[discuss] What kind of "governance" do you want? (was Re: What is MSism?)

Mon Mar 31 11:13:59 UTC 2014

Hi Andrea,

On 03/31/2014 06:33 AM, Andrea Glorioso wrote:
> Dear Stephen,
> 
> On Sunday, March 30, 2014, Stephen Farrell <stephen.farrell at cs.tcd.ie>
> wrote:
>>
>>
>> I figure we do want and need to do better in how the
>> Internet is run, e.g. in terms of getting requirements from
>> less well connected parts of the world, or in terms of
>> figuring out whatever it is that the EU commission want
>> when they talk about taking public policy into account
>> when developing technical standards (which totally puzzles
>> me at least;-).
>>
> 
> I'm puzzled that you, of all, are puzzled. :)

Well, I'm constantly puzzled by all sorts of stuff. Its
just surprising I don't bump into things more often:-)

In this case though its interesting that you're puzzled
that I'm puzzled...

> How is this *not* "taking public policy into account when developing
> technical standards":
> https://datatracker.ietf.org/doc/draft-farrell-perpass-attack/ ?
> 
> (The fact that the document goes to great lengths to not take a position on
> the merits of what it defines "pervasive monitoring" does not, in my view,
> change the fact that such "pervasive monitoring" is, obviously, an issue of
> public policy of great importance, whatever opinion one might have about
> it).

The process of getting rough consensus on that document did
not at any stage involve assessing whether IETF participants
think that pervasive monitoring (PM) is morally wrong or anything
similar. I assume that it is the case that many of those who
support the document might well think that, but that's just
a baseless assumption really. I do know that some folks who
do think PM, as reported, is morally wrong did not support
this particular document.

What the IETF process did do was establish that there is a
rough consensus that the IETF need to take this technical
attack into account when designing protocols.

So from my perspective, the IETF did not explicitly take
(anyone's) public policy into account in handling this
document. Those people who commented on it probably did
consider public policy issues in deciding whether to make
technical comments and in terms of what to say but that's
very different. And of course given we had hundreds of
comments, I'd be happy to bet a beer that there's no way
to sensibly describe something called a single "public
policy" that all those folks took into account.

> How is this *not* taking steps to facilitate a structured conversation
> (using more than a mailing list) about technical issues with public policy
> implications: https://trac.tools.ietf.org/group/ppm-legacy-review/ ?

(That good idea btw was originally suggested by Christian Huitema
and Avri Doria and Scott Brim have done great work to help get
those reviews started.)

That process is aiming to have folks review existing RFCs to see
if there are places we can do better on PM and privacy. (And we
know there are.) Given that we consider both PM and privacy
as things with technical meaning (albeit perhaps without utterly
"crisp" definitions) we can do those reviews from a technical
point of view and as above without (as a group) considering
anyone's specific public policy.

If people with an interest in public policy (a term that also
puzzles me since I don't know what it does not encompass;-) want
to jump in and help, that's great, assuming they do technical
reviews and make sound technical points when they write up those
reviews. A review that simply stated "RFCnnnn section x.y runs
counter to pulic-policy-foo" would be fairly useless I think.
Or if such public-policy-people wanted to pay a pointy-head-tech
to do such some reviews of RFCs they consider important that'd
also be just fine assuming we get good technical reviews done.

But none of the above has involved or involves the IETF asking
any question of anyone about public policy. The IETF at least
assume that those doing the technical work take that into account
themselves however they want, and we just look at the technical
output. (More or less what Andrew said up-thread.)

If you (i.e. the EU commission, or you personally) think that
that does mean the IETF are taking public policy into account
wonderfully then that would be fine by me, since we'd have been
doing whatever it is you want for about a decade and a half.
(I'm happy to be puzzled-but-content:-)

BTW, I've been told and accept that RFC2804 is a better
write up from this perspective in that it says things like
the above explicitly whereas draft-farrell-perpass-attack
doesn't as explicitly call that out in the text itself. And
before someone asks, no, I do not want to modify that
draft, it was quite enough work to get it done as-is thanks;-)

As a separate point, but related to the PM issue in general,
if someone were to ask any government or the EU commission what
they think about PM, I'm quite sure that the response would be
schizophrenic - it seems to me personally that most such
organisations want to both protect privacy but also to snoop
to the greatest extent they can (without being carelessly
caught;-) So even if there were some way for an organisation
like the IETF to "ask" for comment or involvement or whatever
I doubt there would be a single real answer to such a question
at least for this topic. In the EU case for example, I guess
we'd get quite different answers from those who are involved
in work on the privacy directive vs. those working on the
cybersecurity directive. I don't think that's at all specific
to the EU, btw, I'm sure similar issues arise everywhere.
And I also think that many IETF participants are aware of
all that, and do take it into account already.

> By the way, whether this is done with the "broad involvement of all
> stakeholders" is a different issue. I don't believe in this or other cases
> it has been or is currently the case, but I know well the opinion of most
> IETF participants as we discussed at length in the IAB InternetGovTech
> mailing list, where I still owe an answer or two to some people.

Yep, different sub-topic all right. And maybe better explored
via some other example since the relevant folks who argue to
snoop in all our countries are probably not going to turn
up openly as stakeholders. (Some of the relevant organisations
will turn up, but mainly wearing their information assurance
hats and will mostly be notably silent on the PM topic;-)

S.

> 
> Best,
> 
> Andrea
> 
> 