Re: [hrpc] My suggestion for the attribution paragraph

[Mark Perkins <marknoumea@yahoo.com>]

Niels

I think that this could be a factor.

A few points;

Attribution (whichever meaning) does not equal remedy

Attribution is an argument many governments are using against anonymity 
(India)  and end to end encryption (EU)

Banks ensure payments over Internet via apps rather than underlying 
protocol; even on their proper network (ATM), payments are assured by 
law rather than protocol (given that banks had a poor track record...)

'Baking' attribution in at protocol level to aid with 'remedy' I fear 
will undermine the very human rights it is meant to help - something 
that human rights law is explictly opposed to (no right may be used to 
undermine / annul other rights)

While I am opposed to including 'attribution', I understand that this 
may be a minority position; if it is included I think the paragraph 
should be much more nuanced, including the problems mentioned by myself  
others

Mark P.

Le 20/03/2021 à 02:57, Niels ten Oever a écrit :
> Might it be that the discussion arises from the way attribution is used within the cybersecurity debate? Because here it has a very different meaning.
>
> Best,
>
> Niels
>
> On 19-03-2021 16:24, farzaneh badii wrote:
>> We have raised the problem of cherry-picking in previous papers when criticizing the approach of HRPC, but in this case I don't think cherry-picking is involved. Your framing [attribution results in or can help with legal remedy] is problematic because it brings jurisdictional issues to this document. What legal remedy, based on which law? I heard that people were saying we are not trying to bring one set of legal systems into the discussion. And it's not even clear how you can create a direct link between attribution and legal remedy. Access to legal remedy in the human rights law field does not mean that a private protocol developer helps victims or law enforcement with gathering evidence! Help with gathering evidence does not result in legal remedy. Access to legal remedy is much more nuanced than that.
>>
>> I think we just did not discuss this issue carefully for the past couple of years. We didn't have legal experts and human rights law experts that could analyze this in depth and give us their perspective. I am very concerned about including this paragraph. I tried to help with revising it so it is not that I want to stop progress but as I have said, this paragraph can be potentially against human rights more than for it.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Farzaneh
>>
>>
>> On Tue, Mar 16, 2021 at 9:20 AM John Curran <jcurran@istaff.org  <mailto:jcurran@istaff.org>> wrote:
>>
>>      Mark -
>>
>>      The fact that protocol support for attribution is important to support some human rights (i.e. the right to legal remedy)
>>      but poses important concerns regarding potential implications for other rights would seem to me to argue more strongly on the need for its inclusion in the guidelines rather than its omission, However, I’ll admit that I haven’t done direct protocol development in more than two decades and lacking as I am in recent first-hand experience, I'll leave it to this group to decide as it deems best.
>>
>>      All I do ask is that the IETF document be accurate regarding scope – i.e. if there is a determination to omit inclusion of some human rights from the guidelines because they are inconvenient, then the document should clearly indicate that it provides guidelines for _select_ human rights (and this would also suggest that the language "this is by no means an attempt to exclude specific rights or prioritize some rights over others. If other rights seem relevant, please contact the authors.” should probably be struck.)  I think this would be major step backward (and do not recommend such an approach), but see no other way to address your concerns about the potential risk to inexperienced protocol developers being led astray by the inclusion of the right to legal remedy.
>>
>>      Thanks,
>>      /John
>>
>>
>>>      On 11 Mar 2021, at 4:27 PM, Mark Perkins <marknoumea=40yahoo.com@dmarc.ietf.org  <mailto:marknoumea=40yahoo.com@dmarc.ietf.org>> wrote:
>>>
>>>      An annoying P.S.: just for the record I hope this paragraph does not encourage protocol developers to design protocols that can attribute certain action to an individual or lead to identification of people. I hope it doesn't legitimize attribution using protocols, with no accountability or checks and balances. Attribution features can be abused. I still don't think attribution should have been included at all, but that ship has sailed. So, I compromise.
>>>
>>>      MP>> This is exactly my fear, excepting that I disagree that "that ship has sailed", and am still not sure that consensus has been reached on this issue...
>>>
>>>      Mark P.
>>>
>>>      Le 12/03/2021 à 05:34, farzaneh badii a écrit :
>>>>      Thank you Gurshabad,
>>>>
>>>>      Yes this is fine, though I would have removed "may.. be" from the following sentence and replace it with "is".
>>>>      attribution on an individual level [may] *is not [*be] consistent with those particular human rights.  and would have removed individual from "i.e. mechanisms in protocols or architectures
>>>>      that are designed to make communications or artifacts attributable to acertain computer*or individual)*"
>>>>
>>>>      I can't think of a text that captures Mallory's suggestion right now but I am not insistent on further changes to be applied. So don't want to hold you back.
>>>>      All good and thank you for your hard and excellent work.
>>>>
>>>>
>>>>      An annoying P.S.: just for the record I hope this paragraph does not encourage protocol developers to design protocols that can attribute certain action to an individual or lead to identification of people. I hope it doesn't legitimize attribution using protocols, with no accountability or checks and balances. Attribution features can be abused. I still don't think attribution should have been included at all, but that ship has sailed. So, I compromise.
>>>>
>>>>
>>>>
>>>>      Farzaneh
>>>>
>>>>
>>>>      On Thu, Mar 11, 2021 at 1:00 PM Gurshabad Grover <gurshabad@cis-india.org  <mailto:gurshabad@cis-india.org>> wrote:
>>>>
>>>>          Thanks, Farzaneh.
>>>>
>>>>          I was referring to these suggestions (which came through well to my mail
>>>>          at least), which I mostly incorporated. I realised from your chat
>>>>          messages during hrpc today that you were highlighting the importance of
>>>>          removing the reference to 'law enforcement agencies'. Taking that and
>>>>          the recent suggestions into account, would this text be fine?
>>>>
>>>>          """
>>>>          Question(s): Can your protocol facilitate a negatively impacted party's
>>>>          right to the appropriate remedy without disproportionately impacting
>>>>          other parties' human rights, especially their right to privacy?
>>>>
>>>>          Explanation: Attribution (i.e. mechanisms in protocols or architectures
>>>>          that are designed to make communications or artifacts attributable to a
>>>>          certain computer or individual) may help victims of crimes in seeking
>>>>          appropriate remedy.  However, attribution mechanisms may impede the
>>>>          exercise of the right to privacy.  The Special Rapporteur for Freedom of
>>>>          Expression has also argued that anonymity is an inherent part of freedom
>>>>          of expression. [Kaye] Considering the adverse impact of attribution on
>>>>          the right to privacy and freedom of expression, enabling attribution on
>>>>          an individual level may not be consistent with those particular human
>>>>          rights.
>>>>          """
>>>>
>>>>          On a finer point: I do not think that it is appropriate to remove 'the
>>>>          right to remedy' from the 'Impacts' section, because it is precisely
>>>>          what this section about (regardless of the final position it takes).
>>>>
>>>>          -Gurshabad
>>>>
>>>>
>>>>          On 3/11/21 11:19 PM, farzaneh badii wrote:
>>>>          > Seems like the suggestion I made did not come through because I
>>>>          > strike-through
>>>>          > Screen Shot 2021-03-11 at 12.44.34 PM.png
>>>>          >  that didn't appear on the mailing list archive so I took a screenshot
>>>>          > of the changes I suggested which is attached.
>>>>          >
>>>>          > I will rewrite it here.
>>>>          > Farzaneh
>>>>          >
>>>>          > _______________________________________________
>>>>          > hrpc mailing list
>>>>          >hrpc@irtf.org  <mailto:hrpc@irtf.org>
>>>>          >https://www.irtf.org/mailman/listinfo/hrpc  <https://www.irtf.org/mailman/listinfo/hrpc>
>>>>          >
>>>>
>>>>
>>>>      _______________________________________________
>>>>      hrpc mailing list
>>>>      hrpc@irtf.org  <mailto:hrpc@irtf.org>
>>>>      https://www.irtf.org/mailman/listinfo/hrpc  <https://www.irtf.org/mailman/listinfo/hrpc>
>>>      <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>  	Garanti sans virus.www.avast.com  <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
>>>
>>>      _______________________________________________
>>>      hrpc mailing list
>>>      hrpc@irtf.org  <mailto:hrpc@irtf.org>
>>>      https://www.irtf.org/mailman/listinfo/hrpc  <https://www.irtf.org/mailman/listinfo/hrpc>
>>      _______________________________________________
>>      hrpc mailing list
>>      hrpc@irtf.org  <mailto:hrpc@irtf.org>
>>      https://www.irtf.org/mailman/listinfo/hrpc  <https://www.irtf.org/mailman/listinfo/hrpc>
>>
>>
>> _______________________________________________
>> hrpc mailing list
>> hrpc@irtf.org
>> https://www.irtf.org/mailman/listinfo/hrpc
>>

-- 
L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel antivirus Avast.
https://www.avast.com/antivirus