Re: [Pearg] More comments on draft-irtf-pearg-safe-internet-measurement-08
Mallory Knodel <mknodel@cdt.org> Tue, 07 November 2023 08:17 UTC
Return-Path: <mknodel@cdt.org>
X-Original-To: pearg@ietfa.amsl.com
Delivered-To: pearg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D303C1B030D for <pearg@ietfa.amsl.com>; Tue, 7 Nov 2023 00:17:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t-96f8rUMfT2 for <pearg@ietfa.amsl.com>; Tue, 7 Nov 2023 00:17:07 -0800 (PST)
Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 370DCC18E559 for <pearg@irtf.org>; Tue, 7 Nov 2023 00:17:07 -0800 (PST)
Received: by mail-pj1-x1033.google.com with SMTP id 98e67ed59e1d1-280137f1a1bso4036787a91.1 for <pearg@irtf.org>; Tue, 07 Nov 2023 00:17:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; t=1699345026; x=1699949826; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Fck9+zhDXsfyW1KbZSu+ePOvI/+rU/0yFD4LGrYpuI4=; b=bbUJbAMKRIz1shUuH6dcEpaMesNzoVQ5BE1JcoPe8oWsRRlUcMappprZ4pH5wh9IKH siwF7fTMa27HJyiznM2LF5Zs8z1Jn1uzOcikmxLxHhd4+qcQmTj9rAvlFfeiJPKRcNpB aX2vnD98tyqA5+S9vrDP6g2wNermw+V8+yMYg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699345026; x=1699949826; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Fck9+zhDXsfyW1KbZSu+ePOvI/+rU/0yFD4LGrYpuI4=; b=KZshXEDyEQ0WesSGrqJBvqw5OkpbBBhHyJQy5s/8Q4MEB+emB2EVM93Vj9RCmhjbri +vA0fwUZfVOMuih6M6csRjTB9Wu7CLmvYICbpoca2fjI584qxvokuL4Vg2sBgVMsaLKO 7AVWty99ceSvDw1Q8HCT4PsFwt2gKBbYBYB0EN0qnIIxH7TzodnC5kWB62r/QyPamsWN d/MyMUcsk64g97k7yGfCdrUQB8D30au5C52R6zGh23zqyhY0+caONnwLKd+JG/8QhXLp UBEKbiOl5cs2eXxrBWWRczml4tzh8GWMhoL9kC46Qpz1bhodk8HCfk8zB7HB2/Lvy7Bt 0/7A==
X-Gm-Message-State: AOJu0Yy+EXHzU9xSJ6bGfHWZo2iXQxbb0xJV/vY3G6Qcw5k8h02guzil LkhtgNx+wRAeTgx6X2Sfc2HSHzIRTZ2A0prGY5+e40Gbfj7UxL5mUVM=
X-Google-Smtp-Source: AGHT+IG8uMpHkZRNqmo0wtZrfZ+sZUg4nYk+YaoW0R/Bk5Vi+9hO4Xnc0udIX0kD1yXFBfGdbH6meqHB2lkkoNSavFA=
X-Received: by 2002:a17:90b:3597:b0:27d:46e5:2d7c with SMTP id mm23-20020a17090b359700b0027d46e52d7cmr24650301pjb.26.1699345026167; Tue, 07 Nov 2023 00:17:06 -0800 (PST)
MIME-Version: 1.0
References: <CAMgphBD43bkD8+3y8McV6m0OvmgjSU7J5mrVGvSp1=_OcTx-Bw@mail.gmail.com> <CAL-akOsx09VviAohCUB_qP8j+6U+fnx72cpTR2NBL4AByLOrHQ@mail.gmail.com> <CAMgphBDgOmGu4axbRNq4LXdQ4gSdCh+G-qZHq_HNdOV-DOZhOQ@mail.gmail.com>
In-Reply-To: <CAMgphBDgOmGu4axbRNq4LXdQ4gSdCh+G-qZHq_HNdOV-DOZhOQ@mail.gmail.com>
From: Mallory Knodel <mknodel@cdt.org>
Date: Tue, 07 Nov 2023 09:16:54 +0100
Message-ID: <CAGVFjMJT+bN32oQOOtEY7h2-wdSVBF-UC=Rc1+p7yc0RX6BVEw@mail.gmail.com>
To: Marwan Fayed <marwan=40cloudflare.com@dmarc.ietf.org>
Cc: Tara Tarakiyee <me@tarakiyee.com>, pearg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000a2c64f06098b9832"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/MX2n4-xnqIl70Zqvr9P3XM-3KWQ>
Subject: Re: [Pearg] More comments on draft-irtf-pearg-safe-internet-measurement-08
X-BeenThere: pearg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <pearg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/pearg>, <mailto:pearg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pearg/>
List-Post: <mailto:pearg@irtf.org>
List-Help: <mailto:pearg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/pearg>, <mailto:pearg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2023 08:17:11 -0000
Hi Marwan, Top post on terminology. IRTF documents cannot use rfc2119 terms with precision, because this is not a standards track doc. And, the use of attacker is the appropriate and precise term for designing systems with a threat model, which is what this document does. I’ll look for ways to bring the tone down a notch, though this will add more words to a doc that was meant to be lightweight. Worth it to get it right, however. Many thanks for the ongoing discussion and offer to bring in more reviews. I haven’t got a new version out with these changes but I will do soon. Let’s keep talking, -Mallory On Tue, 7 Nov 2023 at 09:01, Marwan Fayed <marwan= 40cloudflare.com@dmarc.ietf.org> wrote: > Thanks Mallory and Tara. I shall keep my promise and share with the wider > measurement community at SIGCOMM and others. > > In the meantime, a constructive thought: Perhaps it would be useful to > reconstruct or reframe the contents of this draft using IETF terminology? > (For non-IETFers, last I knew, the vocabulary is > https://datatracker.ietf.org/doc/rfc2119 .) Measurement practice has many > subtleties, some very clear do/do-nots. It occurs to me that many of the > subtleties in a draft like this would pop out when presented as MUST or > SHOULD NOT statements (if they can be, at all). It may help to read public > statements from open research, in which measurement studies are now always > accompanied by documentation explaining choices, and more. For example, see > 'Ethics' in https://conferences.sigcomm.org/imc/2023/cfp/ > > The suggestion to user IETF terminology is motivated by a simple question, > the likes of which IETF exists to answer: What does "interop" look like for > measurement practice? > > Setting details and subtleties aside, I must reiterate that the tone in > this draft placing measurement on par with attacks is likely to present as > problematic for people who know this domain well, many whose established > expertise is measurement practice. It also could be misleading for > non-experts who are reviewing measurement plans or practice -- in other > words, the risks may outweigh the benefits in current form. > > It has taken the measurement community years to get to where it is now; > even so our knowledge and practice continues to evolve. In this wider > context this draft is no small endeavour, and the effort is commendable! > (Thank you, Contributors!) No matter the outcome of this draft, it brings > visibility to an important subject. > > Best, > --marwan > > > > > On Sun, 5 Nov 2023 at 10:27, Tara Tarakiyee <me@tarakiyee.com> wrote: > >> Dear Marwan, >> >> Thank you for sharing your review. I've read the draft with the >> perspective of someone who was a measurement volunteer and who organised >> measurement volunteers in contexts very similar to the example under 2.1 >> and I can say I didn't find the positioning of measurement in this document >> to be bad or biased, considering that it's a safety considerations >> document. In fact, an alternative framing that sugarcoats risks involved >> with measurement would counter the goals of the document. >> >> That said, I agree with your point on 2.1 about taking into account the >> power dynamic between the seeker of consent and the user. Furthermore, I >> think 2.1 should be closely tied to 2.7, it's not enough that the user >> considers risk to themselves, but the measurer should also take into >> consideration the overall benefits vs risks involved to their measurement >> participants even if they have informed consent. Another consideration to >> add to informed consent is the capabilities of the user. A volunteer >> working alone might be inclined to accept the risk because they want to >> help, but their understanding of the risk could be improved by connecting >> them with a local technologist, or exposure to the risk could be minimized >> by connecting them to local legal resources. >> >> Best wishes, >> Tara Tarakiyee >> >> >> >> >> On Fri, Oct 27, 2023 at 7:01 PM Marwan Fayed <marwan= >> 40cloudflare.com@dmarc.ietf.org> wrote: >> >>> Opening with thanks for the reminders to comment on this draft! Perhaps >>> a most useful suggestion is to solicit feedback from beyond the IRTF/IETF >>> community since so much of our best practice and guidance has been >>> developed, and is tracked, outside of the IRTF/IETF. I'm happy to help in >>> this regard. >>> >>> As a member of the measurement community, I can echo earlier sentiments >>> that this draft is useful. I also see gaps, but have additional concerns >>> about the way it positions measurement, overall, in ways that (at a >>> minimum) could adversely bias institutional review or other forms of >>> scrutiny by panels and people unfamiliar with the measurement domain. >>> >>> First, and most importantly, my reading of the draft's set-up in its >>> current form is that it (unintentionally no doubt) presupposes that >>> measurement is bad and harmful. Specifically, the draft explicitly equates >>> many if not all forms of measurement each as being a type of attack. Some >>> examples: >>> >>> - [1.2] "Passive measurements use surveillance..." -- the Oxford >>> definition of surveillance is "[noun] close observation, especially of >>> a suspected spy or criminal." >>> >>> - [1.3] encapsulates all measurements as being sources of attack. There >>> are 12 explicit definitions, 9 of which start by "An attack". >>> >>> It's important to recognise that a draft like this would be beneficial >>> to a wide audience. At the same time I am unable to see how an outside >>> observer or reviewer, e.g. institutional review, using guidelines of this >>> form (and likely have to consider liability along with safe and responsible >>> practice), wouldn't automatically be forced into a starting position of >>> defensiveness against measurement. (Aside: one additional suggestion may be >>> to use 'responsible' alongside 'safe', which is a common convention in the >>> research community.) >>> >>> The 'risk' in this current draft is that its current set-up reverses a >>> lot of the incredibly hard and tireless efforts from the measurement >>> community to define, account for, report, and review best practices, as >>> well as call out violations. >>> >>> Second, there are a few subtleties missing from some 'Guidelines' that >>> cannot be overlooked. Their omission could lull a reader into false senses >>> of security that they've checked certain boxes. In particular, >>> >>> - [2.1] suggests that informed consent is sufficient, when in fact we >>> know that even fully informed consent in some circumstances may not be >>> enough. For example, the value and merit of consent to statements like "by >>> helping this measurement you could go to jail" is questionable, at best. >>> Alongside, the seeker of consent has to be taken into consideration; for >>> example, there is no way to know the effect of a consent-seeker on a >>> consent-giver who may be more or less inclined to trust a multinational >>> corporation, foreign government, civil liberty group, or a university lab >>> -- these are just not the same, and an individual may trust more or less >>> depending. >>> >>> - [2.3] This is a good one! If it's helpful, even the seemingly >>> obviously 'ok' can have caveats. Speedtests are a great example. It might >>> be reasonable to assume that any speedtest server is happy to receive a >>> test request, and any subscriber who pays for access is entitled to request >>> the test -- but what about the transit provider in-between? >>> >>> - [2.4] Also great, and easy to overlook. Here, too, however, I wonder >>> if all requests are equal? As an example, what does it mean for Google to >>> request do-not-scan? (I honestly don't know!) One possible addition may be >>> to suggest that "self-identify" is good practice, especially when releasing >>> measurement tools into the world. For example, the popular zmap tool self >>> identifies itself by placing "54321" in the IP-ID field. >>> >>> One last suggestion: It's hard to know which are the most useful >>> references in this space, so a draft like this would be a great place to >>> have a comprehensive list of pointers to best and current practice in this >>> space (e.g. the CACM written by Partridge and Allman), and docs that might >>> include case studies. Even better might be to have one or two sentences for >>> each to describe why the reference is useful, or what it offers. >>> (Acknowledging in advance that distilling down from multiple inputs is a >>> challenge in itself, and would be a great feat!) >>> >>> Hope some of this helps. >>> >>> --marwan >>> >>> >>> >>> >>> >>> -- >>> Pearg mailing list >>> Pearg@irtf.org >>> https://mailman.irtf.org/mailman/listinfo/pearg >>> >> -- >> Pearg mailing list >> Pearg@irtf.org >> https://mailman.irtf.org/mailman/listinfo/pearg >> > -- > Pearg mailing list > Pearg@irtf.org > https://mailman.irtf.org/mailman/listinfo/pearg >
- [Pearg] More comments on draft-irtf-pearg-safe-in… Marwan Fayed
- Re: [Pearg] More comments on draft-irtf-pearg-saf… Mallory Knodel
- Re: [Pearg] More comments on draft-irtf-pearg-saf… Tara Tarakiyee
- Re: [Pearg] More comments on draft-irtf-pearg-saf… Marwan Fayed
- Re: [Pearg] More comments on draft-irtf-pearg-saf… Mallory Knodel
- Re: [Pearg] More comments on draft-irtf-pearg-saf… Eric Rescorla
- Re: [Pearg] More comments on draft-irtf-pearg-saf… Mallory Knodel
- Re: [Pearg] More comments on draft-irtf-pearg-saf… Tobias Fiebig
- Re: [Pearg] More comments on draft-irtf-pearg-saf… Mallory Knodel
- Re: [Pearg] More comments on draft-irtf-pearg-saf… Christian Huitema