Internet Architecture Board

RFC2850

IAB Minutes 2019-05-08

Home»Documents»Minutes»Minutes 2019»IAB Minutes 2019-05-08

Minutes of the 2019-05-08 IAB Teleconference

1. Administrivia

1.1. Attendance

Present:
  • Jari Arkko
  • Michelle Cotton (IANA Liaison)
  • Stephen Farrell
  • Heather Flanagan (RFC Editor Liaison)
  • Wes Hardaker
  • Ted Hardie (IAB Chair)
  • Christian Huitema
  • Mirja Kühlewind (IESG Liaison)
  • Zhenbin Li
  • Cindy Morgan (IAB Executive Administrative Manager)
  • Erik Nordmark
  • Mark Nottingham
  • Karen O’Donoghue (ISOC Liaison)
  • Colin Perkins (IRTF Chair)
  • Jeff Tantsura
  • Martin Thomson
  • Brian Trammell
  • Amy Vezza (Secretariat)
Regrets:
  • Alissa Cooper (IETF Chair)
  • Melinda Shore
Guest:
  • Steve Bellovin
Observers:
  • Spencer Dawkins

1.2. Agenda bash & announcements

Cindy Morgan asked the IAB to fill out the poll to select a time for the IETF 105 BOF Coordination Call.

2. Tech Chat: Privacy: Modern Concerns

Steve Bellovin joined the IAB to give a talk on modern privacy concerns.

The slides are available at: <https://www.cs.columbia.edu/~smb/talks/iab-privacy.pdf>

The paper this talk was based on is available at: <https://osf.io/preprints/lawarxiv/5s2vt>

Steve Bellovin said that he is looking at privacy from a historical perspective; privacy regulations around the world today are based on the 50-year-old paradigm of notice and consent.

A brief timeline on privacy regulation:

  • 1973: A US government committee came up with the “Fair Information Practice Principles”
  • 1974: The US government passes the Privacy Act of 1974, implementing them—but only for the Federal government
  • 1980: The OECD guidelines suggested more or less the same thing
  • 1994: The Data Protection Directive is enacted
  • 2012: The GDPR is adopted

Steve Bellovin noted that all of those regulations are more or less based around the concept of notice and consent. Websites tell users what they collect, and what they will do with that information, and by using the site, the user is deemed to have consented to this policy.

There are problems with notice and consent. As Alan Westin observed, “It should be recognized that consent to reveal information to a particular person or agency, for a particular purpose, is not consent for that information to be circulate to all or used for other purposes.”

There are also security considerations, particularly with how to identify people who access the data that is collected. People do not take care of their passwords, and systems can be undermined by hackers. Metadata can be collected that enables one to make inferences about the user.

The technical problems that were identified more than 50 years ago have still not been solved. Steve Bellovin said that over-collection of data is probably the most crucial problem. Outside parties with whom consumers have no association and to whom they have never consented are able to collect, buy, an sell a tremendous amount of data. Websites track users’ movements on the Web. Ads use HTTP redirection to gather even more data. IP geolocation data can reveal a lot of information. There is a lot of data being collected outside the framework of notice and consent.

No one actually reads privacy policies, which are often written in a deliberately vague way that would be difficult for users to interpret even if they did read them.

Governments have access to the data that is collected. Some governments have complex, restricted processes required to gain access to that data, but other governments do not care very much about such niceties. Other governments simply collect the data via espionage, technical and otherwise.

Most privacy laws are based on protecting personally identifiable information, but that information is not necessarily needed to invade privacy; an identity is not needed for a website to recommend products or services. Machine learning algorithms can infer things not directly observed. Even when some inputs are disallowed by law, there are often proxy variables that can result in the same inferences.

Steve Bellovin suggested replacing notice and consent with use controls that would let users specify how their data can be used (targeted advertising, statistical analysis, medical research, etc.). However, he noted that there are problems with use controls; they are difficult to define, and consent can last over long time intervals. The data that exists can be abused, either by hackers or changes in the law. Steve suggested that a new privacy paradigm:

  • Must scale to very many data collectors, known and unknown
  • Must scale across time
  • Must be comprehensible by individuals
  • Must account for inferred data
  • Must trade off harm and benefits

Steve Bellovin admitted that he has no idea what such a privacy paradigm would actually look like.

Steve Bellovin suggested that the IETF could help by:

  • Encrypting as much as possible
  • Not creating unnecessary third-party metadata
    • One aspect: specify every field precisely; leave far less to the implementations
  • Designing more privacy protocols
  • Doing a privacy analysis, similar to the security considerations, for new protocols
    • GEOPRIV was a great step in that direction
  • Tagging data might help, but it also creates more metadata

Ted Hardie asked how GEOPRIV can be considered a step in the right direction. Steve Bellovin replied that it was the first time that the IETF stepped back from doing technical work and started worrying about privacy; you cannot stop people from giving away their information, but you can stop others from taking it.

3. Monthly Reports

3.1. ISOC Liaison Report

–Begin ISOC Liaison Report, Karen O’Donoghue–

Highlights of Recent ISOC Activities

Enhancing IoT Security Meeting #6 and Final Report Launch, Ottawa, 
Canada, 18 April 2019
Beginning in April 2018, the Internet Society partnered with Innovation, 
Science and Economic Development Canada (ISED), Canadian Internet 
Registration Authority (CIRA), CIPPIC, and CANARIE to convene six in-
person, multistakeholder meetings and over a dozen virtual meetings in 
order to develop recommendations for a set of norms and/or policies to 
secure IoT in Canada. The events throughout the year, as well as a 
comment period on the initial Draft Outcomes Report from this group, 
served as an opportunity to begin planning and implementing a bottom-up, 
organic process to remedy existing and potential security challenges in 
Canada’s national IoT ecosystem. On 18 April, the NA Bureau hosted a 
final meeting of its Canadian Multistakeholder: Enhancing IoT Security 
project. A Final Outcomes Report will be launched in late May and an 
Implementation Working Group will be formed to carry out the 
recommendations of the multistakeholder group.

Consumers International Summit, Estoril, Portugal, 30 April-1 May 2019
In line with the IoT Trust by Design Campaign, the Internet Society has 
partnered with Consumers International for the Summit, which is a 
quadrennial invitation-only event where policy makers, manufacturers, 
retailers and consumer rights groups from around the world collaborate 
to solve the most pressing digital challenges affecting consumers. ISOC 
has contributed to the agenda with a strong focus on Consumer IoT 
Privacy and Security, including a plenary session featuring our 
President and CEO  Andrew Sullivan and a roundtable gathering key 
stakeholders taking the lead in the IoT Privacy and Security space, as 
well as several side events including our Chapters, members and youth. 
More info and full agenda available at 
https://www.consumersinternational.org/summit-2019/

MENOG 19, Beirut, Lebanon, 31 March – 4 April 2019
The Middle East Network Operators Group Meeting and Peering Forum 
(MENOG) offers a platform for key Internet builders in the region to 
learn from their peers and other leaders in the Internet community from 
around the world. ISOC staff from the Regional Bureau attended. For more 
information: https://www.menog.org/meetings/menog-19/

Internet & Jurisdiction Policy Network Workshop on IoT, Berlin, Germany, 
5 April
Internet and Jurisdiction Policy network organized a one day workshop on 
"The Future of the Internet of Things: Understanding and Addressing 
Cross-Border Legal Challenges“ in Berlin on 15 April. Ceren Unal  
attended the workshop and spoke on the Internet Society's work on IoT 
Privacy and Security. Results of the meeting will be reported to the 3rd 
Global Conference of the Internet & Jurisdiction Policy Network, which 
takes place in Berlin, Germany, on June 3-5, 2019. More information 
available at 
https://www.internetjurisdiction.net/event/i-j-workshop-on-the-internet-of-things

2019 Middle East Chapter meeting, Beirut, Lebanon 5 - 6 April 2019 
The agenda of the Chapters meeting comprised topics related to MANRS and 
its implementations. The meeting discussed the Internet Society's 2020 
strategic plan, as well as policy questions that are most relevant to 
enabling the digital infrastructure in the region. 

Africa Regional Workshop on IoT Security, Privacy and Digital identity, 
Addis Ababa, Ethiopia, 8-10 April 2019 
The African Union Commission (AUC) in partnership with Internet Society 
(ISOC) and Omidyar Network  organized a workshop on IoT Security, 
Privacy and Digital Identity from 8-9 April 2019 at AUC headquarters in 
Addis Ababa, Ethiopia. The workshop gathered RECs, Privacy experts and 
Internet Society’s African Chapter leaders.

2019 WSIS Forum, Geneva, Switzerland , 8-12 April,
The World Summit on Information Society Forum convened to showcase the 
role that ICTs should play at the achievement of the Sustainable 
Development Goals. Topics such as collaborative governance and support 
for complementary means for access was discussed. Sebastian Bellagamba 
was been invited to speak in the opening ceremony and the Internet 
Society also organized a workshop on Community Networks. Other ISOC 
speakers included Jane Coffin, Joyce Dogniez and Constance Bommelaer. 

IGF MAG Open Consultations, 9-11 April, Geneva
The second face-to-face Open Consultations and Multistakeholder Advisory 
Group (MAG) meeting of the IGF 2019 preparatory cycle will took place 
from 9-11 April at the headquarters of the International 
Telecommunication Union (ITU), in Geneva, Switzerland. Raquel Gatto, 
Senior Policy Advisor for ISOC attended the meeting in her MAG member 
role.

The Trust Opportunity: Exploring Consumer Attitudes to the Internet of 
Things
This is research from Consumers International and the Internet Society 
exploring consumer perceptions and attitudes towards trust, security and 
the privacy of consumer Internet of Things (IoT) devices. It was 
released last week at the Consumers International meeting I mentioned in 
the liaison report. (In hindsight, I should have put this pointer in 
that report)

Online Trust Alliance — 2018 Online Trust Audit and Honor Roll
The Online Trust Audit & Honor Roll assesses nearly 1,200 organizations, 
recognizing excellence in online consumer protection, data security, and 
responsible privacy practices. This 10th annual audit of more than 1,200 
predominantly consumer-facing websites is the largest undertaken by OTA, 
and was expanded this year to include payment services, video streaming, 
sports sites, and healthcare.

–End ISOC Liaison Report, Karen O’Donoghue–

3.2. IRTF Chair Report

–Begin IRTF Chair Report, Colin Perkins–

# Research Groups

New technical advisers are working with the HRPC chairs to help that RG 
work more effectively with the broader IETF and IRTF community.

Appointed Nick Sullivan as additional co-chair for CFRG.

Discussion ongoing to appoint an additional co-chair for NMRG.

# ANRP

Confirmed that the awardees for IETF 105 will be Taejoong Chung and Neta 
Schiff.

# ANRW

The TPC for ANRW’19 has been appointed and the CFP has been distributed 
(https://irtf.org/anrw/2019/cfp.html). Working with the Alexa Morris and 
the TPC chairs to finalise the budget and registration processes. Portia 
Wenze-Danley confirmed sponsorship from Akamai and Comcast.

Appointed Portia Wenze-Danley as IETF LLC representative on ANRW 
steering committee.

# Documents and Errata

Resolved RFC errata reports #5455, #5519, #5572, #5573, #5675, and 
#5689. Ongoing discussion to address errata reports #5028, #5568, and 
#5651.

Working with ICNRG chairs to progress draft-irtf-icnrg-terminology, 
draft-irtf-icnrg-deployment-guidelines, and draft-irtf-icnrg-disaster 
that are in IRSG review.

Working with CFRG chairs to progress draft-irtf-cfrg-re-keying that is 
in IRSG review.

draft-irtf-icnrg-ccnxmessages-09 is with the RFC Editor.
draft-irtf-icnrg-ccnxsemantics-10 is in AUTH48

RFCs 8452, 8568, 8576, and 8554 published.

# Other

Reviewed SoW for IRSG ballot tool. RFP has now been issued.

Updated website to start to bring the material up-to-date and to fix 
numerous broken links. Reviewed and started to revitalise IRTF social 
media.

–End IRTF Chair Report, Colin Perkins–

3.3. ICANN Liaison Report

–Begin ICANN Liaison Report, Harald Alvestrand–

ICANN report - up to May 6, 2019

This report covers ICANN activity seen by the board liaison until May 6, 
2019.

The main board activity in this period was the Board workshop in 
Istanbul.

Hot topics

Future root server system governance: This is going forward smoothly; 
the current description of the Governance Working Group (GWG) circulated 
envisions a timeline leading to the final decision to establish the new 
system being taken in the second half of 2021.

Cyberattacks on the DNS ecosystem: This has faded from the board’s 
agenda, but is still ongoing. ICANN’s attempts to share information with 
possible victims have meet with some surprising difficulties - 
apparently crisis communication is a topic on which registries and 
registrars need to do some work.

.Amazon - the dialogue between Amazon the corporation and the Amazon 
Cooperation Treaty Organization (ACTO) has not led to an agreement. The 
Board expects to take action shortly according to the plan it approved 
in Kobe, but has not yet acted.

GDPR, ePDP and related subjects - a chair for the ePDP phase 2 work has 
been found - Janis Karklins, who many of you may have encountered 
previously.

The CEO has been facilitating a dialogue with the European Commission, 
which has written ICANN some letters - it looks as if they’re basically 
positive to ICANN’s work, and want ICANN to implement the 
(controversial) Universal Access Model or something like it for access 
to non-public registrant data - how this impacts the work that follows 
on from the ePDP phase one report remains to be worked out.

New GTLD rounds: We’re starting to discuss this. It’s too early to say 
when, and it’s too early to say if it will be another “hold one round 
and then think” or if it will be “commit to holding yearly rounds from 
now on” - but it is being worked on. Eventually, it will happen.

ICANN mode of working self-contemplation: Brian Cute has been analyzing 
the input he got in Kobe, and gave an update on his work in Istanbul 
(via VC). There will be another session in Marrakech.

Financial planning: The idea of doing a 2-year budget cycle has been 
dropped. Instead, ICANN is putting more work into its existing 5-year 
operating plan and budget (currently 2021-2025) - as anyone who’s done 
5-year plans knows, such plans serve chiefly to highlight the needed 
change when unexpected things happen - but that’s a quite useful 
function.

The fiscal year 2020 budget (July 2019 to June 2020) was approved by the 
board.

Nothing of world-shaking importance came to my attention wrt IDN, CCT or 
Hyperlocal, which were topics mentioned in last month’s report.

The main activity in the coming month is the GDD Industry Summit in 
Bangkok (which this liaison is not attending, but expect to hear news 
from).

–End ICANN Liaison Report, Harald Alvestrand–

3.4. IANA Liaison Report

–Begin IANA Liaison Report, Michelle Cotton–

IANA Services Liaison Report – 8 May 2019
 
SLA Deliverables Update:
 
- ICANN met 100% of processing goal times for March 2019 monthly 
statistics reports, exceeding the SLA goal to meet 90% of processing 
goal times.  These times include the steps that ICANN has control over 
and not time it is waiting on requesters, document authors or other 
experts.  Monthly reports can be found at: https://www.iana.org/
performance/ietf-statistics
  
Other News:
 
- None to report
 
IANA Services Operator and IETF Leadership Meeting Minutes:
   
- None to report

–End IANA Liaison Report, Michelle Cotton–

3.5. RFC Editor Liaison Report

–Begin RFC Editor Liaison Report, Heather Flanagan–

RSE

* RFC Format status

Tickets for xml2rfc continue to be submitted as the community gains 
experience with the new xml2rfc features (see 
https://trac.tools.ietf.org/tools/xml2rfc/trac/report). In addition, 
updates for rfclint, svgcheck, and xmldiff were released, resulting in 
another round of testing by the RPC staff.

Transitioning to publishing RFCs in the v3 format is still on target for 
mid- to late-August, with the biggest risk continuing to be the timing 
of the release of Cluster 238.

* Fifty Years of RFCs

The RSOC has agreed to endorse draft-flanagan-fiftyyears to the IAB, 
pending a minor editorial change by the RSE. The request to move forward 
with the publication of this draft as an IAB stream document will be 
submitted in early May.

* IESG Retreat
The RSE attended the IESG retreat to be part of the high-bandwidth 
conversations on items that may impact the RFC Series. Key conversations 
included discussions regarding RFC metadata and relationship indicators 
as well as a possible experiment to create a new, non-archival, non-RFC 
document type aimed at drafts that would be the target for early 
adopters.

* RPC resourcing
The RSE and the RSOC are discussing a request from AMS, the vendor for 
the RFC Production Center services, to temporarily add additional 
resources to the RPC team to aid in handling the extended workload 
during the RFC format transition and implementation.

RPC

* https://www.rfc-editor.org/report-summary/

Q2 2019 notes: Submissions and PGTE have been slow, but the overall rate 
of publication has increased. In this first month of Q2, the RPC has 
already published more than half the number of RFCs that were published 
in the entirety of the previous quarter.

The RPC continues to test the XMLv3 tools in preparation for the 
approaching transition. In addition, they are examining and updating 
their processes to account for XMLv3 tools and the new formats.

Also related to v3 format work, HTML files for the existing RFCs will 
soon be available from the RFC Editor site. This means that each RFC 
published before the XMLv3 era will have an HTML file styled similarly 
to the current HTML files offered by tools.ietf.org. This allows 
consistent handling of links to RFCs, regardless of whether the RFC was 
produced before or after the transition to XMLv3.

–End RFC Editor Liaison Report, Heather Flanagan–

4. Meeting Minutes

The following meeting minutes were approved:

– 2019-04-17 business meeting – (draft submitted 2019-04-17)

The following meeting minutes remain under review:

– 2019-05-01 business meeting – (draft submitted 2019-05-01

5. Action Item Review

The internal action item list was reviewed.

6. Workshop Updates

6.1. Exploring Synergy between Content Aggregation and the Publisher Ecosystem (ESCAPE) Workshop

The call for papers for the ESCAPE Workshop <https://www.iab.org/activities/workshops/escape-workshop/> was sent out on 2019-05-02.

Mark Nottingham asked the IAB if the blog post about the workshop is ready to be posted. Ted Hardie asked for another 24 hours so that he and Alissa Cooper could review it; if there are no changes, Ted will send it to Cindy Morgan for posting.

6.2. Design Expectations vs. Deployment Reality in Protocol Development
(DEDR) Workshop

Cindy Morgan reported that invitations have been issued for the DEDR workshop. Ted Hardie is putting together the draft agenda.

7. IAB Retreat Planning

Cindy Morgan is looking into remote attendance options for the IAB retreat; at a minimum, she has a directional microphone that can be plugged into a laptop for using WebEx.

Ted Hardie asked for a volunteer to shepherd the discussion on draft-flanagan-fiftyyears, as he will recuse himself from that discussion.

8. draft-ietf-iasa2-rfc4844-bis-02

The IAB deferred the decision on whether to send draft-ietf-iasa2-rfc4844-bis out for community review until the discussion about draft-ietf-iasa2-rfc6635bis that is happening on the iasa20@ietf.org list has converged.

9. Executive Session: Plenary Planning Program Update

An update from the Plenary Planning Program was discussed in an executive session.

10. Executive Session: Community Coordination Group Appointment

The IAB appointment to the Community Coordination Group was discussed in an executive session.