a lawyer either but I've dealt with a few cases similar
> to this in my $dayjob.
> In some countries research is considered to be a task of public
> interest and fall under the last but one clause but then often
> coupled with an ethics review function.
> For the heck of it I just reviewed the Swedish research ethics board
> note on PII and they cite the public interest clause [1] (Swedish
> readers only I'm afraid).
> To make things worse, EU regulation is changing from a directive to
> "federal" EU law so national law may not even apply (or at least not
> for very long) in this area.
> I'm pretty sure that under (current) Swedish law you'd be required
> to do a formal review by the human research ethics review board
> for this type of research.
> [1]
>         Cheers Leif
> _______________________________________________
> 93attendees mailing list

Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871