Markdown Version | Session Recording

Session Date/Time: 28 Jul 2022 17:30

hrpc Meeting Minutes

Summary

The hrpc session featured two insightful presentations: one on the sustainability of computing and its broader ecological impacts, and another on understanding and responding to technology abuse, particularly in the context of intimate partner violence (IPV). Both speakers highlighted the need for the technical community to broaden its threat models and consider societal impacts beyond traditional technical metrics. The session also included updates and discussions on two working group documents: draft-irtf-hrpc-guidelines and draft-irtf-hrpc-association.

Key Discussion Points

Welcome and Logistics

• The chairs welcomed participants, both in-room and online, reminding them of IETF/IRTF policies (MeetEcho for queue, masks, Note Well).
• A call for note-takers was made, and Nick was thanked for volunteering.
• The IRTF's role in long-term research and publishing informational RFCs, focusing on the Universal Declaration of Human Rights (UDHR) and its overlap with internet standards, was reiterated. Specific focus areas include freedom of expression, freedom of association, and privacy (often in conjunction with pearg).

Speaker 1: Barath — "Computing Within Limits"

• Motivation: Barath shared his personal journey from traditional networking research to broader ecological sustainability, emphasizing the need for systems thinking.
• The "Limits to Growth" Context: He referenced the 1970s "Limits to Growth" study, which posited ecological limits and the dynamic interplay of feedback loops in social, economic, and technological systems.
• Energy and Climate Change: Discussed the increasing global energy footprint of computing and the societal challenge of transitioning from fossil fuels. He highlighted the "2000-watt lifestyle" as a sustainability target and the geopolitical/economic considerations of finite resources.
• Scaling Renewables Challenge: Citing Saul Griffith's analysis, he noted the immense physical infrastructure required to build out renewable energy (e.g., 100 square meters of solar PV built every second for 20 years to meet targets). Manufacturing capacity is currently insufficient, suggesting an overshoot on climate goals.
• Two Scenarios from "Limits to Growth": We are currently facing a simultaneous resource crisis (industrial/economic faltering due to insufficient non-renewable resources) and a pollution crisis (ecological overshoot leading to declining food production), as predicted by the updated 2004 model.
• Sustainable Computing vs. Computing for Sustainability:
  • Sustainable Computing: Making computing itself use fewer resources (e.g., less energy, less e-waste, design for reuse/repair). This accounts for ~5% of global energy.
  • Computing for Sustainability: Using computing to make other, larger sectors of society more sustainable (e.g., agriculture, transportation, power generation), which account for much larger portions of global emissions. Barath argued this is where 95% of the impact lies.
• Critique of Optimization Mindset: He warned against merely optimizing "broken systems" (e.g., monoculture industrial agriculture), which can further entrench unsustainable practices. Instead, new approaches like state-space planning for agroecosystems are needed.
• IETF's Role:
  • Leveraging the networking community's expertise in complex systems thinking.
  • Setting standards for "green" network facilities, moving beyond simple annual energy offsets to real-time renewable energy use.
  • Focusing on climate-resilient networking infrastructure, which could have ripple effects on other infrastructures.
  • Keeping older equipment running longer, especially on renewable power, as embodied energy (manufacturing) accounts for a significant portion of computing's energy footprint.
• General Discussion: The talk spurred discussion on trade-offs, the cultural aspects shaping societal choices, and the challenge of competing with large-scale geopolitical events or celebrity influence on public discourse.

Speaker 2: Alana — "Understanding and Responding to Technology Abuse"

• Definition: Technology abuse is the use of digital technology to intimidate, threaten, monitor, impersonate, harass, or harm victims, especially in intimate partner violence (IPV).
• IPV-Aware Threat Models: Traditional computer security threat models often assume an attacker with no physical or social proximity. In IPV, the abuser is known to the target, has personalized information, and may have had physical access, making common security practices (e.g., using family names for passwords) vulnerable.
• The Clinic to End Tech Abuse (CETA):
  • A free consultative service at Cornell Tech, partnering with NYC agencies.
  • Trains volunteers in coercive control dynamics to assist survivors.
  • Serves as a research, education, and policy hub focusing on IPV and technology.
• Taxonomy of Tech Abuse Attacks:
  1. Account and Device Compromise: Monitoring communications, deleting accounts/evidence, impersonation.
  2. Ownership-Based Attacks: Abuser owns the phone contract, device setup, or accounts for social benefits (e.g., Medicare), using this control to harm.
  3. Exposure of Private Information: Non-consensual intimate images (broadly defined), doxing, identity theft, blackmail.
  4. Harassment: Spoofing calls, mass emails, posting private information for others to harass.
  5. Technology Assisted Monitoring: Installing AV devices, personal trackers (AirTags, Tiles), or misusing IoT devices within a home for surveillance.
• Practical Observations: Abusers often use multiple attack vectors. Dual-use apps (e.g., "Find My Phone") are more common than dedicated spyware, and tech abuse is generally not technically sophisticated.
• CETA's Intervention Protocols:
  • Context-Sensitive: Prioritize identifying who has access, documenting evidence, and assessing potential abuse escalation if access is removed.
  • Safety Planning: Crucial to ensure survivor safety, as removing access can provoke physical violence or other harm.
  • Cascade Awareness: Understanding how interconnected accounts (recovery emails, 2FA) provide access.
  • Trauma-Informed: Empowering survivors to make choices about their technology, respecting their decisions, and avoiding advice to completely abandon technology.
• Open Issues (for the technical community):
  • IPV-Aware Protocols for Data-Collecting Devices: How to balance utility (e.g., anti-theft) with IPV/stalking threats (e.g., AirTags). This requires cross-platform detection and potentially neutral third-party holding of suspicious tracker data.
  • ID Verification in IPV Context: Current systems assume the person recovering an account knows nothing about the legitimate owner. This fails when an abuser knows personal details or controls recovery mechanisms (e.g., Android data recovery leading to total loss of digital evidence). Ethical questions about backing up data without robust recovery.
  • Application Communication and Data Literacy: How to design apps to give users ownership over their data for evidentiary/safety purposes, even those with low technical literacy. Examples include Apple's Safety Check (positive) vs. unfriendly JSON data dumps for critical history (negative).
• General Discussion:
  • Engagement with manufacturers: Some positive engagement exists, particularly around language and documenting evidence, but persistent issues like Android data recovery remain unaddressed.
  • Role of law enforcement: Often has data but chooses to ignore it; tech experts can provide legitimacy as expert witnesses. Education of law enforcement is also important.
  • Biometrics: Risk of coercion in IPV contexts means Biometrics cannot be seen as an "end-all-be-all" for identity verification or consent.
  • Browser-level protections: Suggestions included masking history for sensitive websites (like abortion clinics or IPV support sites) and improving secure, IPV-aware password management.

Working Group Document: draft-irtf-hrpc-guidelines

• Status Update: Niels presented an update on the draft-irtf-hrpc-guidelines (Human Rights Protocol Considerations guidelines).
• IRTF Chair's Feedback (Colin): Colin reiterated concerns raised in previous reviews: the draft is too abstract, doesn't concretely relate the UN declaration to national guidance, and lacks nuance/depth in technical recommendations with insufficient specific examples for engineers.
• Authors' Response (Niels, Mallory): The authors expressed surprise, believing a recent version (-13) had addressed these comments, and that many examples are extensively covered in RFC 8280. They felt the IRTF chair's comments might be based on an older version or a misunderstanding of the document's scope (international framework vs. local laws).
• Discussion: There seemed to be a disconnect between the authors' perception of the draft's state and the chair's review. Adrian also raised a question about the "right to delegation" as a human right in protocols.

Working Group Document: draft-irtf-hrpc-association

• Status Update: Niels presented on draft-irtf-hrpc-association (Freedom of Association on the Internet).
• Objective: Establishes the relationship between the human rights to freedom of assembly and association and internet protocols.
• Structure: It includes a literature review leading to seven research sub-questions, which are then answered with issue-centric examples/case studies related to IETF protocols.
• Recent Work: Nits, copy-editing, deeper referencing, and addressing feedback from Duck Shepherd Nick Doty.
• Key Discussion Point - Structure: A debate regarding whether examples should be issue-centric (as currently) or protocol-centric. Nick Doty, the duck shepherd, confirmed that the issue-centric approach makes sense, though minor wording changes might improve clarity.
• Proposed Title Change: "The Human Right to Freedom of Association and Assembly and Internet Protocols" was proposed to clarify the document's focus.
• Next Steps: Authors will further expand and embed examples more closely to the sub-questions.

Next Steps / AOB

• No new work proposals were brought forward during AOB.

Decisions and Action Items

• draft-irtf-hrpc-guidelines:
  • Action Item: Authors (Niels, Mallory) and IRTF Chair (Colin) to schedule an offline call with the co-author (Gersh) to clarify review comments and determine next steps. Colin will re-send his written feedback.
• draft-irtf-hrpc-association:
  • Decision: Adopt the proposed title change: "The Human Right to Freedom of Association and Assembly and Internet Protocols."
  • Decision: Maintain the current issue-centric structure for examples.
  • Action Item: Authors to release a new version with expanded and more precise examples, closely connected to the research sub-questions, and consider wording changes for clarity (per Nick Doty's feedback).
  • Action Item: Nick Doty to re-review the updated version of the draft.
  • Action Item: Call for community review on the mailing list for the next version.
• General hrpc Direction:
  • Action Item: Chairs to explore potential new work areas within hrpc related to the sustainability of computing (e.g., standards for green networking facilities, climate-resilient infrastructure).
  • Action Item: Chairs to explore potential new work areas within hrpc related to updating threat models for technology abuse, documenting attack taxonomies, and user empowerment in technology design.