**Session Date/Time:** 06 Nov 2025 16:30 # IABOPEN ## Summary The IABOPEN session provided updates on various IAB initiatives, including new work assistance, ongoing technical programs, and reports from recent workshops. A significant portion of the session was dedicated to an invited talk on ETSI's activities, exploring potential collaboration with the IETF, and a report on the joint IAB/W3C TAG workshop on age-based online content restrictions. The session concluded with an invited talk detailing the technical impact and collateral damage of Italy's "Piracy Shield" content blocking platform. Discussions highlighted the IETF's role in providing technical guidance in policy-driven areas, the complexities of inter-SDO collaboration, and the critical importance of architectural considerations in internet governance. ## Key Discussion Points * **IAB Program and Initiative Updates:** * The IAB announced a new "New Work Help Desk" to assist individuals in bringing new work to the IETF, offering advice and support. * The E-Impact technical program is concluding, with thanks extended to all participants. The EDM program is ongoing, with a follow-up lunch meeting scheduled. * An upcoming IP Address Geo-location workshop is planned for the first week of December, aiming to understand current usage, identify gaps and problems, and explore opportunities for IETF engagement. 32 submissions have been accepted. * The IAB has submitted input to the WISIS 20 process (elements paper and zero draft), with subsequent negotiations now primarily at the government level. * **ETSI Overview and Collaboration:** * Diego Lopez, speaking as an individual with involvement in both organizations, provided an introduction to ETSI. He described ETSI as a 35-year-old standards organization, originally focused on European telecommunications but now globally engaged in ICT standardization, cybersecurity, and IoT, with over 900 members. * ETSI publishes all standards free of charge and offers open access to drafts. It is officially recognized by the European Union and provides technical guidance. * ETSI's technical activities include Technical Committees (member-only, EU-linked), Industry Specification Groups (open to non-members), Software Development Groups (open source communities), and Specialist Task Forces (expert-hired work). It also hosts global partnerships like 3GPP and OneM2M. * Deliverables range from normative specifications and informative reports to reference implementations and "demonstrative deliverables" (experimental results like Plugtests and Proof of Concepts). * Areas of relevance to IETF include networking, cloud computing, IoT, network virtualization, automation, and security (including lawful interception). * Diego Lopez highlighted ETSI's request for a formal liaison relationship with the IETF, emphasizing that the IETF LLC addresses previous legal status concerns. He suggested that stronger collaboration could involve formal MOUs and mutual awareness, or less formal engagement to apply IETF work to specific industry needs (e.g., railroad, telcos) that may not be "internet at large" concerns. * Discussion on ETSI's status as a global vs. European-centered organization ensued, with some individuals emphasizing its global reach (e.g., chairs from Japan/China) and others noting its unique relationship with EU mandates, which can lead to divergent standardization efforts. The sense of those present indicated that a formal liaison could help avoid duplication and facilitate mutual referencing of standards. * **Age Restrictions Workshop Report:** * Mark Nottingham reported on the joint IAB/W3C TAG workshop held to address the architectural implications of age-based online content restrictions, a topic driven by increasing global legislation. The workshop aimed to build a shared understanding of technical and architectural choices, not to identify a single solution. * The 2.5-day workshop included diverse participants from IETF, W3C, tech vendors, civil society, and government, operating under a modified Chatham House rule. * **Key observations and takeaways:** * Effective collaboration across technical, policy, and vendor communities is crucial but currently lacking. * Technical solutions alone are insufficient; a "whole of society" approach is needed. * Clear definitions of roles and a common vocabulary are important. * There is no single "silver bullet" technical solution; a blended approach is necessary to address diverse situations and edge cases (e.g., age estimation vs. government ID). * A healthier approach involves shared responsibility across the ecosystem (parents, society, governments, tech actors) rather than pinning liability on one party. * A next step could involve mapping identified risks to proposed architectures. * The IAB and W3C TAG plan to produce a report by the end of the year. * An individual (ITU-T SG17 representative) expressed strong interest in the workshop's findings and requested a liaison statement from the IAB to inform their own work on child protection. * Discussion acknowledged the contentious nature of age restrictions and the workshop's focus on technical/architectural impacts rather than the policy desirability. The IETF's role was identified as speaking from technical authority to highlight unanticipated impacts on the Internet architecture, particularly regarding architectural choices (e.g., network-based vs. device-based enforcement) that affect internet openness. Concerns were raised about the IETF overstepping its narrow technical expertise into broader political domains. * An individual noted that the EU's child protection guidelines explicitly require "age assurance." * Information sharing and privacy concerns related to age verification services were highlighted, with a suggestion to investigate ongoing research in this area and integrate measurement aspects into architectural designs. * The need for continuous engagement mechanisms for coordination across stakeholders (policymakers, technical community, civil society) was emphasized, as the issue is larger than any single SDO can address. * **Piracy Shield and its Efficacy in Italy (Invited Talk by Raffaele Sommese):** * Raffaele Sommese presented a study on Italy's "Piracy Shield" platform, designed to block illegal streaming content, noting similar initiatives are being considered globally. * The original 2023 law mandated blocking of IPs and domains for *sole* illegal football streaming activity within 30 minutes, with no unblocking. This led to significant collateral damage, including the blocking of Cloudflare, Imperva, and Google Drive (for over a day). * A 2024 law update softened criteria to *predominantly* illegal activity, introduced a 5-day unblocking request window (but the block list remains private), and mandated global DNS provider compliance and ISP reporting of suspicious user activity. * The study found that Piracy Shield grants private entities embedded blocking powers, lacks transparency, and causes widespread collateral damage. AGCOM's defense, based on the sheer number of blocked resources, was critiqued as an ineffective metric. * By reconstructing the block list (from a leaked GitHub repo and AGCOM's verification portal), the study identified over 10,000 IPv4 addresses and 400,000 FQDNs blocked from Feb 2024 to June 2025, with 98% of IPs and 44% of FQDNs remaining blocked. * **Collateral Damage Findings:** * IP leasing: 24% of blocked IPs were leased; 4% were re-leased to unsuspecting users after blocking, disrupting their legitimate services in Italy. * Shared hosting: Over 7,000 FQDNs were collateral damage, including 510 non-streaming websites (e.g., Albanian websites, Portuguese hosting company impacting 325 domains, many unaware of blocks). * Anycast IPs: 167 Anycast IPs were blocked, disrupting services that leverage Anycast for resilience (e.g., during DDoS attacks), including a Google Anycast IP. * Streamers were found to evade blocks by migrating to IPv6 (unblocked) or new IPv4 addresses, demonstrating that they are ahead of the platform's blocking mechanisms. * **Recommendations:** Policymakers should reassess blocking frameworks; IP-level blocks should be avoided; block lists should be public; and alternative, less harmful enforcement mechanisms should be explored, such as legal action and "following the money" for paid piracy services. * Discussion highlighted that governments often make "bad laws" and expect compliance, and that links between piracy and organized crime can be a motivation. Italian ISPs deeply dislike Piracy Shield due to implementation burden and user complaints. The need for technical defenses (e.g., encrypted protocols) against such blocking was expressed. ## Decisions and Action Items * The IAB will send a liaison statement to ITU-T SG17 regarding the findings and ongoing work related to the age restrictions workshop. * The IAB and W3C TAG will produce a report on the Age Restrictions Workshop, with a draft targeted for release by the end of the year. ## Next Steps * The IAB and W3C TAG will continue internal discussions on whether to issue additional statements to guide policy discussions on age assurance, focusing on technical impacts. * The IAB will explore appropriate venues for higher-layer coordination between policymakers, the technical community, and other stakeholders on age assurance, recognizing this as a complex issue that spans beyond individual SDOs. * The IAB will review ETSI's request for a formal liaison relationship with the IETF.