[ooni-dev] On the ethics of soliciting measurements and informed consent

Dan O'Huiginn daniel at ohuiginn.net
Fri Jan 2 17:52:04 UTC 2015

Some further thoughts:

ACTIVE CONSENT. Users should probably be shown the legal/privacy warning
when first using ooni, and have to signal their agreement/understanding.

FILTERING BY CONSENT. Once we have a appropriate warnings in place, we
should encourage researchers to use only that data which comes with
consent. We could include a flag in the data reported. But it might be
enough just to track (and document) the version number after which we
get adequate consent.

ACADEMIC ETHICS REQUIREMENTS. Whatever we come up with for ensuring
consent, we should check it will be sufficient for academics to use our
data. AIUI ethics boards react to specific research proposals, so we
can't get a general all-clear for ooni. The best we can do is for
somebody to propose an ooni-based project, and share with us the
feedback from their university ethics committee.

PUBLISHING CONTENT. ooni users aren't just *downloading* objectionable
content, but *publishing* it in the form of reports. It'd take a
bloody-minded lawyer to make that argument, but there's no shortage of
them in the world...

MONITORING BY THE MONITORED. All sites in our the http_requests have a
complete list of ooni users, don't they? [maybe not identified as such,
but you just need to control 2 and take the intersection of their log
files]. And once your user list is shared by hackforums.net and
911lies.org, you may as well just consider it public ;)


On 02/01/15 18:30, Dan O'Huiginn wrote:
> Hi folks,
> Firstly, hello! Having met Arturo and Vasilis at the 31C3, I'm keen to
> get involved more.
> On consent: at an absolute minimum, I agree we need better warnings for
> users.
> Below is some proposed text to inform users about the risks of OONI. I'm
> willing to take on the job of refining this based on feedback.
> IMO we need two versions. One short and simple, that users should have
> to read (and agree to?) before first running ooniprobe. The second
> comprehensive, to be put on the website and in the docs.
> WARNING: Running OONI may be illegal in your country, or forbidden by
> your ISP. By running OONI you will connect to web services which may be
> banned, and use web censorship circumvention methods such as Tor. The
> OONI project will publish data submitted by probes, possibly including
> your IP address or other identifying information. In addition, your use
> of OONI will be clear to anybody who has access to your computer, and to
> anybody who can monitor your internet connection (such as your employer,
> ISP or government).
> [link to long version]
> OONI does several things which may be illegal in your country, and/or
> banned by your ISP.
> OONI's http test will download data from controversial websites,
> specifically targeting those which may be censored in your country.
> These may include, for example, sites containing pornography or hate
> speech. You can find a list of sites checked at
> https://github.com/citizenlab/test-lists
> Even where these sites are not blocked, it may be illegal to access
> them. It may also be illegal to bypass censorship, as OONI attempts by
> using Tor.
> In the most extreme case, any form of network monitoring could be
> illegal or banned, or even considered a form of espionage.
> [Include link to some resource on relevant laws globally. Someone like
> the EFF must have one of these; does anybody have a link?]
> about your internet connection to the whole world. Particular groups,
> such as your ISP and web services used by the ooni tests, will be able
> to discover even more detailed information about you.
> THE PUBLIC will be able to see the information collected by OONIprobe.
> This will definitely include your approximate location, the network
> (ASN) you are connecting from, and when you ran ooniprobe. Other
> identifying information, such as your IP address, is not deliberately
> collected, but may be included in HTTP headers or other metadata. The
> full page content downloaded by OONI could potentially include further
> information, for example if a website includes tracking codes or custom
> content based on your network location.
> You can see what information OONI releases to the public at
> https://ooni.torproject.org/reports/. You should expect this information
> to remain online PERMANENTLY. [include details of retention policy, once
> we have one]
> THE OONI PROJECT will also be able to see your IP address [What other
> info do we get?]
> all web traffic generated by OONI, including your IP address, and will
> likely be able to link it to you personally. These organizations might
> include your government, your ISP, and your employer.
> ANYBODY WITH ACCESS TO YOUR COMPUTER, now or in the future, may be able
> to detect that you have installed or run ooni
> SERVICES CONNECTED TO BY OONI will be able to see your IP address, and
> may be able to detect that you are using OONI
> On 28/12/14 06:50, royaen wrote:
>> Hi Arturo and all,
>> When it comes to ethics of soliciting measurements and informed consent,
>> I have a different take which has been my research topic over the past
>> years.  There are many reasons why I think that directly measuring
>> censorship is scary.  First of all, you need to acquire reliable vantage
>> points to run your measurements. Volunteering one’s machine to foreign
>> researchers, or operating a device on their behalf, might be viewed by
>> the government as espionage.  Besides, many regions, especially places
>> where we don’t have good infrastructure, have a limited number of
>> companies/volunteers (if any) that allow foreigners to rent computers
>> inside the country.  All the current direct approaches, such as RIPE
>> Atlas [1] or other distributed platforms or volunteers running Raspberry
>> Pis are often easy to spot and data collected from them may not be
>> reliable.  For example, regarding China, we showed [2] that censorship
>> is different in CERNET (China Education and Research Network) compared
>> to other ISPs.
>> When it comes to measuring connectivity, I believe that it is better to
>> involve the whole country in doing the measurements rather than
>> volunteers whose safety is at stake.  Therefore, I have developed
>> effective methods for remotely measuring Internet censorship around the
>> world, without requiring access to any of the machines whose
>> connectivity is tested to or from. These techniques are based on novel
>> network inference channels, a.k.a idle scans. That is, given two
>> arbitrary IP addresses on the Internet that meet some simple
>> requirements such as global IPID behaviour, our proposed technique can
>> discover packet drops (e.g., due to censorship) between the two remote
>> machines, as well as infer in which direction the packet drops are
>> occurring.  Here are more references to read [3,4]. Basically, for one
>> of the idle scans (hybrid idle scan), we only create unsolicited packets
>> (a bunch of SYNACK and RST segments) between two remote IPs, and look at
>> the changes in the global IPID variable to infer whether censorship is
>> happening and if so, in which direction packets are dropped.           
>> Back to my main point, why I am trying so hard to convince you that we
>> also need to use side channels and how this relates to ethics, well,
>> here is the story: The discussion you brought up has been discussed
>> heavily in academia in the past six months after two papers got rejected
>> from the IMC conference because of ethics. One of them was my paper [2]
>> after having received good reviews on the technical contribution. Here
>> is the link to the reviews:
>> https://imc2014.cs.wisc.edu/hotcrp/paper/243?cap=0243a2kWYrwVqbv0
>> I personally just got an email with above link from IMC, and because of
>> having had a single-entry visa, I couldn’t attend IMC or the Citizen Lab
>> workshop where a lot of the discussions about ethics were taking place.
>> The ethical issues that usually come up are two: First, using idle
>> scans, no consent from users is collected. Second, censors could
>> mistakenly assume that two machines measured by us are deliberately
>> communicating with each other.  This could have negative consequences if
>> a censor believes that a user is communicating with a sensitive or
>> forbidden IP address.
>> In response to the latter argument, it is unlikely that a censor would
>> come to such a conclusion as only RST segments are created from a client
>> inside a country to a server and only SYN/ACK segments are sent from a
>> server to a client inside the censoring country.  An adversary would not
>> witness a full TCP handshake, let alone any actual data transfer. 
>> One mitigation technique that I have been focusing on is to use routers
>> instead of end points for the side channel measurements.
>> If you or anyone else is interested in using these techniques, I am more
>> than happy to help.
>> Roya
>> [1] http://cartography.io/
>> [2] http://arxiv.org/abs/1410.0735
>> [3]http://arxiv.org/pdf/1312.5739v1.pdf
>> [4]http://www.usenix.org/event/sec10/tech/full_papers/Ensafi.pdf
>> _______________________________________________
>> ooni-dev mailing list
>> ooni-dev at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/ooni-dev

More information about the ooni-dev mailing list