[Pearg] draft-irtf-pearg-safe-internet-measurement review, implied consent
Nick Doty <ndoty@cdt.org> Mon, 10 July 2023 19:58 UTC
Return-Path: <ndoty@cdt.org>
X-Original-To: pearg@ietfa.amsl.com
Delivered-To: pearg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7D05C16B5B0 for <pearg@ietfa.amsl.com>; Mon, 10 Jul 2023 12:58:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hpoMA6EcAAv for <pearg@ietfa.amsl.com>; Mon, 10 Jul 2023 12:58:53 -0700 (PDT)
Received: from mail-yw1-x112d.google.com (mail-yw1-x112d.google.com [IPv6:2607:f8b0:4864:20::112d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA12DC137371 for <pearg@irtf.org>; Mon, 10 Jul 2023 12:58:53 -0700 (PDT)
Received: by mail-yw1-x112d.google.com with SMTP id 00721157ae682-577412111f0so62882197b3.0 for <pearg@irtf.org>; Mon, 10 Jul 2023 12:58:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; t=1689019132; x=1691611132; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=VMHc/JoHUaG2M4wSSLtLxrQ7zn+9Dak+5HlyQfWBzAc=; b=KJG1BHmmz7v+rbGTn5+SceZGA1+Os29W5ARRjQtCMcQ12RDDx4HL4Q4oIthji7lS/b sNcGSBh+DzG9evHZH3PZNcTa0LGcFgOAh0I60RgqmZJrcdrFRReB7FK/NYOWPeve96nO EONro8ImTPpEjAtJ8NKsSlt7QUC4QbGgck/5A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689019132; x=1691611132; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=VMHc/JoHUaG2M4wSSLtLxrQ7zn+9Dak+5HlyQfWBzAc=; b=OH2tLQ5h0NTkuSzWqWGjd44M0mEBf3FCp+QiPX1YC+J9wRvS4ggqrQYVRx0vq1HjN8 XtxfXKDZrXmHWgPoSDzsxngyf1WVd7Kkw9P6oVI0228o/tPIfGxUUuO+p4WW3KcFTBxy IbI5zDM1D29QjyFVTrrOoe0lsnsx4wgf2SSbkUuudITFG4WaM60JVbRhPKbSLPFv+FY2 Px329zm/7TzWGqhlJQ5RGNMoloPRBrFtfgrhxN90rjkSuJzg9tftR1o/RjA+OPD9tUuf ZWWxAQJLWAretFtC8bzW+UpOiwFnADDNLNsIjt0AvTVJ9nc4EgapTGl9AHLXnaIzVKZH GebQ==
X-Gm-Message-State: ABy/qLZJItuL4TsCUEgz5FVwr4SsaCCU/VZyt1Hd9e/sq5Ac6eB3g+Nl JWAxL1EcqYBitlFur9VNqK+6UMe3mVa1n7U6MJbNnTUZcYZGnfeC2qnwBA==
X-Google-Smtp-Source: APBJJlHkfPRHQUX7GVaajBHWA0tigClQNG2cq2NJewv1iPhQB1kOGADI074rHLtIF4FPFqykL+0rsTN/wA7NZ9/j9IA=
X-Received: by 2002:a0d:e20e:0:b0:57a:40aa:3fe4 with SMTP id l14-20020a0de20e000000b0057a40aa3fe4mr16907022ywe.22.1689019132696; Mon, 10 Jul 2023 12:58:52 -0700 (PDT)
MIME-Version: 1.0
From: Nick Doty <ndoty@cdt.org>
Date: Mon, 10 Jul 2023 15:58:41 -0400
Message-ID: <CA+tYtvHQF7s3e-740jqjB0XEJp8OKin3xav6kheag00b1p6w1g@mail.gmail.com>
To: pearg@irtf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/p0YnOzqnHiKdmfhh2fuII7uyfkQ>
Subject: [Pearg] draft-irtf-pearg-safe-internet-measurement review, implied consent
X-BeenThere: pearg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <pearg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/pearg>, <mailto:pearg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pearg/>
List-Post: <mailto:pearg@irtf.org>
List-Help: <mailto:pearg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/pearg>, <mailto:pearg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2023 19:58:57 -0000
Some comments on the safe internet measurement draft: Thanks for doing this! Safe measurement is important and I expect that's a concept that will come up more and more often as we try to improve the privacy and safety properties of lots of Internet and Web functionality. ## impersonation I didn't follow how impersonation risks would take place. These attacks could maybe use examples of each. ## implied consent Is "implied consent" what's happening in the case where data is collected where the potential harm is de minimis and part of the everyday course of interactions? If I were proposing this to my university IRB, I would expect to explain the normality and lack of harm in testing the TLS version numbers and have them conclude that I don't need to gain consent, not that the server operators do consent in some way even though they have no idea that the study is happening. Similarly, under European and similar data protection law, consent isn't universal, it's not that every data processing takes place with some kind of consent, but rather that you need informed consent when something of a particular weight is happening and there isn't another justification and in other cases it's reasonable for you to do the processing without getting consent (because it's not personal data, say), not that you did have some implied consent. Bandwidth seems like another case where consent isn't the determining factor. You're right to note that even small amounts of bandwidth may have a cost. I don't think we would conclude that all servers would have consented or have implicitly consented to all studies that use their bandwidth. The justification seems to be more, the costs are small, reasonable, and part of the course of typical activity. I think the section on analyzing risk and weighing the costs and benefits likely needs to be expanded here. That seems to be another fundamental basis of institutional research ethics, and it would be better to have it elaborated rather than relying on implied consent. ## minimization There may be more detail and citations to add to minimization; I can see that those sections aren't completed yet. I'll be happy to help contribute to that, although probably not before 117. Hope this helps, Nick -- Nick Doty | https://npdoty.name Senior Fellow, Internet Architecture Center for Democracy & Technology | https://cdt.org
- [Pearg] draft-irtf-pearg-safe-internet-measuremen… Nick Doty
- Re: [Pearg] draft-irtf-pearg-safe-internet-measur… Antoine FRESSANCOURT
- Re: [Pearg] draft-irtf-pearg-safe-internet-measur… Mallory Knodel
- Re: [Pearg] draft-irtf-pearg-safe-internet-measur… Vittorio Bertola
- Re: [Pearg] draft-irtf-pearg-safe-internet-measur… Mallory Knodel