**Session Date/Time:** 04 Sep 2025 16:00 # [DULT](../wg/dult.html) ## Summary The DULT Working Group held its virtual interim meeting to discuss progress on the threat modeling document. Key updates were presented on clarifying scope, expanding attacker and victim taxonomies, introducing new "other" taxonomy characteristics, and refining the attack matrix. A significant discussion occurred regarding establishing consensus on risk levels within the attack matrix and the document's readiness for broader community review, with a target to publish a new version for external feedback within the next month. Considerations for diverse user contexts, such as reliable power/internet and device/account sharing, were also raised. ## Key Discussion Points * **Threat Modeling Document Updates:** * **Scope and Applicability:** Clarified to include small, non-discoverable Bluetooth-enabled accessories, with larger devices able to opt-in. Attacker profiles include those using native tracking applications, physically modifying tags (e.g., disabling speakers), or altering firmware/creating custom devices. Victim profiles encompass all levels of technological fluency and resources, accounting for potential lack of smartphone access or inability to install detection apps due to device monitoring. * **Attacker Characteristics Taxonomy:** Expanded to include proximity to victim (e.g., live together, relocated), level of motivation (low/high), and access to resources (financial, technological education, unethical private investigators). These are understood as spectra but discretized for modeling purposes. * **Victim Characteristics Taxonomy:** Enhanced with "expectation of unwanted tracking" (knows, suspects, or not expecting tracking), alongside existing tech savviness and access to resources. This new characteristic helps inform whether a victim might use active measures to find a tag. * **Other Taxonomy Characteristics (New):** Introduced "accessory usage" (attacker only, victim only, or both controlling tags) and "tag placement" (on person, in proximity, nearby but not for tracking causing false positives, or multiple tags/placement types). * **Refined Attack Matrix:** Factors now include scope (identifying which DULT documents—accessory, finding, network—are relevant), impact (low/medium/high), likelihood (low/medium/high), risk level (low/medium/high), affected users (victims only/all users), and mitigation availability. * **Consensus on Attack Matrix Risk Levels:** * A discussion arose regarding how the working group would reach consensus on the subjective low/medium/high ratings in the attack matrix and the potential impact on protocol design. * The chair, Sean, noted the challenge in adjudicating debates over specific risk levels. * Maggie, one of the document authors, indicated that the "scope" column aims to direct which DULT documents should address specific threats. She stated that the "risk level" column is most critical, as high-risk items demand significant attention, while low-risk items might be acknowledged with explanations in the security considerations sections of other documents if no specific mitigation is pursued. * Brent suggested adding clear justifications and potentially ranges for debatable risk levels within the document text to facilitate debate. * **Expanded Threats and Scenarios:** Scenarios were broadened to include stranger stalking situations and contexts where a victim controls a tag, or both attacker and victim control tags. The focus for technologies remains on Bluetooth, as no specific input for other technologies has been provided by the community. * **Future Steps for Threat Modeling Document:** * Questions were posed regarding the representativeness of current scenarios and potential omissions. * Consideration of balancing scenarios drawn from direct experience versus those derived from limited research data (e.g., UK domestic violence program statistics, which may have representation biases). * Identification of unique security considerations for unwanted location tracking beyond victim account access (listed as a To-Do). * Emphasis on incorporating the needs of non-tag owners who are potential victims, and tag owners who are not attackers, to ensure legitimate usage and privacy are maintained. * Commitment to continued revision of the taxonomy. * **Document Readiness for Wider Review:** * A poll of the room was taken for whether the document should be sent for wider community input, potentially leveraging contacts with researchers. * Jesse indicated willingness to contact Dr. Lean Tanzer regarding scenario input. * Maggie stated the document is "pretty close" to done, with remaining work on terminology, remote disablement, and a recent issue raised by Brent. She anticipated publishing a next version within the month, ready for broader sharing. * **Contextual Considerations:** Eva highlighted the importance of considering assumptions about reliable power/internet access and the notion of one device/account belonging to a single person, especially in the Global South and in contexts where account/device sharing is common in relationships. ## Decisions and Action Items * Christine volunteered to serve as scribe until 12:30. * Jesse/Maggie will coordinate contacting Dr. Lean Tanzer regarding input on scenarios from research data. * Maggie will address remaining items in the threat model document, including terminology, remote disablement, and an issue recently raised by Brent. * Chair Sean will encourage IETF volunteers to complete their reviews of the threat model document, with the aim of publishing a new version before the October 20th cutoff date for the next IETF meeting. * All working group participants are encouraged to review the current editor's copy of the threat model document on GitHub and provide comments via the mailing list or GitHub. ## Next Steps * Continue refining the threat modeling document based on internal review and the specific items identified (terminology, remote disablement, Brent's issue). * Publish the next version of the threat modeling document within the next month, making it available for broader community review and feedback outside of the IETF. * The chairs will consider the scheduling and feasibility of an in-person working group meeting in November.