Minutes of the 2019-05-08 IAB Teleconference
- Jari Arkko
- Michelle Cotton (IANA Liaison)
- Stephen Farrell
- Heather Flanagan (RFC Editor Liaison)
- Wes Hardaker
- Ted Hardie (IAB Chair)
- Christian Huitema
- Mirja Kühlewind (IESG Liaison)
- Zhenbin Li
- Cindy Morgan (IAB Executive Administrative Manager)
- Erik Nordmark
- Mark Nottingham
- Karen O’Donoghue (ISOC Liaison)
- Colin Perkins (IRTF Chair)
- Jeff Tantsura
- Martin Thomson
- Brian Trammell
- Amy Vezza (Secretariat)
- Alissa Cooper (IETF Chair)
- Melinda Shore
- Steve Bellovin
- Spencer Dawkins
1.2. Agenda bash & announcements
Cindy Morgan asked the IAB to fill out the poll to select a time for the IETF 105 BOF Coordination Call.
2. Tech Chat: Privacy: Modern Concerns
Steve Bellovin joined the IAB to give a talk on modern privacy concerns.
The slides are available at: <https://www.cs.columbia.edu/~smb/talks/iab-privacy.pdf>
The paper this talk was based on is available at: <https://osf.io/preprints/lawarxiv/5s2vt>
Steve Bellovin said that he is looking at privacy from a historical perspective; privacy regulations around the world today are based on the 50-year-old paradigm of notice and consent.
A brief timeline on privacy regulation:
- 1973: A US government committee came up with the “Fair Information Practice Principles”
- 1974: The US government passes the Privacy Act of 1974, implementing them—but only for the Federal government
- 1980: The OECD guidelines suggested more or less the same thing
- 1994: The Data Protection Directive is enacted
- 2012: The GDPR is adopted
Steve Bellovin noted that all of those regulations are more or less based around the concept of notice and consent. Websites tell users what they collect, and what they will do with that information, and by using the site, the user is deemed to have consented to this policy.
There are problems with notice and consent. As Alan Westin observed, “It should be recognized that consent to reveal information to a particular person or agency, for a particular purpose, is not consent for that information to be circulate to all or used for other purposes.”
There are also security considerations, particularly with how to identify people who access the data that is collected. People do not take care of their passwords, and systems can be undermined by hackers. Metadata can be collected that enables one to make inferences about the user.
The technical problems that were identified more than 50 years ago have still not been solved. Steve Bellovin said that over-collection of data is probably the most crucial problem. Outside parties with whom consumers have no association and to whom they have never consented are able to collect, buy, an sell a tremendous amount of data. Websites track users’ movements on the Web. Ads use HTTP redirection to gather even more data. IP geolocation data can reveal a lot of information. There is a lot of data being collected outside the framework of notice and consent.
No one actually reads privacy policies, which are often written in a deliberately vague way that would be difficult for users to interpret even if they did read them.
Governments have access to the data that is collected. Some governments have complex, restricted processes required to gain access to that data, but other governments do not care very much about such niceties. Other governments simply collect the data via espionage, technical and otherwise.
Most privacy laws are based on protecting personally identifiable information, but that information is not necessarily needed to invade privacy; an identity is not needed for a website to recommend products or services. Machine learning algorithms can infer things not directly observed. Even when some inputs are disallowed by law, there are often proxy variables that can result in the same inferences.
Steve Bellovin suggested replacing notice and consent with use controls that would let users specify how their data can be used (targeted advertising, statistical analysis, medical research, etc.). However, he noted that there are problems with use controls; they are difficult to define, and consent can last over long time intervals. The data that exists can be abused, either by hackers or changes in the law. Steve suggested that a new privacy paradigm:
- Must scale to very many data collectors, known and unknown
- Must scale across time
- Must be comprehensible by individuals
- Must account for inferred data
- Must trade off harm and benefits
Steve Bellovin admitted that he has no idea what such a privacy paradigm would actually look like.
Steve Bellovin suggested that the IETF could help by:
- Encrypting as much as possible
- Not creating unnecessary third-party metadata
- One aspect: specify every field precisely; leave far less to the implementations
- Designing more privacy protocols
- Doing a privacy analysis, similar to the security considerations, for new protocols
- GEOPRIV was a great step in that direction
- Tagging data might help, but it also creates more metadata
Ted Hardie asked how GEOPRIV can be considered a step in the right direction. Steve Bellovin replied that it was the first time that the IETF stepped back from doing technical work and started worrying about privacy; you cannot stop people from giving away their information, but you can stop others from taking it.
3. Monthly Reports
3.1. ISOC Liaison Report
–Begin ISOC Liaison Report, Karen O’Donoghue–
Highlights of Recent ISOC Activities Enhancing IoT Security Meeting #6 and Final Report Launch, Ottawa, Canada, 18 April 2019 Beginning in April 2018, the Internet Society partnered with Innovation, Science and Economic Development Canada (ISED), Canadian Internet Registration Authority (CIRA), CIPPIC, and CANARIE to convene six in- person, multistakeholder meetings and over a dozen virtual meetings in order to develop recommendations for a set of norms and/or policies to secure IoT in Canada. The events throughout the year, as well as a comment period on the initial Draft Outcomes Report from this group, served as an opportunity to begin planning and implementing a bottom-up, organic process to remedy existing and potential security challenges in Canada’s national IoT ecosystem. On 18 April, the NA Bureau hosted a final meeting of its Canadian Multistakeholder: Enhancing IoT Security project. A Final Outcomes Report will be launched in late May and an Implementation Working Group will be formed to carry out the recommendations of the multistakeholder group. Consumers International Summit, Estoril, Portugal, 30 April-1 May 2019 In line with the IoT Trust by Design Campaign, the Internet Society has partnered with Consumers International for the Summit, which is a quadrennial invitation-only event where policy makers, manufacturers, retailers and consumer rights groups from around the world collaborate to solve the most pressing digital challenges affecting consumers. ISOC has contributed to the agenda with a strong focus on Consumer IoT Privacy and Security, including a plenary session featuring our President and CEO Andrew Sullivan and a roundtable gathering key stakeholders taking the lead in the IoT Privacy and Security space, as well as several side events including our Chapters, members and youth. More info and full agenda available at https://www.consumersinternational.org/summit-2019/ MENOG 19, Beirut, Lebanon, 31 March – 4 April 2019 The Middle East Network Operators Group Meeting and Peering Forum (MENOG) offers a platform for key Internet builders in the region to learn from their peers and other leaders in the Internet community from around the world. ISOC staff from the Regional Bureau attended. For more information: https://www.menog.org/meetings/menog-19/ Internet & Jurisdiction Policy Network Workshop on IoT, Berlin, Germany, 5 April Internet and Jurisdiction Policy network organized a one day workshop on "The Future of the Internet of Things: Understanding and Addressing Cross-Border Legal Challenges“ in Berlin on 15 April. Ceren Unal attended the workshop and spoke on the Internet Society's work on IoT Privacy and Security. Results of the meeting will be reported to the 3rd Global Conference of the Internet & Jurisdiction Policy Network, which takes place in Berlin, Germany, on June 3-5, 2019. More information available at https://www.internetjurisdiction.net/event/i-j-workshop-on-the-internet-of-things 2019 Middle East Chapter meeting, Beirut, Lebanon 5 - 6 April 2019 The agenda of the Chapters meeting comprised topics related to MANRS and its implementations. The meeting discussed the Internet Society's 2020 strategic plan, as well as policy questions that are most relevant to enabling the digital infrastructure in the region. Africa Regional Workshop on IoT Security, Privacy and Digital identity, Addis Ababa, Ethiopia, 8-10 April 2019 The African Union Commission (AUC) in partnership with Internet Society (ISOC) and Omidyar Network organized a workshop on IoT Security, Privacy and Digital Identity from 8-9 April 2019 at AUC headquarters in Addis Ababa, Ethiopia. The workshop gathered RECs, Privacy experts and Internet Society’s African Chapter leaders. 2019 WSIS Forum, Geneva, Switzerland , 8-12 April, The World Summit on Information Society Forum convened to showcase the role that ICTs should play at the achievement of the Sustainable Development Goals. Topics such as collaborative governance and support for complementary means for access was discussed. Sebastian Bellagamba was been invited to speak in the opening ceremony and the Internet Society also organized a workshop on Community Networks. Other ISOC speakers included Jane Coffin, Joyce Dogniez and Constance Bommelaer. IGF MAG Open Consultations, 9-11 April, Geneva The second face-to-face Open Consultations and Multistakeholder Advisory Group (MAG) meeting of the IGF 2019 preparatory cycle will took place from 9-11 April at the headquarters of the International Telecommunication Union (ITU), in Geneva, Switzerland. Raquel Gatto, Senior Policy Advisor for ISOC attended the meeting in her MAG member role. The Trust Opportunity: Exploring Consumer Attitudes to the Internet of Things This is research from Consumers International and the Internet Society exploring consumer perceptions and attitudes towards trust, security and the privacy of consumer Internet of Things (IoT) devices. It was released last week at the Consumers International meeting I mentioned in the liaison report. (In hindsight, I should have put this pointer in that report) Online Trust Alliance — 2018 Online Trust Audit and Honor Roll The Online Trust Audit & Honor Roll assesses nearly 1,200 organizations, recognizing excellence in online consumer protection, data security, and responsible privacy practices. This 10th annual audit of more than 1,200 predominantly consumer-facing websites is the largest undertaken by OTA, and was expanded this year to include payment services, video streaming, sports sites, and healthcare.
–End ISOC Liaison Report, Karen O’Donoghue–
3.2. IRTF Chair Report
–Begin IRTF Chair Report, Colin Perkins–
# Research Groups New technical advisers are working with the HRPC chairs to help that RG work more effectively with the broader IETF and IRTF community. Appointed Nick Sullivan as additional co-chair for CFRG. Discussion ongoing to appoint an additional co-chair for NMRG. # ANRP Confirmed that the awardees for IETF 105 will be Taejoong Chung and Neta Schiff. # ANRW The TPC for ANRW’19 has been appointed and the CFP has been distributed (https://irtf.org/anrw/2019/cfp.html). Working with the Alexa Morris and the TPC chairs to finalise the budget and registration processes. Portia Wenze-Danley confirmed sponsorship from Akamai and Comcast. Appointed Portia Wenze-Danley as IETF LLC representative on ANRW steering committee. # Documents and Errata Resolved RFC errata reports #5455, #5519, #5572, #5573, #5675, and #5689. Ongoing discussion to address errata reports #5028, #5568, and #5651. Working with ICNRG chairs to progress draft-irtf-icnrg-terminology, draft-irtf-icnrg-deployment-guidelines, and draft-irtf-icnrg-disaster that are in IRSG review. Working with CFRG chairs to progress draft-irtf-cfrg-re-keying that is in IRSG review. draft-irtf-icnrg-ccnxmessages-09 is with the RFC Editor. draft-irtf-icnrg-ccnxsemantics-10 is in AUTH48 RFCs 8452, 8568, 8576, and 8554 published. # Other Reviewed SoW for IRSG ballot tool. RFP has now been issued. Updated website to start to bring the material up-to-date and to fix numerous broken links. Reviewed and started to revitalise IRTF social media.
–End IRTF Chair Report, Colin Perkins–
3.3. ICANN Liaison Report
–Begin ICANN Liaison Report, Harald Alvestrand–
ICANN report - up to May 6, 2019 This report covers ICANN activity seen by the board liaison until May 6, 2019. The main board activity in this period was the Board workshop in Istanbul. Hot topics Future root server system governance: This is going forward smoothly; the current description of the Governance Working Group (GWG) circulated envisions a timeline leading to the final decision to establish the new system being taken in the second half of 2021. Cyberattacks on the DNS ecosystem: This has faded from the board’s agenda, but is still ongoing. ICANN’s attempts to share information with possible victims have meet with some surprising difficulties - apparently crisis communication is a topic on which registries and registrars need to do some work. .Amazon - the dialogue between Amazon the corporation and the Amazon Cooperation Treaty Organization (ACTO) has not led to an agreement. The Board expects to take action shortly according to the plan it approved in Kobe, but has not yet acted. GDPR, ePDP and related subjects - a chair for the ePDP phase 2 work has been found - Janis Karklins, who many of you may have encountered previously. The CEO has been facilitating a dialogue with the European Commission, which has written ICANN some letters - it looks as if they’re basically positive to ICANN’s work, and want ICANN to implement the (controversial) Universal Access Model or something like it for access to non-public registrant data - how this impacts the work that follows on from the ePDP phase one report remains to be worked out. New GTLD rounds: We’re starting to discuss this. It’s too early to say when, and it’s too early to say if it will be another “hold one round and then think” or if it will be “commit to holding yearly rounds from now on” - but it is being worked on. Eventually, it will happen. ICANN mode of working self-contemplation: Brian Cute has been analyzing the input he got in Kobe, and gave an update on his work in Istanbul (via VC). There will be another session in Marrakech. Financial planning: The idea of doing a 2-year budget cycle has been dropped. Instead, ICANN is putting more work into its existing 5-year operating plan and budget (currently 2021-2025) - as anyone who’s done 5-year plans knows, such plans serve chiefly to highlight the needed change when unexpected things happen - but that’s a quite useful function. The fiscal year 2020 budget (July 2019 to June 2020) was approved by the board. Nothing of world-shaking importance came to my attention wrt IDN, CCT or Hyperlocal, which were topics mentioned in last month’s report. The main activity in the coming month is the GDD Industry Summit in Bangkok (which this liaison is not attending, but expect to hear news from).
–End ICANN Liaison Report, Harald Alvestrand–
3.4. IANA Liaison Report
–Begin IANA Liaison Report, Michelle Cotton–
IANA Services Liaison Report – 8 May 2019 SLA Deliverables Update: - ICANN met 100% of processing goal times for March 2019 monthly statistics reports, exceeding the SLA goal to meet 90% of processing goal times. These times include the steps that ICANN has control over and not time it is waiting on requesters, document authors or other experts. Monthly reports can be found at: https://www.iana.org/ performance/ietf-statistics Other News: - None to report IANA Services Operator and IETF Leadership Meeting Minutes: - None to report
–End IANA Liaison Report, Michelle Cotton–
3.5. RFC Editor Liaison Report
–Begin RFC Editor Liaison Report, Heather Flanagan–
RSE * RFC Format status Tickets for xml2rfc continue to be submitted as the community gains experience with the new xml2rfc features (see https://trac.tools.ietf.org/tools/xml2rfc/trac/report). In addition, updates for rfclint, svgcheck, and xmldiff were released, resulting in another round of testing by the RPC staff. Transitioning to publishing RFCs in the v3 format is still on target for mid- to late-August, with the biggest risk continuing to be the timing of the release of Cluster 238. * Fifty Years of RFCs The RSOC has agreed to endorse draft-flanagan-fiftyyears to the IAB, pending a minor editorial change by the RSE. The request to move forward with the publication of this draft as an IAB stream document will be submitted in early May. * IESG Retreat The RSE attended the IESG retreat to be part of the high-bandwidth conversations on items that may impact the RFC Series. Key conversations included discussions regarding RFC metadata and relationship indicators as well as a possible experiment to create a new, non-archival, non-RFC document type aimed at drafts that would be the target for early adopters. * RPC resourcing The RSE and the RSOC are discussing a request from AMS, the vendor for the RFC Production Center services, to temporarily add additional resources to the RPC team to aid in handling the extended workload during the RFC format transition and implementation. RPC * https://www.rfc-editor.org/report-summary/ Q2 2019 notes: Submissions and PGTE have been slow, but the overall rate of publication has increased. In this first month of Q2, the RPC has already published more than half the number of RFCs that were published in the entirety of the previous quarter. The RPC continues to test the XMLv3 tools in preparation for the approaching transition. In addition, they are examining and updating their processes to account for XMLv3 tools and the new formats. Also related to v3 format work, HTML files for the existing RFCs will soon be available from the RFC Editor site. This means that each RFC published before the XMLv3 era will have an HTML file styled similarly to the current HTML files offered by tools.ietf.org. This allows consistent handling of links to RFCs, regardless of whether the RFC was produced before or after the transition to XMLv3.
–End RFC Editor Liaison Report, Heather Flanagan–
4. Meeting Minutes
The following meeting minutes were approved:
– 2019-04-17 business meeting – (draft submitted 2019-04-17)
The following meeting minutes remain under review:
– 2019-05-01 business meeting – (draft submitted 2019-05-01
5. Action Item Review
The internal action item list was reviewed.
6. Workshop Updates
6.1. Exploring Synergy between Content Aggregation and the Publisher Ecosystem (ESCAPE) Workshop
The call for papers for the ESCAPE Workshop <https://www.iab.org/activities/workshops/escape-workshop/> was sent out on 2019-05-02.
Mark Nottingham asked the IAB if the blog post about the workshop is ready to be posted. Ted Hardie asked for another 24 hours so that he and Alissa Cooper could review it; if there are no changes, Ted will send it to Cindy Morgan for posting.
6.2. Design Expectations vs. Deployment Reality in Protocol Development
Cindy Morgan reported that invitations have been issued for the DEDR workshop. Ted Hardie is putting together the draft agenda.
7. IAB Retreat Planning
Cindy Morgan is looking into remote attendance options for the IAB retreat; at a minimum, she has a directional microphone that can be plugged into a laptop for using WebEx.
Ted Hardie asked for a volunteer to shepherd the discussion on draft-flanagan-fiftyyears, as he will recuse himself from that discussion.
The IAB deferred the decision on whether to send draft-ietf-iasa2-rfc4844-bis out for community review until the discussion about draft-ietf-iasa2-rfc6635bis that is happening on the email@example.com list has converged.
9. Executive Session: Plenary Planning Program Update
An update from the Plenary Planning Program was discussed in an executive session.
10. Executive Session: Community Coordination Group Appointment
The IAB appointment to the Community Coordination Group was discussed in an executive session.