IETF Logo Mail Archive

Re: [Pearg] More comments on draft-irtf-pearg-safe-internet-measurement-08

Mallory Knodel <mknodel@cdt.org> Tue, 07 November 2023 08:17 UTC

Return-Path: <mknodel@cdt.org>
X-Original-To: pearg@ietfa.amsl.com
Delivered-To: pearg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D303C1B030D for <pearg@ietfa.amsl.com>; Tue, 7 Nov 2023 00:17:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t-96f8rUMfT2 for <pearg@ietfa.amsl.com>; Tue, 7 Nov 2023 00:17:07 -0800 (PST)
Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 370DCC18E559 for <pearg@irtf.org>; Tue, 7 Nov 2023 00:17:07 -0800 (PST)
Received: by mail-pj1-x1033.google.com with SMTP id 98e67ed59e1d1-280137f1a1bso4036787a91.1 for <pearg@irtf.org>; Tue, 07 Nov 2023 00:17:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; t=1699345026; x=1699949826; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Fck9+zhDXsfyW1KbZSu+ePOvI/+rU/0yFD4LGrYpuI4=; b=bbUJbAMKRIz1shUuH6dcEpaMesNzoVQ5BE1JcoPe8oWsRRlUcMappprZ4pH5wh9IKH siwF7fTMa27HJyiznM2LF5Zs8z1Jn1uzOcikmxLxHhd4+qcQmTj9rAvlFfeiJPKRcNpB aX2vnD98tyqA5+S9vrDP6g2wNermw+V8+yMYg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699345026; x=1699949826; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Fck9+zhDXsfyW1KbZSu+ePOvI/+rU/0yFD4LGrYpuI4=; b=KZshXEDyEQ0WesSGrqJBvqw5OkpbBBhHyJQy5s/8Q4MEB+emB2EVM93Vj9RCmhjbri +vA0fwUZfVOMuih6M6csRjTB9Wu7CLmvYICbpoca2fjI584qxvokuL4Vg2sBgVMsaLKO 7AVWty99ceSvDw1Q8HCT4PsFwt2gKBbYBYB0EN0qnIIxH7TzodnC5kWB62r/QyPamsWN d/MyMUcsk64g97k7yGfCdrUQB8D30au5C52R6zGh23zqyhY0+caONnwLKd+JG/8QhXLp UBEKbiOl5cs2eXxrBWWRczml4tzh8GWMhoL9kC46Qpz1bhodk8HCfk8zB7HB2/Lvy7Bt 0/7A==
X-Gm-Message-State: AOJu0Yy+EXHzU9xSJ6bGfHWZo2iXQxbb0xJV/vY3G6Qcw5k8h02guzil LkhtgNx+wRAeTgx6X2Sfc2HSHzIRTZ2A0prGY5+e40Gbfj7UxL5mUVM=
X-Google-Smtp-Source: AGHT+IG8uMpHkZRNqmo0wtZrfZ+sZUg4nYk+YaoW0R/Bk5Vi+9hO4Xnc0udIX0kD1yXFBfGdbH6meqHB2lkkoNSavFA=
X-Received: by 2002:a17:90b:3597:b0:27d:46e5:2d7c with SMTP id mm23-20020a17090b359700b0027d46e52d7cmr24650301pjb.26.1699345026167; Tue, 07 Nov 2023 00:17:06 -0800 (PST)
MIME-Version: 1.0
References: <CAMgphBD43bkD8+3y8McV6m0OvmgjSU7J5mrVGvSp1=_OcTx-Bw@mail.gmail.com> <CAL-akOsx09VviAohCUB_qP8j+6U+fnx72cpTR2NBL4AByLOrHQ@mail.gmail.com> <CAMgphBDgOmGu4axbRNq4LXdQ4gSdCh+G-qZHq_HNdOV-DOZhOQ@mail.gmail.com>
In-Reply-To: <CAMgphBDgOmGu4axbRNq4LXdQ4gSdCh+G-qZHq_HNdOV-DOZhOQ@mail.gmail.com>
From: Mallory Knodel <mknodel@cdt.org>
Date: Tue, 07 Nov 2023 09:16:54 +0100
Message-ID: <CAGVFjMJT+bN32oQOOtEY7h2-wdSVBF-UC=Rc1+p7yc0RX6BVEw@mail.gmail.com>
To: Marwan Fayed <marwan=40cloudflare.com@dmarc.ietf.org>
Cc: Tara Tarakiyee <me@tarakiyee.com>, pearg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000a2c64f06098b9832"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/MX2n4-xnqIl70Zqvr9P3XM-3KWQ>
Subject: Re: [Pearg] More comments on draft-irtf-pearg-safe-internet-measurement-08
X-BeenThere: pearg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <pearg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/pearg>, <mailto:pearg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pearg/>
List-Post: <mailto:pearg@irtf.org>
List-Help: <mailto:pearg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/pearg>, <mailto:pearg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2023 08:17:11 -0000

Hi Marwan,

Top post on terminology. IRTF documents cannot use rfc2119 terms with
precision, because this is not a standards track doc.

And, the use of attacker is the appropriate and precise term for designing
systems with a threat model, which is what this document does. I’ll look
for ways to bring the tone down a notch, though this will add more words to
a doc that was meant to be lightweight. Worth it to get it right, however.

Many thanks for the ongoing discussion and offer to bring in more reviews.
I haven’t got a new version out with these changes but I will do soon.

Let’s keep talking,
-Mallory


On Tue, 7 Nov 2023 at 09:01, Marwan Fayed <marwan=
40cloudflare.com@dmarc.ietf.org> wrote:

> Thanks Mallory and Tara. I shall keep my promise and share with the wider
> measurement community at SIGCOMM and others.
>
> In the meantime, a constructive thought: Perhaps it would be useful to
> reconstruct or reframe the contents of this draft using IETF terminology?
> (For non-IETFers, last I knew, the vocabulary is
> https://datatracker.ietf.org/doc/rfc2119 .) Measurement practice has many
> subtleties, some very clear do/do-nots. It occurs to me that many of the
> subtleties in a draft like this would pop out when presented as MUST or
> SHOULD NOT statements (if they can be, at all). It may help to read public
> statements from open research, in which measurement studies are now always
> accompanied by documentation explaining choices, and more. For example, see
> 'Ethics' in https://conferences.sigcomm.org/imc/2023/cfp/
>
> The suggestion to user IETF terminology is motivated by a simple question,
> the likes of which IETF exists to answer: What does "interop" look like for
> measurement practice?
>
> Setting details and subtleties aside, I must reiterate that the tone in
> this draft placing measurement on par with attacks is likely to present as
> problematic for people who know this domain well, many whose established
> expertise is measurement practice. It also could be misleading for
> non-experts who are reviewing measurement plans or practice -- in other
> words, the risks may outweigh the benefits in current form.
>
> It has taken the measurement community years to get to where it is now;
> even so our knowledge and practice continues to evolve. In this wider
> context this draft is no small endeavour, and the effort is commendable!
> (Thank you, Contributors!) No matter the outcome of this draft, it brings
> visibility to an important subject.
>
> Best,
> --marwan
>
>
>
>
> On Sun, 5 Nov 2023 at 10:27, Tara Tarakiyee <me@tarakiyee.com> wrote:
>
>> Dear Marwan,
>>
>> Thank you for sharing your review. I've read the draft with the
>> perspective of someone who was a measurement volunteer and who organised
>> measurement volunteers in contexts very similar to the example under 2.1
>> and I can say I didn't find the positioning of measurement in this document
>> to be bad or biased, considering that it's a safety considerations
>> document. In fact, an alternative framing that sugarcoats risks involved
>> with measurement would counter the goals of the document.
>>
>> That said, I agree with your point on 2.1 about taking into account the
>> power dynamic between the seeker of consent and the user. Furthermore, I
>> think 2.1 should be closely tied to 2.7, it's not enough that the user
>> considers risk to themselves, but the measurer should also take into
>> consideration the overall benefits vs risks involved to their measurement
>> participants even if they have informed consent. Another consideration to
>> add to informed consent is the capabilities of the user. A volunteer
>> working alone might be inclined to accept the risk because they want to
>> help, but their understanding of the risk could be improved by connecting
>> them with a local technologist, or exposure to the risk could be minimized
>> by connecting them to local legal resources.
>>
>> Best wishes,
>> Tara Tarakiyee
>>
>>
>>
>>
>> On Fri, Oct 27, 2023 at 7:01 PM Marwan Fayed <marwan=
>> 40cloudflare.com@dmarc.ietf.org> wrote:
>>
>>> Opening with thanks for the reminders to comment on this draft! Perhaps
>>> a most useful suggestion is to solicit feedback from beyond the IRTF/IETF
>>> community since so much of our best practice and guidance has been
>>> developed, and is tracked, outside of the IRTF/IETF. I'm happy to help in
>>> this regard.
>>>
>>> As a member of the measurement community, I can echo earlier sentiments
>>> that this draft is useful. I also see gaps, but have additional concerns
>>> about the way it positions measurement, overall, in ways that (at a
>>> minimum) could adversely bias institutional review or other forms of
>>> scrutiny by panels and people unfamiliar with the measurement domain.
>>>
>>> First, and most importantly, my reading of the draft's set-up in its
>>> current form is that it (unintentionally no doubt) presupposes that
>>> measurement is bad and harmful. Specifically, the draft explicitly equates
>>> many if not all forms of measurement each as being a type of attack. Some
>>> examples:
>>>
>>>  - [1.2] "Passive measurements use surveillance..." -- the Oxford
>>> definition of surveillance is "[noun] close observation, especially of
>>> a suspected spy or criminal."
>>>
>>>  - [1.3] encapsulates all measurements as being sources of attack. There
>>> are 12 explicit definitions, 9 of which start by "An attack".
>>>
>>> It's important to recognise that a draft like this would be beneficial
>>> to a wide audience. At the same time I am unable to see how an outside
>>> observer or reviewer, e.g. institutional review, using guidelines of this
>>> form (and likely have to consider liability along with safe and responsible
>>> practice), wouldn't automatically be forced into a starting position of
>>> defensiveness against measurement. (Aside: one additional suggestion may be
>>> to use 'responsible' alongside 'safe', which is a common convention in the
>>> research community.)
>>>
>>> The 'risk' in this current draft is that its current set-up reverses a
>>> lot of the incredibly hard and tireless efforts from the measurement
>>> community to define, account for, report, and review best practices, as
>>> well as call out violations.
>>>
>>> Second, there are a few subtleties missing from some 'Guidelines' that
>>> cannot be overlooked. Their omission could lull a reader into false senses
>>> of security that they've checked certain boxes. In particular,
>>>
>>>  - [2.1] suggests that informed consent is sufficient, when in fact we
>>> know that even fully informed consent in some circumstances may not be
>>> enough. For example, the value and merit of consent to statements like "by
>>> helping this measurement you could go to jail" is questionable, at best.
>>> Alongside, the seeker of consent has to be taken into consideration; for
>>> example, there is no way to know the effect of a consent-seeker on a
>>> consent-giver who may be more or less inclined to trust a multinational
>>> corporation, foreign government, civil liberty group, or a university lab
>>> -- these are just not the same, and an individual may trust more or less
>>> depending.
>>>
>>>  - [2.3] This is a good one! If it's helpful, even the seemingly
>>> obviously 'ok' can have caveats. Speedtests are a great example. It might
>>> be reasonable to assume that any speedtest server is happy to receive a
>>> test request, and any subscriber who pays for access is entitled to request
>>> the test -- but what about the transit provider in-between?
>>>
>>>  - [2.4] Also great, and easy to overlook. Here, too, however, I wonder
>>> if all requests are equal? As an example, what does it mean for Google to
>>> request do-not-scan? (I honestly don't know!) One possible addition may be
>>> to suggest that "self-identify" is good practice, especially when releasing
>>> measurement tools into the world. For example, the popular zmap tool self
>>> identifies itself by placing "54321" in the IP-ID field.
>>>
>>> One last suggestion: It's hard to know which are the most useful
>>> references in this space, so a draft like this would be a great place to
>>> have a comprehensive list of pointers to best and current practice in this
>>> space (e.g. the CACM written by Partridge and Allman), and docs that might
>>> include case studies. Even better might be to have one or two sentences for
>>> each to describe why the reference is useful, or what it offers.
>>> (Acknowledging in advance that distilling down from multiple inputs is a
>>> challenge in itself, and would be a great feat!)
>>>
>>> Hope some of this helps.
>>>
>>> --marwan
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Pearg mailing list
>>> Pearg@irtf.org
>>> https://mailman.irtf.org/mailman/listinfo/pearg
>>>
>> --
>> Pearg mailing list
>> Pearg@irtf.org
>> https://mailman.irtf.org/mailman/listinfo/pearg
>>
> --
> Pearg mailing list
> Pearg@irtf.org
> https://mailman.irtf.org/mailman/listinfo/pearg
>

v2.23.0 | Report a Bug | By Email