notes by Dave Plonka

HRPC Research Group meeting began about Tue Mar 28 13:02:14 CDT 2017

Chair noted we have a packed agenda:
  https://datatracker.ietf.org/meeting/98/agenda.html

Each bullet below is a different presentation

* chair intro slides, e.g.: status of RG... beginning IETF91 c. Oct. 2014

* Presentation: Francesca Musiani joined remotely to present on
  Distributed architectures: a few research paths beyond engineering sciences

  see slides w/overview of past and current project w.r.t. rights
  https://www.ietf.org/proceedings/98/slides/slides-98-hrpc-presentation-ietf98-hrpc-00.pdf
  ...
  A socio-legal approach to distributed architectures (slide)
    opposed to narratives that suggest only terrorists use encrypted
    technologies in distributed architectures
  slide: Four areas of (cross-cutting) reflection on distributed architectures
    (from Musiani & Meadel, 2016)
    historical perspective: build on lessons learned in prior works
    heterogeneity of distributed architectures
    User empowerments
    Law, how can architectures redistribute responsibility and authority?
  slide: Recent interdisciplinary efforts/projects: (links in slides)
    P2Pvalue
    netCommons
    NEXTLEAP
  Conclusion: "Architecture is politics, but it is not a substitute for
    politics" (Agre, 2003)

  q: Chair comment: politics of protocols is a "favorite" topic of this
     research group
  q: How does consolidation in CDNs, etc. ???
  a: Francesca: bitcoin is the distributed project that people most think of
     w.r.t. [my work]
     the netCommons project is both research and activism
     next step is for institutions to acknowledge these concerns, not just
     considering them stand-alone grass roots efforts
  q: Chair suggested discussion w/Francesca continue on mailing list

* Presentation + Q&A: John Havens joined remotely on:
  IEEE Global Initiative for Ethical Considerations in AI & AS (10 minutes)

  speaker is Executive Director of this project on Artificial Intelligence
  and Autonomous Systems
  slide: "Ethics is the New Green"
    basic idea: 10 years ago, sustainability was about the environment;
    take care of the planet; establish trust w/stakeholders by doing this
    now, this work on ethics: how can we sustain human agency, well-being?
    values-driven design
    identify what stakeholders' interests are [and respect those]
  on AI: "How will machines know what we value if we don't know ourselves?"
    Look within, individually and societally, to create standards [on ethics]
  IEEE has a paper called "Ethically Aligned Design" - this is especially
    important in AI
  We (in the IEEE) along with that paper, also tasked with collecting info
    on areas where standards should be created:
    There are now 7 approved, related working groups: 3 underway
    P7000, speaker is a WG chair; related book: Ethical IT Innovation
    on Value-Based Design, e.g., "Privacy" is a sample value, then examine a
    context in which it is pertinent, e.g., RFID technology;
    "Identity" might be another value;
    how can you build things that align with [their] values?
    It's a market differentiator and tool for innovation

  q: Giovane Moura: comment: we should think about teaching students about this
  q: Joe from ZDT (?): how much of this is a general exercise vs.
     narrowly-scoped alternatives?
     we build a tool for ML algorithms, because anything bigger would be
     boiling the ocean
     so what is the scope of this effort? (for ML)
  a: John: not an ML expert, in our work [though] the general idea is that
     due diligence suggests there are more questions to ask than are
     currently being asked
     When you have multiple tools, you can come at the same question from
     multiple angles
     "Agile marketing, but for ethics"
     [Agreed] Starting general sometimes can not work for a specific problem
     not just about risks to avoid, but what questions drive innovation?
  q: Andrew Sullivan: does this work require the designer of the framework
     not to be neutral?
     If they must take the value stance of the consumer, isn't there a
     danger of making technologies that might be used in ways we don't want?
  a: John: those are good issues; ethics is not easy; we haven't solved
     everything
     In my experience (at a PR firm), a lot of times the ethical work has to
     deal with the unintended effects of a product
     my experience, then, was it's easier to say what you should have done
     I was amazed, [though,] how many questions of ethics and values weren't
     [even] asked
     P7000 is taking existing life-cycle development lifecycles and consider
     where is there no values-oriented language?
     How do we introduce values-sensitive design there?
     People have codes of ethics, but there is bias that these tools can
     help to examine to align with product users
  q: chair: you seem to say we need to base ourselves on values of end
     users, although there are all sorts of values in the world?
     Is there a standard we should set, or should we consider all of those
     values?
  a: John: you do have to understand what their values are; no, you don't
     help them better kill people
     this is hard to talk about in a general, open context
     For example, about RFID: what is the context of where it will be used?
     e.g., in a mall, you should ask "Who walks through the doors of that
     mall?"
     And this will vary region by region [country by country]...
     those contexts help think about the values
     Yes, you could build something that can be used in ways you didn't
     intend, [but people should consider] how to honor different levels of
     protection of Privacy.
     You should consider innovations that would prevent tracking,
     [for instance.]
  q: Brian Polk: thanks;
     q: regarding use cases, a lot of AI and ML, you're developing an
     algorithm for thousands of use cases.
     How do you bring values into ML situations like this?
  a: John: good question; [We should ask] What is the first purpose the
     algorithm is being built to do?
     what is the company's main purpose? B2B, B2C.
     Ask about transparency and accountability... do we know what the
     algorithm is doing? Is there accountability, traceability?
     We think a lot about [e.g.,] if you build a robot with eyes and a face,
     in the U.S. that would look into your eyes, but that same robot, e.g.,
     in Asia, there may be a tradition of not looking into people's eyes.
     This cultural question speaks to the values of end users in places
     where a project will be released.
     If it's not thought about, it affects sustainability.

* Presentation: Giovane Moura (in person) on
  "No domain left behind: is Let's Encrypt democratizing encryption?"

  [Note: Giovane also presented this in MAPRG this morning.
   He said (of hrpc):]
    This is appropriate for this working group, but here I will focus on
    different things
  [Goal of work, answer] Does Let's Encrypt democratize and help people be
    protected?
  The related paper is here [PDF linked therein]:
    https://arxiv.org/abs/1612.03005
  some old domains are now encrypted with Let's Encrypt that weren't
    encrypted at all before; [presumably this is a good thing :) ]

  q: chair: were people just going for the cheaper option now?
  a: we didn't look at that
  q: ????: this is a success story, but one lesson is this will also be used
     by bad people
  a: Giovane: any technology can be misused
  q: ???: this seems very WWW-centric;
     comment: in the DNS world 2/3 of using Let's Encrypt, the automation
     was a critical part

* Presentation: Adamantia Rachovitsa remote from NL on
  "Rethinking Privacy Online and Human Rights: The IETF as the Guardian of
  Privacy Online in the Face of Mass Surveillance"
  a.k.a. Mando

  [I wrote this] to introduce the IETF to International lawyers
  The paper discusses mostly privacy, but [now] I will talk more generally
    about human rights
  See details (last preso) in this slideset:
    https://www.ietf.org/proceedings/98/slides/slides-98-hrpc-presentation-ietf98-hrpc-00.pdf
  From my point of view, I will raise 4 questions:
    Is IETF bound by human rights?
      No
    Does the IETF get involved in human rights:
      No - b/c has no mandate to do so;
      Yes - b/c Internet standards define a level of human rights protections
    Does it fall w/in IETF's mandate to address impact of the standards on
    human rights?
      Yes - if and only if the impact is related to maintaining trust with
      the network or making the Internet's function better
    How will/should the IETF assess the impact of Internet standards on
    users' human rights?
      It [should] assess the contribution to all affected parties;
      It will assess possible impact but will not assess the privacy or
      freedom of expression of user A in country X
      So, IETF [in speaker's view] should assess *impact*
  Thinking outside the IHRL box [IHRL = International Human Rights Law]
    inside means: human rights are applicable online, etc. (see slide)
    outside the box means [something else] (see slide)
    Instead of thinking of rights offline being in conflict/tension or
    competing interests think of how they can, instead, about symbiotic,
    mutually supportive
    Privacy, e.g., can be a precondition for cybersecurity

  q: Ted Hardie: thanks, helping to bridge between communities
     comment: in your use of the term mandate, IETF doesn't have a mandate
     but has a technical scope
     There is no one that gave IETF a *mandate*
     I've often found that the "law of the sea" is a good metaphor here b/c
     the technical work is about the conditions of the sea and technical
     things, IETF is more on this than on the regulatory side
     We have to be careful of our scope - we [IETF] deal with the world as
     it exists, rather than regulating/mandating it
  q: Matt Mathis: comments/observations:
     I am appalled by the ways in which our protocols leak...
     I think this is a technical bug at the end of the day, we have reasons
     for lawful intercept and censorship (e.g. malware) - the technologies
     that do this have no intrinsic value, the value is in the policy domain
     we should provide building blocks (w/o unintended behaviors) and how
     they're used should come from outside IETF
  a: (Mando): the "mandate" may be my unfortunate use of the term;
     what we mean is does the IETF believe it should get involved, and in
     some instance, I believe, it does think it should get involved
     Also, I agree that many of the issues of Internet standards are always
     about human rights
  q: John Levine: in universal declaration of HR, I see us focusing just on
     2 (privacy, freedom of speech)
     There are many others, e.g., attacks on honor and reputation,
     property - these are a big deal too
     What I'm looking for is where is the balancing of rights that have
     conflicting technical demands
  a: Mando: human rights are not optional concepts... they are subject to
     restrictions; these restrictions could be on the basis of state
     functions (e.g. public morals) or on the basis of other people
     (e.g. freedom of expression vs. privacy)...
     here a judge will use a balancing mechanism to balance the competing
     interests - this is the mechanism in Human Rights law
     In IETF it doesn't work exactly the same, but is similar
     I see the balancing exercise is intriguing in its priority, e.g.,
     privacy is the rule, with possible exception, e.g., freedom of
     expression.
     This hierarchy limits how you can balance things.
     When you try to apply this to interest online, it becomes more complex.
     In my view, the IETF should be human rights aware; it does not mean
     that it will treat all human rights

* discussion (by Niels ten Oever, not in chair role) on
  draft-tenoever-hrpc-anonymity-00
  https://tools.ietf.org/html/draft-tenoever-hrpc-anonymity

  q: ????: I think this work is interesting and relevant
     comment: there are more people than just the [user] and ISP that are
     threats to anonymity
  a: who will volunteer to take this draft over
  q: Hannes ???: this work is really important for our work at the WWW
     Consortium (W3C)... work on verifiable claims
     things like anonymous claims, e.g., of being over the age of 18
     We need documents to guide us, and people to engage with us, about this
     What is the best way for us to collaborate with this group
     (57 companies signed the W3C charter)?
     we would be happy to collaborate, we have fewer people, [tho] working
     on privacy - we could help review on specifications
  a: Niels: you could work on this draft [with us]
  chairs: both think it would be good to review and collaborate on this
     together (IETF and W3C)

* remotely, Gisela Perez de Acha on
  draft-tenoever-hrpc-association-00
  https://datatracker.ietf.org/doc/draft-tenoever-hrpc-association/

  This work came about from considering what would be a way to protest,
    leveraging the Internet architecture, that doesn't have negative impacts
    like DDoS?
  migrated from protest to "assembly and association"
  considering collective expression at protocol level
  protest is encompassed in right to assembly, but also can be executed
    individually, dissent
  Both rights, then, to join or to leave.
    (Forced association is a violation of rights)
  Is the Internet itself an assembly? Or an association?
  What are we missing (asked in slide)
  chair suggests sharing those in mailing list, etc.

* Avri Doria (co-chair): one slide re: research group on
  draft-irtf-hrpc-research

  reached out to other groups, academic and human rights advocacy, for
    feedback
  says she believes we have rough consensus
  [will do something after this meeting]
  will submit the draft to the IRSG for its review according to the rules
    in RFC5743

chair closes saying there are two drafts, and next steps, discuss on the list.

q: Lee Howard: note that there will be a plenary topic on human rights