Diff of draft-irtf-pearg-safe-internet-measurement-02.txt against
draft-irtf-pearg-safe-internet-measurement-03.txt.  Text common to both
versions appears once; text present in only one version is marked
[-02] or [-03].

Network Working Group                                       I. Learmonth
Internet-Draft                                               Tor Project
Intended status: Informational       [-02] December 4, 2019
                                     [-03] May 18, 2020
Expires:                             [-02] June 6, 2020
                                     [-03] November 19, 2020

      Guidelines for Performing Safe Measurement on the Internet
            [-02] draft-irtf-pearg-safe-internet-measurement-02
            [-03] draft-irtf-pearg-safe-internet-measurement-03

Abstract

   Researchers from industry and academia often use Internet
   measurements as part of their work.  While these measurements can
   give insight into the functioning and usage of the Internet, they can
   come at the cost of user privacy.  This document describes guidelines
   for ensuring that such measurements can be carried out safely.

Note

   (skipping to change at page 1, line 43)

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   [-02] This Internet-Draft will expire on June 6, 2020.
   [-03] This Internet-Draft will expire on November 19, 2020.

Copyright Notice

   Copyright (c) 2019 [-02] / 2020 [-03] IETF Trust and the persons
   identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

1.  Introduction

   (skipping to change at page 2, line 30)

1.1.  Scope of this document

   Following the guidelines contained within this document is not a
   substitute for any institutional ethics review process, although
   these guidelines could help to inform that process.  Similarly, these
   guidelines are not legal advice and local laws must also be
   considered before starting any experiment that could have adverse
   impacts on user safety.
   [-03] The scope of this document is restricted to guidelines that
   mitigate exposure to risks to Internet user safety when measuring
   properties of the Internet: the network, its constituent hosts and
   links, or its users' traffic.

   [-03] For the purpose of this document, an Internet user is an
   individual or organisation that uses the Internet to communicate, or
   maintains Internet infrastructure.

[-03] 1.2.  Threat Model

   A threat is a potential for a security violation, which exists when
   there is a circumstance, capability, action, or event that could
   breach security and cause harm [RFC4949].  Every Internet measurement
   study has the potential to subject Internet users to threat actions,
   or attacks.

   Many of the threats to user safety occur from an instantiation (or
   combination) of the following:

   Surveillance:  An attack whereby an Internet user's information is
      collected.  This type of attack covers not only data but also
      metadata.

   Inadequate protection of collected data:  An attack where data,
      either in flight or at rest, was not adequately protected from
      disclosure.  Failure to adequately protect data to the
      expectations of the user is an attack even if it does not lead to
      another party gaining access to the data.

   Traffic generation:  An attack whereby traffic is generated to
      traverse the Internet.

   Traffic modification:  An attack whereby the Internet traffic of
      users is modified.

   Any conceivable Internet measurement study might be considered an
   attack on an Internet user's safety.  It is always necessary to
   consider the best approach to mitigate the impact of measurements,
   and to balance the risks of measurements against the benefits to
   impacted users.

[-02] 1.2.  Active and passive measurements
[-03] 1.3.  Measurement Studies

   Internet measurement studies can be broadly categorized into two
   groups: active measurements and passive measurements.

   [-02] Active measurements generate traffic.  Performance measurements
   such as TCP throughput testing [RFC6349] or functional measurements
   such as the feature-dependent connectivity failure tests performed by
   [PATHspider] both fall into this category.  Performing passive
   measurements requires existing traffic.

   [-02] Both active and passive measurements carry risk.  A poorly
   considered active measurement could result in an inadvertent
   denial-of-service attack, while passive measurements could result in
   serious violations of user privacy.

   [-02] The type of measurement is not truly binary and many studies
   will include both active and passive components.  Each of the
   considerations in this document must be carefully considered for
   their applicability regardless of the type of measurement.

   [-03] Active measurements generate or modify traffic while passive
   measurements use surveillance of existing traffic.  The type of
   measurement is not truly binary and many studies will include both
   active and passive components.  The measurement of generated traffic
   may also lead to insights into other users' traffic indirectly.

   [-03] XXX On-path/off-path

   [-03] XXX One ended/two ended

[-03] 1.4.  User Impact from Measurement Studies

   Consequences of attacks

   Breach of Privacy:  data collection.  This impact also covers the
      case of an Internet user's data being shared beyond that which a
      user had given consent for.

   Impersonation:  An attack where a user is impersonated during a
      measurement.

   XXX Legal

   XXX Other Retribution

   System corruption:  An attack where generated or modified traffic
      causes the corruption of a system.  This attack covers cases where
      a user's data may be lost or corrupted, and cases where a user's
      access to a system may be affected.

   XXX Data loss, corruption

   XXX Denial of Service (by which self-censorship is covered)

   XXX Emotional Trauma
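   The traffic-generation threat in the -03 threat model and the
   denial-of-service consequence in Section 1.4 (which -02 states
   directly: a poorly considered active measurement can become an
   inadvertent denial-of-service attack) can be mitigated inside the
   measurement tool itself, before any ethics review is asked to weigh
   the residual risk.  The following is an added illustration, not part
   of either version of the draft and not code from any tool the draft
   cites: a small governor that refuses a probe when it would arrive too
   soon after the last one to the same host, when too many probes have
   recently gone to the same prefix, or when the host has stopped
   answering.  The class and function names, the limits and the sample
   addresses are hypothetical.

```python
"""Added example, not part of the draft: a governor that spaces out
active-measurement probes so that an experiment cannot degrade into an
inadvertent denial of service.  Names, limits and sample addresses are
hypothetical."""
from collections import defaultdict, deque
import ipaddress


class ProbeGovernor:
    """Decides whether a probe to `host` may be sent at time `now`."""

    def __init__(self, min_interval=1.0, prefix_cap=5, window=10.0,
                 max_failures=3, cooldown=60.0):
        self.min_interval = min_interval  # seconds between probes to one host
        self.prefix_cap = prefix_cap      # probes per prefix within `window`
        self.window = window              # sliding window for the prefix cap
        self.max_failures = max_failures  # consecutive failures that pause a host
        self.cooldown = cooldown          # seconds a paused host stays paused
        self._last = {}                   # host -> time of its last probe
        self._prefix_hits = defaultdict(deque)  # prefix -> recent probe times
        self._failures = defaultdict(int)
        self._paused_until = {}

    @staticmethod
    def _prefix(host):
        # Aggregate by /24 for IPv4 and /64 for IPv6 so that a sweep over
        # neighbouring addresses cannot concentrate load on one network.
        addr = ipaddress.ip_address(host)
        length = 24 if addr.version == 4 else 64
        return ipaddress.ip_network(f"{addr}/{length}", strict=False)

    def allow(self, host, now):
        """Return (allowed, reason); a True result records the probe."""
        if self._paused_until.get(host, 0.0) > now:
            return False, "paused after repeated failures"
        if now - self._last.get(host, float("-inf")) < self.min_interval:
            return False, "per-host interval not elapsed"
        hits = self._prefix_hits[self._prefix(host)]
        while hits and now - hits[0] >= self.window:  # expire old entries
            hits.popleft()
        if len(hits) >= self.prefix_cap:
            return False, "prefix cap reached"
        self._last[host] = now
        hits.append(now)
        return True, "ok"

    def report(self, host, ok, now):
        """Feed back the probe outcome.  Repeated failures pause the host:
        a target that has stopped answering may already be struggling."""
        if ok:
            self._failures[host] = 0
            return
        self._failures[host] += 1
        if self._failures[host] >= self.max_failures:
            self._paused_until[host] = now + self.cooldown
            self._failures[host] = 0


def run_schedule(requests, **limits):
    """Apply the governor to a list of (time, host, outcome) requests.
    `outcome` is None for a probe that went unanswered.  Returns the
    list of (time, host, reason) decisions, refused probes included."""
    gov = ProbeGovernor(**limits)
    decisions = []
    for now, host, outcome in requests:
        allowed, reason = gov.allow(host, now)
        decisions.append((now, host, reason))
        if allowed:
            gov.report(host, outcome is not None, now)
    return decisions


if __name__ == "__main__":
    # Constructed sample schedule using documentation addresses.
    sample = [
        (0.0, "192.0.2.10", "reply"),
        (0.5, "192.0.2.10", "reply"),      # too soon for the same host
        (0.5, "192.0.2.11", "reply"),
        (0.6, "192.0.2.12", "reply"),      # /24 cap of 2 already reached
        (0.6, "198.51.100.1", None),       # unanswered
        (2.0, "198.51.100.1", None),       # unanswered again -> paused
        (5.0, "198.51.100.1", "reply"),    # refused while paused
        (11.0, "192.0.2.12", "reply"),     # window expired, allowed again
    ]
    for when, host, why in run_schedule(sample, prefix_cap=2, max_failures=2):
        print(f"t={when:5.1f} {host:14} {why}")
```

   Which limits are appropriate depends on the study; the governor only
   makes them explicit and enforceable.  The refused decisions are
   returned alongside the accepted ones on purpose: the gaps a safety
   limit introduces into an experiment's coverage should be recorded, not
   silently lost.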
2.  Consent

   [-03] XXX a user is best placed to balance risks vs benefits
   themselves

   In an ideal world, informed consent would be collected from all users
   that may be placed at risk, no matter how small a risk, by an
   experiment.  In cases where it is practical to do so, this should be
   done.

2.1.  Informed Consent

   For consent to be informed, all possible risks must be presented to
   the users.  The considerations in this document can be used to
   provide a starting point although other risks may be present

   (skipping to change at page 8, line 32 [-02] / page 9, line 49 [-03])
   [MenloReportCompanion]
              Bailey, M., Dittrich, D., and E. Kenneally, "Applying
              Ethical Principles to Information and Communication
              Technology Research", October 2013,
              <https://www.impactcybertrust.org/link_docs/Menlo-Report-
              Companion.pdf>.

   [netem]    Stephen, H., "Network emulation with NetEm", April 2005.

   [-02] [PATHspider]
              Learmonth, I., Trammell, B., Kuehlewind, M., and G.
              Fairhurst, "PATHspider: A tool for active measurement of
              path transparency", DOI 10.1145/2959424.2959441, July
              2016,
              <https://dl.acm.org/citation.cfm?doid=2959424.2959441>.

   [RFC2544]  Bradner, S. and J. McQuaid, "Benchmarking Methodology for
              Network Interconnect Devices", RFC 2544,
              DOI 10.17487/RFC2544, March 1999,
              <https://www.rfc-editor.org/info/rfc2544>.

   [-03] [RFC4949]
              Shirey, R., "Internet Security Glossary, Version 2",
              August 2007, <https://www.rfc-editor.org/info/rfc4949>.

   [-02] [RFC6349]
              Constantine, B., Forget, G., Geib, R., and R. Schrage,
              "Framework for TCP Throughput Testing", RFC 6349,
              DOI 10.17487/RFC6349, August 2011,
              <https://www.rfc-editor.org/info/rfc6349>.

   [RFC6973]  Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
              Morris, J., Hansen, M., and R. Smith, "Privacy
              Considerations for Internet Protocols", RFC 6973, July
              2013, <https://www.rfc-editor.org/info/rfc6937>.

   [Tor.2017-04-001]
              Herm, K., "Privacy analysis of Tor's in-memory
              statistics", Tor Tech Report 2017-04-001, April 2017,
              <https://research.torproject.org/techreports/privacy-in-
End of changes.  11 change blocks.
30 lines changed or deleted; 84 lines changed or added.

This html diff was produced by rfcdiff 1.48.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/