---
IETF 108: HRPC
Date: Tuesday, 28 July 2020
Time: 14:10 -- 15:50 (UTC)
Session: 3
Location: Meetecho (Room 2)
---

Minutes HRPC IETF 108

Chairs: Avri Doria and Mallory Knodel

Agenda and slides: https://datatracker.ietf.org/meeting/108/session/hrpc

# Welcome and introduction (~0 minutes)

Scribe, Note takers

- Note taker: Kris Shrishak

Agenda Review

Research Group status

- Niels: Maybe add the adoption of drafts and milestones on hrpc.io
- Mallory: There were plans to make the website static but we can continue publishing there. We can also use data tracker to track the milestones.

# Talk: Simon McGarr, Data Compliance Europe (30 minutes)

Apps for COVID-19 Tracing An EU Data Rights View

- Representing Digital Rights Ireland
- Applying data protection law to COVID tracing apps
- Advocating for a good outcome
- Tracing apps may be good. Important to reduce the time between the time of infection and the time of notification. This idea allows people to get tested quickly. Good idea if it works. So, does it work well?
- Legal basis: Charter of Fundamental Rights. Right to data protection is the right under consideration. Legal basis that the states can use---consent is the model chosen in the EU.
- What does consent mean in EU law?
  - freely given: But, there is a power imbalance between citizens and state (GDPR). So, the state cannot rely on consent to gather data. If more things are built on top of contact tracing, then informed consent becomes hard. Free consent is granular consent. If you agree to a particular aspect in the app, you must be able to disagree with another aspect as well. Different processes should not be bundled together.
  - specific: Before getting free consent, you must have decided what people need to consent for. But, the state wanted to know more about the citizens. Symptoms that people are feeling, etc. State shifted to more than one purpose. App was well designed to inform the public of these purposes. Function creep needs to be prevented.
  - informed: The state cannot put a wall of text but the text must be easy to understand before consent can be considered informed and free consent. Irish app did well enough, although it was not the best. There are requirements for informed consent (check the slides).
  - unambiguous: Health is a special category of data under Art. 9 in GDPR. High levels of consent are required. It should be possible to withdraw consent, access the information that was gathered, correct the information.
- ICCI/DRI principled framework
- Aim was that developments must meet specific requirements (clear and limited purpose, transparency and promote trust, privacy and data protection by design).
- In most countries the take up of the app is 10-15%
- It is key to be able to build in trust and demonstrate it.
- The app is subject to a sunset clause
- If the app is not effective, then it cannot be necessary and if it is not necessary then the data collection/processing is not proportional
- The state published the code and data protection impact assessment online
- The state was rewarded by the citizens as it has about 60% uptake (based on the downloads)
- The state claims that the app is 70% effective (the metric of effectiveness unknown)
- Civil society involvement made a difference: centralized app was dropped and switched to Google/Apple API.
- Scorecard - C+. The best we can hope for.

Questions:

Jim Reid: Wonderful stuff. Congratulations on GDPR compliance. Startling difference with UK. How much of the success of the tracing app is due to Google/Apple API? The UK relies on a centralized repository.

Simon: This is Google/Apple world and everyone else is playing in it. You can strike off on your own, fall off the edge of the world. They can control whether a framework has access or not. For instance, they can force users to keep the screen to stay on for the app to function. Yes, Irish authorities cited data protection concerns. At base, they did not have a choice.
On this occasion, it is privacy protecting. In truth the underlying stack is controlled by Mountain View and not the states.

Mallory: Please share your inputs on the HRPC list.

# Talk: Eva Galperin, Electronic Frontier Foundation (30 minutes)

Whose Internet is This? Moving the Periphery to the Center

- Internet is a fantastic tool to share information and for oppression, misinformation and censorship
- This talk is about encouraging the good stuff and discouraging the bad stuff.
- High school history teacher did not have a history textbook but used newspapers, articles, etc.
- Why should we have a human rights (HR) framework?
- Lawyers at Boston University asked why HR frameworks are needed.
- Law is sometimes bullshit and wrong. So we need HR--court of HR, US constitution. These are important.
- Criticism of HR: A bludgeon that the West uses to impose on other countries. China and Russia have complained about this in the past. We need HR in the West as well. People should be in a position to defend their HR.
- Fukuyama: The end of history. Capitalism has won.
- Internet was going to be the force for good: transparency, civil society, democracy, etc. Some of them happened.
- Years back, studied Chinese censorship. Now, Chinese model is held up as the model in Russia and Iran.
- The Internet also allows people to be tracked.
- We carry tracking devices in our pockets. Cell phones do not work otherwise.
- EFF spent a lot of time on govt. surveillance issues.
- Thanks to Mark Klein: telecom industry was working with NSA. All the traffic was being copied and sent to NSA, presumably searched through for national security purposes.
- This was unconstitutional as this was information on a lot of people and NSA is not allowed to surveil US citizens
- ACLU also filed cases on this issue
- Govts. were the cause of worry as they had the monopoly on the legitimate use of violence.
- But, govts. are not the only problem; increasingly, our communication takes place on a limited set of platforms from a limited set of countries.
- If you are working at one of the large platforms that hold large amounts of data, US lawyers could request data. Other govts. also requested data to silence critics.
- Case: President of Turkey sent legal requests to Google and Yahoo to find out who was criticizing him (illegal in Turkey); prosecute people who made memes on Erdogan.
- Companies began publishing transparency reports that mentioned the number of requests, from whom and which requests they complied with.
- Copyright law is often used as a backdoor to political censorship.
- What would the Internet look like if the concerns of the powerful are not on the forefront?
- The poor and those with less access are often left behind. So are dissidents and journalists.
- These are considered edge cases and hence, keeping such people safe was not considered as a priority at these companies.
- 2FA, HTTPS by default
- Twitter engineer: I gave you 95% of what you wanted, what else do you want?
- Eva: I want the other 5%.
- When we are making products, standards, laws, we should think about those who need it the most and not those who want the money.
- If you begin with journalists, BLM activists, LGBTQ activists, you will inevitably make a secure system for the average users.
- The other way around, you will not be able to cover edge cases.

Questions:

Bron Gondwana: This does not come free. The reason why people choose not to do it is that the cost of usability and competition is high. Most people go to lower privacy solutions. More people on FB.

Eva: The key is not to live in the mountains. I am not suggesting that we all move to PGP. I want people to be able to communicate with each other. The history of privacy preserving apps has demonstrated that usable solutions are not easy. It is important that users be able to give informed consent.
Users don't understand what data they are producing and who has access to it.

Bron: I agree with GDPR and the regulatory framework where human rights are embedded in the law.

Mallory: There is a draft in the IETF called 'For the people'.

Niels: Thanks Mallory and Eva. Would you have concrete ways to operationalize? Are you aware of the drafts in this research group? What can we do to operationalize your suggestions?

Eva: I am here to convince you guys to go in the right direction. Should everything be encrypted by default? Should we have anonymity online? But the trade-offs are not fair. What happens if we have legal name policy? It is completely legal. FB's policy is a prominent example. That was a policy that endangered victims of domestic abuse, people who were being stalked. This is so broad that... I cannot give you specific technical suggestions.

Mallory: There used to be a draft that was on anonymity. It has expired. If anyone wants to take it up. Gurshabad called out Registries for asking identities. Bron's point is about trade-offs and there might be other consequences.

# Updates: Research group drafts (10 minutes)

draft-irtf-hrpc-association, Mallory Knodel (on behalf of Stéphane Couture)

- Significant changes that have been sent to the list. No feedback so far.
- After RFC 8280, we wanted to dive deep into rights of association and assembly. Niels and Gisela were the original editors. Joe and Stephane took over.
- There was consensus on taking this draft forward. Stephane re-conducted literature review. The research question has been modified. There are 7 sub-questions.
- So far:
  - reformulation of the aim
  - enhanced literature review
  - identification of 7 new sub-research questions: some of the previous use cases may not remain. Sections will be focussed on the protocols. A rethink of the conclusions. Maybe later.
- Check slides for the 7 sub-questions
- These questions are specific. We may not cover the entire world of freedom of association and assembly.
- E.g., is it possible to distinguish peaceful and non-peaceful association from the perspective of protocol development?
- The questions are up for debate.
- Can we agree with the revisions?
- New author and editors needed.

Avri: I really like the rewrite. I have not had the time to comment on the list. (audio not clear). I appreciate that you [Mallory] are chairing this.

Mallory: Glad to hear this.

Niels: I can work on the draft with you. Thanks to Stephane and you for the new structure. Great progress. Thanks.

Mallory: I just came in towards the end. Stephane did most of the work. I was only shepherding. These questions are not light. We need to do some heavy lifting. We also care about the other draft (guidelines).

Shivan: I agree with the general actions. A comment on the latest. The draft talks a lot about centralization. Should it be here as there is another draft on centralization. Maybe the authors should talk about how centralization links with association and assembly.

Mallory: Another thing that surprised me was that there was not much on interoperability. There is a gap in what already exists. The literature review brought up a lot. We shouldn't be rewriting things but we should reference to the draft. We can also reference publication in journals.

# Update: Guidelines draft and short presentations from reviewers (10 minutes)

draft-irtf-hrpc-guidelines, Gurshabad Grover

- Attribution aspect... due to Brazil and India
- No feedback received in a while
- Send your thoughts and feedback here or on the list.
- Is it good to go for research group last call after the proposed changes?

Mallory: We should move the draft to last call. You as an author have thought deeply about the draft. A question for you: Do you think you want to make changes before the last call?

Gurshabad: I have a draft on attribution. It may or may not be contentious. After the planned changes, I have nothing else in mind. The draft is being used, but we have not had any feedback in a while.

Mallory: Anyone wants to weigh in about pushing the last call?

Gurshabad: Feedback welcome.

Mallory: Is the last call the way to get more feedback? What is there is already there. Gurshabad is going to clarify.

Shivan: Maybe too late to change scope right now. New questions are added on top of RFC 8280. Right?

Niels: It went a bit further. We refined the questions, added examples, added methodology. New issues have come up. Some reviewers thought that some things were unclear. Some thought that RFC 8280 was too long. This is much shorter. Human rights 1.0 version.

Shivan: I think that it is still pretty long. If the objective is that it is for people to review it then I will take part of it. ... I don't see these as guidelines. I see it more as an extended research.

Mallory: 8280 was the research. Baseline scoping. Where do we start when we think about protocols and human rights. For a check-list, Gurshabad posted it on Git (hub or lab) that can be used when doing a protocol review.

Shivan: I heard that it is a check-list. But, I don't think this is a check-list. It is fine if this is 8280 2.0.

Mallory: We can think of the guidelines draft as a guide to the check-list. Use this draft to understand how the questions in the check-list came about.

Gurshabad: Shivan's comment is useful. This draft is supposed to update the guideline. The explanations in the draft could be moved to the appendix.

# Update: Options for research publication (10 minutes)

Ongoing RG discussion, Avri Doria

- At the last meeting, Avri brought up the idea of publishing articles in a journal (audio not clear)

Mallory summarizing: We have been discussing other avenues to publish the output from this research group. There is a call to find concrete places to do so.

Avri: It wasn't about when. It could take a year. It is about getting to start working on it so that I can find an avenue for publishing.

Mallory: Call for people who are interested in pursuing that.