IETF Logo Mail Archive

Re: [hrpc] My suggestion for the attribution paragraph

Niels ten Oever <mail@nielstenoever.net> Sat, 01 May 2021 15:05 UTC

Return-Path: <mail@nielstenoever.net>
X-Original-To: hrpc@ietfa.amsl.com
Delivered-To: hrpc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14A6F3A1DD9 for <hrpc@ietfa.amsl.com>; Sat, 1 May 2021 08:05:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4tLgpWgYHtKv for <hrpc@ietfa.amsl.com>; Sat, 1 May 2021 08:05:14 -0700 (PDT)
Received: from smarthost1.greenhost.nl (smarthost1.greenhost.nl [195.190.28.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF7193A1DD8 for <hrpc@irtf.org>; Sat, 1 May 2021 08:05:12 -0700 (PDT)
To: hrpc@irtf.org
References: <CAN1qJvA_ONSNqk_Am6z6SASHO63eObaYMRVMY4cHR6XzPskGqg@mail.gmail.com> <988c1a1b-97a4-bccc-f991-7f51f760c088@cis-india.org> <CAN1qJvC2jPSJuawePyH5DO9xvqWLnUUAzFu8tWBzfkntQBEO6Q@mail.gmail.com> <5f706893-5ccf-a6ad-353e-1f64241e9978@yahoo.com> <91F738F9-3570-423A-8240-F3CB18EA25C8@istaff.org> <CAN1qJvCVMc9E1LaXBD8yENxH+0aWPFt7UqCLDS2CDp8Edrbaxw@mail.gmail.com> <114c3a3a-5b03-28d7-ee05-dc96d2351301@nielstenoever.net> <333c8a96-e7eb-2821-f70c-da2e1b52178f@yahoo.com> <77e7853c-8c31-5aab-ef25-cc5e0f0930cb@nielstenoever.net> <84dec326-813a-ef10-cb50-14cb0da4b2da@yahoo.com>
From: Niels ten Oever <mail@nielstenoever.net>
Message-ID: <0b955102-71b3-c03b-f4cc-a059582665c9@nielstenoever.net>
Date: Sat, 01 May 2021 17:05:03 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
MIME-Version: 1.0
In-Reply-To: <84dec326-813a-ef10-cb50-14cb0da4b2da@yahoo.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Authenticated-As-Hash: f1842a279235a42f6aa2a2a81130733515c5a4ec
X-Virus-Scanned: by clamav at smarthost1.greenhost.nl
X-Scan-Signature: cba2eb4d83bbdf72d3179b19870a415b
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/pHpp9Aq8RG2dAW7TbsPPVG6qOrc>
Subject: Re: [hrpc] My suggestion for the attribution paragraph
X-BeenThere: hrpc@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: hrpc discussion list <hrpc.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/hrpc>, <mailto:hrpc-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hrpc/>
List-Post: <mailto:hrpc@irtf.org>
List-Help: <mailto:hrpc-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hrpc>, <mailto:hrpc-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 May 2021 15:05:19 -0000

Hi all, 

Sorry it has taken some time, but I have come up with new proposal text on the remedy-paragraph.

__________________

### Remedy

Question(s): Can your protocol facilitate a negatively impacted party's right to remedy without disproportionately impacting other parties' human rights, especially their right to privacy?

Explanation: Access to remedy may help victims of human rights violation in seeking justice, or allow law enforcement agencies to identify a possible violator. However, such mechanisms may impede the exercise of the right to privacy. The Special Rapporteur for Freedom of Expression has also argued that anonymity is an inherent part of freedom of expression [Kaye]. Considering the adverse impact of attribution on the right to privacy and freedom of expression, enabling attribution on an individual level is most likely not consistent with human rights. However, providing access to remedy by states and corporations is an inherent part of the UN Guiding Principles on Business and Human Rights {{UNGP}}.

Impacts:

- Right to remedy
- Right to security
- Right to privacy

_________________

Happy to discuss!

Best,

Niels

On 20-03-2021 07:45, Mark Perkins wrote:
> Hi & thanks Niels
> 
> If this replacement can be done great- can we see how that will look?
> 
> If we can also insert the principle 'no right may be used to undermine / annul other rights', as per Gurshabad Grover's text regarding remedy (originally attribution) re privacy/anonymity/freedom of speech, then things would be excellent
> 
> Regards
> 
> Mark P.
> 
> Le 20/03/2021 à 10:04, Niels ten Oever a écrit :
>> Excellent - so perhaps we should be dropping 'attribution' from the title and make a rewrite to focus on 'remedy'. I hope that will then fix the discussion.
>>
>> Would that approach make sense to you (specifically asking Mark, Farzaneh, and John :) )?
>>
>> Best,
>>
>> Niels
>>
>> On 19-03-2021 23:49, Mark Perkins wrote:
>>> Niels
>>>
>>> I think that this could be a factor.
>>>
>>> A few points;
>>>
>>> Attribution (whichever meaning) does not equal remedy
>>>
>>> Attribution is an argument many governments are using against anonymity (India)  and end to end encryption (EU)
>>>
>>> Banks ensure payments over Internet via apps rather than underlying protocol; even on their proper network (ATM), payments are assured by law rather than protocol (given that banks had a poor track record...)
>>>
>>> 'Baking' attribution in at protocol level to aid with 'remedy' I fear will undermine the very human rights it is meant to help - something that human rights law is explictly opposed to (no right may be used to undermine / annul other rights)
>>>
>>> While I am opposed to including 'attribution', I understand that this may be a minority position; if it is included I think the paragraph should be much more nuanced, including the problems mentioned by myself  others
>>>
>>> Mark P.
>>>
>>> Le 20/03/2021 à 02:57, Niels ten Oever a écrit :
>>>> Might it be that the discussion arises from the way attribution is used within the cybersecurity debate? Because here it has a very different meaning.
>>>>
>>>> Best,
>>>>
>>>> Niels
>>>>
>>>> On 19-03-2021 16:24, farzaneh badii wrote:
>>>>> We have raised the problem of cherry-picking in previous papers when criticizing the approach of HRPC, but in this case I don't think cherry-picking is involved. Your framing [attribution results in or can help with legal remedy] is problematic because it brings jurisdictional issues to this document. What legal remedy, based on which law? I heard that people were saying we are not trying to bring one set of legal systems into the discussion. And it's not even clear how you can create a direct link between attribution and legal remedy. Access to legal remedy in the human rights law field does not mean that a private protocol developer helps victims or law enforcement with gathering evidence! Help with gathering evidence does not result in legal remedy. Access to legal remedy is much more nuanced than that.
>>>>>
>>>>> I think we just did not discuss this issue carefully for the past couple of years. We didn't have legal experts and human rights law experts that could analyze this in depth and give us their perspective. I am very concerned about including this paragraph. I tried to help with revising it so it is not that I want to stop progress but as I have said, this paragraph can be potentially against human rights more than for it.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Farzaneh
>>>>>
>>>>>
>>>>> On Tue, Mar 16, 2021 at 9:20 AM John Curran <jcurran@istaff.org  <mailto:jcurran@istaff.org>> wrote:
>>>>>
>>>>>       Mark -
>>>>>
>>>>>       The fact that protocol support for attribution is important to support some human rights (i.e. the right to legal remedy)
>>>>>       but poses important concerns regarding potential implications for other rights would seem to me to argue more strongly on the need for its inclusion in the guidelines rather than its omission, However, I’ll admit that I haven’t done direct protocol development in more than two decades and lacking as I am in recent first-hand experience, I'll leave it to this group to decide as it deems best.
>>>>>
>>>>>       All I do ask is that the IETF document be accurate regarding scope – i.e. if there is a determination to omit inclusion of some human rights from the guidelines because they are inconvenient, then the document should clearly indicate that it provides guidelines for _select_ human rights (and this would also suggest that the language "this is by no means an attempt to exclude specific rights or prioritize some rights over others. If other rights seem relevant, please contact the authors.” should probably be struck.)  I think this would be major step backward (and do not recommend such an approach), but see no other way to address your concerns about the potential risk to inexperienced protocol developers being led astray by the inclusion of the right to legal remedy.
>>>>>
>>>>>       Thanks,
>>>>>       /John
>>>>>
>>>>>
>>>>>>       On 11 Mar 2021, at 4:27 PM, Mark Perkins <marknoumea=40yahoo.com@dmarc.ietf.org  <mailto:marknoumea=40yahoo.com@dmarc.ietf.org>> wrote:
>>>>>>
>>>>>>       An annoying P.S.: just for the record I hope this paragraph does not encourage protocol developers to design protocols that can attribute certain action to an individual or lead to identification of people. I hope it doesn't legitimize attribution using protocols, with no accountability or checks and balances. Attribution features can be abused. I still don't think attribution should have been included at all, but that ship has sailed. So, I compromise.
>>>>>>
>>>>>>       MP>> This is exactly my fear, excepting that I disagree that "that ship has sailed", and am still not sure that consensus has been reached on this issue...
>>>>>>
>>>>>>       Mark P.
>>>>>>
>>>>>>       Le 12/03/2021 à 05:34, farzaneh badii a écrit :
>>>>>>>       Thank you Gurshabad,
>>>>>>>
>>>>>>>       Yes this is fine, though I would have removed "may.. be" from the following sentence and replace it with "is".
>>>>>>>       attribution on an individual level [may] *is not [*be] consistent with those particular human rights.  and would have removed individual from "i.e. mechanisms in protocols or architectures
>>>>>>>       that are designed to make communications or artifacts attributable to acertain computer*or individual)*"
>>>>>>>
>>>>>>>       I can't think of a text that captures Mallory's suggestion right now but I am not insistent on further changes to be applied. So don't want to hold you back.
>>>>>>>       All good and thank you for your hard and excellent work.
>>>>>>>
>>>>>>>
>>>>>>>       An annoying P.S.: just for the record I hope this paragraph does not encourage protocol developers to design protocols that can attribute certain action to an individual or lead to identification of people. I hope it doesn't legitimize attribution using protocols, with no accountability or checks and balances. Attribution features can be abused. I still don't think attribution should have been included at all, but that ship has sailed. So, I compromise.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>       Farzaneh
>>>>>>>
>>>>>>>
>>>>>>>       On Thu, Mar 11, 2021 at 1:00 PM Gurshabad Grover <gurshabad@cis-india.org  <mailto:gurshabad@cis-india.org>> wrote:
>>>>>>>
>>>>>>>           Thanks, Farzaneh.
>>>>>>>
>>>>>>>           I was referring to these suggestions (which came through well to my mail
>>>>>>>           at least), which I mostly incorporated. I realised from your chat
>>>>>>>           messages during hrpc today that you were highlighting the importance of
>>>>>>>           removing the reference to 'law enforcement agencies'. Taking that and
>>>>>>>           the recent suggestions into account, would this text be fine?
>>>>>>>
>>>>>>>           """
>>>>>>>           Question(s): Can your protocol facilitate a negatively impacted party's
>>>>>>>           right to the appropriate remedy without disproportionately impacting
>>>>>>>           other parties' human rights, especially their right to privacy?
>>>>>>>
>>>>>>>           Explanation: Attribution (i.e. mechanisms in protocols or architectures
>>>>>>>           that are designed to make communications or artifacts attributable to a
>>>>>>>           certain computer or individual) may help victims of crimes in seeking
>>>>>>>           appropriate remedy.  However, attribution mechanisms may impede the
>>>>>>>           exercise of the right to privacy.  The Special Rapporteur for Freedom of
>>>>>>>           Expression has also argued that anonymity is an inherent part of freedom
>>>>>>>           of expression. [Kaye] Considering the adverse impact of attribution on
>>>>>>>           the right to privacy and freedom of expression, enabling attribution on
>>>>>>>           an individual level may not be consistent with those particular human
>>>>>>>           rights.
>>>>>>>           """
>>>>>>>
>>>>>>>           On a finer point: I do not think that it is appropriate to remove 'the
>>>>>>>           right to remedy' from the 'Impacts' section, because it is precisely
>>>>>>>           what this section about (regardless of the final position it takes).
>>>>>>>
>>>>>>>           -Gurshabad
>>>>>>>
>>>>>>>
>>>>>>>           On 3/11/21 11:19 PM, farzaneh badii wrote:
>>>>>>>           > Seems like the suggestion I made did not come through because I
>>>>>>>           > strike-through
>>>>>>>           > Screen Shot 2021-03-11 at 12.44.34 PM.png
>>>>>>>           >  that didn't appear on the mailing list archive so I took a screenshot
>>>>>>>           > of the changes I suggested which is attached.
>>>>>>>           >
>>>>>>>           > I will rewrite it here.
>>>>>>>           > Farzaneh
>>>>>>>           >
>>>>>>>           > _______________________________________________
>>>>>>>           > hrpc mailing list
>>>>>>>           >hrpc@irtf.org  <mailto:hrpc@irtf.org>
>>>>>>>           >https://www.irtf.org/mailman/listinfo/hrpc  <https://www.irtf.org/mailman/listinfo/hrpc>
>>>>>>>           >
>>>>>>>
>>>>>>>
>>>>>>>       _______________________________________________
>>>>>>>       hrpc mailing list
>>>>>>>       hrpc@irtf.org  <mailto:hrpc@irtf.org>
>>>>>>>       https://www.irtf.org/mailman/listinfo/hrpc  <https://www.irtf.org/mailman/listinfo/hrpc>
>>>>>>       <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>      Garanti sans virus.www.avast.com  <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
>>>>>>
>>>>>>       _______________________________________________
>>>>>>       hrpc mailing list
>>>>>>       hrpc@irtf.org  <mailto:hrpc@irtf.org>
>>>>>>       https://www.irtf.org/mailman/listinfo/hrpc  <https://www.irtf.org/mailman/listinfo/hrpc>
>>>>>       _______________________________________________
>>>>>       hrpc mailing list
>>>>>       hrpc@irtf.org  <mailto:hrpc@irtf.org>
>>>>>       https://www.irtf.org/mailman/listinfo/hrpc  <https://www.irtf.org/mailman/listinfo/hrpc>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> hrpc mailing list
>>>>> hrpc@irtf.org
>>>>> https://www.irtf.org/mailman/listinfo/hrpc
>>>>>
> 

-- 
Niels ten Oever, PhD
Postdoctoral Researcher - Media Studies Department - University of Amsterdam
Research Fellow - Centre for Internet and Human Rights - European University Viadrina
Associated Scholar - Centro de Tecnologia e Sociedade - Fundação Getúlio Vargas
Affiliated Factulty - Digital Democracy Insitute - Simon Fraser University

https://nielstenoever.net - mail@nielstenoever.net - @nielstenoever - +31629051853
PGP: 2458 0B70 5C4A FD8A 9488 643A 0ED8 3F3A 468A C8B3

Read my latest article on Internet infrastructure governance in New Media & Society here: https://journals.sagepub.com/doi/full/10.1177/1461444820929320

v2.23.0 | Report a Bug | By Email