[ Standards Bulletin 1.02 -- August 7, 2002

[
[ Policy Updates and Analysis from the Internet Standards World
[ Provided by
[ The Center for Democracy & Technology's
[ Internet Standards, Technology, and Policy Project

Welcome to the second issue of the Standards Bulletin, a new publication from CDT's Internet Standards, Technology, & Policy Project. This series is intended to provide updates and analysis about public policy implications of the work of the organizations that design the technical standards on which the Internet is based.

This Bulletin provides an update on significant developments that took place at the 54th meeting of the Internet Engineering Task Force ("IETF"), in Yokohama, Japan from July 14 through 19, 2002. John Morris of the Standards Project attended and participated in the IETF meetings.

1 - Standards Spotlight: IETF's OPES Working Group.

For the past year, the Standards Project has been engaged in discussions within the IETF about a proposed new Internet protocol named "Open Pluggable Edge Services" ("OPES"). If adopted, the OPES protocol would allow the content of Internet communications between two computers -- for example, a client and a server -- to be modified en route by a third party. There are a number of positive uses for such technology, but serious questions exist about OPES' impact on data integrity and privacy.

Background and Technical Overview:

Historically, most Internet communications have been viewed as "end-to-end." In basic terms, "end-to-end" has meant that data on the Internet moves from the sender to the receiver (from one "end" to the other) without modification bydevices within the network. The "end-to-end" concept has been viewed by many as a fundamental design principle of the Internet.

But in practice, the "end-to-end" principle is not immutable. On the World Wide Web, for example, many network operators have made use of caching and/or content distribution services -- networks of disparate machines that distribute Web content across numerous servers. Such caching speeds up the delivery of Web content, since content can be delivered to users from nearby caches rather than from a central point. Caching also can reduce the demand on the original publisher's server, and reduce the amount of traffic crossing the Internet as a whole.

As it is currently being considered, the OPES protocol would create a generic framework to allow the operators of caches and other edge proxy servers to provide additional services. In simple terms, an OPES-enabled caching or proxy server would review passing data (i.e., content or requests for content) for specific flags. When predetermined rules are met, the server will either modify the content in some way or pass the content on to a separate server for processing. OPES is being designed to perform these services without introducing unacceptable delay for the user.

The OPES protocol is being designed to encompass a wide range of business models and to provide value-added services to both publishers and users. OPES-enabled services might include insertion of local or regional content (such as local sports scores), insertion of targeted advertisements, language translation, content filtering, or the reformatting of content for display on wireless devices. Many OPES services, such as virus scanning, would be performed for users' benefit. Using OPES to perform these services would permit greater customization of content while maintaining the benefits of caching.

OPES is not the first method to modify content prior to delivery to the end user. Similar services already exist online. However, OPES would standardize such methods to a significant extent. As such, it is likely that OPES would make this kind of content manipulation far more common. Before that standardization takes place, the Standards Project believes that several important policy questions about OPES must be answered.

Key Public Policy Concerns:

Policy concerns about the OPES protocol range from the conceptual to the specific. Of greatest concern is the possibility that broad adoption of the OPES protocol could significantly increase the amount of unauthorized and/or malicious interference with Internet communications by third parties. The policy concerns about OPES include:

• IETF's adoption of OPES will diminish the end-to-end design principles that have characterized the Internet's development, making future innovation more challenging;
• if content modifications by third parties become accepted practice (as OPES would likely encourage), then unauthorized modifications will be more likely and more tempting to network operators. For example, an ISP might insert advertising into a web page without the permission of the website or the recipient;
• the increasing efficiency of content modifications by intermediaries will lead to a corresponding increase in the ability of bad actors to perform unauthorized modifications;
• OPES-like technology could be used by governmental authorities in some countries (those with few ISPs) to censor web content;
• OPES raises concerns about the privacy practices of third parties that modify the content in transit (and may thereby see confidential information about the recipient);
• unless an end user is notified of all OPES services used on content, the user might not be aware of the source and reliability of the content received; and
• OPES raises the question of whether a content provider or an end user should be able to veto the execution of an OPES service on certain communications, and how conflicts between OPES preferences should be handled.

Even with such concerns, there compelling reasons why the OPES standard is likely to be developed: (a) OPES can add significant value when used properly, (b) OPES-like methods already exist and would be further developed if IETF does not design OPES, and (c) the Internet would be better off if OPES-like methods are governed by the careful and precise rules and protections likely to be part of any IETF-approved protocol.

IETF Debate and Action:

Many of these concerns are being considered by technologists within the IETF. In early August 2001, the Standards Project submitted extensive comments on OPES to the Internet Engineering Steering Group (IESG), a governing committee of the IETF. The Standards Project then discussed the protocol with OPES' supporters on the OPES mailing list. Those supporters have since advanced a number of changes that address some of our concerns. In late September follow-up comments, the Standards Project suggested that the OPES protocol effort should be permitted to proceed, so long as strong privacy and data integrity protections could be incorporated into it.

In the fall of 2001, the IESG asked the Internet Architecture Board (IAB) -- the group that provides architectural guidance to IETF -- to review the concerns raised by the Standards Project and others about OPES. In November, IAB recommended that if OPES is to move forward, it must ensure that any OPES service is authorized by the sender or the receiver of a communication, and must include strong protections for data integrity and privacy.

The charter of the proposed OPES Working Group was changed to reflect the guidance given by the IAB. With these changes, the OPES Working Group has been formally approved by the IETF leadership.

Current Status:

The Standards Project has participated in the OPES working group since its creation. One major policy issue discussed both on the OPES mailing lists and at the July 2002 IETF meeting in Yokohama, Japan, has been whether content providers should be given notice when users request OPES services. A privacy question exists, since in certain cases OPES-related information could include personal and private information about the user -- for example, the fact that an end user who has impaired vision contracts with an OPES service provider (to modify web content before delivery to make it more visually accessible) is not a fact that the content publisher needs to learn.

In light of these privacy concerns, the current proposals in the OPES working group call for end users to receive notice of OPES services performed at the request of content publishers. They do not facilitate notice in the other direction.

The exact mechanism of end user notice, and the options to be provided, are still under discussion. There still remains extensive work to ensure that the notice, privacy, and data integrity guidelines set out by the IAB are actually followed in the group's work product. The OPES Working Group is scheduled to conclude its initial stage of work before Fall 2002, but it is likely that timetable will be pushed back.

CDT's original comments on OPES are at http://www.imc.org/ietf-openproxy/mail-archive/msg00828.html.
The IAB's analysis of OPES is at http://www.ietf.org/rfc/rfc3238.txt.
The charter of the OPES working group is at http://www.ietf.org/html.charters/opes-charter.html.
The home page of the OPES working group is at http://www.ietf-opes.org/.

2 - Standards and Intellectual Property.

The final day of the IETF meeting in Yokohama was allocated exclusively to an unusual plenary "birds of a feather" (or "BOF") session to discuss issues of intellectual property rights. Discussion centered around whether a working group would be formed to clarify and/or modify the IETF's approach to intellectual property issues involving patents, trademarks, and copyrights.

Historically, many of the key standards developed by the IETF have been publicly available for use without payment of any license fees -- the standards were either in the public domain or, if patented, were available on a royalty-free basis. However, the IETF has never explicitly required that working groups disavow patented technology, though working groups are generally expected to consider the downsides of using encumbered technology.

With increasing regularity, the work of IETF working groups has been slowed by claims that proposed standards use patented technology. At times, this has significantly hampered working group activity, and there is general consensus that the IETF's patent procedures need clarification and strengthening in order to minimize the harm of such claims on IETF work.

These questions were the main topic at the BOF session in Yokohama. Most participants agreed that the patent, trademark and copyright procedures of the IETF should be improved and clarified.

Prior to the Yokohama meeting, some voices had called on IETF to embrace "royalty free" or "open source" technology -- in other words, to avoid the use of any patented technology that would not be made freely available. (The World Wide Web Consortium, another major standards body, has been considering such an approach for some time.) In Yokohama, however, there was no substantial discussion of changing the IETF's fundamental patent approach. At this point, it is unlikely that the IETF will affirmatively embrace royalty free or open source technology -- though its processes will continue to favor such free availability.

Since the Yokohama meeting, the IETF leadership has formally approved the creation of a working group to discuss intellectual property rights issues. The charter of the IPR working group can be found at http://www.ietf.org/html.charters/ipr-charter.html.

3 - Standards Update: Quick Dispatches on Standards & Policy

1. GEOPRIV Working Group Continues Focus on Requirements for Protecting Privacy of Geo-Location Information. The GEOPRIV working group met in full at Yokohama, and key participants met informally throughout the week. At the formal working group meeting, Standards Project Director John Morris made two separate presentations: the first on elements of privacy and fair information practices in GEOPRIV, and the second on some key issues that remain unresolved since the working group's Interim Meeting in June. The working group is likely to build a core set of privacy protections into the GEOPRIV protocol, which will then facilitate linkages to more complex and comprehensive location privacy rules. Such an approach would permit GEOPRIV to support basic privacy protection even when deployed in situations with low computational power or limited bandwidth.

   The work of the GEOPRIV working group was discussed in more detail in Standards Bulletin 1.01, http://www.cdt.org/standards/bulletin/1.01.shtml.

   The most recent submission by the Standards Project to the GEOPRIV working group can be found at "The use of Multiple Locations in the Location Object," Internet-Draft, May 2002, http://www.cdt.org/standards/draft-morris-geopriv-location-object-issues-00.txt (original text format), http://www.cdt.org/standards/draft-morris-geopriv-location-object-issues-00.pdf (PDF format)

CDT Standards Bulletin Subscription Information

To subscribe to CDT's Standards Bulletin list, send mail to majordomo@cdt.org. In the BODY of the message type "subscribe standards" without the quotes.

To unsubscribe from CDT's Standards Bulletin list, send mail to majordomo@cdt.org. In the BODY of the message type "unsubscribe standards" without the quotes.

Detailed information about online civil liberties issues may be found at http://www.cdt.org/, and more information about Internet standards and public policy can be found at http://www.cdt.org/standards/.

This document may be redistributed freely in full or linked to http://www.cdt.org/standards/bulletin/1.02.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org

Standards Bulletin 1.02 Copyright 2002 Center for Democracy and Technology

Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam

Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action! Previous Headlines | Legislative Tracking | CDT's Privacy Policy