
Re: CDT Comments on OPES

2001-08-15 13:56:04

While I am happy to pay the price of liberty, this level of
introspection seems particularly useless, especially in
light of the ease with which actual violations occur
on the Internet.  Oh well.

The end-to-end principle is not a guarantee of some kind
of democratic and contractual agreement between a 'user'
and a 'URL'.  It's an observation that there are some things
that cannot be composed of hop-by-hop services.  Obviously
some things can be composed of hop-by-hop, things like
packet delivery.  And some things at the application layer
are best done by distributed systems.  

Caching proxy servers are part and parcel of the success 
of the web - these are servers delegated to act for users 
or website owners.  They currently have no security model.

In addition, content has become complex, and its assembly
may have many hands in it.  The composition, interpretation,
and delivery of complex content is carried out by multiple
proxies and surrogates.  It's simply not possible for large
websites to achieve this kind of coherence and business
model without a distributed system with multiple administrative
authorities.  There is no security model for this, currently.

The OPES charter requires a security model.  Part of that model
includes the definition of authorization and data integrity.  If
there is not a traceable chain of authorization, then there is
no integrity.  Your ISP example seems to imply that there
can be no traceable authorization from an 'endpoint' to a
regional ISP.  That's a security issue you've analyzed in detail,
I presume?  Or something you decided to make up, in order
to derail technology and save democracy?

The OPES drafts have not addressed this, in part, because
OPES is not a WG and has not yet drafted the security
requirements in detail.  That's where input would be useful.

There are several models for authorization and data integrity
that OPES could adopt.  These have a vast range in
formality and complexity.  The IETF will most likely adopt
a simple, lightweight set of tactics.  However, it is certainly
premature to judge the intentions or outcomes of OPES
even before the security requirements have been drafted
and discussed.

It is possible to interpret 'democracy' so that it becomes
synonymous with shoes in the machinery, I suppose.

Hilarie

John Morris <jmorris(_at_)cdt(_dot_)org> 08/15/01 09:26AM >>>

In response to Michael Condry's comments on our prior comments on the 
OPES proposals, there are certainly a number of points on which 
Michael and I are in complete agreement, including:

*  properly implemented, OPES has the potential to provide valuable 
services to content providers and/or end users;

*  "OPES is not about destruction of the Internet" (and to be crystal 
clear, I do not believe that any proponent of OPES has anything but 
honorable intentions to provide a service capability that some large 
Internet users and providers want);

*  not all transparent proxies in the middle of the network are "bad"; and

*  transparent proxies that alter content without consent of either 
the content provider or end user are "bad."

There are a number of other points, however, where I do not agree 
with Michael, and I believe his comments either sidestep my concerns 
or gloss over details about the current OPES proposals.

First, on the big picture question of whether OPES diminishes the 
end-to-end principle, it is strained to suggest that OPES 
transformations happen at an endpoint simply because one endpoint 
has (in theory) authorized the transformation.  Almost by definition, 
OPES will not be implemented at any actual endpoint, and in fact may 
well be implemented by a regional ISP separated by a number of other 
ISPs from actual end users.  OPES will move decision-making 
intelligence away from actual endpoints and somewhat into the middle 
of the network (albeit, certainly, fairly close to an endpoint). 
This movement, as I understand it, is a movement away from the 
end-to-end principle.

More important than whether a particular theoretical principle is 
diminished, however, is the fact that OPES will continue a trend 
toward giving larger, wealthier, corporate speakers significant 
advantages in their ability to deliver content or services. 
Michael's comments correctly assert that OPES is similar in concept 
to content delivery networks such as Akamai, etc.  That, however, is 
precisely one of the concerns about OPES.  Just as content delivery 
networks raise serious questions about the historic relative parity 
between large and small speakers (see 
http://www.cfp2000.org/papers/morrisberman.pdf for a discussion of CDNs and 
speech on the Internet), OPES will facilitate delivery of services by 
those able to contract with CDNs or big ISPs around the country, to 
the detriment of smaller or upstart service providers trying to 
compete.

Beyond big picture or theoretical concerns about the OPES proposals, 
there continue to be significant concerns about specific elements of 
OPES.  I must admit, however, that I am confused by Michael's 
comments.  Two of the comments appear to go much farther than the 
OPES proposal documents go:

.... Quite the opposite; OPES creates an environment where a secure 
policy can be created and be applied to deliver content in the way the 
customer wishes to see it AND content provider wishes to have it 
presented....

     (I emphasized the "AND" - it was "and" in the original)

and

... So saying "no transformation" is legal and will be followed if a party
(content provider OR consumer) desires that action.

     (I emphasized the "OR" - it was "or" in the original)

Taken together, these and other comments suggest that OPES will 
involve a REAL TIME handshaking or negotiation process in which BOTH 
the content provider AND the end user affirmatively consent to the OPES 
transformation.  I have not previously understood the OPES documents 
to suggest such a real time negotiation.

Such a real time negotiation would answer many concerns raised by my 
original comments.  Critically, both the content provider and the end 
user would get notice of the proposed OPES transformation, and would 
have the ability to opt out of such transformation.

I do not believe, however, that the OPES documents in fact suggest 
mutually negotiated consent.  To the contrary, it is not clear in the 
documents that an end user will even be notified that an OPES 
transformation took place.  By the same token, it is not clear that a 
content provider will be notified prior to an end user-requested 
transformation.  Moreover, nothing in the OPES documents suggests 
that the NON-requesting party will have the ability to give a "no 
transformation" instruction.  If I am wrong about these, then some of 
my concerns may well be misplaced.

Michael's assertion that

There is no "third party" in OPES.

misunderstands, I believe, our concerns and the meaning of the 
phrase.  The whole point of OPES is that third party service 
providers (meaning some entity other than the original content 
provider or the end user -- the only "first" parties involved) can 
"transform" a communication as it passes by.  Certainly the third 
party provider is in theory acting at the request of one of the first 
parties, but that does not make the provider something other than a 
third party.  When the NY Times contracts with Doubleclick to insert 
an ad banner on a Times page, Doubleclick is still a third party. 
Critically, for purposes of things like P3P, the end user is made 
aware of the fact of the Doubleclick ad insertion, and the end user 
has an opportunity (using a P3P implementation) to interrogate 
Doubleclick directly and decide whether to accept content from 
Doubleclick.  As far as I can tell with OPES, there is no guarantee 
that an end user will even know the identity of an OPES service 
provider, much less have an opportunity to evaluate such things as 
the privacy policies of the third party provider.

Finally, Michael's comments dismiss our concern about the risk of 
abuse or misuse of the OPES tools once they are finalized and 
popularized:

Your assertion that OPES creates an environment whereby an entity (ISP,
government or whomever) could become a content censor or gatekeeper
misses the mark completely....

I completely agree that (a) the OPES designers intend for all OPES 
transformations to be requested by either the content provider or end 
user, and (b) such consent would greatly reduce the risk of 
censorship or abuse.  BUT, other than the moral hope and belief that 
OPES will not be misused, there is little in the documents to 
demonstrate that it CANNOT be misused.  The tools being created by 
the OPES effort, as far as I can tell, will execute defined rules and 
proxylets even if an ISP or government has overridden the 
"requirement" that rules and proxylets must be approved by a content 
provider or end user.  As noted above, as far as I can tell, the OPES 
tools will not require a real time negotiation with the content 
provider or end user.  In the absence of such negotiation, abuse of 
the OPES tools would likely be a trivial matter to accomplish (and 
even with such negotiation, abuse is still possible).

Whether or not OPES proceeds within the IETF framework, I am hopeful 
that the specific concerns about its implementation can be considered 
carefully during the design process.  I welcome the opportunity to 
continue a conversation about these issues.

John Morris


At 4:36 PM -0700 8/13/01, Michael W. Condry wrote:
CDT readers, IESG, and OPES mailing list:

It is truly unfortunate that a few people who were highly concerned
about matters not in the realm of OPES but "might be made to sound like
it" have created such erroneous perceptions that misguided efforts
such as the writing of policy statement below ever occur. This happens
all too often when the subject matter changes in an unmoderated electronic
mail thread but the "Subject" field is not reflected to represent this
change.

OPES is not about destruction of the Internet or diminishing the
Internet's end-to-end principle. Quite the opposite; OPES creates an 
environment where a secure policy can be created and be applied to deliver 
content in the way the customer wishes to see it and content provider 
wishes to have it presented. OPES creates an environment where the 
evolution of today's Internet can move to a MORE secure and more desirable 
mechanism for information delivery.

OPES allows the operation of content delivery as an IP endpoint that provides
services explicitly requested by either the content provider or content 
consumer.
There is no "third party" in OPES. The content transformations are
done BY REQUEST not by "third party" intervention. As to particulars in the
services, they are expressed in the rule language and must be adhered
to. So saying "no transformation" is legal and will be followed if a party
(content provider or consumer) desires that action.

Many folks are concerned about "transparent proxies" and other invisible
devices that are intermediaries in the end-to-end model. These devices
can change the requested content in a manner undesired by the consumer,
content provider (or both). This "violates" the end-to-end model since
the content is changed not by an endpoint. OPES clearly does not allow this.
On the other hand, all transparent devices are not bad, as caches have
greatly improved the performance of the Web and in fact are a factor in
making the Web happen.

Your assertion that OPES creates an environment whereby an entity (ISP,
government or whomever) could become a content censor or gatekeeper
misses the mark completely. Rather than restricting access to the
universe of Internet content and services, OPES, at the end-user's or
content provider's desire or willingness to pay, provides better access to
value-added services and some content, with NO restriction to content or 
services
not associated with OPES. This case is identical to that of today's Content
Delivery Networks, such as Akamai, Speedera and Digital Island.

If you wish to focus the policy outlined below on intermediaries (non IP
endpoints) that transform content in the "middle" without control by the
endpoints, or to focus on intermediaries with no plans to engage
industry in order to ensure privacy and security--it would be a reasonable 
policy.
Please do not identify these issues with OPES because they do not apply.

Michael Condry
co-chair of OPES


At 01:56 PM 8/9/2001, John Morris wrote:

FYI, below are comments circulated a few days ago to the IESG, 
providing a public policy perspective on some of the issues raised 
by the OPES working group proposal.  Many of the issues discussed 
have been discussed on this list and/or the IETF list; some are 
addressed in the current charter draft, while others are not. 
Whether or not the IETF working group is established, I am hopeful 
that these comments can make a constructive contribution to the 
discussion of the proposed OPES tools.  John Morris

----------------------------------------
John B. Morris, Jr.
Director, Internet Standards, Technology
& Policy Project
Center for Democracy and Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
(202) 637-9800
(202) 637-0968 fax
jmorris(_at_)cdt(_dot_)org 
http://www.cdt.org 
----------------------------------------

1.0 Summary

We write to outline serious policy concerns raised by the proposal 
that the IETF/IESG create a working group on "Open Pluggable Edge 
Services" (OPES).

As outlined below, OPES would further diminish the "end to end" 
principles that have been so important to the development of the 
Internet.  OPES would reduce both the integrity, and the perception 
of integrity, of communications over the Internet, and would 
significantly increase uncertainty about what might have been done 
to content as it moved through the network.  OPES would also 
increase the risk that ISPs can exercise bottleneck control over 
users' access to the Internet, and could favor certain content and 
application providers over others.

On the threshold question of whether the IETF should sponsor and 
sanction the proposed OPES working group, we believe that the risks 
of OPES outweigh the benefits of IETF review and control.  In the 
event that the IESG approves the creation of the OPES working 
group, we suggest below a set of requirements for OPES that would 
mitigate policy concerns.

2.0 Background

The Center for Democracy and Technology first became aware of the 
OPES proposals through the work of its newly created Internet 
Standards, Technology & Policy Project [see 
http://www.cdt.org/standards/]. (The comments below are submitted 
on behalf of CDT, and not the Project participants.) CDT is a 
nonprofit public interest group that promotes civil liberties and 
democratic values online. CDT has over the years been very involved 
in protecting free speech, privacy, and openness on the Internet, 
and these comments reflect those public policy goals.


3.0 Concerns Raised by OPES

3.1 Content Manipulation, Free Expression, and Privacy

OPES would significantly increase the risk of unauthorized 
interference with or manipulation of communications as they 
traverse the Internet.  OPES would diminish end to end network 
design principles and facilitate third-party alteration of, or 
action based on, communications without the notice or consent of 
end point parties. As such it creates major concerns for free 
expression and privacy online.

The one party consent model defined in the proposed charter poses a 
threat to the model of trust built into the end to end model, as 
well as allowing third parties to interfere with the free flow of 
information that has become a hallmark of Internet communication. 
For example, OPES could facilitate third-party or state-sponsored 
censorship of Internet content without the knowledge or consent of 
end users; OPES could also facilitate third-party manipulation of 
content for commercial purposes (such as advertising) without the 
consent of the end parties.  OPES could also facilitate 
surveillance systems like Carnivore, risking individual privacy and 
discouraging unpopular expression on the web.  Those who wish to 
publish content with complete integrity may be forced to use 
end-to-end encryption of communications, raising barriers to entry 
in the cost of publishing and decreasing potential benefits of 
caching.

Undeniably, as proposed, OPES would require the consent of either 
the sender or receiver.  Also undeniably, the IETF process would 
likely ensure that this and other security and privacy concerns 
would be honored in a proper implementation of OPES.

At bottom, however, OPES is not a protocol for communications 
between computers or networks, but rather is a self-contained 
facility to manipulate content.  The core functions of OPES 
(rule-based review of content, diversion of selected content, and 
execution of proxylets or other content manipulations) can be 
implemented entirely within one server (or linked servers).  There 
is no fundamental need that certain protections and guidelines be 
followed to, for example, ensure interoperability among networks. 
It appears unlikely that meaningful security and validation 
requirements could be made to be so integral to OPES that such 
requirements could not be easily overridden within an individual 
implementation of OPES.

The wide proliferation of OPES implementations would, it seems, be 
likely to lead to the modification of such implementations to 
facilitate unauthorized manipulations of content.  The incentives 
for unauthorized manipulations are clearly present on the Internet, 
and OPES would make such improper actions easier to implement. 
Just very recently we have seen examples of largely unauthorized 
manipulation of content for marketing purposes by third parties. 
[See, e.g., http://slashdot.org/features/01/07/31/2015216.shtml or 
http://www.salon.com/tech/feature/2001/08/02/parasite_capital/index.html]. 
OPES seems likely to facilitate such schemes.

3.2  Facilitating Gatekeepers

OPES could further promote the creation of bottleneck power in the 
hands of Internet Service Providers.  Over the past few years, the 
Internet has seen broadband ISPs move toward a business model of 
contracting with "preferred" content providers and facilitating the 
fast delivery of that content over competing, non-preferred 
content. OPES would significantly increase the potential of ISPs to 
enter into preferential or even exclusive contracts with service 
providers ("the exclusive language translation services offered to 
users of XYZ ISP").  These preferred and exclusive arrangements can 
serve to reduce innovation and competition for content and services 
on the Internet.  Although high bandwidth content is already 
subject to potential discrimination in delivery over some ISPs, 
OPES would likely increase such potential for discrimination among 
service providers.  This bottleneck and/or gatekeeper power raises 
serious public policy concerns.

3.3 Suggested Action

Ultimately, from a public policy perspective, we believe that the 
risks of OPES outweigh its undeniable potential benefits.  We 
understand that, in the absence of an IETF sanctioned 
implementation of OPES, the same capabilities are likely to be 
created elsewhere (through iCAP and other techniques).  It is our 
perception, however, that IETF sanction would further promote the 
acceptance and use of these techniques, and in turn that would lead 
to the significant risk of abuse.


4.0 Proposed OPES Policy Requirements

We fully appreciate that there is not a clear and obvious answer to 
the question of whether the IETF/IESG should create an OPES working 
group.  If such a working group is created, we would look forward 
to making a constructive contribution to that effort.  In such a 
context, we suggest that certain requirements be added to the OPES 
charter.  None of these safeguards would provide protection against 
non-complying implementations of OPES, but they would at least 
define the ground rules for proper implementations of OPES.  The 
requirements we would suggest are:

4.1 End Point Notice

A metatag indicating that some OPES manipulation has been performed 
on a given communication should be available to the end points of 
an exchange.  Concerned parties should also be notified as to the 
nature of the OPES service provided (thereby creating a nontrivial 
requirement of the creation of a vocabulary or taxonomy of OPES 
services, as discussed below). This full disclosure will be 
especially important if OPES services are used routinely and an 
object is manipulated in several different ways by a variety of 
services.

4.2 Consent

As the OPES proposals currently anticipate and require, no content 
should be subject to an OPES manipulation without the clear consent 
of either the sender or ultimate recipient of the communication.

4.3 End Point Veto

The consent of one party is not sufficient to protect the speech 
and privacy interests of all end point parties subject to OPES 
services. Both a sender and the ultimate recipient should be able 
to veto the use of OPES manipulation, through the use of (for 
example in the web context) metatags.  For example, a web user 
should be able to include a "no OPES" metatag in an initial http 
request, and the responding web site should honor that metatag 
(even if only by refusing the request as some web sites now do if 
cookies are not accepted - an unfortunate result but at least one 
that is honest).  Similarly, a web publisher should be able to 
include a "no OPES" tag that is honored by OPES servers later in 
the communication.

4.4 Other Goals - Privacy, Negotiation

PRIVACY:  Because there is unlikely to be an opportunity for a 
prior review (by the end user or the user's P3P agent) of the 
privacy policies of the OPES server (or a third party server called 
out by OPES), such OPES-related privacy policies should be 
reflected in the privacy policies of any content publisher who 
chooses to use OPES. Thus, publishers who wish to use OPES should 
take responsibility for the use or dissemination of information by 
an OPES service provider. We believe that addressing this need, or 
some direct and effective method that a user can interrogate the 
privacy policy of an OPES provider, should both be a part of OPES 
and should be included in revisions to the P3P specification.

NEGOTIATION: It would be desirable for all parties to have the 
ability to communicate their respective wishes regarding OPES 
services to achieve some mutually satisfactory result.  Given that 
many OPES services may be performed on a given object, both parties 
should be able to decide which must be overridden.  For example, a 
web publisher might demand that the quality of her images is not 
downgraded by an OPES compression service, and a user may consent 
to a longer download time and bypass that OPES service for that 
particular image.  The same user might not agree to disable an OPES 
virus scan at the request of the content provider.

We recognize that such negotiation capability poses several large 
design problems and hence propose it as a goal to be explored 
rather than a requirement for moving forward.

5.0 Conclusion

We appreciate the opportunity to present our views on the OPES 
proposals, and we look forward to further contributing on this 
issue in appropriate venues.  For questions or further information 
about this document please feel free to contact John Morris 
<jmorris(_at_)cdt(_dot_)org> or Alan Davidson <abd(_at_)cdt(_dot_)org> at 
CDT. ##


Michael W. Condry
Director,  Network Edge Technology

