Re: [Pearg] Call for adoption: draft-learmonth-pearg-safe-internet-measurement-02.txt

Eric Rescorla <> Mon, 27 May 2019 13:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B7C7A12001A for <>; Mon, 27 May 2019 06:35:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LWYnqOEqw4Y6 for <>; Mon, 27 May 2019 06:35:28 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E38E312015F for <>; Mon, 27 May 2019 06:35:27 -0700 (PDT)
Received: by with SMTP id 188so14700478ljf.9 for <>; Mon, 27 May 2019 06:35:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CBk0Wq/4M0OuXg0aZRTNrhBhS5vKswoO8LBC8AOWNsw=; b=1dxXgq2euNOfdXfldWtR+Z1vjtdqylfZPfHR22sBMvznlOspKn7Nx1XAsPG9+P5Fl+ IKOeLWLHfUbloE2C3vK4sGQoIPFHMODbr45e+gqSI8fIeSZioVHk8a7BLALMF8I/d/8S DCfQoyqd6Yxosq1r63KcrBYv5tT03yIedZph9KHF9ScaRgBRAVYEk6UTFxf8qCY2nCoj ZjrJ4h097PFPIgNP8Wb5oZEmyF1YCF3OU1qow9jOp3Cnmw0nJgOcELX5b+//W2vWurs/ UvZMAvOtiOkqXllY7KNRTl5tnVO9Bi9zZOLgs5bJ7ff1lflxIOUAJj/+M2cd5g7baljo PcFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CBk0Wq/4M0OuXg0aZRTNrhBhS5vKswoO8LBC8AOWNsw=; b=Pr07xch/cTKFcKN1wSIewR5mZkx8/buXhhGdLYRd2O1GcdeyyIwM1MEWN+CrT/EsRE hjeYsbfPdkrzqceWWapkP4nssTD4FORWqFgPwn+HIoJJPqEyPkq0ig21fYi78gxiwD8H YV5kDEEkJcxRGmId0Vq800UH7ewM6d0r4U4s6kwLpL+NjVaySq3WVD3IbvEd4wSorCjP CCdFcT7rlFopQ4Su/mqIgK4F4teZsJ8Mho+4nw0DToT+o2wo+Hrb7HmsMSRJlB69DboH l6L8WZcxCxtrI39NPdN2Ipjoh8shY0Z0TK6aGdkkgIBmzo4eF57tqg4Y+gf2ee1mt/TB FFOQ==
X-Gm-Message-State: APjAAAUdN7SVEglPXlDnIhLVhjhfQI2w4QQh3Ya2actdq7T2UYWeP31R yXUL1mmigqhH5/b8jB18oy9h5WlP/uLSPeVam3c3BsWvuy8=
X-Google-Smtp-Source: APXvYqwgNPiaxxvNZ+itHiCZqbA4nlxvN9qH9j3k51JuX2TQtSv2+gUqXwyvQVyv9Fhb3laKaan1hHowYOdRDOs9KoM=
X-Received: by 2002:a2e:7d02:: with SMTP id y2mr34869095ljc.62.1558964125962; Mon, 27 May 2019 06:35:25 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Eric Rescorla <>
Date: Mon, 27 May 2019 06:34:47 -0700
Message-ID: <>
To: Sara Dickinson <>
Cc: "" <>
Content-Type: multipart/alternative; boundary="000000000000f2278a0589de9e84"
Archived-At: <>
Subject: Re: [Pearg] Call for adoption: draft-learmonth-pearg-safe-internet-measurement-02.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 27 May 2019 13:35:32 -0000

I have reviewed this document and while I think some of the advice
here is potentially useful, I don't think the recommendations really
match what's current practice or what's practical. As such, I don't
think it should be adopted without quite a bit more work.

As background, here is a partial list of the kinds of studies that
are commonly done:

- A/B tests of browser behavior where we randomize users into
  a control and treatment group and then measure some parameter
  (e.g., connection success rate) under normal browsing usage.
  This kind of A/B test is standard practice for many browser
  features, at least for Chrome and Firefox. See:

- Forced tests where we have the browser perform some action
  (e.g., connect to a server) with various parameters and
  measure differences between the parameter settings.
  This is less common, but we used these during the roll out
  of TLS 1.3 and are currently using these for DoH.

- Studies where we use an ad network to initiate some behavior
  in the browser. This is pretty common approach when you don't
  control a browser measurement platform. See, for instance:

- Wide-scale scans (e.g.,

I don't really want to get into a long debate about whether any
particular study type is appropriate. Rather, these are common study
types and so if the advice in this document is to be useful, then it
needs to reasonably match what people do -- or at least have a much
stronger argument that people should change what they do than is
offered here.

The text in this draft leans pretty heavily on getting consent,
either direct consent (including all users of the shared network)
or "proxy consent".

However, many of these kinds of studies don't really lend themselves
to detailed consent from individual users of the browser -- let alone
to from every user on the network they are on. As a concrete example,
ad-type studies don't generally get any kind of consent at all.  For
instance, here's the experimental setup for APNIC's DNSSEC

    The experiment uses an online advertisement campaign to deliver
    the test code to end systems. When the end system is passed an ad
    that is carrying the experiment the system runs embedded Adobe
    Flash code. The code is executed when the ad is passed to the
    user, and does not rely on a user "click" or any other user
    trigger action. The active code interrogates one of two experiment
    controllers by performing a URL fetch. The contents of the fetched
    experiment control URL are a dynamically generated sequence of
    four URLs. These four URLs are the substance of the test setup.

It's worth noting at this point that the Web is a platform for running
remote code, and by browsing you're opting into that, and ad studies
just leverage that behavior.

As another example, Mozilla's Shield Studies system
(,is generally
opt-out, with a specific opt-in for when the study collects
more sensitive data:

    Shield Studies are available on all channels. Individual studies
    can be opt-out or opt-in depending on the nature of the study and
    the data being collected. Opt-out Shield Studies can only collect
    Type 1 and 2 data. This is the same type of basic interaction data
    we collect by default as defined in our privacy policy. There may
    be instances where we want to collect data that is not covered by
    our default data collection policies. In those instances you will
    be prompted to opt-in to the study. A complete description of the
    study and any additional data that would be collected will be
    disclosed before enrolling. A great example of this is Pioneer,
    which is actually an opt-in Shield Study currently in the wild.

As above, in the cases where it's opt-in, the primary question is
about the user's private data, and it's when that data is implicated
that we get more consent. There's no practical way to get consent from
other users of the same network. So, the consent section of this draft
doesn't seem to really apply well.

Now, obviously, one could argue that this kind of study should follow
a different set of practices, but I don't think that's really
right. There seem to be two core issues here:

- The effects of various changes on the user or the network they are

- The data collection inherent in doing the study.

WRT to the first point, as a general matter, modern browsers
auto-update, so the user has generally opted into regularly getting
whatever new code the vendor thinks makes the best browser. We use
studies to determine whether a given change is good but in many cases
the alternative is just to roll the change out to everyone,
effectively doing the study on the whole population. So, either
we can have that effect on everyone or only on a limited subset
(what we do now). We run a lot of experiments and having explicit
consent for each one would make that much harder, resulting in
testing much more on the full population.

Similarly, on the topic of data collection, browsers report back quite
a bit of technical data about their behavior. In both Chrome and
Firefox, this is on by default, though you can turn it off. As
suggested by the quote above on Shield studies, many studies just
gather this kind of data (and often data that the browser would
already report back) and Mozilla, at least, has a pretty
well-developed framework for determining what kind of data requires
what level of consent

S 3.4.

   When deciding on the data to collect, assume that any data collected
   might become public.  There are many ways that this could happen,
   through operation security mistakes or compulsion by a judicial

This seems like it might be a good practice under some circumstances,
but impractical in many other cases. Moreover, given the enormous
amounts of personal data that users routinely hand to Web sites,
this seems like an unreasonably high standard.

S 3.5.
   For all data collected, consider whether or not it is really needed.

This section (and Section 4) seem really undeveloped. As a comparison
point, consider Mozilla's Data Collection principles
( I'm not saying
that those principles are perfect, but they're fairly complete and
thought through. if you're going to publishing an RFC with proposed
principles for what data is collected, I would expect it to be
comparably thorough.

On Tue, May 21, 2019 at 3:23 AM Sara Dickinson <> wrote:

> Hi All,
> This email starts a two week Call for Adoption of
> draft-learmonth-pearg-safe-internet-measurement
> The draft is available at:
> Please review this draft to see if you think it is suitable for adoption
> by PEARG and send comments to the list, clearly stating your view.
> Please also indicate if you are willing to contribute text, review, etc.
> This call for adoption ends on 4th April 2019.
> Sara.
> --
> Pearg mailing list