idnits 2.17.1
draft-irtf-hrpc-guidelines-00.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The abstract seems to contain references ([RFC6973], [RFC8280]), which
it shouldn't. Please replace those with straight textual mentions of the
documents in question.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (March 20, 2018) is 2229 days in the past. Is this
intentional?
Checking references for intended status: Informational
----------------------------------------------------------------------------
-- Looks like a reference, but probably isn't: '1' on line 1183
-- Looks like a reference, but probably isn't: '2' on line 1185
-- Looks like a reference, but probably isn't: '3' on line 1187
== Unused Reference: 'RFC4033' is defined on line 1076, but no explicit
reference was found in the text
-- Obsolete informational reference (is this intentional?): RFC 793
(Obsoleted by RFC 9293)
-- Obsolete informational reference (is this intentional?): RFC 3979
(Obsoleted by RFC 8179)
-- Obsolete informational reference (is this intentional?): RFC 4941
(Obsoleted by RFC 8981)
Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 7 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Human Rights Protocol Considerations Research GroupN. ten Oever (editor)
3 Internet-Draft ARTICLE 19
4 Intended status: Informational March 20, 2018
5 Expires: September 21, 2018
7 Guidelines for Human Rights Protocol Considerations
8 draft-irtf-hrpc-guidelines-00
10 Abstract
12 This document proposes guidelines for human rights considerations,
13 similar to the work done on the guidelines for privacy considerations
14 [RFC6973]. This is an updated version of the guidelines for human
15 rights considerations in [RFC8280].
17 Status of This Memo
19 This Internet-Draft is submitted in full conformance with the
20 provisions of BCP 78 and BCP 79.
22 Internet-Drafts are working documents of the Internet Engineering
23 Task Force (IETF). Note that other groups may also distribute
24 working documents as Internet-Drafts. The list of current Internet-
25 Drafts is at https://datatracker.ietf.org/drafts/current/.
27 Internet-Drafts are draft documents valid for a maximum of six months
28 and may be updated, replaced, or obsoleted by other documents at any
29 time. It is inappropriate to use Internet-Drafts as reference
30 material or to cite them other than as "work in progress."
32 This Internet-Draft will expire on September 21, 2018.
34 Copyright Notice
36 Copyright (c) 2018 IETF Trust and the persons identified as the
37 document authors. All rights reserved.
39 This document is subject to BCP 78 and the IETF Trust's Legal
40 Provisions Relating to IETF Documents
41 (https://trustee.ietf.org/license-info) in effect on the date of
42 publication of this document. Please review these documents
43 carefully, as they describe your rights and restrictions with respect
44 to this document. Code Components extracted from this document must
45 include Simplified BSD License text as described in Section 4.e of
46 the Trust Legal Provisions and are provided without warranty as
47 described in the Simplified BSD License.
49 Table of Contents
51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
52 2. Vocabulary used . . . . . . . . . . . . . . . . . . . . . . . 2
53 3. Model for developing human rights protocol considerations . . 2
54 3.1. Human rights threats . . . . . . . . . . . . . . . . . . 3
55 3.2. Guidelines for human rights considerations . . . . . . . 4
56 3.2.1. Connectivity . . . . . . . . . . . . . . . . . . . . 5
57 3.2.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . 6
58 3.2.3. Content agnosticism . . . . . . . . . . . . . . . . . 6
59 3.2.4. Security . . . . . . . . . . . . . . . . . . . . . . 7
60 3.2.5. Internationalization . . . . . . . . . . . . . . . . 7
61 3.2.6. Censorship resistance . . . . . . . . . . . . . . . . 8
62 3.2.7. Open Standards . . . . . . . . . . . . . . . . . . . 9
63 3.2.8. Heterogeneity Support . . . . . . . . . . . . . . . . 11
64 3.2.9. Pseudonymity . . . . . . . . . . . . . . . . . . . . 12
65 3.2.10. Accessibility . . . . . . . . . . . . . . . . . . . . 13
66 3.2.11. Localization . . . . . . . . . . . . . . . . . . . . 13
67 3.2.12. Decentralization . . . . . . . . . . . . . . . . . . 14
68 3.2.13. Reliability . . . . . . . . . . . . . . . . . . . . . 15
69 3.2.14. Confidentiality . . . . . . . . . . . . . . . . . . . 16
70 3.2.15. Integrity . . . . . . . . . . . . . . . . . . . . . . 17
71 3.2.16. Authenticity . . . . . . . . . . . . . . . . . . . . 17
72 3.2.17. Adaptability . . . . . . . . . . . . . . . . . . . . 18
73 3.2.18. Outcome Transparency . . . . . . . . . . . . . . . . 19
74 3.2.19. Anonymity . . . . . . . . . . . . . . . . . . . . . . 19
75 4. Document Status . . . . . . . . . . . . . . . . . . . . . . . 20
76 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20
77 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21
78 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21
79 8. Research Group Information . . . . . . . . . . . . . . . . . 21
80 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
81 9.1. Informative References . . . . . . . . . . . . . . . . . 21
82 9.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 26
83 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 26
85 1. Introduction
87 2. Vocabulary used
89 3. Model for developing human rights protocol considerations
91 This section outlines a set of human rights protocol considerations
92 for protocol developers. It provides questions engineers should ask
93 themselves when developing or improving protocols if they want to
94 understand their human rights impact. It should however be noted
95 that the impact of a protocol cannot solely be deduced from its
96 design, but its usage and implementation should also be studied to
97 form a full protocol human rights impact assessment.
99 The questions are based on the research performed by the hrpc
100 research group which has been documented before these considerations.
101 The research establishes that human rights relate to standards and
102 protocols and offers a common vocabulary of technical concepts that
103 impact human rights and how these technical concept can be combined
104 to ensure that the Internet remains an enabling environment for human
105 rights. With this the contours of a model for developing human
106 rights protocol considerations has taken shape.
108 3.1. Human rights threats
110 Human rights threats on the Internet come in a myriad of forms.
111 Protocols and standards can harm or enable the right to freedom of
112 expression, right to non-discrimination, right to equal protection,
113 right to participate in cultural life, arts and science, right to
114 freedom of assembly and association, and the right to security. An
115 end-user who is denied access to certain services, data or websites
116 may be unable to disclose vital information about the malpractices of
117 a government or other authority. A person whose communications are
118 monitored may be prevented from exercising their right to freedom of
119 association or participate in political processes [Penney]. In a
120 worst-case scenario, protocols that leak information can lead to
121 physical danger. A realistic example to consider is when individuals
122 perceived as threats to the state are subjected to torture or
123 extrajudicial killing or detention on the basis of information
124 gathered by state agencies through information leakage in protocols.
126 This section details several 'common' threats to human rights,
127 indicating how each of these can lead to human rights violations/
128 harms and present several examples of how these threats to human
129 rights materialize on the Internet. This threat modeling is inspired
130 by [RFC6973] Privacy Considerations for Internet Protocols, which is
131 based on the security threat analysis. This method is by no means a
132 perfect solution for assessing human rights risks in Internet
133 protocols and systems; it is however the best approach currently
134 available. Certain specific human rights threats are indirectly
135 considered in Internet protocols as part of the security
136 considerations [BCP72], but privacy guidelines [RFC6973] or reviews,
137 let alone human rights impact assessments of protocols are not
138 standardized or implemented.
140 Many threats, enablers and risks are linked to different rights.
141 This is not unsurprising if one takes into account that human rights
142 are interrelated, interdependent and indivisible. Here however we're
143 not discussing all human rights because not all human rights are
144 relevant to ICTs in general and protocols and standards in particular
145 [Bless]: "The main source of the values of human rights is the
146 International Bill of Human Rights that is composed of the Universal
147 Declaration of Human Rights [UDHR] along with the International
148 Covenant on Civil and Political Rights [ICCPR] and the International
149 Covenant on Economic, Social and Cultural Rights [ICESCR]. In the
150 light of several cases of Internet censorship, the Human Rights
151 Council Resolution 20/8 was adopted in 2012 [UNHRC2016], affirming ".
152 . . that the same rights that people have offline must also be
153 protected online. . . " . In 2015, the Charter of Human Rights and
154 Principles for the Internet [IRP] was developed and released.
155 According to these documents, some examples of human rights relevant
156 for ICT systems are human dignity (Art. 1 UDHR), non-discrimination
157 (Art. 2), rights to life, liberty and security (Art. 3), freedom of
158 opinion and expression (Art. 19), freedom of assembly and association
159 (Art. 20), rights to equal protection, legal remedy, fair trial, due
160 process, presumed innocent (Art. 7-11), appropriate social and
161 international order (Art. 28), participation in public affairs (Art.
162 21), participation in cultural life, protection of the moral and
163 material interests resulting from any scientific, literary or
164 artistic production of which he is the author property (Art. 27), and
165 privacy (Art. 12)." A partial catalog of human rights related to
166 ICTs, including economic rights, can be found in [Hill2014].
168 This is by no means an attempt to exclude specific rights or
169 prioritize some rights over others. If other rights seem relevant,
170 please contact the authors.
172 3.2. Guidelines for human rights considerations
174 This section provides guidance for document authors in the form of a
175 questionnaire about protocols and their (potential) impact. The
176 questionnaire may be useful at any point in the design process,
177 particularly after document authors have developed a high-level
178 protocol model as described in [RFC4101]. These guidelines do not
179 seek to replace any existing referenced specifications, but rather
180 contribute to them and look at the design process from a human rights
181 perspective.
183 Protocols and Internet Standard might benefit from a documented
184 discussion of potential human rights risks arising from potential
185 misapplications of the protocol or technology described in the RFC.
186 This might be coupled with an Applicability Statement for that RFC.
188 Note that the guidance provided in this section does not recommend
189 specific practices. The range of protocols developed in the IETF is
190 too broad to make recommendations about particular uses of data or
191 how human rights might be balanced against other design goals.
193 However, by carefully considering the answers to the following
194 questions, document authors should be able to produce a comprehensive
195 analysis that can serve as the basis for discussion on whether the
196 protocol adequately takes specific human rights threats into account.
197 This guidance is meant to help the thought process of a human rights
198 analysis; it does not provide specific directions for how to write a
199 human rights protocol considerations section (following the example
200 set in [RFC6973]), and the addition of a human rights protocol
201 considerations section has also not yet been proposed. In
202 considering these questions, authors will need to be aware of the
203 potential of technical advances or the passage of time to undermine
204 protections. In general, considerations of rights are likely to be
205 more effective if they are considered given a purpose and specific
206 use cases, rather than as abstract absolute goals.
208 3.2.1. Connectivity
210 Question(s): Does your protocol add application-specific functions to
211 intermediary nodes? Could this functionality be added to end nodes
212 instead of intermediary nodes? Is your protocol optimized for low
213 bandwidth and high latency connections? Could your protocol also be
214 developed in a stateless manner?
216 Explanation: The end-to-end principle [Saltzer] holds that 'the
217 intelligence is end to end rather than hidden in the network'
218 [RFC1958]. The end-to-end principle is important for the robustness
219 of the network and innovation. Such robustness of the network is
220 crucial to enabling human rights like freedom of expression.
222 Example: Middleboxes (which can be Content Delivery Networks,
223 Firewalls, NATs or other intermediary nodes that provide other
224 'services' than routing) serve many legitimate purposes. But the
225 protocols guiding them, can influence individuals' ability to
226 communicate online freely and privately. The potential for abuse and
227 intentional and unintentional censoring and limiting permissionless
228 innovation, and thus ultimately the impact of middleboxes on the
229 Internet as a place of unfiltered, unmonitored freedom of speech, is
230 real.
232 Impacts:
234 - Right to freedom of expression
236 - Right to freedom of assembly and association
238 3.2.2. Privacy
240 Question(s): Did you have a look at the Guidelines in the Privacy
241 Considerations for Internet Protocols [RFC6973] section 7? Could
242 your protocol in any way impact the confidentiality of protocol
243 metadata? Could your protocol counter traffic analysis? Could your
244 protocol improve data minimization? Does your document identify
245 potentially sensitive logged data by your protocol and/or for how
246 long that needs to be retained for technical reasons?
248 Explanation: Privacy refers to the right of an entity (normally a
249 person), acting in its own behalf, to determine the degree to which
250 it will interact with its environment, including the degree to which
251 the entity is willing to share its personal information with others.
252 [RFC4949]. If a protocol provides insufficient privacy protection it
253 may have a negative impact on freedom of expression as users self-
254 censor for fear of surveillance, or find themselves unable to express
255 themselves freely.
257 Example: See [RFC6973]
259 Impacts:
261 - Right to freedom of expression
263 - Right to non-discrimination
265 3.2.3. Content agnosticism
267 Question(s): If your protocol impacts packet handling, does it use
268 user data (packet data that is not included in the header)? Is it
269 making decisions based on the payload of the packet? Does your
270 protocol prioritize certain content or services over others in the
271 routing process ? Is the protocol transparent about the
272 prioritization that is made (if any)?
274 Explanation: Content agnosticism refers to the notion that network
275 traffic is treated identically regardless of payload, with some
276 exception where it comes to effective traffic handling, for instance
277 where it comes to delay tolerant or delay sensitive packets, based on
278 the header.
280 Example: Content agnosticism prevents payload-based discrimination
281 against packets. This is important because changes to this principle
282 can lead to a two-tiered Internet, where certain packets are
283 prioritized over others on the basis of their content. Effectively
284 this would mean that although all users are entitled to receive their
285 packets at a certain speed, some users become more equal than others.
287 Impacts:
289 - Right to freedom of expression
291 - Right to non-discrimination
293 - Right to equal protection
295 3.2.4. Security
297 Question(s): Did you have a look at Guidelines for Writing RFC Text
298 on Security Considerations [BCP72]? Have you found any "attacks that
299 are somewhat related to your protocol yet considered out of scope of
300 your document? Would these attacks be pertinent to the human rights
301 enabling features of the Internet (as described throughout this
302 document)?
304 Explanation: Most people speak of security as if it were a single
305 monolithic property of a protocol or system, however, upon reflection
306 one realizes that it is clearly not true. Rather, security is a
307 series of related but somewhat independent properties. Not all of
308 these properties are required for every application. Since
309 communications are carried out by systems and access to systems is
310 through communications channels, these goals obviously interlock, but
311 they can also be independently provided [BCP72].
313 Example: See [BCP72].
315 Impacts:
317 - Right to freedom of expression
319 - Right to freedom of assembly and association
321 - Right to non-discrimination
323 - Right to security
325 3.2.5. Internationalization
327 Question(s): Does your protocol have text strings that have to be
328 understood or entered by humans? Does your protocol allow Unicode?
329 If so, do you accept texts in one charset (which must be UTF-8), or
330 several (which is dangerous for interoperability)? If character sets
331 or encodings other than UTF-8 are allowed, does your protocol mandate
332 a proper tagging of the charset? Did you have a look at [RFC6365]?
333 Explanation: Internationalization refers to the practice of making
334 protocols, standards, and implementations usable in different
335 languages and scripts (see Localization). In the IETF,
336 internationalization means to add or improve the handling of non-
337 ASCII text in a protocol. [RFC6365] A different perspective, more
338 appropriate to protocols that are designed for global use from the
339 beginning, is the definition used by W3C:
341 "Internationalization is the design and development of a
342 product, application or document content that enables easy
343 localization for target audiences that vary in culture, region,
344 or language." {{W3Ci18nDef}}
346 Many protocols that handle text only handle one charset (US-ASCII),
347 or leave the question of what CCS and encoding are used up to local
348 guesswork (which leads, of course, to interoperability problems). If
349 multiple charsets are permitted, they must be explicitly identified
350 [RFC2277]. Adding non-ASCII text to a protocol allows the protocol
351 to handle more scripts, hopefully representing users across the
352 world. In today's world, that is normally best accomplished by
353 allowing Unicode encoded in UTF-8 only.
355 In the current IETF policy [RFC2277], internationalization is aimed
356 at user-facing strings, not protocol elements, such as the verbs used
357 by some text-based protocols. (Do note that some strings are both
358 content and protocol elements, such as the identifiers.) If the
359 Internet wants to be a global network of networks, the protocols
360 should work with other languages than English and other character
361 sets than latin characters. It is therefore crucial that at least
362 the content carried by the protocol can be in any script, and that
363 all scripts are treated equally.
365 Example: See localization
367 Impacts:
369 - Right to freedom of expression
371 - Right to political participation
373 - Right to participate in cultural life, arts and science
375 3.2.6. Censorship resistance
377 Question(s): Does this protocol introduce new identifiers or reuse
378 existing identifiers (e.g. MAC addresses) that might be associated
379 with persons or content? Does your protocol make it apparent or
380 transparent when access to a resource it restricted? Can your
381 protocol contribute to filtering in a way it could be implemented to
382 censor data or services? Could this be designed to ensure this
383 doesn't happen?
385 Explanation: Censorship resistance refers to the methods and measures
386 to prevent Internet censorship.
388 Example: In the development of the IPv6 protocol it was discussed to
389 embed a Media Access Control (MAC) address into unique IP addresses.
390 This would make it possible for 'eavesdroppers and other information
391 collectors to identify when different addresses used in different
392 transactions actually correspond to the same node. [RFC4941] This is
393 why Privacy Extensions for Stateless Address Autoconfiguration in
394 IPv6 have been introduced. [RFC4941]
396 Identifiers of content exposed within a protocol might be used to
397 facilitate censorship, as in the case of Application Layer based
398 censorship, which affects protocols like HTTP. Denial or restriction
399 of access can be made apparent by the use of status code 451 - which
400 allows server operators to operate with greater transparency in
401 circumstances where issues of law or public policy affect their
402 operation [RFC7725].
404 Impacts:
406 - Right to freedom of expression
408 - Right to political participation
410 - Right to participate in cultural life, arts and science
412 - Right to freedom of assembly and association
414 3.2.7. Open Standards
416 Question(s): Is your protocol fully documented in a way that it could
417 be easily implemented, improved, built upon and/or further developed?
418 Do you depend on proprietary code for the implementation, running or
419 further development of your protocol? Does your protocol favor a
420 particular proprietary specification over technically equivalent and
421 competing specification(s), for instance by making any incorporated
422 vendor specification "required" or "recommended" [RFC2026]? Do you
423 normatively reference another standard that is not available without
424 cost (and could it possible be done without)? Are you aware of any
425 patents that would prevent your standard from being fully implemented
426 [RFC3979] [RFC6701]?
427 Explanation: The Internet was able to be developed into the global
428 network of networks because of the existence of open, non-proprietary
429 standards [Zittrain]. They are crucial for enabling
430 interoperability. Yet, open standards are not explicitly defined
431 within the IETF. On the subject, [RFC2026] states: Various national
432 and international standards bodies, such as ANSI, ISO, IEEE, and ITU-
433 T, develop a variety of protocol and service specifications that are
434 similar to Technical Specifications defined at the IETF. National
435 and international groups also publish "implementors' agreements" that
436 are analogous to Applicability Statements, capturing a body of
437 implementation-specific detail concerned with the practical
438 application of their standards. All of these are considered to be
439 "open external standards" for the purposes of the Internet Standards
440 Process. Similarly, [RFC3935] does not define open standards but
441 does emphasize the importance of 'open process': any interested
442 person can participate in the work, know what is being decided, and
443 make his or her voice heard on the issue. Part of this principle is
444 the IETF's commitment to making its documents, WG mailing lists,
445 attendance lists, and meeting minutes publicly available on the
446 Internet.
448 Open standards are important as they allow for permissionless
449 innovation, which is important to maintain the freedom and ability to
450 freely create and deploy new protocols on top of the communications
451 constructs that currently exist. It is at the heart of the Internet
452 as we know it, and to maintain its fundamentally open nature, we need
453 to be mindful of the need for developing open standards.
455 All standards that need to be normatively implemented should be
456 freely available and with reasonable protection for patent
457 infringement claims, so it can also be implemented in open source or
458 free software. Patents have often held back open standardization or
459 been used against those deploying open standards, particularly in the
460 domain of cryptography [newegg]. An exemption of this is sometimes
461 made when a protocol is standardized that normatively relies on
462 speficiations produced by others SDOs that are not freely available.
463 Patents in open standards or in normative references to other
464 standards should have a patent disclosure [notewell], royalty-free
465 licensing [patentpolicy], or some other form of reasonable
466 protection. Reasonable patent protection should includes but is not
467 limited to cryptographic primitives.
469 Example: [RFC6108] describes a system for providing critical end-user
470 notifications to web browsers, which has been deployed by Comcast, an
471 Internet Service Provider (ISP). Such a notification system is being
472 used to provide near-immediate notifications to customers, such as to
473 warn them that their traffic exhibits patterns that are indicative of
474 malware or virus infection. There are other proprietary systems that
475 can perform such notifications, but those systems utilize Deep Packet
476 Inspection (DPI) technology. In contrast to DPI, this document
477 describes a system that does not rely upon DPI, and is instead based
478 in open IETF standards and open source applications.
480 Impacts:
482 - Right to freedom of expression
484 - Right to participate in cultural life, arts and science
486 3.2.8. Heterogeneity Support
488 Question(s): Does your protocol support heterogeneity by design?
489 Does your protocol allow for multiple types of hardware? Does your
490 protocol allow for multiple types of application protocols? Is your
491 protocol liberal in what it receives and handles? Will it remain
492 usable and open if the context changes? Does your protocol allow
493 there to be well-defined extension points? Do these extension points
494 allow for open innovation?
496 Explanation: The Internet is characterized by heterogeneity on many
497 levels: devices and nodes, router scheduling algorithms and queue
498 management mechanisms, routing protocols, levels of multiplexing,
499 protocol versions and implementations, underlying link layers (e.g.,
500 point-to-point, multi-access links, wireless, FDDI, etc.), in the
501 traffic mix and in the levels of congestion at different times and
502 places. Moreover, as the Internet is composed of autonomous
503 organizations and Internet service providers, each with their own
504 separate policy concerns, there is a large heterogeneity of
505 administrative domains and pricing structures. As a result, the
506 heterogeneity principle proposed in [RFC1958] needs to be supported
507 by design [FIArch].
509 Example: Heterogeneity is inevitable and needs be supported by
510 design. Multiple types of hardware must be allowed for, e.g.
511 transmission speeds differing by at least 7 orders of magnitude,
512 various computer word lengths, and hosts ranging from memory-starved
513 microprocessors up to massively parallel supercomputers. Multiple
514 types of application protocol must be allowed for, ranging from the
515 simplest such as remote login up to the most complex such as
516 distributed databases [RFC1958].
518 Impacts:
520 - Right to freedom of expression
522 - Right to political participtation
524 3.2.9. Pseudonymity
526 Question(s): Have you considered the Privacy Considerations for
527 Internet Protocols [RFC6973], especially section 6.1.2 ? Does the
528 protocol collect personally derived data? Does the protocol generate
529 or process anything that can be, or be tightly correlated with,
530 personally identifiable information? Does the protocol utilize data
531 that is personally-derived, i.e. derived from the interaction of a
532 single person, or their device or address? Does this protocol
533 generate personally derived data, and if so how will that data be
534 handled?
536 Explanation: Pseudonymity - the ability to use a persistent
537 identifier not linked to one's offline identity" straight away - is
538 an important feature for many end-users, as it allows them different
539 degrees of disguised identity and privacy online.
541 Example: Designing a standard that exposes personal data, it is
542 important to consider ways to mitigate the obvious impacts. While
543 pseudonyms cannot be simply reverse engineered - some early
544 approaches simply took approaches such as simple hashing of IP
545 addreses, these could then be simply reversed by generating a hash
546 for each potential IP address and comparing it to the pseudonym -
547 limiting the exposure of personal data remains important.
549 Pseudonymity means using a pseudonym instead of one's "real" name.
550 There are many reasons for users to use pseudoyms, for instance to:
551 hide their gender, protect themselves against harassment, protect
552 their families' privacy, frankly discuss sexuality, or develop a
553 artistic or journalistic persona without retribution from an
554 employer, (potential) customers, or social surrounding.
555 [geekfeminism] The difference between anonymity and pseudonymity is
556 that a pseudonym often is persistent. "Pseudonymity is strengthened
557 when less personal data can be linked to the pseudonym; when the same
558 pseudonym is used less often and across fewer contexts; and when
559 independently chosen pseudonyms are more frequently used for new
560 actions (making them, from an observer's or attacker's perspective,
561 unlinkable)." [RFC6973]
563 Impacts:
565 - Right to non-discrimination
567 - Right to freedom of assembly and association
569 3.2.10. Accessibility
571 Question(s): Is your protocol designed to provide an enabling
572 environment for people who are not able-bodied? Have you looked at
573 the W3C Web Accessibility Initiative for examples and guidance?
575 Explanation: The Internet is fundamentally designed to work for all
576 people, whatever their hardware, software, language, culture,
577 location, or physical or mental ability. When the Internet meets
578 this goal, it is accessible to people with a diverse range of
579 hearing, movement, sight, and cognitive ability [W3CAccessibility].
580 Sometimes in the design of protocols, websites, web technologies, or
581 web tools, barriers are created that exclude people from using the
582 Web.
584 Example: The HTML protocol as defined in [HTML5] specifically
585 requires that every image must have an alt attribute (with a few
586 exceptions) to ensure images are accessible for people that cannot
587 themselves decipher non-text content in web pages.
589 Impacts:
591 - Right to non-discrimination
593 - Right to freedom of assembly and association
595 - Right to education
597 - Right to political participation
599 3.2.11. Localization
601 Question(s): Does your protocol uphold the standards of
602 internationalization? Have made any concrete steps towards
603 localizing your protocol for relevant audiences?
605 Explanation: Localization refers to the adaptation of a product,
606 application or document content to meet the language, cultural and
607 other requirements of a specific target market (a locale)
608 [W3Ci18nDef]. It is also described as the practice of translating an
609 implementation to make it functional in a specific language or for
610 users in a specific locale (see Internationalization).
612 Example: The Internet is a global medium, but many of its protocols
613 and products are developed with a certain audience in mind, that
614 often share particular characteristics like knowing how to read and
615 write in ASCII and knowing English. This limits the ability of a
616 large part of the world's online population from using the Internet
617 in a way that is culturally and linguistically accessible. An
618 example of a protocol that has taken into account the view that
619 individuals like to have access to data in their native language can
620 be found in [RFC5646]. This protocol labels the information content
621 with an identifier for the language in which it is written. And this
622 allows information to be presented in more than one language.
624 Impacts:
626 - Right to non-discrimination
628 - Right to participate in cultural life, arts and science
630 - Right to freedom of expression
632 3.2.12. Decentralization
634 Question(s): Can your protocol be implemented without one single
635 point of control? If applicable, can your protocol be deployed in a
636 federated manner? What is the potential for discrimination against
637 users of your protocol? How can the use of your protocol be used to
638 implicate users? Does your protocol create additional centralized
639 points of control?
641 Explanation: Decentralization is one of the central technical
642 concepts of the architecture of the networks, and embraced as such by
643 the IETF [RFC3935]. It refers to the absence or minimization of
644 centralized points of control; a feature that is assumed to make it
645 easy for new users to join and new uses to unfold [Brown]. It also
646 reduces issues surrounding single points of failure, and distributes
647 the network such that it continues to function if one or several
648 nodes are disabled. With the commercialization of the Internet in
649 the early 1990's there has been a slow move to move away from
650 decentralization, to the detriment of the technical benefits of
651 having a decentralized Internet.
653 Example: The bits traveling the Internet are increasingly susceptible
654 to monitoring and censorship, from both governments and Internet
655 service providers, as well as third (malicious) parties. The ability
656 to monitor and censor is further enabled by the increased
657 centralization of the network that creates central infrastructure
658 points that can be tapped in to. The creation of peer-to-peer
659 networks and the development of voice-over-IP protocols using peer-
660 to-peer technology in combination with distributed hash table (DHT)
661 for scalability are examples of how protocols can preserve
662 decentralization [Pouwelse].
664 Impacts:
666 - Right to freedom of expression
668 - Right to freedom of assembly and association
670 3.2.13. Reliability
672 Question(s): Is your protocol fault tolerant? Does it degrade
673 gracefully? Can your protocol resist malicious degradation attempts?
674 Do you have a documented way to announce degradation? Do you have
675 measures in place for recovery or partial healing from failure? Can
676 your protocol maintain dependability and performance in the face of
677 unanticipated changes or circumstances?
679 Explanation: Reliability ensures that a protocol will execute its
680 function consistently and error resistant as described, and function
681 without unexpected result. A system that is reliable degenerates
682 gracefully and will have a documented way to announce degradation.
683 It also has mechanisms to recover from failure gracefully, and if
684 applicable, allow for partial healing. It is important here to draw
685 a distinction between random degradation and malicious degradation.
686 Many current attacks against TLS, for example, exploit TLS's ability
687 to gracefully degrade to older cipher suites - from a functional
688 perspective, this is good. From a security perspective, this can be
689 very bad. As with confidentiality, the growth of the Internet and
690 fostering innovation in services depends on users having confidence
691 and trust [RFC3724] in the network. For reliability it is necessary
692 that services notify the users if a delivery fails. In the case of
693 real-time systems in addition to the reliable delivery the protocol
694 needs to safeguard timeliness.
696 Example: In the modern IP stack structure, a reliable transport layer
697 requires an indication that transport processing has successfully
698 completed, such as given by TCP's ACK message [RFC0793], and not
699 simply an indication from the IP layer that the packet arrived.
700 Similarly, an application layer protocol may require an application-
701 specific acknowledgement that contains, among other things, a status
702 code indicating the disposition of the request (See [RFC3724]).
704 Impacts:
706 - Right to freedom of expression
708 - Right to security
710 3.2.14. Confidentiality
712 Question(s): Does this protocol expose information related to
713 identifiers or data? If so, does it do so to each other protocol
714 entity (i.e., recipients, intermediaries, and enablers) [RFC6973]?
715 What options exist for protocol implementers to choose to limit the
716 information shared with each entity? What operational controls are
717 available to limit the information shared with each entity?
719 What controls or consent mechanisms does the protocol define or
720 require before personal data or identifiers are shared or exposed via
721 the protocol? If no such mechanisms or controls are specified, is it
722 expected that control and consent will be handled outside of the
723 protocol?
725 Does the protocol provide ways for initiators to share different
726 pieces of information with different recipients? If not, are there
727 mechanisms that exist outside of the protocol to provide initiators
728 with such control?
730 Does the protocol provide ways for initiators to limit which
731 information is shared with intermediaries? If not, are there
732 mechanisms that exist outside of the protocol to provide users with
733 such control? Is it expected that users will have relationships that
734 govern the use of the information (contractual or otherwise) with
735 those who operate these intermediaries? Does the protocol prefer
736 encryption over clear text operation?
738 Does the protocol provide ways for initiators to express individuals'
739 preferences to recipients or intermediaries with regard to the
740 collection, use, or disclosure of their personal data?
742 Explanation: Confidentiality refers to keeping your data secret from
743 unintended listeners [BCP72]. The growth of the Internet depends on
744 users having confidence that the network protects their personal data
745 [RFC1984].
747 Example: Protocols that do not encrypt their payload make the entire
748 content of the communication available to the idealized attacker
749 along their path. Following the advice in [RFC3365], most such
750 protocols have a secure variant that encrypts the payload for
751 confidentiality, and these secure variants are seeing ever-wider
752 deployment. A noteworthy exception is DNS [RFC1035], as DNSSEC
753 [RFC4033]does not have confidentiality as a requirement. This
754 implies that, in the absence of changes to the protocol as presently
755 under development in the IETF's DNS Private Exchange (DPRIVE) working
756 group, all DNS queries and answers generated by the activities of any
757 protocol are available to the attacker. When store-and-forward
758 protocols are used (e.g., SMTP [RFC5321]), intermediaries leave this
759 data subject to observation by an attacker that has compromised these
760 intermediaries, unless the data is encrypted end-to-end by the
761 application-layer protocol or the implementation uses an encrypted
762 store for this data [RFC7624].
764 Impacts:
766 - Right to privacy
768 - Right to security
770 3.2.15. Integrity
772 Question(s): Does your protocol maintain, assure and/or verify the
773 accuracy of payload data? Does your protocol maintain and assure the
774 consistency of data? Does your protocol in any way allow for the
775 data to be (intentionally or unintentionally) altered?
777 Explanation: Integrity refers to the maintenance and assurance of the
778 accuracy and consistency of data to ensure it has not been
779 (intentionally or unintentionally) altered.
781 Example: Integrity verification of data is important to prevent
782 vulnerabilities and attacks, like man-in-the-middle-attacks. These
783 attacks happen when a third party (often for malicious reasons)
784 intercepts a communication between two parties, inserting themselves
785 in the middle changing the content of the data. In practice this
786 looks as follows:
788 Alice wants to communicate with Bob.
789 Corinne forges and sends a message to Bob, impersonating Alice. Bob
790 cannot see the data from Alice was altered by Corinne.
791 Corinne intercepts and alters the communication as it is sent between
792 Alice and Bob.
793 Corinne is able to control the communication content.
795 Impacts:
797 - Right to freedom of expression
799 - Right to security
801 3.2.16. Authenticity
803 Question(s): Do you have sufficient measures to confirm the truth of
804 an attribute of a single piece of data or entity? Can the attributes
805 get garbled along the way (see security)? If relevant have you
806 implemented IPsec, DNSsec, HTTPS and other Standard Security Best
807 Practices?
809 Explanation: Authenticity ensures that data does indeed come from the
810 source it claims to come from. This is important to prevent certain
811 attacks or unauthorized access and use of data.
813 Example: Authentication of data is important to prevent
814 vulnerabilities and attacks, like man-in-the-middle-attacks. These
815 attacks happen when a third party (often for malicious reasons)
816 intercepts a communication between two parties, inserting themselves
817 in the middle and posing as both parties. In practice this looks as
818 follows:
820 Alice wants to communicate with Bob.
821 Alice sends data to Bob.
822 Corinne intercepts the data sent to Bob.
823 Corinne reads (and potentially alters) the message to Bob.
824 Bob cannot see the data did not come from Alice but from Corinne.
826 When there is proper authentication the scenario would be as follows:
828 Alice wants to communicate with Bob.
829 Alice sends data to Bob.
830 Corinne intercepts the data sent to Bob.
831 Corinne reads and alters the message to Bob.
832 Bob can see the data did not come from Alice but from Corinne.
834 Impacts:
836 - Right to privacy
838 - Right to freedom of expression
840 - Right to security
842 3.2.17. Adaptability
844 Question(s): Is your protocol written in such a way that is would be
845 easy for other protocols to be developed on top of it, or to interact
846 with it? Does your protocol impact permissionless innovation? See
847 'Connectivity' above.
849 Explanation: Adaptability is closely interrelated with permissionless
850 innovation, both maintain the freedom and ability to freely create
851 and deploy new protocols on top of the communications constructs that
852 currently exist. It is at the heart of the Internet as we know it,
853 and to maintain its fundamentally open nature, we need to be mindful
854 of the impact of protocols on maintaining or reducing permissionless
855 innovation to ensure the Internet can continue to develop.
857 Example: WebRTC generates audio and/or video data. In order to
858 ensure that WebRTC can be used in different locations by different
859 parties it is important that standard Javascript APIs are developed
860 to support applications from different voice service providers.
861 Multiple parties will have similar capabilities, in order to ensure
862 that all parties can build upon existing standards these need to be
863 adaptable, and allow for permissionless innovation.
865 Impacts:
867 - Right to education
869 - Freedom of expression
871 - Freedom of assembly and association
873 3.2.18. Outcome Transparency
875 Question(s): Are the effects of your protocol fully and easily
876 comprehensible, including with respect to unintended consequences of
877 protocol choices?
879 Explanation: certain technical choice may have unintended
880 consequences.
882 Example: lack of authenticity may lead to lack of integrity and
883 negative externalities, of which spam is an example. Lack of data
884 that could be used for billing and accounting can lead to so-called
885 "free" arrangements which obscure the actual costs and distribution
886 of the costs, for example the barter arrangements that are commonly
887 used for Internet interconnection; and the commercial exploitation of
888 personal data for targeted advertising which is the most common
889 funding model for the so-called "free" services such as search
890 engines and social networks.
892 Impacts: - Freedom of expression - Privacy - Freedom of assembly and
893 association - Access to information
895 3.2.19. Anonymity
897 Example: Often protocols expose personal data, it is important to
898 consider ways to mitigate the obvious privacy impacts. A protocol
899 that uses data that could help identify a sender (items of interest)
900 should be protected from third parties. For instance if one wants to
901 hide the source/destination IP addresses of a packet, the use of
902 IPsec in tunneling mode (e.g., inside a virtual private network) can
903 be helpful to protect from third parties likely to eavesdrop packets
904 exchanged between the tunnel endpoints.
906 Question(s): Does you protocol make use of persistent identifiers?
907 Can it be done without them? If your protocol collects data and
908 distributes it (see [RFC6235]), you should anonymize the data, but
909 keep in mind that "anonymizing" data is notoriously hard. Do not
910 think that just dropping the last byte of an IP address "anonymizes"
911 data. If your protocol allows for identity management, there should
912 be a clear barrier between the identities to ensure that they cannot
913 (easily) be associated with each other. Did you have a look at the
914 Privacy Considerations for Internet Protocols [RFC6973], especially
915 section 6.1.1 ?
917 Explanation: Anonymity refers to the condition of an identity being
918 unknown or concealed [RFC4949]. Even though full anonymity is hard
919 to achieve, it is a non-binary concept. Making pervasive monitoring
920 and tracking harder is important for many users as well as for the
921 IETF [RFC7258]. Achieving a higher level of anonymity is an
922 important feature for many end-users, as it allows them different
923 degrees of privacy online. Anonymity is an inherent part of the
924 right to freedom of opinion and expression and the right to privacy.
925 Avoid adding identifiers, options or configurations that create or
926 might lead to patterns or regularities that are not explicitely
927 required by the protocol.
929 Example: An example is DHCP where sending a persistent identifier as
930 the client name was not mandatory but, in practice, done by many
931 implementations, before [RFC7844].
933 Impacts:
935 - Right to non-discrimination
937 - Right to political participation
939 - Right to freedom of assembly and association
941 - Right to security
943 4. Document Status
945 5. Acknowledgements
946 6. Security Considerations
948 As this document concerns a research document, there are no security
949 considerations.
951 7. IANA Considerations
953 This document has no actions for IANA.
955 8. Research Group Information
957 The discussion list for the IRTF Human Rights Protocol Considerations
958 Research Group is located at the e-mail address hrpc@ietf.org [1].
959 Information on the group and information on how to subscribe to the
960 list is at https://www.irtf.org/mailman/listinfo/hrpc [2]
962 Archives of the list can be found at: https://www.irtf.org/mail-
963 archive/web/hrpc/current/index.html [3]
965 9. References
967 9.1. Informative References
969 [BCP72] IETF, "Guidelines for Writing RFC Text on Security
970 Considerations", 2003,
971 .
973 [Bless] Bless, R. and C. Orwat, "Values and Networks", 2015.
975 [Brown] Brown, I. and M. Ziewitz, "A Prehistory of Internet
976 Governance", Research Handbook on Governance of the
977 Internet. Cheltenham, Edward Elgar. , 2013.
979 [FIArch] "Future Internet Design Principles", January 2012,
980 .
983 [geekfeminism]
984 Geek Feminism Wiki, "Pseudonymity", 2015,
985 .
987 [Hill2014]
988 Hill, R., "Partial Catalog of Human Rights Related to ICT
989 Activities", 2014,
990 .
992 [HTML5] W3C, "HTML5", 2014, .
994 [ICCPR] United Nations General Assembly, "International Covenant
995 on Civil and Political Rights", 1976,
996 .
999 [ICESCR] United Nations General Assembly, "International Covenant
1000 on Economic, Social and Cultural Rights", 1966,
1001 .
1004 [IRP] Internet Rights and Principles Dynamic Coalition, "10
1005 Internet Rights & Principles", 2014,
1006 .
1010 [newegg] Mullin, J., "Newegg on trial: Mystery company TQP rewrites
1011 the history of encryption", 2013, .
1015 [notewell]
1016 IETF, "Note Well", 2015,
1017 .
1019 [patentpolicy]
1020 W3C, "W3C Patent Policy", 2004,
1021 .
1023 [Penney] Penney, J., "Chilling Effects: Online Surveillance and
1024 Wikipedia Use", 2016, .
1027 [Pouwelse]
1028 Pouwelse, Ed, J., "Media without censorship", 2012,
1029 .
1032 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
1033 RFC 793, DOI 10.17487/RFC0793, September 1981,
1034 .
1036 [RFC1035] Mockapetris, P., "Domain names - implementation and
1037 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
1038 November 1987, .
1040 [RFC1958] Carpenter, B., Ed., "Architectural Principles of the
1041 Internet", RFC 1958, DOI 10.17487/RFC1958, June 1996,
1042 .
1044 [RFC1984] IAB and IESG, "IAB and IESG Statement on Cryptographic
1045 Technology and the Internet", BCP 200, RFC 1984,
1046 DOI 10.17487/RFC1984, August 1996,
1047 .
1049 [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
1050 3", BCP 9, RFC 2026, DOI 10.17487/RFC2026, October 1996,
1051 .
1053 [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and
1054 Languages", BCP 18, RFC 2277, DOI 10.17487/RFC2277,
1055 January 1998, .
1057 [RFC3365] Schiller, J., "Strong Security Requirements for Internet
1058 Engineering Task Force Standard Protocols", BCP 61,
1059 RFC 3365, DOI 10.17487/RFC3365, August 2002,
1060 .
1062 [RFC3724] Kempf, J., Ed., Austein, R., Ed., and IAB, "The Rise of
1063 the Middle and the Future of End-to-End: Reflections on
1064 the Evolution of the Internet Architecture", RFC 3724,
1065 DOI 10.17487/RFC3724, March 2004,
1066 .
1068 [RFC3935] Alvestrand, H., "A Mission Statement for the IETF",
1069 BCP 95, RFC 3935, DOI 10.17487/RFC3935, October 2004,
1070 .
1072 [RFC3979] Bradner, S., Ed., "Intellectual Property Rights in IETF
1073 Technology", RFC 3979, DOI 10.17487/RFC3979, March 2005,
1074 .
1076 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1077 Rose, "DNS Security Introduction and Requirements",
1078 RFC 4033, DOI 10.17487/RFC4033, March 2005,
1079 .
1081 [RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101,
1082 DOI 10.17487/RFC4101, June 2005,
1083 .
1085 [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy
1086 Extensions for Stateless Address Autoconfiguration in
1087 IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007,
1088 .
1090 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
1091 FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
1092 .
1094 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
1095 DOI 10.17487/RFC5321, October 2008,
1096 .
1098 [RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying
1099 Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646,
1100 September 2009, .
1102 [RFC6108] Chung, C., Kasyanov, A., Livingood, J., Mody, N., and B.
1103 Van Lieu, "Comcast's Web Notification System Design",
1104 RFC 6108, DOI 10.17487/RFC6108, February 2011,
1105 .
1107 [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization
1108 Support", RFC 6235, DOI 10.17487/RFC6235, May 2011,
1109 .
1111 [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in
1112 Internationalization in the IETF", BCP 166, RFC 6365,
1113 DOI 10.17487/RFC6365, September 2011,
1114 .
1116 [RFC6701] Farrel, A. and P. Resnick, "Sanctions Available for
1117 Application to Violators of IETF IPR Policy", RFC 6701,
1118 DOI 10.17487/RFC6701, August 2012,
1119 .
1121 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
1122 Morris, J., Hansen, M., and R. Smith, "Privacy
1123 Considerations for Internet Protocols", RFC 6973,
1124 DOI 10.17487/RFC6973, July 2013,
1125 .
1127 [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
1128 Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
1129 2014, .
1131 [RFC7624] Barnes, R., Schneier, B., Jennings, C., Hardie, T.,
1132 Trammell, B., Huitema, C., and D. Borkmann,
1133 "Confidentiality in the Face of Pervasive Surveillance: A
1134 Threat Model and Problem Statement", RFC 7624,
1135 DOI 10.17487/RFC7624, August 2015,
1136 .
1138 [RFC7725] Bray, T., "An HTTP Status Code to Report Legal Obstacles",
1139 RFC 7725, DOI 10.17487/RFC7725, February 2016,
1140 .
1142 [RFC7844] Huitema, C., Mrugalski, T., and S. Krishnan, "Anonymity
1143 Profiles for DHCP Clients", RFC 7844,
1144 DOI 10.17487/RFC7844, May 2016,
1145 .
1147 [RFC8280] ten Oever, N. and C. Cath, "Research into Human Rights
1148 Protocol Considerations", RFC 8280, DOI 10.17487/RFC8280,
1149 October 2017, .
1151 [Saltzer] Saltzer, J., Reed, D., and D. Clark, "End-to-End Arguments
1152 in System Design", ACM TOCS, Vol 2, Number 4, November
1153 1984, pp 277-288. , 1984.
1155 [UDHR] United Nations General Assembly, "The Universal
1156 Declaration of Human Rights", 1948,
1157 .
1159 [UNHRC2016]
1160 United Nations Human Rights Council, "UN Human Rights
1161 Council Resolution "The promotion, protection and
1162 enjoyment of human rights on the Internet" (A/HRC/32/
1163 L.20)", 2016, .
1167 [W3CAccessibility]
1168 W3C, "Accessibility", 2015,
1169 .
1171 [W3Ci18nDef]
1172 W3C, "Localization vs. Internationalization", 2010,
1173 .
1175 [Zittrain]
1176 Zittrain, J., "The Future of the Internet - And How to
1177 Stop It", Yale University Press , 2008,
1178 .
1181 9.2. URIs
1183 [1] mailto:hrpc@ietf.org
1185 [2] https://www.irtf.org/mailman/listinfo/hrpc
1187 [3] https://www.irtf.org/mail-archive/web/hrpc/current/index.html
1189 Author's Address
1191 Niels ten Oever
1192 ARTICLE 19
1194 EMail: mail@nielstenoever.net