IETF Logo Mail Archive

Re: [Pearg] New Version Notification for draft-irtf-pearg-safe-internet-measurement-06.txt

Brad Chen <bradchen@google.com> Fri, 14 October 2022 15:05 UTC

Return-Path: <bradchen@google.com>
X-Original-To: pearg@ietfa.amsl.com
Delivered-To: pearg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3A67C14F743 for <pearg@ietfa.amsl.com>; Fri, 14 Oct 2022 08:05:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -22.607
X-Spam-Level:
X-Spam-Status: No, score=-22.607 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FzafGdycLkQ3 for <pearg@ietfa.amsl.com>; Fri, 14 Oct 2022 08:05:38 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49568C14CF05 for <pearg@irtf.org>; Fri, 14 Oct 2022 08:05:26 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id fy4so11132736ejc.5 for <pearg@irtf.org>; Fri, 14 Oct 2022 08:05:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=0mfEPPW4G+gDkyo6uSvFsVi/Wr88MPT89tBRS1tIgSk=; b=aPPZMS3g82hEN24VVCJcmvVuOgTYgtUzKE4v0YaU5pKuTZBwQVkseeSwESm2iVXlhv S6bSwGooCujre6NnZov5MPiruKeNJlI04swRFxJwLkMc44a+9OoraU3axiOMlypaN9l6 XpipETdDwS3Rbv/PJ9KZCiqlA2akp4jUuMo2Nv/zIofxwkJIaRrGLrY19mP5KB78/HJf QvCUgrhENsPAnqgsK7QpZD0uRG8OefCwyxpjOscOTTVnU3lvWw5E5tgnw+P0SeSuksFw vUVNbT3X4zbfqTItLHZ8GXmYuBBSxlg+uRtclKinlC//9iPpEIVLqA48nHrDWKVc/htM u7LQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=0mfEPPW4G+gDkyo6uSvFsVi/Wr88MPT89tBRS1tIgSk=; b=kQzExf9it1IG1fw1sMlpcwX6l5xzpT1FHWCIG35KcoMnkcm3t8RnqZOyTzDgTbaOax nLKWeYoWrATYM/58Dm9FR3EB7uKCiTAHjQ/XtsjoDzhchNuQ/caIMfwSb2DD6z4oZGm9 TKEguWqn14VGPRjhPuXUdhzZJgg+NVAMm+5QVDyB6lNrXWCFaPBoHrXO1/FMg5H5m6F9 nKpHdFwS0an6GrGAtZPVZwygMPSB9RrvTyvYpm/oX3jCxGR9QNkT/jNL/XoM1XzgKo2S J4hInZSvZHpnc5Q54fq0TotFzspLMNSC5gnOk7XM5KavFKFkJSEKPSoBMKBW187RINN+ tk+w==
X-Gm-Message-State: ACrzQf07IISm0TvckGGUNJ5cx2vr+BXLGfO/DvmK5+mE/RuuQIhh3YGL uX4dvfmxnfAirLSGemd+kaQayrNPDE/hDpNWMTGMWQ==
X-Google-Smtp-Source: AMsMyM6a75g0ByZFFlky0vZsSO3fDfV3D1in5bADuQUpRZRO8kAGbqFBabw7f7Axw+iJufKxf6mdKfQKXLKnslCypn0=
X-Received: by 2002:a17:906:8a66:b0:78b:da52:b752 with SMTP id hy6-20020a1709068a6600b0078bda52b752mr3862617ejc.365.1665759923646; Fri, 14 Oct 2022 08:05:23 -0700 (PDT)
MIME-Version: 1.0
References: <166094489131.14532.16995503633780264379@ietfa.amsl.com> <626a3eaa-497b-644d-16d7-7cc8c07a4dde@cdt.org> <0983ae69e957424f810750211379ba89@huawei.com>
In-Reply-To: <0983ae69e957424f810750211379ba89@huawei.com>
Reply-To: bradchen@google.com
From: Brad Chen <bradchen@google.com>
Date: Fri, 14 Oct 2022 08:05:08 -0700
Message-ID: <CAFzihuXF6dxuqPEEYxiVe3MEBJD2VsYyn+j+RS3EXk9z8N8ovw@mail.gmail.com>
To: Antoine FRESSANCOURT <antoine.fressancourt=40huawei.com@dmarc.ietf.org>
Cc: Mallory Knodel <mknodel@cdt.org>, "pearg@irtf.org" <pearg@irtf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000009270fd05eafff4b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/DiXYuZX_NAyei8xMuQrollnu7cI>
Subject: Re: [Pearg] New Version Notification for draft-irtf-pearg-safe-internet-measurement-06.txt
X-BeenThere: pearg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <pearg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/pearg>, <mailto:pearg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pearg/>
List-Post: <mailto:pearg@irtf.org>
List-Help: <mailto:pearg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/pearg>, <mailto:pearg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2022 15:05:42 -0000

Would it be appropriate to also consult with safety advocates?

Should this group assume all regulations are well founded? Or does our role
include providing feedback on regulations and recognizing better designs?

Consent is a difficult concept in this space. Too often, users are
presented with decisions they aren't prepared or competent to make. The
ubiquitous "do you accept cookies" prompts we see are a relatively benign
example. I find it hard to argue they are helping users, or accomplishing
much beyond providing cover for service providers and their use of cookies.
Still lacking is a useful system of public auditing and auditing standards
for responsible cookie disclosure and use.

Moreover, consent utterly fails for accounts that are dormant, which over
time tend to succumb to control by abuse operations. At the point an
account is deployed for scaled abuse, the notion of consent becomes absurd.
In some cases safety efforts, including relevant measurement efforts, are
considered out-of-scope for consent. In other cases abuse is simply
unmanaged, and the public is less safe.

If we make the Internet even more private without planning for safety, we
degrade the position both of governments and private operators to defend
against state-sponsored abuse and scaled criminal syndicates. What
accommodation should measurement standards make for public safety? Perhaps
none. We could pursue privacy unilaterally. This assures the privacy of
criminals, and leaves ordinary users in a precarious state, obviously not
the outcome we intend.

Regarding the draft:

   - The discussion of threat model is pretty clear on data privacy, but
   ambiguous regarding public safety problems such as fraud, disinformation,
   harassment, malware, scaled influence operations etc. which have little to
   do with data privacy.
   - The discussion of consent might consider situations where consent
   should not apply
   - The draft might consider measurement scenarios outside of the purely
   academic / research context. If public safety operations are out of scope,
   the draft might indicate that explicitly.

Brad

On Fri, Oct 14, 2022 at 2:24 AM Antoine FRESSANCOURT <antoine.fressancourt=
40huawei.com@dmarc.ietf.org> wrote:

> Hello,
>
> I have finally found time to carefully read the document. Its purpose is
> interesting but I wonder if it applicable worldwide in all legal contexts.
> As an European, I am obviously biased towards having to deal with GDPR when
> it comes to dealing with the draft's matter.
> So here are a few remarks.
>
> First, in the chapter about consent, I found some things odd when compared
> with GDPR [1]. In Article 6, the lawfulness of personal data processing is
> described. Explicit consent is the first condition that allows a data
> processor to process personal data. A few other conditions are given; but I
> fear that some of those reasons are not covered by proxy consent or
> implicit consent for use cases or purposes that are not vital to the data
> subject or necessary to operate a service to the data subject. Scientific
> research is mentioned in GDPR as a possible purpose for processing personal
> data beyond explicit consent, but the regulation specifies that it should
> not be possible to pseudonymize the data subject. For example, if we want
> the case study in paragraph 2.2 (TCP Options) or in paragraph 2.3 (maximum
> TLS version) to hold, if consent is not gathered, the data processor should
> prove that the collection of personal data associated with this measurement
> is necessary to operate the service provided to the customer (but
> measurements that don't gather personal data are fine). Note that the
> explicit consent is tied with a description of the processing purposes and
> a change in purposes requires that you ask for consent again. In the text,
> the practicality of the consent retrieval is mentioned, but I fear that
> even if the consent is difficult to gather, it needs to be retrieved if
> personal data is processed beyond exception cases listed.
>
> In the threat model; I think the text should insist on de-anonymization
> risks associated with the correlation of data sets collected during
> different experiments. If an attacker has access to two different data sets
> on a similar population and that secondary data can be used to decrease the
> size of anonymity sets for each data set, then the risk for the data
> subject to be identified is higher, with associated threats as listed in
> the document.
>
> In the 3rd chapter on the Safety considerations, I would add a specific
> paragraph on the need to anonymize data. Right now, the document insists on
> minimizing data, and anonymization techniques may fall in the techniques
> described in this paragraph. Still, focusing on operations to perform so
> that data subjects' privacy can be insured is a key point with regards to
> the GDPR. In particular, I think techniques that one could put in place to
> prevent identification by cross correlation from a variety of data sources
> should be presented. Besides, maybe we could work on a document to survey
> anonymization techniques and their merits in the context of data processed
> in the operation of networked systems to give practical examples of
> techniques that researchers or network administrator could use in their
> data collection.
>
> I think that this document touches subjects that are beyond our background
> and experience (as engineers). Maybe we can try to involve privacy advocacy
> groups beyond the IETF / IRTF community to ask them about their remarks or
> inputs on the document ? I can try to find people in EU if you feel it
> could be a valuable input.
>
> Best,
>
> Antoine
>
> --
>
> [1]
> https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
>
>
> -----Original Message-----
> From: Pearg <pearg-bounces@irtf.org> On Behalf Of Mallory Knodel
> Sent: lundi 22 août 2022 16:05
> To: pearg@irtf.org
> Subject: Re: [Pearg] New Version Notification for
> draft-irtf-pearg-safe-internet-measurement-06.txt
>
> Hi all,
>
> I have the new version of this draft in the datatracker, which I briefly
> presented on at the PEARG session of the IETF 115 meeting. Mostly the
> changes were to the XML and the structure of the document.
>
> As discussed, I also submitted the draft to the M-TEN IAB workshop on
> measurement and privacy. Hopefully we can get some volunteers to review and
> co-author.
>
> -Mallory
>
> On 8/19/22 5:34 PM, internet-drafts@ietf.org wrote:
> > A new version of I-D,
> > draft-irtf-pearg-safe-internet-measurement-06.txt
> > has been successfully submitted by Mallory Knodel and posted to the
> > IETF repository.
> >
> > Name:         draft-irtf-pearg-safe-internet-measurement
> > Revision:     06
> > Title:                Guidelines for Performing Safe Measurement on the
> Internet
> > Document date:        2022-08-19
> > Group:                pearg
> > Pages:                11
> > URL:
> https://www.ietf.org/archive/id/draft-irtf-pearg-safe-internet-measurement-06.txt
> > Status:
> https://datatracker.ietf.org/doc/draft-irtf-pearg-safe-internet-measurement/
> > Htmlized:
> https://datatracker.ietf.org/doc/html/draft-irtf-pearg-safe-internet-measurement
> > Diff:
> https://www.ietf.org/rfcdiff?url2=draft-irtf-pearg-safe-internet-measurement-06
> >
> > Abstract:
> >     Researchers from industry and academia often use Internet
> >     measurements as part of their work.  While these measurements can
> >     give insight into the functioning and usage of the Internet, they can
> >     come at the cost of user privacy.  This document describes guidelines
> >     for ensuring that such measurements can be carried out safely.
> >
> > Note
> >
> >     Comments are solicited and should be addressed to the research
> >     group's mailing list at pearg@irtf.org and/or the author(s).
> >
> >     The sources for this draft are at:
> >
> >     https://github.com/irl/draft-safe-internet-measurement
> >
> >
>
> >
> >
> > The IETF Secretariat
> >
> >
> --
> Mallory Knodel
> CTO, Center for Democracy and Technology gpg fingerprint :: E3EB 63E0 65A3
> B240 BCD9 B071 0C32 A271 BD3C C780
>
> --
> Pearg mailing list
> Pearg@irtf.org
> https://www.irtf.org/mailman/listinfo/pearg
>
> --
> Pearg mailing list
> Pearg@irtf.org
> https://www.irtf.org/mailman/listinfo/pearg
>

v2.23.0 | Report a Bug | By Email