Minutes IETF98: hrpc
minutes-98-hrpc-00

notes by Dave Plonka <dave@plonka.us>
HPRC Research Group meeting began about Tue Mar 28 13:02:14 CDT 2017

Chair noted we have packed agenda:
https://datatracker.ietf.org/meeting/98/agenda.html

Each bullet below is a different presentation

chair intro slides, e.g.: status of RG... begining IETF91 c. Oct. 2014

Presentation: Francesca Musiani joined remotely to present on Distributed
architectures: a few research paths beyond engineering sciences

see slides w/overview of past and current project w.r.t. rights
https://www.ietf.org/proceedings/98/slides/slides-98-hrpc-presentation-ietf98-hrpc-00.pdf
... A socio-legal approach to distributed architectures (slide)

opposed to narratives that suggest only terrorists use encrypted technologies
in distributed architectures

slide: Four areas of (cross-cutting) reflection on distributed architectures
(from Musiani & Meadel, 2016) historical perspective: build on lessons learned
in prior works heterogeneity of distributed architectures User empowerments
Law, how can architectures redistribute responsibility and authority?

slide: Recent interdisciplinary efforts/projects: (links in slides)
P2Pvalue
netCommons
NEXTLEAP

Conclusion:
    "Architectures is politics, but it is not a substitute for politics" (Agre,
    2003)
q: Chair comment: politics of protocols is a "favorite" topic of this research
group q: How does consolidation in CDNs, etc. ??? a: Francesca: bitcoin is the
distributed project that people most think of w.r.t. [my work] the netCommons
projects is both research and activism next step is for institutions to
acknowledge these concerns, not just considering them stand-along grass roots
efforts q: Chair suggested discussion w/Francesca continue on mailing list

Presentation + Q&A: John Havens joined remotely on: IEEE Global Innitiative for
Ethical Considerations in AI & AS (10 minutes) speaker is Executive Director of
this project on Artificial Intelligence and Autonomous Systems slide: "Ethics
is the New Green" basic idea: 10 years ago, sustainability was about the
environment; take care of the planet; establish trust w/stakeholders by doing
tis now, this work on ethics: how can sustain human agency, well-being? 
values-driven desigign identify what stakeholders interests are [and respect
those] on AI: "How will machines know what we value i we don't know ourselves?"
Look within, individual and societally, to creates standards [on ethics] IEEE
bas a paper called "Ethically Aligned Design"
   - this is especially important in AI
We (in the IEEE) along with that paper, also tasked with collecting info on
areas where standards should be created:
    There are now 7 approved, related working groups: 3 underway
    P7000, speaker is a WG chair; related book: Ethical IT Innovation on
    Value-Based Design, e.g., "Privacy" is a sample value, then examine a
    context in which it is pertinent, e.g., RFID technology; "Identity" might
    be another value; how can you build thins that align with [their] values? 
    It's a market differentiator and tool for innovation

q: Giovane Moura: comment: we should think about teaching students about this
q: Joe from ZDT (?): how much of this is a general exercise vs. narrowly-scoped
alternatives? we build a tool for ML algorithms, because anything bigger would
be boiling the ocean so what is the scope of this effort? (for ML) a: John: not
an ML expert, in our work [though] the general idea is that due diligence
suggests there are more questions to ask than are currently being asked When
you have multiple tools, you can come at the same question from multiple angles
"Agile marketing, but for ethics" [Agreed] Starting general sometimes can not
work for a specific problem not just about risks to avoid, but what questions
drive innnovation?

q: Andrew Sullivan: does this work require the designer of the framework not to
be neutral? If they must take the value stance of the consumer, isn't there a
danger of making technologies that might be used in ways we don't want? a:
John: those are good issues; ethics is not easy; we haven't solved everything
In my experience (at a PR firm), a lot of times the ethical work has to deal
with the unintended effects of a product my experience, then, was it's easier
to say what you should have done I was amazed, [though,] how many questions of
ethics and values weren't [even] asked P7000 is taking existing life-cycle
development lifecycles and consider where is there no values-oriented language?
How do we introduce values-sensitive design there? People have codes of ethics,
but there is bias that these tools can help to examine to align with product
users

q: chair: you seem to say we need to base ourselves on values of end users,
although there are all sorts of values in the world? Is there a standard we
should set, or should we consider all of those values? a: John: you do have to
understand what their values are; no, you don't help them better kill people
this is hard to talk about in a general, open context For example, about RFID:
what is the context of where it will be used?  e.g., in a mall, you should ask
"Who walks through the doors of that mall?" And this will vary region by region
[country by country]... those contexts help think about the values Yes, you
could build something that can be used in ways you didn't intend, [but people
should consider] how to honor differentl levels of protection of Privacy. You
should consider innovations that would prevent tracking, [for instance.]

q: Brian Polk: thanks; q: regarding use cases, a lot of AI and ML, you're
developing an algorithm for thousands of use cases. How do bring values into ML
situations like this? q: John: good question; [We should ask] What is the first
purpose the algorithm is being built to do? what is the company's main purpose?
B2B, B2C.  Ask about transparency and accountability... do we know what the
algorithm is doing?  Is there accountability, traceability? We think a lot
about [e.g.,] if you build a robot with eyes and a face, in the U.S. that would
look into your eyes, but that same robot, e.g., in Asia, there may be a
tradition of not looking into peoples' eyes.  This cultural questions speaks to
the values of end users in places where a project will be released.  If it's
not thought about, it affects sustainability.

Presentation Giovane Moura (in person) on "No domain left behind: is Let's
Encrypt democratizing encryption?" [Note: Giovane also presented this in MAPRG
this morning He said (of hprc):] This is appropriate for this working group,
but here I will focus on different things [Goal of work, answer] Does Let's
Encrypt democratize and help people be protected?

The related paper is here [PDF linked therein]: https://arxiv.org/abs/1612.03005
some old domains are now encrypted with Let's Encrypt that weren't encrypted at
all before; [presumably this a good thing :) ]

q: chair: were people just going for the cheaper option now?
a: we didn't look at that

q: ???? this is a success story, but one lesson is this will also be used by
bad people a: Giovane: any technology can be misused

q: ??? : this seems very WWW-centric; comment: in the DNS world 2/3 of using
Let's Enctypt, the automation was a critical part

* Presentation: Adamantia Rachovitsa remote from NL on "Rethinking Privacy
Online and Human Rights: The IETF as the Guiardian of Privacy Online in the
Face of Mass Surveillance a.k.a. Mando [I wrote this] to introduce the IETF to
International lawyers The paper discusses mostly privacy, but [now] I will talk
more general about human rights

See details (last preso) in this slideset:
https://www.ietf.org/proceedings/98/slides/slides-98-hrpc-presentation-ietf98-hrpc-00.pdf

From my point of view, I will raise 4 questions?
Is IETF bound by human rights?  No
Does the IETF get involved in human rights: No - b/c has no mandate to do so;
Yes - b/c Internet standards define a levvel of human rights protections Does
it fall w/in IETF's mandate to address impact of the standards on human rights?
Yes - if and only if the impact is related to maintinaing trust with the
network or making the Internet's function better How will/should the IETF
assess the impact of Internet standards on users' human rights? It [should]
assess the contribution to all affected parties; It will assess posible impact
but will not assess the privacy or freedom of expression of user A in coutry X

So, IETF [in speaker's view] should assess *impact*

Thinking outside the IHRL box [IHRL = International Human Rights Law]
inside means: human rights are applicable online, etc. (see slide)
outside the box means [something else] (see slide)

Instead of thinking of rights offline being in conflict/tension or competing
interests think of how they can, instead, about symbiotic, mutually supportive

Privacy, e.g., can be a preconditon for cybersecurity

q: Ted Hardy: thanks, helping to bridge between communities
comment: in your use of the term mandate, IETF doesn't have a mandate but has a
technical scope There is no one that gave IETF a *mandate* I've often found
that the "law of the sea" is a good metaphor here b/c the technical work is
about the conditions of the sea and technical things, IETF is more on this than
on the regulatory side We have to be careful of our scope - we [IETF] deal with
the world as it exists, rather than regulating/mandating it

q: Matt Mathis: comments/observations: I am apphalled by the ways in which our
protocols leak... I think this is a technical bug at the end of the day, we
have reasons for lawful intercept and censorship (e.g. malware) - the
technologies that do this have no intrinsic value, the value is in the policy
domain we should provde building blocks (w/o unintended behaviors) and how
they're used should come from outside IETF a: (Mando): the "mandate" may be my
unfortunate use of the term; what we mean does the IETF believe it should get
involved, and it some instance, I belive, it does think it should get involved
Also, I agree that many of the issues of Internet standards are always about
human rights

q: John Levine: in universal decalaration of HR, I see us focusing just on 2
(privacy, freedom of speach) There are many others, e.g., attacks on honor and
reputation, property - these are a big deal too What I'm looking for is where
is the balancing of rights that have conflicting technical demands a: Mando:
human rights are not optional concepts... they are subject to restrictions;
these restrictions could be on the basis of state functions (e.g. public
morals) or on the basis of other people (e.g. freedom of expression vs.
privacy)... here a judge will use a balancing mechanism to balance the
competing interests - this is the mechanism in Human Rights law In IETF it
doesn't work exactly the same, but is similar I see the balancing exercise is
intriguing in it's priority, e.g., privacy is the rule, with possible
exception, e.g., freedom of expression.  This hierarchy limits how you can
balance things. When you try to apply this to interest online, it becomes more
complex.

In my view, the IETF should be human rights aware; it does not mean that it
will treat all human rights

discussion (by Neils ten Oever, not in chair role) on
draft-tenoever-hrpc-anonymity-00
https://tools.ietf.org/html/draft-tenoever-hrpc-anonymity q: ????: I think this
work is interesting and relevant comment: there are more people than just the
[user] and ISP that are threats to anonymity a: who will volunteer to take this
draft over

q: Hannes ???: this work is really important for our work at the WWW Consortium
(W3C)... work on verifiable claims things like anonymous claims, e.g., of being
over the age of 18 We need documents to guide us, and people to engage with us,
about this What is the best way for us to collaborate with this group (57
companies signed the W3C charter)? we would be happy to collaborate, we have
fewer people, [tho] working on privacy - we could help review on specifications
a: Neils: you could work on this draft [with us] chairs: both think it would be
good to review and collaborate on this together (IETF and W3C)

remotely, Gisela Perez de Acha on draft-tenoever-hrpc-assocation-00
https://datatracker.ietf.org/doc/draft-tenoever-hrpc-association/

This work came about from considering what be a way to protest, leveraging the
Internet architecture, that doesn't have negative impacts like DDoS?

migrated from protest to "assembly and association"
considering collective expression at protocol level
protest is encompassed in right to assembly, but also can be executed
individually, dissent Both rights, then, to join or to leave. (Forced
association is a violation of rights)

Is the Internet itself an assembly? Or an association?

What are we missing (asked in slide)
chair suggests sharing those in mailing list, etc.

Avri Doria (co-chair): one slide re: research group on draft-irtf-hrpc-research
reached out to other groups, academic and human rights advocacy, for feedback
says she believes we have rough consensus [will do something after this
meeting] will submit the draft to the the IRSG for its review according to th
rules in RFC5743

chair closes saying there are two drafts, and next steps, discuss on the list.
q: Lee Howard: note that there will be a plenary topic on human rights