Minutes of the 2019-01-23 IAB Teleconference (Tech Chat & Business Meeting)
- Jari Arkko
- Deborah Brungard (IESG Liaison)
- Alissa Cooper (IETF Chair)
- Ted Hardie (IAB Chair)
- Christian Huitema
- Allison Mankin (IRTF Chair)
- Cindy Morgan (IAB Executive Administrative Manager)
- Erik Nordmark
- Mark Nottingham
- Karen O’Donoghue (ISOC Liaison)
- Melinda Shore
- Robert Sparks
- Martin Thomson
- Brian Trammell
- Amy Vezza (Secretariat)
- Suzanne Woolf
- Gabriel Montenegro
- Jeff Tantsura
- Arvind Narayanan
- Spencer Dawkins
- Aaron Falk
- Shivan Kaul Sahib
- Sara Dickinson
- Greg Wood
1.2. Agenda bash & announcements
Cindy Morgan reminded the IAB to fill out the Doodle poll to schedule the BOF coordination call for IETF 104.
1.3. Meeting Minutes
The following meeting minutes were approved:
- 2019-01-09 business meeting – (draft submitted 2019-01-09)
The following meeting minutes remain under review:
- 2019-01-16 business meeting – (draft submitted 2019-01-16)
1.4. Action Item Review
The internal action item list was reviewed.
2. Tech Chat: Privacy
Arvind Narayanan, Associate Professor of Computer Science at Princeton, joined the IAB to discuss his work on Princeton’s Web Transparency and Accountability Project. He highlighted three things:
- Data for tracking users that has been collected in different contexts and different databases is now being merged because of common identifiers.
- There is potential for machine-learning algorithms to take this data and infer things that are not in the databases.
- Web tracking, smartphone tracking, and IoT tracking do not always work the same way.
Arvind Narayanan concluded that it would be very helpful if standards organizations would encourage designing protocols for measurement so that the privacy implications can be better understood.
Martin Thomson asked whether designing for accountability to the user would be better than designing for measurement. Arvind Narayanan replied that designing for accountability would be good, but that it is difficult and that designing for measurement is a more achievable goal in the short-term.
Alissa Cooper noted that with IoT devices, there is a difference between a device that uses standard protocols that encrypts the traffic and devices that use proprietary interfaces. She asked that if IoT devices use a standardized protocol stack, wouldn’t researchers still have problems if the traffic is encrypted? Arvind Narayanan replied that end-to-end encryption is good for the users but makes things more difficult for researchers. Researchers do have various tricks (such as exploiting bugs) to bypass encryption. The hope is for standards organizations to help standardize something like on-board diagnostics tools for IoT devices.
Allison Mankin observed that there is the ability to fingerprint traffic from an encrypted stream. She asked what the prospects are for breaking TLS 1.3 encryption. Arvind Narayanan replied that he thinks that we should be looking into all available methods; he noted that he has a draft paper showing how much can be inferred from IoT devices about people’s activities. There is a concern that it’s still a zero-sum game between the privacy of the user and the ability of the researcher to see what is going on. He hopes that the ways researchers bypass encryption will be seen as privacy vulnerabilities for the users, and that manufacturers will fix them.
Christian Huitema noted that one proposal is to have IoT devices report back to a home hub, rather than the manufacturer. Arvind Narayanan replied that some IoT devices have smartphone apps that allow visibility into what is being sent into the networks, and that is the best of both worlds.
Ted Hardie asked if it makes a difference to researchers where they access the data flow; is there a difference in getting a diagnostic stream from the cloud side rather than the hub side? Arvind Narayanan replied that the more the researcher gets access to, the more ineffectual it becomes from an enforcement perspective.
Martin Thomson said that at Mozilla, they have been discussing people reverse-training the Amazon algorithms by sending their friends links to various unusual products so that that their viewing history leads Amazon to make some strange conclusions. He asked if there were any defenses against that sort of attack. Arvind Narayanan replied that there is a lot of academic work on the topic.
Alissa Cooper asked what the people working at the lower layers of the protocol stack should take away from this discussion. Arvind Narayanan replied that they should think about the design of identifiers and how it makes it easy to connect unrelated databases together.
The IAB thanked Arvind Narayanan for speaking with them.
3. “Trust in Internet Entities” Statement
The IAB briefly discussed the draft text for the “Trust in Internet Entities” statement. Discussions will continue over email.
4. ESCAPE Workshop
Mark Nottingham reported that the ESCAPE Workshop may have lined up a host and is now looking at dates from mid-April through June.
Alissa Cooper noted that the IESG is compiling a list of conflicts during that time frame for the purpose of planning their 2019 retreat. Alissa will forward that list to the IAB.
5. Design Expectations vs. Deployment Reality in Protocol Development (DEDR) Workshop
Karen O’Donoghue reported that the Internet Society workshop planned for Prague will look at what emerging technologies might have an impact on the Internet and what the Internet Society can or should do in that context. After discussion, the IAB agreed that this workshop has a different focus from the DEDR workshop. Discussion of the DEDR workshop proposal will continue over email.
6. Plenary Planning Program Update
Melinda Shore reported that a plenary on privacy is planned for Prague.
7. Upcoming Appointments and Personnel Issues
The following items were discussed in an executive session:
- Melinda Shore will extend an invitation to a potential plenary speaker for IETF 104.
- Interviews for the Internet Society Board of Trustees appointment are in the process of being scheduled.
- The IAB selected Colin Perkins as the next IRTF Chair for a two-year term starting at IETF 104.