Skip to main content

Minutes IETF108: hrpc
minutes-108-hrpc-02

Meeting Minutes Human Rights Protocol Considerations (hrpc) RG
Date and time 2020-07-28 14:10
Title Minutes IETF108: hrpc
State Active
Other versions plain text
Last updated 2020-07-30

minutes-108-hrpc-02
---

IETF 108: HRPC
Date: Tuesday, 28 July 2020
Time: 14:10 -- 15:50 (UTC)
Session: 3
Location: Meetecho (Room 2)

---

Minutes HRPC IETF 108

Chairs: Avri Doria and Mallory Knodel

Agenda and slides: https://datatracker.ietf.org/meeting/108/session/hrpc

# Welcome and introduction (~0 minutes)

        Scribe, Note takers

        - Note taker: Kris Shrishak

        Agenda Review
        Research Group status

    - Niels: Maybe add the adoption of drafts and milestones on hrpc.io

    - Mallory: There were plans to make the website static but we can continue
    publishing there. We can also use data tracker to track the milestones.

# Talk: Simon McGarr, Data Compliance Europe (30 minutes)

                Apps for COVID-19 Tracing An EU Data Rights View

        - Representing Digital rights Ireland
        - Applying data protection law to COVID tracing apps
        - Advocating for a good outcome

        - Tracing apps maybe good.
                Important to reduce the time between the time of infection and
                the time of notification. This idea allows people to get tested
                quickly. Good idea if it works. So, does it work well?

        - Legal basis
                Charter of fundamental rights.
                Right to data protection is the right under consideration.
                Legal basis that the states can use---consent is the model
                chosen in the EU.

        - What does consent mean in EU law.
                - freely given: But, there is a power imbalance between
                citizens and state (GDPR). So, the state cannot rely on consent
                to gather data. If more things are built on top of contact
                tracing, then informed consent becomes hard. Free consent is
                granular consent. If you agree to a particular aspect in the
                app, you must be able to disagree with another aspect as well.
                different processes should not be bundled together.

                - specific: Before getting free consent, you must have decided
                what people need to consent for. But, the state wanted to know
                more about the citizens. Symptoms that people are feeling, etc.
                State shifted to more than one purpose. App was well designed
                to inform the public of these purposes. Function creep needs to
                be prevented.

                - informed: The state cannot put a wall of text but the txt
                must be easy to understand before consent can be considered
                informed and free consent. Irish app did well enough, although
                it was not the best. There are requiredments for informed
                consent (check the slides)

                - unambiguous: health is a special category of data under Art.
                9 in GDPR. High levels of consent is required.

                It should be possible to withdraw consent, access the
                information that was gathered, correct the information.

        - ICCI/DRI principled framework
                - Aim was that developments must meet specific requirement.
                (clear and limited purpose, transparency and promote trust,
                privacy and data protection by design) - In most countries the
                take up of the app is 10-15% - It is a key to be able to build
                in trust and demonstrate it. - The app is subject to sunset
                clause - If the app is not effective, then it cannot be
                necessary and if it is not necessary then the data
                collection/processing is not proportional - The state published
                the code and data protection impact assessment online - The
                state was rewarded by the citizens as it has about 60% uptake
                (based on the downloads) - The state claims that the app is 70%
                effective (the metric of effectiveness unknown) - Civil society
                involvement made a difference: centralized app was dropped and
                switched to Google/Apple API.

        - Scorecard
                - C+. The best we can hope for.

        Questions:

        Jim Reid: Wonderful stuff. Congratulations on GDPR compliance.
        Startling difference with UK. How much of the success of the tracing
        app is due to Google/Apple API? The UK relies on centralized repository.

        Simon: This is Google/Apple world and everyone else is playing in it.
        You can strike off on your own , fall off the edge of the world. They
        can control whether a framework has access or not. For instance, they
        can force users to keep the screen to stay on for the app to function.
        Yes, Irish authorities cited data protection concerns. At base, they
        did not have a choice. In this occasion, it is privacy protecting. In
        truth the underlying underlying stack is controlled by Mountainview and
        not the statues.

        Mallory: Please share your inputs on HRPC list.

# Talk: Eva Galperin, Electronic Frontier Foundation (30 minutes)

        Whose Internet is This? Moving the Periphery to the Center
    - Internet is a fantastic tool to share information and for oppression,
    misinformation and censorship
        - This talk is about encouraging the good stuff and discouraging the
        bad stuff. - High school history teacher did not have a history
        textbook but used newspapers, articles, etc. - Why should we have a
        human rights (HR) framework? - Lawyers at Boston university asked why
        HR farmeworks are needed. - Law is sometimes bullshit and wrong. So we
        need HR--court of HR, US constitution. These are important - Criticism
        of HR: A bludgeon that the West uses to impose on other countries.
        China and Russia have complained about this in the past. we need HR in
        the West as well. People should be in a position to defend their HR. -
        Fukuyama: The end of history. Capitalism has won. - Internet was going
        to be the force for good: transparency, civil society, democracy, etc.
        Some of them happened. - Years back, studied Chinese censorship. Now,
        Chinese model is held up as the model in Russia and Iran. - The
        Internet also allows people to be tracked. - We carry tracking devices
        in our pockets. Cell phones do not work otherwise. - EFF spent a lot of
        time on govt. surveillance issues. - Thanks to Mark Klein: telecom
        industry was working with NSA. All the traffic was being copied and
        sent to NSA, presumably searched through for national security
        purposes. - This was unconstitutional as this was information on a lot
        of people and NSA is not allowed to surveil US citizens - ACLU also
        filed cases on this issue - Govt. were the cause of worry as they had
        the monopoly on the legitimate use of violence. - But, govts. are not
        the only problem; increasingly, our communication takes place on a
        limited set of platforms from a limited set of of countries. - If you
        are working at one of the large platforms that hold large amounts of
        data, US lawyers could request data. Other govts also requested for
        data to silence critics. - Case: President of Turkey spent legal
        requests to Google and Yahoo to find out who was criticizing him
        (illegal in Turkey); prosecute people who made memes on Erdogan. -
        Companies began publishing transparency reports that mentioned the
        number of requests, from who and which requests they complied with. -
        Copyright law is often used as a backdoor to political censorship. -
        What would the Internet look like if the concerns of the powerful are
        not on the forefront? - The poor and those with less access are often
        left behind. So are dissidents and journalists. - These are considered
        edge cases and hence, keeping such people safe was not considered as a
        priority at these companies. - 2FA, HTTPS by default - Twitter
        engineer: I gave you 95% of what you wanted, what else do yu want? -
        Eva: I want the other 5%. - When we are making products, standards,
        laws, we should think about those who need it the most and not those
        who want the money. - If you begin with journalists, BLM activists,
        LGBTQ activists, you will inevitably make a secure system for the
        average users. - The other way around, you will not be able to cover
        edge cases.

        Questions:

        Bron Gondwana: This does not come free. The reason why people choose
        not to do it is that the cost of usability and competition is high.
        Most people go to lower privacy solutions. More people on FB .

        Eva: The key is not to live in the mountains. I am not suggesting that
        we all move to PGP. I want people to be able to communicate with each
        other. the history of privacy preserving apps has demonstrated that
        usable solutions are not easy. It is important that users be able to
        give imformed consent. Users don't understand what data they are
        producing and who has access to it.

        Bron: I agree with GDPR and the regulatory framework where human rights
        are embedded in the law.

        Mallory: There is a draft in the IETF called 'For the people'

        Niels: thanks Mallory and Eva. Would you have concrete ways to
        operationalize. Are you aware of the drafts in this research group?
        What can we do to operationalize your suggestions?

        Eva: I am here to convince you guys to go in the right direction.
        Should everything be encrypted by default? Should we have anonymity
        online? But the trade-offs are not fair. What happens if we have legal
        name policy? It is completely legal. FB's policy is a prominent
        example. That was a policy that endangered victims of domestic abuse,
        people who were being stalked. This is so braod that...I cannot give
        you specific technical suggestions.

        Mallory: There used to be a draft that was on anonymity. It has
        expired. If anyone wants to take it up. Gurshabad called out Registries
        for asking identities. Bron's point is about trade-offs and there might
        be other consequences.

# Updates: Research group drafts (10 minutes)

                draft-irtf-hrpc-association, Mallory Knodel (on behalf of
                Stéphane Couture)

        - Significant changes that have been sent to the list. No feedback so
        far. - After RFC 8280, we wanted to dive deep into rights o association
        and assembly. Niels and Gisela were the original editors. Joe and
        Stephane took over. - There was consensus on taking this draft forward.
        Stephane re-conducted literature review. The research question has been
        modified. There are 7 sub-questions. - So far:
                - reformulation of the aim
                - enhanced literature review
                - identification of 7 new sub-research questions: some of the
                previous use cases may not remain. Sections will be focussed on
                the protocols. A rethink of the conclusions. Maybe later.
        - Check slides for the 7 sub-questions
        - These questions are specific. we may not cover the entire world of
        freedom of association and assembly. - E.g., is it possible to
        distinguish peaceful and non-peaceful association from the perspective
        of protocol development? - The questions are up for debate. - Can we
        agree with the revisions? - New author and editors needed.

        Avri: I really like the rewrite. I have not had the time to comment on
        the list. (audio not clear). I appreciate that you [Mallory] are
        charing this.

        Mallory: Glad to hear this.

        Niels: I can work on the draft with you. Thanks to Stephane and you for
        the new structure. Great progress. Thanks.

        Mallory: I just came in towards the end. Stephane did most of the work.
        i was only shepherding. These questions are not light. We need to do
        some heavy lifting. we also care about the other draft (guidelines).

        Shivan: I agree with the general actions. A comment on the latest. The
        draft talks a lot about centralization. Should it be here as there is
        another draft on centralization. maybe the authors should talk about
        how centralization links with association and assembly.

        Mallory: Another thing that surprised me was that there was not much on
        interoperability. There is a gap in what already exists. The literature
        review brought up a lot. We shouldn't be rewriting things but we should
        reference to the draft. We can also reference publication in journals.

# Update: Guidelines draft and short presentations from reviewers (10 minutes)

        draft-irtf-hrpc-guidelines, Gurshabad Grover

        - Attribution aspect..due to Brazil and India
        - No feedback received ina  while
        - Send your thoughts and feedback here or on the list.
        - Is it good to go for research group last call after the proposed
        changes?

        Mallory: We should move the draft to last call. You as a author have
        thought deeply about the draft. A question for you: Do you think you
        want to make changes before the last call?

        Gurshabad: I have a draft on attribution. It may or may not be
        contentious. After the planned changes, I have nothing else in mind.
        The draft is being used, but we have not had any feedback in a while.

        Mallory: Anyone wants to weigh in about pushing the last call/

        Gurshabad: Feedback welcome

        Mallory: Is the last call the way to get more feedback? What is there
        is already there. Gurshabad is going to clarify.

        Shivan: Maybe too late to change scope right now. New questions are
        added on top of RFC 8280. Right?

        Niels: it went a bit further. We refined the questions, added examples,
        added methodology. New issues have come up. Some reviewers thought that
        some things were unclear. Some thought that RFC 8280 was too long. This
        is much shorter. Human rights 1.0 version.

        Shivan: I think that it is still pretty long. If the objective is that
        it is for people to review it then I will take part of it. ... I don't
        see these as guidelines. I see it more as an extended research

        Mallory: 8280 was the research. Baseline scoping. Where do we start
        when we think about protocols and human rights. For a check-list,
        Gurshabad posted it on Git (hub or lab) that can be used when doing a
        protocol review.

        Shivan: I heard that it is a check-list. But, I don't think this is a
        check-list. It is fine if this is 8280 2.0.

        Mallory: we can think of the guidelines draft as a guide to the
        check-list. Use this draft to understand how the questions in the
        check-list came about.

        Gurshabad: Shivan's comment is useful. This draft is supposed to update
        the guideline. The explanations in the draft could be moved to the
        appendix.

# Update: Options for research publication (10 minutes)

        Ongoing RG discussion, Avri Doria

        - At the last meeting, Avri brought up the idea of publishing articles
        in a journal (audio not clear)

        Mallory summarizing:
        We have been discussing other avenues to publish the output from this
        research group. There is a call to find concrete places to do so.

        Avri: It wasn't about when. It could take an year. It is about getting
        to start working on it so that I can find an avenue for publishing.

        Mallory: Call for people who are interested in pursuing that.