Approaching the IETF - A View from Civil Society

My name is Dan Sexton and I'm the Chief Technology Officer for the Internet Watch Foundation, a UK based charity that tackles child sexual abuse material online. My background and career have always been in technology, but it has only been since joining the IWF that I became properly aware of how technical progress can have unintended negative consequences, including its effects on the safety of children online.

Some of that progress, in the form of technical standards, has been developed at the Internet Engineering Task Force (IETF), and so I wanted to understand how the standard settings body works and how civil society groups like the IWF could positively engage in the process.

IETF 116

I attended the IETF 116 meeting in Yokohama, Japan, at the end of March 2023 to host a meeting on the topic of ‘privacy preserving web filtering’, to attend sessions on standards development relevant to our work at IWF, and to engage with members of the standards community. I had previously attended an event at IETF 115 London, but Yokohama was my first full in-person experience as an active IETF participant.

Internet standards can have significant impact on our lives, and I believe it’s important that stakeholders from a diverse range of backgrounds participate in the standards-setting processes. In the remainder of this article, I want to share some of my experiences as a newcomer at the IETF 116 meeting as a way of hopefully helping others who are taking their first steps with the community.

TL:DR - If you're considering engaging with the IETF, please do! Especially if you come from the policy making or end-user communities or civil society. Don’t be put off by some of the unintended barriers to entry. As with any community, I believe that better decisions are made by diverse groups and urge others that wish to involve themselves in the development of future Internet standards to consider adding their expertise to the IETF. We will all benefit from strong and effective standards bodies, I’m glad that I was able to take the first steps as a new IETF participant and look forward to continuing to doing so in the future.

The IETF - an overview

The IETF holds meetings three times per year, typically rotating between the Americas (usually the US or Canada), Europe and Asia/Australasia for the three meetings. The main agenda comprises a large number of research and working groups that meet over the course of a week. Working groups cover standards development in different technical areas and produce and refine Internet-Drafts which, if agreed by ‘rough consensus’, ultimately go on to become standards that are often (but not always) adopted by industry.

Standards can be technical innovations from industry which may already be implemented and are seeking wider standardisation. QUIC, for example, was developed and implemented by Google before coming to IETF to be standardised. Standards can also cover new developments, informational documents, best practice in a given area and more general principles without reference to specific technologies. When published by the IETF, the standards are known as RFCs (request for comments), each with an individual number; e.g., RFC 8890.

First observations

While not everyone involved in the IETF attended in person, there were over 1,000 participants onsite in Yokohama, with a further 600 or so joining remotely from around the world. After attending the first few working group meetings, it was clear to me who the well-known - and presumably influential - attendees were, by their level of participation in the discussion, their overall confidence, and by how comfortable they appeared in the environment. Many of these individuals also appeared to hold, or have previously held, formal positions of authority in the IETF, for example as working group chairs or area directors, the latter being responsible for overseeing multiple working groups and providing technical leadership in a specific subject area throughout the IETF.

The IETF community ratifies, or accepts, work through debate. Influence often appeared to relate to an individual’s willingness to stand up in a room (or on a mailing list) and argue in support of or against others as well as their technical ability to support those arguments with reference to past RFCs or accepted IETF practices. This meant disagreements were common, including robust discussions on everything from the distance between the hotel and the venue to the validity of documenting the differences between IP-based blocking with IPv4 and IPv6. The mailing list included heated exchanges with strongly held views on the pros and cons of mask wearing.

Community culture

One of the research groups that met during the week - the Research and Analysis of Standard-Setting Processes Proposed Research Group - featured several presentations from academics that considered IETF processes and culture. The primary talk in the research group was from Corinne Cath on her PhD research into the IETF culture and practices. As a newcomer to the IETF, I found this to be particularly timely and helpful.

In the research group discussion, Corinne stated that the IETF is "procedurally open but in practice quite thorny" and "an organisation that prides itself in abrasiveness…informal practices within the IETF are exclusionary because they are masculine practices" making the IETF "unattractive for participants who don’t identify as male". In her thesis, Corinne argued that engineers focused on issues that were relevant to communication rights, and mainly on concerns prevalent in technical communities such as individualism, privacy and freedom from government interference (Cath, p.16).

Corinne also noted that the civil society groups American Civil Liberties Union (ACLU), the Centre for Democracy and Technology (CDT), the Electronic Frontier Foundation (EFF), and ARTICLE19 directly participate in Internet governance organisations. While those groups have successfully engaged with, and earned respect from, the IETF engineering communities, they generally share the same values and focus on communication rights, online privacy, and concerns about government interference online.

Overall, my impression is that there is a strong cyberlibertarian strand running through many of the more established members of the IETF community, and that the overall culture is one where strong challenge is tolerated. Because of this, it can feel quite daunting for new participants to engage, especially if their views and experiences diverge from the established orthodoxy.

Community engagement

As is common with many conferences, in-person participation enables additional informal discussion with others outside of the main meeting agenda. I took the opportunity to engage with a number of long-standing IETF participants to understand the best way to approach the community with new ideas. The feedback I received was that "IETF takes things that are 70% done at takes them that last 30%" - the advice for future meetings was to bring something practical, such as a solution or Internet-Draft (i.e., an initial draft for a future RFC) that the IETF community can review and debate, either in-person or on one of the many mailing lists.

Whilst the post is focused on my observations from attending a physical meeting, it is worth noting that the formal IETF processes require decisions of working groups to be ratified on mailing lists. Consequently, there are a large number of separate mailing lists, most associated with individual working groups. Any active IETF participant needs ensure that they subscribe to these as well as taking part in any in-person discussions.

Role of the IETF

Based on observations of discussions in several working groups, I noticed that there appears to be some conflict regarding the IETF’s role in creating or refusing to create Internet standards. Is it there to create standards and best practice, regardless of whether the community agrees with what is being standardised? Or does it use standards to decide how the internet should and should not work by publishing some RFCs and obstructing others?

Some members of the community seem to focus more on identifying the best theoretical technical solutions whereas others appear to be more pragmatic, or perhaps have more focus on current operational practices. This may reflect differences in roles and experience. I noted that, probably unsurprisingly, the developer community seems to well-represented, whereas there were rather fewer people from end-user organisations, civil society, government bodies, etc.

Side meeting on privacy preserving web filtering

One of the reasons I went to IETF 116 was to follow up on a discussion I started with some members of the community during a side meeting at IETF 115 in November 2022. I was able to schedule a further side meeting during IETF 116 early one evening focused on the topic of privacy-preserving web filtering, as I believe it is technically possible to prevent child sexual abuse material from being circulated without impinging on privacy, breaking encryption, etc.

My side meeting in Yokohama was well attended by 30-40 people from a variety of backgrounds. I gave a short presentation outlining the problem and clarifying why the distribution and hosting of child sexual abuse material is an online problem, one that has grown exponentially in scale since the early days of the Internet. Participants were provided snapshots of data to support this assessment, including statistics from the IWF annual report, WeProtect Global Threat Assessment, and academic research. The slides also touched on solutions, with reference to feedback from 115, including client-side filtering and closed environment filtering (for example in school and enterprise networks).

One of the stronger criticisms of raising the topic was that 'we [the IETF] have already discussed this' and there was no reason to keep rehashing the same argument. As a new attendee, I argued both that I was not part of or aware of previous discussions (which is reason in itself to reassess the previous consensus), and also that the imminent adoption of online safety regulation in the UK and EU is a strong reason to revisit these discussions.

The other pertinent question was what role, if any, the IETF has in the topic of online filtering. Feedback from many of those present was that the community provides analysis and comments on solutions, but that the IETF itself does not develop anything, it creates\debates\ratifies new or existing internet technologies that are seeking standardisation. I proposed that even if the community as a whole does not agree with filtering, if it is happening or going to happen, then the IETF does have a role in documenting best practice, creating standards which do not impinge on user privacy.

I described how privacy enhancing technology has demonstrated that two bits of information (such as URLs) can be compared, matched, and actioned without knowing anything of value about either part or communicating anything to third parties. Much of the discussion focused on client-side filtering, specifically Google’s Safe Browsing suite, which already performs a very similar URL based function to protect users against malware and social engineering threats. Some felt that the optional nature of Safe Browsing (on by default, but end users could turn if off) mostly mitigated ‘slippery slope’ concerns around monitoring, surveillance or censorship outside of the intended purpose(s).

I believe the side meeting would have benefitted from a practical example of how privacy-preserving web filtering could be done at a network level to move beyond the theoretical ‘slippery slope’ arguments to a more technical (rather than ideological or emotion) assessment of real-world solutions. While I felt the meeting was productive and stimulated useful conversations during and after, I do not plan to host another side meeting on the same topic without an accompanying Internet-Draft, which would need to justify why the topic is of relevant to the IETF.

Concluding thoughts

As noted above, IETF working group business is discussed and progressed over mailing lists and it is necessary to engage in these lists to view, participate and influence ongoing work between in person meetings. However, the in-person meetings are extremely valuable to build understanding about how the IETF works, who is participating and formally and informally influencing the standards that underpin much of the interoperability of the global Internet.

The IETF is highly technical in nature and difficult to engage with and understand without some level of technical expertise. The rituals and policies are also unusual, likely evolving from early technical communities, and much like other somewhat closed institutions must be observed and learnt to be able to engage in the ‘proper way’. While not overly political, the community that participants have a clear focus on online privacy and appear to be largely welcoming to civil society engagement from groups which share those values and have sufficient technical expertise.

Areas where I believe improvements could be made that would lead to better outcomes are two-fold. The nature of the debate can, at times, be very robust and I can see why many would be deterred from contributing or even participating as a result. Similarly, there is very limited diversity amongst participants, be that in terms of gender, ethnicity, or background, with a large percentage of people being white, male attendees from Western Europe or North America, mainly working for companies in the tech sector.

Despite the steep learning curve, I am glad that I made the considerable investment in time and money to attend the meeting in Yokohama and certainly intend to attend future meetings in person where possible, diary and finances permitting. Whilst there are some significant if unintentional barriers to entry, I found many members of the community are willing to provide the help needed to guide new participants.

As with any community, I believe that better decisions are made by diverse groups and urge others that wish to involve themselves in the development of future Internet standards to consider adding their expertise to the IETF. We will all benefit from strong and effective standards bodies, I’m glad that I was able to take the first steps as a new IETF participant and look forward to continuing to doing so in the future.