idnits 2.17.1
draft-tenoever-hrpc-guidelines-01.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The abstract seems to contain references ([RFC6973], [RFC8280]), which
it shouldn't. Please replace those with straight textual mentions of the
documents in question.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (November 12, 2017) is 2356 days in the past. Is this
intentional?
Checking references for intended status: Informational
----------------------------------------------------------------------------
-- Looks like a reference, but probably isn't: '1' on line 1181
== Unused Reference: 'RFC4033' is defined on line 1074, but no explicit
reference was found in the text
-- Obsolete informational reference (is this intentional?): RFC 793
(Obsoleted by RFC 9293)
-- Obsolete informational reference (is this intentional?): RFC 3979
(Obsoleted by RFC 8179)
-- Obsolete informational reference (is this intentional?): RFC 4941
(Obsoleted by RFC 8981)
Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 5 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Human Rights Protocol Considerations Research GroupN. ten Oever (editor)
3 Internet-Draft ARTICLE 19
4 Intended status: Informational November 12, 2017
5 Expires: May 16, 2018
7 Guidelines for Human Rights Protocol Considerations
8 draft-tenoever-hrpc-guidelines-01
10 Abstract
12 This document proposes guidelines for human rights considerations,
13 similar to the work done on the guidelines for privacy considerations
14 [RFC6973]. This is an updated version of the guidelines for human
15 rights considerations in [RFC8280].
17 Status of This Memo
19 This Internet-Draft is submitted in full conformance with the
20 provisions of BCP 78 and BCP 79.
22 Internet-Drafts are working documents of the Internet Engineering
23 Task Force (IETF). Note that other groups may also distribute
24 working documents as Internet-Drafts. The list of current Internet-
25 Drafts is at http://datatracker.ietf.org/drafts/current/.
27 Internet-Drafts are draft documents valid for a maximum of six months
28 and may be updated, replaced, or obsoleted by other documents at any
29 time. It is inappropriate to use Internet-Drafts as reference
30 material or to cite them other than as "work in progress."
32 This Internet-Draft will expire on May 16, 2018.
34 Copyright Notice
36 Copyright (c) 2017 IETF Trust and the persons identified as the
37 document authors. All rights reserved.
39 This document is subject to BCP 78 and the IETF Trust's Legal
40 Provisions Relating to IETF Documents
41 (http://trustee.ietf.org/license-info) in effect on the date of
42 publication of this document. Please review these documents
43 carefully, as they describe your rights and restrictions with respect
44 to this document. Code Components extracted from this document must
45 include Simplified BSD License text as described in Section 4.e of
46 the Trust Legal Provisions and are provided without warranty as
47 described in the Simplified BSD License.
49 Table of Contents
51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
52 2. Vocabulary used . . . . . . . . . . . . . . . . . . . . . . . 2
53 3. Model for developing human rights protocol considerations . . 2
54 3.1. Human rights threats . . . . . . . . . . . . . . . . . . 3
55 3.2. Guidelines for human rights considerations . . . . . . . 4
56 3.2.1. Connectivity . . . . . . . . . . . . . . . . . . . . 5
57 3.2.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . 6
58 3.2.3. Content agnosticism . . . . . . . . . . . . . . . . . 6
59 3.2.4. Security . . . . . . . . . . . . . . . . . . . . . . 7
60 3.2.5. Internationalization . . . . . . . . . . . . . . . . 7
61 3.2.6. Censorship resistance . . . . . . . . . . . . . . . . 8
62 3.2.7. Open Standards . . . . . . . . . . . . . . . . . . . 9
63 3.2.8. Heterogeneity Support . . . . . . . . . . . . . . . . 11
64 3.2.9. Pseudonymity . . . . . . . . . . . . . . . . . . . . 12
65 3.2.10. Accessibility . . . . . . . . . . . . . . . . . . . . 13
66 3.2.11. Localization . . . . . . . . . . . . . . . . . . . . 13
67 3.2.12. Decentralization . . . . . . . . . . . . . . . . . . 14
68 3.2.13. Reliability . . . . . . . . . . . . . . . . . . . . . 15
69 3.2.14. Confidentiality . . . . . . . . . . . . . . . . . . . 16
70 3.2.15. Integrity . . . . . . . . . . . . . . . . . . . . . . 17
71 3.2.16. Authenticity . . . . . . . . . . . . . . . . . . . . 17
72 3.2.17. Adaptability . . . . . . . . . . . . . . . . . . . . 18
73 3.2.18. Outcome Transparency . . . . . . . . . . . . . . . . 19
74 3.2.19. Anonymity . . . . . . . . . . . . . . . . . . . . . . 19
75 4. Document Status . . . . . . . . . . . . . . . . . . . . . . . 20
76 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20
77 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21
78 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21
79 8. Research Group Information . . . . . . . . . . . . . . . . . 21
80 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
81 9.1. Informative References . . . . . . . . . . . . . . . . . 21
82 9.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 26
83 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 26
85 1. Introduction
87 2. Vocabulary used
89 3. Model for developing human rights protocol considerations
91 This section outlines a set of human rights protocol considerations
92 for protocol developers. It provides questions engineers should ask
93 themselves when developing or improving protocols if they want to
94 understand their human rights impact. It should however be noted
95 that the impact of a protocol cannot solely be deduced from its
96 design, but its usage and implementation should also be studied to
97 form a full protocol human rights impact assessment.
99 The questions are based on the research performed by the hrpc
100 research group which has been documented before these considerations.
101 The research establishes that human rights relate to standards and
102 protocols and offers a common vocabulary of technical concepts that
103 impact human rights and how these technical concept can be combined
104 to ensure that the Internet remains an enabling environment for human
105 rights. With this the contours of a model for developing human
106 rights protocol considerations has taken shape.
108 3.1. Human rights threats
110 Human rights threats on the Internet come in a myriad of forms.
111 Protocols and standards can harm or enable the right to freedom of
112 expression, right to non-discrimination, right to equal protection,
113 right to participate in cultural life, arts and science, right to
114 freedom of assembly and association, and the right to security. An
115 end-user who is denied access to certain services, data or websites
116 may be unable to disclose vital information about the malpractices of
117 a government or other authority. A person whose communications are
118 monitored may be prevented from exercising their right to freedom of
119 association or participate in political processes [Penney]. In a
120 worst-case scenario, protocols that leak information can lead to
121 physical danger. A realistic example to consider is when individuals
122 perceived as threats to the state are subjected to torture or
123 extrajudicial killing or detention on the basis of information
124 gathered by state agencies through information leakage in protocols.
126 This section details several 'common' threats to human rights,
127 indicating how each of these can lead to human rights violations/
128 harms and present several examples of how these threats to human
129 rights materialize on the Internet. This threat modeling is inspired
130 by [RFC6973] Privacy Considerations for Internet Protocols, which is
131 based on the security threat analysis. This method is by no means a
132 perfect solution for assessing human rights risks in Internet
133 protocols and systems; it is however the best approach currently
134 available. Certain specific human rights threats are indirectly
135 considered in Internet protocols as part of the security
136 considerations [BCP72], but privacy guidelines [RFC6973] or reviews,
137 let alone human rights impact assessments of protocols are not
138 standardized or implemented.
140 Many threats, enablers and risks are linked to different rights.
141 This is not unsurprising if one takes into account that human rights
142 are interrelated, interdependent and indivisible. Here however we're
143 not discussing all human rights because not all human rights are
144 relevant to ICTs in general and protocols and standards in particular
145 [Bless]: "The main source of the values of human rights is the
146 International Bill of Human Rights that is composed of the Universal
147 Declaration of Human Rights [UDHR] along with the International
148 Covenant on Civil and Political Rights [ICCPR] and the International
149 Covenant on Economic, Social and Cultural Rights [ICESCR]. In the
150 light of several cases of Internet censorship, the Human Rights
151 Council Resolution 20/8 was adopted in 2012 [UNHRC2016], affirming ".
152 . . that the same rights that people have offline must also be
153 protected online. . . " . In 2015, the Charter of Human Rights and
154 Principles for the Internet [IRP] was developed and released.
155 According to these documents, some examples of human rights relevant
156 for ICT systems are human dignity (Art. 1 UDHR), non-discrimination
157 (Art. 2), rights to life, liberty and security (Art. 3), freedom of
158 opinion and expression (Art. 19), freedom of assembly and association
159 (Art. 20), rights to equal protection, legal remedy, fair trial, due
160 process, presumed innocent (Art. 7-11), appropriate social and
161 international order (Art. 28), participation in public affairs (Art.
162 21), participation in cultural life, protection of intellectual
163 property (Art. 27), and privacy (Art. 12)." A partial catalog of
164 human rights related to ICTs, including economic rights, can be found
165 in [Hill2014].
167 This is by no means an attempt to exclude specific rights or
168 prioritize some rights over others. If other rights seem relevant,
169 please contact the authors.
171 3.2. Guidelines for human rights considerations
173 This section provides guidance for document authors in the form of a
174 questionnaire about protocols and their (potential) impact. The
175 questionnaire may be useful at any point in the design process,
176 particularly after document authors have developed a high-level
177 protocol model as described in [RFC4101]. These guidelines do not
178 seek to replace any existing referenced specifications, but rather
179 contribute to them and look at the design process from a human rights
180 perspective.
182 Protocols and Internet Standard might benefit from a documented
183 discussion of potential human rights risks arising from potential
184 misapplications of the protocol or technology described in the RFC.
185 This might be coupled with an Applicability Statement for that RFC.
187 Note that the guidance provided in this section does not recommend
188 specific practices. The range of protocols developed in the IETF is
189 too broad to make recommendations about particular uses of data or
190 how human rights might be balanced against other design goals.
191 However, by carefully considering the answers to the following
192 questions, document authors should be able to produce a comprehensive
193 analysis that can serve as the basis for discussion on whether the
194 protocol adequately takes specific human rights threats into account.
195 This guidance is meant to help the thought process of a human rights
196 analysis; it does not provide specific directions for how to write a
197 human rights protocol considerations section (following the example
198 set in [RFC6973]), and the addition of a human rights protocol
199 considerations section has also not yet been proposed. In
200 considering these questions, authors will need to be aware of the
201 potential of technical advances or the passage of time to undermine
202 protections. In general, considerations of rights are likely to be
203 more effective if they are considered given a purpose and specific
204 use cases, rather than as abstract absolute goals.
206 3.2.1. Connectivity
208 Question(s): Does your protocol add application-specific functions to
209 intermediary nodes? Could this functionality be added to end nodes
210 instead of intermediary nodes? Is your protocol optimized for low
211 bandwidth and high latency connections? Could your protocol also be
212 developed in a stateless manner?
214 Explanation: The end-to-end principle [Saltzer] holds that 'the
215 intelligence is end to end rather than hidden in the network'
216 [RFC1958]. The end-to-end principle is important for the robustness
217 of the network and innovation. Such robustness of the network is
218 crucial to enabling human rights like freedom of expression.
220 Example: Middleboxes (which can be Content Delivery Networks,
221 Firewalls, NATs or other intermediary nodes that provide other
222 'services' than routing) serve many legitimate purposes. But the
223 protocols guiding them, can influence individuals' ability to
224 communicate online freely and privately. The potential for abuse and
225 intentional and unintentional censoring and limiting permissionless
226 innovation, and thus ultimately the impact of middleboxes on the
227 Internet as a place of unfiltered, unmonitored freedom of speech, is
228 real.
230 Impacts:
232 - Right to freedom of expression
234 - Right to freedom of assembly and association
236 3.2.2. Privacy
238 Question(s): Did you have a look at the Guidelines in the Privacy
239 Considerations for Internet Protocols [RFC6973] section 7? Could
240 your protocol in any way impact the confidentiality of protocol
241 metadata? Could your protocol counter traffic analysis? Could your
242 protocol improve data minimization? Does your document identify
243 potentially sensitive logged data by your protocol and/or for how
244 long that needs to be retained for technical reasons?
246 Explanation: Privacy refers to the right of an entity (normally a
247 person), acting in its own behalf, to determine the degree to which
248 it will interact with its environment, including the degree to which
249 the entity is willing to share its personal information with others.
250 [RFC4949]. If a protocol provides insufficient privacy protection it
251 may have a negative impact on freedom of expression as users self-
252 censor for fear of surveillance, or find themselves unable to express
253 themselves freely.
255 Example: See [RFC6973]
257 Impacts:
259 - Right to freedom of expression
261 - Right to non-discrimination
263 3.2.3. Content agnosticism
265 Question(s): If your protocol impacts packet handling, does it use
266 user data (packet data that is not included in the header)? Is it
267 making decisions based on the payload of the packet? Does your
268 protocol prioritize certain content or services over others in the
269 routing process ? Is the protocol transparent about the
270 prioritization that is made (if any)?
272 Explanation: Content agnosticism refers to the notion that network
273 traffic is treated identically regardless of payload, with some
274 exception where it comes to effective traffic handling, for instance
275 where it comes to delay tolerant or delay sensitive packets, based on
276 the header.
278 Example: Content agnosticism prevents payload-based discrimination
279 against packets. This is important because changes to this principle
280 can lead to a two-tiered Internet, where certain packets are
281 prioritized over others on the basis of their content. Effectively
282 this would mean that although all users are entitled to receive their
283 packets at a certain speed, some users become more equal than others.
285 Impacts:
287 - Right to freedom of expression
289 - Right to non-discrimination
291 - Right to equal protection
293 3.2.4. Security
295 Question(s): Did you have a look at Guidelines for Writing RFC Text
296 on Security Considerations [BCP72]? Have you found any "attacks that
297 are somewhat related to your protocol yet considered out of scope of
298 your document? Would these attacks be pertinent to the human rights
299 enabling features of the Internet (as described throughout this
300 document)?
302 Explanation: Most people speak of security as if it were a single
303 monolithic property of a protocol or system, however, upon reflection
304 one realizes that it is clearly not true. Rather, security is a
305 series of related but somewhat independent properties. Not all of
306 these properties are required for every application. Since
307 communications are carried out by systems and access to systems is
308 through communications channels, these goals obviously interlock, but
309 they can also be independently provided [BCP72].
311 Example: See [BCP72].
313 Impacts:
315 - Right to freedom of expression
317 - Right to freedom of assembly and association
319 - Right to non-discrimination
321 - Right to security
323 3.2.5. Internationalization
325 Question(s): Does your protocol have text strings that have to be
326 understood or entered by humans? Does your protocol allow Unicode?
327 If so, do you accept texts in one charset (which must be UTF-8), or
328 several (which is dangerous for interoperability)? If character sets
329 or encodings other than UTF-8 are allowed, does your protocol mandate
330 a proper tagging of the charset? Did you have a look at [RFC6365]?
331 Explanation: Internationalization refers to the practice of making
332 protocols, standards, and implementations usable in different
333 languages and scripts (see Localization). In the IETF,
334 internationalization means to add or improve the handling of non-
335 ASCII text in a protocol. [RFC6365] A different perspective, more
336 appropriate to protocols that are designed for global use from the
337 beginning, is the definition used by W3C:
339 "Internationalization is the design and development of a
340 product, application or document content that enables easy
341 localization for target audiences that vary in culture, region,
342 or language." {{W3Ci18nDef}}
344 Many protocols that handle text only handle one charset (US-ASCII),
345 or leave the question of what CCS and encoding are used up to local
346 guesswork (which leads, of course, to interoperability problems). If
347 multiple charsets are permitted, they must be explicitly identified
348 [RFC2277]. Adding non-ASCII text to a protocol allows the protocol
349 to handle more scripts, hopefully representing users across the
350 world. In today's world, that is normally best accomplished by
351 allowing Unicode encoded in UTF-8 only.
353 In the current IETF policy [RFC2277], internationalization is aimed
354 at user-facing strings, not protocol elements, such as the verbs used
355 by some text-based protocols. (Do note that some strings are both
356 content and protocol elements, such as the identifiers.) If the
357 Internet wants to be a global network of networks, the protocols
358 should work with other languages than English and other character
359 sets than latin characters. It is therefore crucial that at least
360 the content carried by the protocol can be in any script, and that
361 all scripts are treated equally.
363 Example: See localization
365 Impacts:
367 - Right to freedom of expression
369 - Right to political participation
371 - Right to participate in cultural life, arts and science
373 3.2.6. Censorship resistance
375 Question(s): Does this protocol introduce new identifiers or reuse
376 existing identifiers (e.g. MAC addresses) that might be associated
377 with persons or content? Does your protocol make it apparent or
378 transparent when access to a resource it restricted? Can your
379 protocol contribute to filtering in a way it could be implemented to
380 censor data or services? Could this be designed to ensure this
381 doesn't happen?
383 Explanation: Censorship resistance refers to the methods and measures
384 to prevent Internet censorship.
386 Example: In the development of the IPv6 protocol it was discussed to
387 embed a Media Access Control (MAC) address into unique IP addresses.
388 This would make it possible for 'eavesdroppers and other information
389 collectors to identify when different addresses used in different
390 transactions actually correspond to the same node. [RFC4941] This is
391 why Privacy Extensions for Stateless Address Autoconfiguration in
392 IPv6 have been introduced. [RFC4941]
394 Identifiers of content exposed within a protocol might be used to
395 facilitate censorship, as in the case of Application Layer based
396 censorship, which affects protocols like HTTP. Denial or restriction
397 of access can be made apparent by the use of status code 451 - which
398 allows server operators to operate with greater transparency in
399 circumstances where issues of law or public policy affect their
400 operation [RFC7725].
402 Impacts:
404 - Right to freedom of expression
406 - Right to political participation
408 - Right to participate in cultural life, arts and science
410 - Right to freedom of assembly and association
412 3.2.7. Open Standards
414 Question(s): Is your protocol fully documented in a way that it could
415 be easily implemented, improved, built upon and/or further developed?
416 Do you depend on proprietary code for the implementation, running or
417 further development of your protocol? Does your protocol favor a
418 particular proprietary specification over technically equivalent and
419 competing specification(s), for instance by making any incorporated
420 vendor specification "required" or "recommended" [RFC2026]? Do you
421 normatively reference another standard that is not available without
422 cost (and could it possible be done without)? Are you aware of any
423 patents that would prevent your standard from being fully implemented
424 [RFC3979] [RFC6701]?
425 Explanation: The Internet was able to be developed into the global
426 network of networks because of the existence of open, non-proprietary
427 standards [Zittrain]. They are crucial for enabling
428 interoperability. Yet, open standards are not explicitly defined
429 within the IETF. On the subject, [RFC2026] states: Various national
430 and international standards bodies, such as ANSI, ISO, IEEE, and ITU-
431 T, develop a variety of protocol and service specifications that are
432 similar to Technical Specifications defined at the IETF. National
433 and international groups also publish "implementors' agreements" that
434 are analogous to Applicability Statements, capturing a body of
435 implementation-specific detail concerned with the practical
436 application of their standards. All of these are considered to be
437 "open external standards" for the purposes of the Internet Standards
438 Process. Similarly, [RFC3935] does not define open standards but
439 does emphasize the importance of 'open process': any interested
440 person can participate in the work, know what is being decided, and
441 make his or her voice heard on the issue. Part of this principle is
442 the IETF's commitment to making its documents, WG mailing lists,
443 attendance lists, and meeting minutes publicly available on the
444 Internet.
446 Open standards are important as they allow for permissionless
447 innovation, which is important to maintain the freedom and ability to
448 freely create and deploy new protocols on top of the communications
449 constructs that currently exist. It is at the heart of the Internet
450 as we know it, and to maintain its fundamentally open nature, we need
451 to be mindful of the need for developing open standards.
453 All standards that need to be normatively implemented should be
454 freely available and with reasonable protection for patent
455 infringement claims, so it can also be implemented in open source or
456 free software. Patents have often held back open standardization or
457 been used against those deploying open standards, particularly in the
458 domain of cryptography [newegg]. An exemption of this is sometimes
459 made when a protocol is standardized that normatively relies on
460 speficiations produced by others SDOs that are not freely available.
461 Patents in open standards or in normative references to other
462 standards should have a patent disclosure [notewell], royalty-free
463 licensing [patentpolicy], or some other form of reasonable
464 protection. Reasonable patent protection should includes but is not
465 limited to cryptographic primitives.
467 Example: [RFC6108] describes a system for providing critical end-user
468 notifications to web browsers, which has been deployed by Comcast, an
469 Internet Service Provider (ISP). Such a notification system is being
470 used to provide near-immediate notifications to customers, such as to
471 warn them that their traffic exhibits patterns that are indicative of
472 malware or virus infection. There are other proprietary systems that
473 can perform such notifications, but those systems utilize Deep Packet
474 Inspection (DPI) technology. In contrast to DPI, this document
475 describes a system that does not rely upon DPI, and is instead based
476 in open IETF standards and open source applications.
478 Impacts:
480 - Right to freedom of expression
482 - Right to participate in cultural life, arts and science
484 3.2.8. Heterogeneity Support
486 Question(s): Does your protocol support heterogeneity by design?
487 Does your protocol allow for multiple types of hardware? Does your
488 protocol allow for multiple types of application protocols? Is your
489 protocol liberal in what it receives and handles? Will it remain
490 usable and open if the context changes? Does your protocol allow
491 there to be well-defined extension points? Do these extension points
492 allow for open innovation?
494 Explanation: The Internet is characterized by heterogeneity on many
495 levels: devices and nodes, router scheduling algorithms and queue
496 management mechanisms, routing protocols, levels of multiplexing,
497 protocol versions and implementations, underlying link layers (e.g.,
498 point-to-point, multi-access links, wireless, FDDI, etc.), in the
499 traffic mix and in the levels of congestion at different times and
500 places. Moreover, as the Internet is composed of autonomous
501 organizations and Internet service providers, each with their own
502 separate policy concerns, there is a large heterogeneity of
503 administrative domains and pricing structures. As a result, the
504 heterogeneity principle proposed in [RFC1958] needs to be supported
505 by design [FIArch].
507 Example: Heterogeneity is inevitable and needs be supported by
508 design. Multiple types of hardware must be allowed for, e.g.
509 transmission speeds differing by at least 7 orders of magnitude,
510 various computer word lengths, and hosts ranging from memory-starved
511 microprocessors up to massively parallel supercomputers. Multiple
512 types of application protocol must be allowed for, ranging from the
513 simplest such as remote login up to the most complex such as
514 distributed databases [RFC1958].
516 Impacts:
518 - Right to freedom of expression
520 - Right to political participtation
522 3.2.9. Pseudonymity
524 Question(s): Have you considered the Privacy Considerations for
525 Internet Protocols [RFC6973], especially section 6.1.2 ? Does the
526 protocol collect personally derived data? Does the protocol generate
527 or process anything that can be, or be tightly correlated with,
528 personally identifiable information? Does the protocol utilize data
529 that is personally-derived, i.e. derived from the interaction of a
530 single person, or their device or address? Does this protocol
531 generate personally derived data, and if so how will that data be
532 handled?
534 Explanation: Pseudonymity - the ability to use a persistent
535 identifier not linked to one's offline identity" straight away - is
536 an important feature for many end-users, as it allows them different
537 degrees of disguised identity and privacy online.
539 Example: Designing a standard that exposes personal data, it is
540 important to consider ways to mitigate the obvious impacts. While
541 pseudonyms cannot be simply reverse engineered - some early
542 approaches simply took approaches such as simple hashing of IP
543 addreses, these could then be simply reversed by generating a hash
544 for each potential IP address and comparing it to the pseudonym -
545 limiting the exposure of personal data remains important.
547 Pseudonymity means using a pseudonym instead of one's "real" name.
548 There are many reasons for users to use pseudoyms, for instance to:
549 hide their gender, protect themselves against harassment, protect
550 their families' privacy, frankly discuss sexuality, or develop a
551 artistic or journalistic persona without retribution from an
552 employer, (potential) customers, or social surrounding.
553 [geekfeminism] The difference between anonymity and pseudonymity is
554 that a pseudonym often is persistent. "Pseudonymity is strengthened
555 when less personal data can be linked to the pseudonym; when the same
556 pseudonym is used less often and across fewer contexts; and when
557 independently chosen pseudonyms are more frequently used for new
558 actions (making them, from an observer's or attacker's perspective,
559 unlinkable)." [RFC6973]
561 Impacts:
563 - Right to non-discrimination
565 - Right to freedom of assembly and association
567 3.2.10. Accessibility
569 Question(s): Is your protocol designed to provide an enabling
570 environment for people who are not able-bodied? Have you looked at
571 the W3C Web Accessibility Initiative for examples and guidance?
573 Explanation: The Internet is fundamentally designed to work for all
574 people, whatever their hardware, software, language, culture,
575 location, or physical or mental ability. When the Internet meets
576 this goal, it is accessible to people with a diverse range of
577 hearing, movement, sight, and cognitive ability [W3CAccessibility].
578 Sometimes in the design of protocols, websites, web technologies, or
579 web tools, barriers are created that exclude people from using the
580 Web.
582 Example: The HTML protocol as defined in [HTML5] specifically
583 requires that every image must have an alt attribute (with a few
584 exceptions) to ensure images are accessible for people that cannot
585 themselves decipher non-text content in web pages.
587 Impacts:
589 - Right to non-discrimination
591 - Right to freedom of assembly and association
593 - Right to education
595 - Right to political participation
597 3.2.11. Localization
599 Question(s): Does your protocol uphold the standards of
600 internationalization? Have made any concrete steps towards
601 localizing your protocol for relevant audiences?
603 Explanation: Localization refers to the adaptation of a product,
604 application or document content to meet the language, cultural and
605 other requirements of a specific target market (a locale)
606 [W3Ci18nDef]. It is also described as the practice of translating an
607 implementation to make it functional in a specific language or for
608 users in a specific locale (see Internationalization).
610 Example: The Internet is a global medium, but many of its protocols
611 and products are developed with a certain audience in mind, that
612 often share particular characteristics like knowing how to read and
613 write in ASCII and knowing English. This limits the ability of a
614 large part of the world's online population from using the Internet
615 in a way that is culturally and linguistically accessible. An
616 example of a protocol that has taken into account the view that
617 individuals like to have access to data in their native language can
618 be found in [RFC5646]. This protocol labels the information content
619 with an identifier for the language in which it is written. And this
620 allows information to be presented in more than one language.
622 Impacts:
624 - Right to non-discrimination
626 - Right to participate in cultural life, arts and science
628 - Right to freedom of expression
630 3.2.12. Decentralization
632 Question(s): Can your protocol be implemented without one single
633 point of control? If applicable, can your protocol be deployed in a
634 federated manner? What is the potential for discrimination against
635 users of your protocol? How can the use of your protocol be used to
636 implicate users? Does your protocol create additional centralized
637 points of control?
639 Explanation: Decentralization is one of the central technical
640 concepts of the architecture of the networks, and embraced as such by
641 the IETF [RFC3935]. It refers to the absence or minimization of
642 centralized points of control; a feature that is assumed to make it
643 easy for new users to join and new uses to unfold [Brown]. It also
644 reduces issues surrounding single points of failure, and distributes
645 the network such that it continues to function if one or several
646 nodes are disabled. With the commercialization of the Internet in
647 the early 1990's there has been a slow move to move away from
648 decentralization, to the detriment of the technical benefits of
649 having a decentralized Internet.
651 Example: The bits traveling the Internet are increasingly susceptible
652 to monitoring and censorship, from both governments and Internet
653 service providers, as well as third (malicious) parties. The ability
654 to monitor and censor is further enabled by the increased
655 centralization of the network that creates central infrastructure
656 points that can be tapped in to. The creation of peer-to-peer
657 networks and the development of voice-over-IP protocols using peer-
658 to-peer technology in combination with distributed hash table (DHT)
659 for scalability are examples of how protocols can preserve
660 decentralization [Pouwelse].
662 Impacts:
664 - Right to freedom of expression
666 - Right to freedom of assembly and association
668 3.2.13. Reliability
670 Question(s): Is your protocol fault tolerant? Does it degrade
671 gracefully? Can your protocol resist malicious degradation attempts?
672 Do you have a documented way to announce degradation? Do you have
673 measures in place for recovery or partial healing from failure? Can
674 your protocol maintain dependability and performance in the face of
675 unanticipated changes or circumstances?
677 Explanation: Reliability ensures that a protocol will execute its
678 function consistently and error resistant as described, and function
679 without unexpected result. A system that is reliable degenerates
680 gracefully and will have a documented way to announce degradation.
681 It also has mechanisms to recover from failure gracefully, and if
682 applicable, allow for partial healing. It is important here to draw
683 a distinction between random degradation and malicious degradation.
684 Many current attacks against TLS, for example, exploit TLS's ability
685 to gracefully degrade to older cipher suites - from a functional
686 perspective, this is good. From a security perspective, this can be
687 very bad. As with confidentiality, the growth of the Internet and
688 fostering innovation in services depends on users having confidence
689 and trust [RFC3724] in the network. For reliability it is necessary
690 that services notify the users if a delivery fails. In the case of
691 real-time systems in addition to the reliable delivery the protocol
692 needs to safeguard timeliness.
694 Example: In the modern IP stack structure, a reliable transport layer
695 requires an indication that transport processing has successfully
696 completed, such as given by TCP's ACK message [RFC0793], and not
697 simply an indication from the IP layer that the packet arrived.
698 Similarly, an application layer protocol may require an application-
699 specific acknowledgement that contains, among other things, a status
700 code indicating the disposition of the request (See [RFC3724]).
702 Impacts:
704 - Right to freedom of expression
706 - Right to security
708 3.2.14. Confidentiality
710 Question(s): Does this protocol expose information related to
711 identifiers or data? If so, does it do so to each other protocol
712 entity (i.e., recipients, intermediaries, and enablers) [RFC6973]?
713 What options exist for protocol implementers to choose to limit the
714 information shared with each entity? What operational controls are
715 available to limit the information shared with each entity?
717 What controls or consent mechanisms does the protocol define or
718 require before personal data or identifiers are shared or exposed via
719 the protocol? If no such mechanisms or controls are specified, is it
720 expected that control and consent will be handled outside of the
721 protocol?
723 Does the protocol provide ways for initiators to share different
724 pieces of information with different recipients? If not, are there
725 mechanisms that exist outside of the protocol to provide initiators
726 with such control?
728 Does the protocol provide ways for initiators to limit which
729 information is shared with intermediaries? If not, are there
730 mechanisms that exist outside of the protocol to provide users with
731 such control? Is it expected that users will have relationships that
732 govern the use of the information (contractual or otherwise) with
733 those who operate these intermediaries? Does the protocol prefer
734 encryption over clear text operation?
736 Does the protocol provide ways for initiators to express individuals'
737 preferences to recipients or intermediaries with regard to the
738 collection, use, or disclosure of their personal data?
740 Explanation: Confidentiality refers to keeping your data secret from
741 unintended listeners [BCP72]. The growth of the Internet depends on
742 users having confidence that the network protects their personal data
743 [RFC1984].
745 Example: Protocols that do not encrypt their payload make the entire
746 content of the communication available to the idealized attacker
747 along their path. Following the advice in [RFC3365], most such
748 protocols have a secure variant that encrypts the payload for
749 confidentiality, and these secure variants are seeing ever-wider
750 deployment. A noteworthy exception is DNS [RFC1035], as DNSSEC
751 [RFC4033]does not have confidentiality as a requirement. This
752 implies that, in the absence of changes to the protocol as presently
753 under development in the IETF's DNS Private Exchange (DPRIVE) working
754 group, all DNS queries and answers generated by the activities of any
755 protocol are available to the attacker. When store-and-forward
756 protocols are used (e.g., SMTP [RFC5321]), intermediaries leave this
757 data subject to observation by an attacker that has compromised these
758 intermediaries, unless the data is encrypted end-to-end by the
759 application-layer protocol or the implementation uses an encrypted
760 store for this data [RFC7624].
762 Impacts:
764 - Right to privacy
766 - Right to security
768 3.2.15. Integrity
770 Question(s): Does your protocol maintain, assure and/or verify the
771 accuracy of payload data? Does your protocol maintain and assure the
772 consistency of data? Does your protocol in any way allow for the
773 data to be (intentionally or unintentionally) altered?
775 Explanation: Integrity refers to the maintenance and assurance of the
776 accuracy and consistency of data to ensure it has not been
777 (intentionally or unintentionally) altered.
779 Example: Integrity verification of data is important to prevent
780 vulnerabilities and attacks, like man-in-the-middle-attacks. These
781 attacks happen when a third party (often for malicious reasons)
782 intercepts a communication between two parties, inserting themselves
783 in the middle changing the content of the data. In practice this
784 looks as follows:
786 Alice wants to communicate with Bob.
787 Corinne forges and sends a message to Bob, impersonating Alice. Bob
788 cannot see the data from Alice was altered by Corinne.
789 Corinne intercepts and alters the communication as it is sent between
790 Alice and Bob.
791 Corinne is able to control the communication content.
793 Impacts:
795 - Right to freedom of expression
797 - Right to security
799 3.2.16. Authenticity
801 Question(s): Do you have sufficient measures to confirm the truth of
802 an attribute of a single piece of data or entity? Can the attributes
803 get garbled along the way (see security)? If relevant have you
804 implemented IPsec, DNSsec, HTTPS and other Standard Security Best
805 Practices?
807 Explanation: Authenticity ensures that data does indeed come from the
808 source it claims to come from. This is important to prevent certain
809 attacks or unauthorized access and use of data.
811 Example: Authentication of data is important to prevent
812 vulnerabilities and attacks, like man-in-the-middle-attacks. These
813 attacks happen when a third party (often for malicious reasons)
814 intercepts a communication between two parties, inserting themselves
815 in the middle and posing as both parties. In practice this looks as
816 follows:
818 Alice wants to communicate with Bob.
819 Alice sends data to Bob.
820 Corinne intercepts the data sent to Bob.
821 Corinne reads (and potentially alters) the message to Bob.
822 Bob cannot see the data did not come from Alice but from Corinne.
824 When there is proper authentication the scenario would be as follows:
826 Alice wants to communicate with Bob.
827 Alice sends data to Bob.
828 Corinne intercepts the data sent to Bob.
829 Corinne reads and alters the message to Bob.
830 Bob can see the data did not come from Alice but from Corinne.
832 Impacts:
834 - Right to privacy
836 - Right to freedom of expression
838 - Right to security
840 3.2.17. Adaptability
842 Question(s): Is your protocol written in such a way that is would be
843 easy for other protocols to be developed on top of it, or to interact
844 with it? Does your protocol impact permissionless innovation? See
845 'Connectivity' above.
847 Explanation: Adaptability is closely interrelated with permissionless
848 innovation, both maintain the freedom and ability to freely create
849 and deploy new protocols on top of the communications constructs that
850 currently exist. It is at the heart of the Internet as we know it,
851 and to maintain its fundamentally open nature, we need to be mindful
852 of the impact of protocols on maintaining or reducing permissionless
853 innovation to ensure the Internet can continue to develop.
855 Example: WebRTC generates audio and/or video data. In order to
856 ensure that WebRTC can be used in different locations by different
857 parties it is important that standard Javascript APIs are developed
858 to support applications from different voice service providers.
859 Multiple parties will have similar capabilities, in order to ensure
860 that all parties can build upon existing standards these need to be
861 adaptable, and allow for permissionless innovation.
863 Impacts:
865 - Right to education
867 - Freedom of expression
869 - Freedom of assembly and association
871 3.2.18. Outcome Transparency
873 Question(s): Are the effects of your protocol fully and easily
874 comprehensible, including with respect to unintended consequences of
875 protocol choices?
877 Explanation: certain technical choice may have unintended
878 consequences.
880 Example: lack of authenticity may lead to lack of integrity and
881 negative externalities, of which spam is an example. Lack of data
882 that could be used for billing and accounting can lead to so-called
883 "free" arrangements which obscure the actual costs and distribution
884 of the costs, for example the barter arrangements that are commonly
885 used for Internet interconnection; and the commercial exploitation of
886 personal data for targeted advertising which is the most common
887 funding model for the so-called "free" services such as search
888 engines and social networks.
890 Impacts: - Freedom of expression - Privacy - Freedom of assembly and
891 association - Access to information
893 3.2.19. Anonymity
895 Example: Often protocols expose personal data, it is important to
896 consider ways to mitigate the obvious privacy impacts. A protocol
897 that uses data that could help identify a sender (items of interest)
898 should be protected from third parties. For instance if one wants to
899 hide the source/destination IP addresses of a packet, the use of
900 IPsec in tunneling mode (e.g., inside a virtual private network) can
901 be helpful to protect from third parties likely to eavesdrop packets
902 exchanged between the tunnel endpoints.
904 Question(s): Does you protocol make use of persistent identifiers?
905 Can it be done without them? If your protocol collects data and
906 distributes it (see [RFC6235]), you should anonymize the data, but
907 keep in mind that "anonymizing" data is notoriously hard. Do not
908 think that just dropping the last byte of an IP address "anonymizes"
909 data. If your protocol allows for identity management, there should
910 be a clear barrier between the identities to ensure that they cannot
911 (easily) be associated with each other. Did you have a look at the
912 Privacy Considerations for Internet Protocols [RFC6973], especially
913 section 6.1.1 ?
915 Explanation: Anonymity refers to the condition of an identity being
916 unknown or concealed [RFC4949]. Even though full anonymity is hard
917 to achieve, it is a non-binary concept. Making pervasive monitoring
918 and tracking harder is important for many users as well as for the
919 IETF [RFC7258]. Achieving a higher level of anonymity is an
920 important feature for many end-users, as it allows them different
921 degrees of privacy online. Anonymity is an inherent part of the
922 right to freedom of opinion and expression and the right to privacy.
923 Avoid adding identifiers, options or configurations that create or
924 might lead to patterns or regularities that are not explicitely
925 required by the protocol.
927 Example: An example is DHCP where sending a persistent identifier as
928 the client name was not mandatory but, in practice, done by many
929 implementations, before [RFC7844].
931 Impacts:
933 - Right to non-discrimination
935 - Right to political participation
937 - Right to freedom of assembly and association
939 - Right to security
941 4. Document Status
943 5. Acknowledgements
944 6. Security Considerations
946 As this document concerns a research document, there are no security
947 considerations.
949 7. IANA Considerations
951 This document has no actions for IANA.
953 8. Research Group Information
955 The discussion list for the IRTF Human Rights Protocol Considerations
956 Research Group is located at the e-mail address hrpc@ietf.org [1].
957 Information on the group and information on how to subscribe to the
958 list is at https://www.irtf.org/mailman/listinfo/hrpc
960 Archives of the list can be found at: https://www.irtf.org/mail-
961 archive/web/hrpc/current/index.html
963 9. References
965 9.1. Informative References
967 [BCP72] IETF, "Guidelines for Writing RFC Text on Security
968 Considerations", 2003, .
971 [Bless] Bless, R. and C. Orwat, "Values and Networks", 2015.
973 [Brown] Brown, I. and M. Ziewitz, "A Prehistory of Internet
974 Governance", Research Handbook on Governance of the
975 Internet. Cheltenham, Edward Elgar. , 2013.
977 [FIArch] "Future Internet Design Principles", January 2012,
978 .
981 [geekfeminism]
982 Geek Feminism Wiki, "Pseudonymity", 2015,
983 .
985 [Hill2014]
986 Hill, R., "Partial Catalog of Human Rights Related to ICT
987 Activities", 2014,
988 .
990 [HTML5] W3C, "HTML5", 2014, .
992 [ICCPR] United Nations General Assembly, "International Covenant
993 on Civil and Political Rights", 1976,
994 .
997 [ICESCR] United Nations General Assembly, "International Covenant
998 on Economic, Social and Cultural Rights", 1966,
999 .
1002 [IRP] Internet Rights and Principles Dynamic Coalition, "10
1003 Internet Rights & Principles", 2014,
1004 .
1008 [newegg] Mullin, J., "Newegg on trial: Mystery company TQP rewrites
1009 the history of encryption", 2013, .
1013 [notewell]
1014 IETF, "Note Well", 2015, .
1017 [patentpolicy]
1018 W3C, "W3C Patent Policy", 2004,
1019 .
1021 [Penney] Penney, J., "Chilling Effects: Online Surveillance and
1022 Wikipedia Use", 2016, .
1025 [Pouwelse]
1026 Pouwelse, Ed, J., "Media without censorship", 2012,
1027 .
1030 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
1031 RFC 793, DOI 10.17487/RFC0793, September 1981,
1032 .
1034 [RFC1035] Mockapetris, P., "Domain names - implementation and
1035 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
1036 November 1987, .
1038 [RFC1958] Carpenter, B., Ed., "Architectural Principles of the
1039 Internet", RFC 1958, DOI 10.17487/RFC1958, June 1996,
1040 .
1042 [RFC1984] IAB and IESG, "IAB and IESG Statement on Cryptographic
1043 Technology and the Internet", BCP 200, RFC 1984,
1044 DOI 10.17487/RFC1984, August 1996, .
1047 [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
1048 3", BCP 9, RFC 2026, DOI 10.17487/RFC2026, October 1996,
1049 .
1051 [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and
1052 Languages", BCP 18, RFC 2277, DOI 10.17487/RFC2277,
1053 January 1998, .
1055 [RFC3365] Schiller, J., "Strong Security Requirements for Internet
1056 Engineering Task Force Standard Protocols", BCP 61,
1057 RFC 3365, DOI 10.17487/RFC3365, August 2002,
1058 .
1060 [RFC3724] Kempf, J., Ed., Austein, R., Ed., and IAB, "The Rise of
1061 the Middle and the Future of End-to-End: Reflections on
1062 the Evolution of the Internet Architecture", RFC 3724,
1063 DOI 10.17487/RFC3724, March 2004, .
1066 [RFC3935] Alvestrand, H., "A Mission Statement for the IETF",
1067 BCP 95, RFC 3935, DOI 10.17487/RFC3935, October 2004,
1068 .
1070 [RFC3979] Bradner, S., Ed., "Intellectual Property Rights in IETF
1071 Technology", RFC 3979, DOI 10.17487/RFC3979, March 2005,
1072 .
1074 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1075 Rose, "DNS Security Introduction and Requirements",
1076 RFC 4033, DOI 10.17487/RFC4033, March 2005,
1077 .
1079 [RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101,
1080 DOI 10.17487/RFC4101, June 2005, .
1083 [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy
1084 Extensions for Stateless Address Autoconfiguration in
1085 IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007,
1086 .
1088 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
1089 FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
1090 .
1092 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
1093 DOI 10.17487/RFC5321, October 2008, .
1096 [RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying
1097 Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646,
1098 September 2009, .
1100 [RFC6108] Chung, C., Kasyanov, A., Livingood, J., Mody, N., and B.
1101 Van Lieu, "Comcast's Web Notification System Design",
1102 RFC 6108, DOI 10.17487/RFC6108, February 2011,
1103 .
1105 [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization
1106 Support", RFC 6235, DOI 10.17487/RFC6235, May 2011,
1107 .
1109 [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in
1110 Internationalization in the IETF", BCP 166, RFC 6365,
1111 DOI 10.17487/RFC6365, September 2011, .
1114 [RFC6701] Farrel, A. and P. Resnick, "Sanctions Available for
1115 Application to Violators of IETF IPR Policy", RFC 6701,
1116 DOI 10.17487/RFC6701, August 2012, .
1119 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
1120 Morris, J., Hansen, M., and R. Smith, "Privacy
1121 Considerations for Internet Protocols", RFC 6973,
1122 DOI 10.17487/RFC6973, July 2013, .
1125 [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
1126 Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
1127 2014, .
1129 [RFC7624] Barnes, R., Schneier, B., Jennings, C., Hardie, T.,
1130 Trammell, B., Huitema, C., and D. Borkmann,
1131 "Confidentiality in the Face of Pervasive Surveillance: A
1132 Threat Model and Problem Statement", RFC 7624,
1133 DOI 10.17487/RFC7624, August 2015, .
1136 [RFC7725] Bray, T., "An HTTP Status Code to Report Legal Obstacles",
1137 RFC 7725, DOI 10.17487/RFC7725, February 2016,
1138 .
1140 [RFC7844] Huitema, C., Mrugalski, T., and S. Krishnan, "Anonymity
1141 Profiles for DHCP Clients", RFC 7844,
1142 DOI 10.17487/RFC7844, May 2016, .
1145 [RFC8280] ten Oever, N. and C. Cath, "Research into Human Rights
1146 Protocol Considerations", RFC 8280, DOI 10.17487/RFC8280,
1147 October 2017, .
1149 [Saltzer] Saltzer, J., Reed, D., and D. Clark, "End-to-End Arguments
1150 in System Design", ACM TOCS, Vol 2, Number 4, November
1151 1984, pp 277-288. , 1984.
1153 [UDHR] United Nations General Assembly, "The Universal
1154 Declaration of Human Rights", 1948,
1155 .
1157 [UNHRC2016]
1158 United Nations Human Rights Council, "UN Human Rights
1159 Council Resolution "The promotion, protection and
1160 enjoyment of human rights on the Internet" (A/HRC/32/
1161 L.20)", 2016, .
1165 [W3CAccessibility]
1166 W3C, "Accessibility", 2015,
1167 .
1169 [W3Ci18nDef]
1170 W3C, "Localization vs. Internationalization", 2010,
1171 .
1173 [Zittrain]
1174 Zittrain, J., "The Future of the Internet - And How to
1175 Stop It", Yale University Press , 2008,
1176 .
1179 9.2. URIs
1181 [1] mailto:hrpc@ietf.org
1183 Author's Address
1185 Niels ten Oever
1186 ARTICLE 19
1188 EMail: mail@nielstenoever.net