|
Re: CDT Comments on OPES
2001-08-15 08:26:41
In response to Michael Condry's comments on our prior comments on the
OPES proposals, there are certainly a number of points on which
Michael and I are in complete agreement, including:
* properly implemented, OPES has the potential to provide valuable
services to content providers and/or end users;
* "OPES is not about destruction of the Internet" (and to be crystal
clear, I do not believe that any proponent of OPES has anything but
honorable intentions to provide a service capability that some large
Internet users and providers want);
* not all transparent proxies in the middle of the network are "bad"; and
* transparent proxies that alter content without consent of either
the content provider or end user are "bad."
There are a number of other points, however, where I do not agree
with Michael, and I believe his comments either sidestep my concerns
or gloss over details about the current OPES proposals.
First, on the big picture question of whether OPES diminishes the
end-to-end principle, it is strained to suggest that OPES
transformations happens at an endpoint simply because one endpoint
has (in theory) authorized the transformation. Almost by definition,
OPES will not be implemented at any actual endpoint, and in fact may
well be implemented by a regional ISP separated by a number of other
ISPs from actual end users. OPES will move decision-making
intelligence away from actual endpoints and somewhat into the middle
of the network (albeit, certainly, fairly close to an endpoint).
This movement, as I understand it, is a movement away from the
end-to-end principle.
More important than whether a particular theoretical principle is
diminished, however, is the fact that OPES will continue a trend
toward giving larger, wealthier, corporate speakers significant
advantages in their ability to deliver content or services.
Michael's comments correctly assert that OPES is similar in concept
to content delivery networks such as Akamai, etc. That, however, is
precisely one of the concerns about OPES. Just as content delivery
networks raise serious questions about the historic relative parity
between large and small speakers (see http://
www.cfp2000.org/papers/morrisberman.pdf for a discussion of CDNs and
speech on the Internet), OPES will facilitate delivery of services by
those able to contract with CDNs or big ISPs around the country, to
the detriment of smaller or upstart service providers trying to
compete.
Beyond big picture or theoretical concerns about the OPES proposals,
there continue to be significant concerns about specific elements of
OPES. I must admit, however, that I am confused by Michael's
comments. Two of the comments appear to go much farther than the
OPES proposal documents go:
.... Quite the opposite; OPES creates an environment
were a secure policy can be created and be applied to deliver
content in the way
the customer wishes to see it AND content provider wishes to have it
presented....
(I emphasized the "AND" - it was "and" in the original)
and
... So saying "no transformation" is legal and will be followed if a party
(content provider OR consumer) desires that action.
(I emphasized the "OR" - it was "or" in the original)
Taken together, these and other comments suggest that OPES will
involve a REAL TIME handshaking or negotiation process in which BOTH
the content provider AND the end user affirmately consent to the OPES
transformation. I have not previously understood the OPES documents
to suggest such a real time negotiation.
Such a real time negotiation would answer many concerns raised by my
original comments. Critically, both the content provider and the end
user would get notice of the proposed OPES transformation, and would
have the ability to opt out of such transformation.
I do not believe, however, that the OPES documents in fact suggest
mutually negotiated consent. To the contrary, it is not clear in the
documents that an end user will even be notified that an OPES
transformation took place. By the same token, it is not clear that a
content provider will be notified prior to a end user-requested
transformation. Moreover, nothing in the OPES documents suggests
that the NON-requesting party will have the ability to give a "no
transformation" instruction. If I am wrong about these, then some of
my concerns may well be misplaced.
Michael's assertion that
There is no "third party" in OPES.
misunderstands, I believe, our concerns and the meaning of the
phrase. The whole point of OPES is that third party service
providers (meaning some entity other than the original content
provider or the end user -- the only "first" parties involved) can
"transform" a communication as it passes by. Certainly the third
party provider is in theory acting at the request of one of the first
parties, but that does not make the provider something other than a
third party. When the NY Times contracts with Doubleclick to insert
an ad banner on a Times page, Doubleclick is still a third party.
Critically, for purposes of things like P3P, the end user is made
aware of the fact of the Doubleclick ad insertion, and the end user
has an opportunity (using a P3P implementation) to interrogate
Doubleclick directly and decide whether to accept content from
Doubleclick. As far as I can tell with OPES, there is no guarantee
that an end user will even know the identify of an OPES service
provider, much less have an opportunity to evaluate such things as
the privacy policies of the third party provider.
Finally, Michael's comments dismiss our concern about the risk of
abuse or misuse of the OPES tools once they are finalized and
popularized:
Your assertion that OPES creates an environment whereby an entity (ISP,
government or whomever) could become a content censor or gatekeeper
misses the mark completely....
I completely agree that (a) the OPES designers intend for all OPES
transformations to be requested by either the content provider or end
user, and (b) such consent would greatly reduce the risk of
censorship or abuse. BUT, other than the moral hope and belief that
OPES will not be misused, there is little in the documents to
demonstrate that it CANNOT be misused. The tools being created by
the OPES effort, as far as I can tell, will execute defined rules and
proxylets even if an ISP or government has overriden the
"requirement" that rules and proxylets must be approved by a content
provider or end user. As noted above, as far as I can tell, the OPES
tools will not require a real time negotiation with the content
provider or end user. In the absence of such negotiation, abuse of
the OPES tools would likely be a trivial matter to accomplish (and
even with such negotiation, abuse is still possible).
Whether or not OPES proceeds within the IETF framework, I am hopeful
that the specific concerns about its implementation can be considered
carefully during the design process. I welcome the opportunity to
continue a conversation about these issues.
John Morris
At 4:36 PM -0700 8/13/01, Michael W. Condry wrote:
CDT readers, IESG, and OPES mailing list:
It is truly unfortunate that a few people who were highly concerned
about matters not in the realm of OPES but "might be made to sound like
it" have created such erroneous perceptions that misguided efforts
such as the writing of policy statement below ever occur. This happens
all too often when the subject matter changes in an unmoderated electronic
mail thread but the "Subject" field is not reflected to represent this
change.
OPES is not about destruction of the Internet or diminishing the
Internet's end-to-end principle. Quite the opposite; OPES creates an
environment
were a secure policy can be created and be applied to deliver
content in the way
the customer wishes to see it and content provider wishes to have it
presented. OPES creates an environment were the evolution of today's
Internet can
move to a MORE secure and more desirable mechanism for information delivery.
OPES allows the operation of content delivery as an IP endpoint that provides
services explicitly requested by either the content provider or
content consumer.
There is no "third party" in OPES. The content transformations are
done BY REQUEST not by "third party" intervention. As to particulars in the
services, they are expressed in the rule language and must be adhered
to. So saying "no transformation" is legal and will be followed if a party
(content provider or consumer) desires that action.
Many folks are concerned about "transparent proxies" and other invisible
devices that are intermediaries in the end-to-end model. These devices
can change the requested content in a manner undesired by the consumer,
content provider (or both). This "violates" the end-to-end model since
the content is changed not by an endpoint. OPES clearly does not allow this.
On the other hand, all transparent devices are not bad, as caches have
greatly improved the performance of the Web and in fact are a factor in
making the Web happen.
Your assertion that OPES creates an environment whereby an entity (ISP,
government or whomever) could become a content censor or gatekeeper
misses the mark completely. Rather than restricting access to the
universe of Internet content and services, OPES, at the end-user's or
content provider's desire or willingness to pay, provides better access to
value-added services and some content, with NO restriction to
content or services
not associated with OPES. This case is identical to that of today's Content
Delivery Networks, such as Akamai, Speedera and Digital Island.
If you wish to focus the policy outlined below on intermediaries (non IP
endpoints) that transform content in the "middle" without control by the
endpoints, or to focus on intermediaries with no plans to engage
industry in order to ensure privacy and security--it would be a
reasonable policy.
Please do not identify these issues with OPES because they do not apply.
Michael Condry
co-chair of OPES
At 01:56 PM 8/9/2001, John Morris wrote:
FYI, below are comments circulated a few days ago to the IESG,
providing a public policy perspective on some of the issues raised
by the OPES working group proposal. Many of the issues discussed
have been discussed on this list and/or the IETF list; some are
addressed in the current charter draft, while others are not.
Whether or not the IETF working group is established, I am hopeful
that these comments can make a constructive contribution to the
discussion of the proposed OPES tools. John Morris
----------------------------------------
John B. Morris, Jr.
Director, Internet Standards, Technology
& Policy Project
Center for Democracy and Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
(202) 637-9800
(202) 637-0968 fax
jmorris(_at_)cdt(_dot_)org
http://www.cdt.org
----------------------------------------
1.0 Summary
We write to outline serious policy concerns raised by the proposal
that the IETF/IESG create a working group on "Open Pluggable Edge
Services" (OPES).
As outlined below, OPES would further diminish the "end to end"
principles that have been so important to the development of the
Internet. OPES would reduce both the integrity, and the perception
of integrity, of communications over the Internet, and would
significantly increase uncertainly about what might have been done
to content as it moved through the network. OPES would also
increase the risk that ISPs can exercise bottleneck control over
users' access to the Internet, and could favor certain content and
application providers over others.
On the threshold question of whether the IETF should sponsor and
sanction the proposed OPES working group, we believe that the risks
of OPES outweigh the benefits of IETF review and control. In the
event that the IESG approves the creation of the OPES working
group, we suggest below a set of requirements for OPES that would
mitigate policy concerns.
2.0 Background
The Center for Democracy and Technology first became aware of the
OPES proposals through the work of its newly created Internet
Standards, Technology & Policy Project [see
http://www.cdt.org/standards/]. (The comments below are submitted
on behalf of CDT, and not the Project participants.) CDT is a
nonprofit public interest group that promotes civil liberties and
democratic values online. CDT has over the years been very involved
in protecting free speech, privacy, and openness on the Internet,
and these comments reflect those public policy goals.
3.0 Concerns Raised by OPES
3.1 Content Manipulation, Free Expression, and Privacy
OPES would significantly increase the risk of unauthorized
interference with or manipulation of communications as they
traverse the Internet. OPES would diminish end to end network
design principles and facilitate third-party alteration of, or
action based on, communications without the notice or consent of
end point parties. As such it creates major concerns for free
expression and privacy online.
The one party consent model defined in the proposed charter poses a
threat to the model of trust built into the end to end model, as
well as allowing third parties to interfere with the free flow of
information that has become a hallmark of Internet communication.
For example, OPES could facilitate third-party or state-sponsored
censorship of Internet content without the knowledge or consent of
end users; OPES could also facilitate third-party manipulation of
content for commercial purposes (such as advertising) without the
consent of the end parties. OPES could also facilitate
surveillance systems like Carnivore, risking individual privacy and
discouraging unpopular expression on the web. Those who wish to
publish content with complete integrity may be forced to use
end-to-end encryption of communications, raising barriers to entry
in the cost of publishing and decreasing potential benefits of
caching.
Undeniably, as proposed, OPES would require the consent of either
the sender or receiver. Also undeniably, the IETF process would
likely ensure that this and other security and privacy concerns
would be honored in a proper implementation of OPES.
At bottom, however, OPES is not a protocol for communications
between computers or networks, but rather is a self-contained
facility to manipulate content. The core functions of OPES
(rule-based review of content, diversion of selected content, and
execution of proxylets or other content manipulations) can be
implemented entirely within one server (or linked servers). There
is no fundamental need that certain protections and guidelines be
followed to, for example, ensure interoperability among networks.
It appears unlikely that meaningful security and validation
requirements could be made to be so integral to OPES that such
requirements could not be easily overridden within an individual
implementation of OPES.
The wide proliferation of OPES implementations would, it seems, be
likely to lead to the modification of such implementations to
facilitate unauthorized manipulations of content. The incentives
for unauthorized manipulations are clearly present on the Internet,
and OPES would make such improper actions easier to implement.
Just very recently we have seen examples of largely unauthorized
manipulation of content for marketing purposes by third parties.
[See, e.g., http://slashdot.org/features/01/07/31/2015216.shtml or
http://www.salon.com/tech/feature/2001/08/02/parasite_capital/index.ht
ml]. OPES seems likely to facilitate such schemes.
3.2 Facilitating Gatekeepers
OPES could further promote the creation of bottleneck power in the
hands of Internet Service Providers. Over the past few years, the
Internet has seen broadband ISPs move toward a business model of
contracting with "preferred" content providers and facilitating the
fast delivery of that content over competing, non-preferred
content. OPES would significantly increase the potential of ISPs to
enter into preferential or even exclusive contracts with service
providers ("the exclusive language translation services offered to
users of XYZ ISP"). These preferred and exclusive arrangements can
serve to reduce innovation and competition for content and services
on the Internet. Although high bandwidth content is already
subject to potential discrimination in delivery over some ISPs,
OPES would likely increase such potential for discrimination among
service providers. This bottleneck and/or gatekeeper power raises
serious public policy concerns.
3.3 Suggested Action
Ultimately, from a public policy perspective, we believe that the
risks of OPES outweigh its undeniable potential benefits. We
understand that, in the absence of an IETF sanctioned
implementation of OPES, the same capabilities are likely to be
created elsewhere (through iCAP and other techniques). It is our
perception, however, that IETF sanction would further promote the
acceptance and use of these techniques, and in turn that would lead
to the significant risk of abuse.
4.0 Proposed OPES Policy Requirements
We fully appreciate that there is not a clear and obvious answer to
the question of whether the IETF/IESG should create an OPES working
group. If such a working group is created, we would look forward
to making a constructive contribution to that effort. In such a
context, we suggest that certain requirements be added to the OPES
charter. None of these safeguards would provide protection against
non-complying implementations of OPES, but they would at least
define the ground rules for proper implementations of OPES. The
requirements we would suggest are:
4.1 End Point Notice
A metatag indicating that some OPES manipulation has been performed
on a given communication should be available to the end points of
an exchange. Concerned parties should also be notified as to the
nature of the OPES service provided (thereby creating a nontrivial
requirement of the creation of a vocabulary or taxonomy of OPES
services, as discussed below). This full disclosure will be
especially important if OPES services are used routinely and an
object is manipulated in several different ways by a variety of
services.
4.2 Consent
As the OPES proposals currently anticipate and require, no content
should be subject to an OPES manipulation without the clear consent
of either the sender or ultimate recipient of the communication.
4.3 End Point Veto
The consent of one party is not sufficient to protect the speech
and privacy interests of all end point parties subject to OPES
services. Both a sender and the ultimate recipient should be able
to veto the use of OPES manipulation, through the use of (for
example in the web context) metatags. For example, a web user
should be able to include a "no OPES" metatag in an initial http
request, and the responding web site should honor that metatag
(even if only by refusing the request as some web sites now do if
cookies are not accepted - an unfortunate result but at least one
that is honest). Similarly, a web publisher should be able to
include a "no OPES" tag that is honored by OPES servers later in
the communication.
4.4 Other Goals - Privacy, Negotiation
PRIVACY: Because there is unlikely to be an opportunity for a
prior review (by the end user or the user's P3P agent) of the
privacy policies of the OPES server (or a third party server called
out by OPES), such OPES-related privacy policies should be
reflected in the privacy policies of any content publisher who
chooses to use OPES. Thus, publishers who wish to use OPES should
take responsibility for the use or dissemination of information by
an OPES service provider. We believe that addressing this need, or
some direct and effective method that a user can interrogate the
privacy policy of an OPES provider, should both be a part of OPES
and should be included in revisions to the P3P specification.
NEGOTIATION: It would be desirable for all parties to have the
ability to communicate their respective wishes regarding OEPS
services to achieve some mutually satisfactory result. Given that
many OPES services may be performed on a given object, both parties
should be able to decide which must be overridden. For example, a
web publisher might demand that the quality of her images are not
downgraded by an OPES compression service, and a user may consent
to a longer download time and bypass that OPES service for that
particular image. The same user might not agree to disable an OPES
virus scan at the request of the content provider.
We recognize that such negotiation capability poses several large
design problems and hence propose it as a goal to be explored
rather than a requirement for moving forward.
5.0 Conclusion
We appreciate the opportunity to present our views on the OPES
proposals, and we look forward to further contributing on this
issue in appropriate venues. For questions or further information
about this document please feel free to contact John Morris
<jmorris(_at_)cdt(_dot_)org> or Alan Davidson <abd(_at_)cdt(_dot_)org> at CDT. ##
Michael W. Condry
Director, Network Edge Technology
----------------------------------------
John B. Morris, Jr.
Director, Internet Standards, Technology
& Policy Project
Center for Democracy and Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
(202) 637-9800
(202) 637-0968 fax
jmorris(_at_)cdt(_dot_)org
http://www.cdt.org
----------------------------------------
|
|