Proposing Making RIPE Atlas Data More Public

RIPE Atlas is now three years old, and is moving from a prototype to production service. Based on our experience so far, observing typical usage and listening to user feedback, we suggest opening up the publication of measurement data further. In this article we aim to clarify the current situation regarding privacy, and ask for community input about our suggested plan to move forward.

One of the main purposes of RIPE Atlas is to share information about Internet performance, which we collect via the active measurements performed by the thousands of probes in the RIPE Atlas network.

The RIPE NCC collects this information and develops interesting results and analyses based on the aggregated data, such as latency maps . The more measurement data that's collected, the better the results, such as greater resolution of the maps.

Users can contribute by running their own user-defined measurements and sharing this data by marking the results "public". Users also have the option of making their measurement data less publicly available. Currently:

~3,447 out of 4,540 probes are marked "public" (76%)
~93% of all user-defined measurements are marked "public"

As RIPE Atlas becomes a full production service, we'd like to suggest making all future measurement data fully public, while keeping users' personal information private.

At the end of the article you can find a table showing an overview of the current situation and the proposed changes.

The second goal of this article is to explain exactly what is and isn't public in the current system.

Current practice

At the beginning of the RIPE Atlas project, we thought it would be a good idea to make it possible for users to choose whether to mark their probe and measurements as "public" or not. This was done in case, for some reason, certain users did not want to openly share their measurement results with others.

We want to explain in detail the consequences of marking measurements and probes "public" or not, in order to prevent unrealistic expectations.

Measurements not marked "public"

By default, a user-defined measurement (UDM) is marked "public", although the user can explicitly uncheck this field. When a UDM is not marked "public", it is not included in the lists of all public measurements for all other users to see.

However, since each UDM is performed from multiple probes hosted by different users, hosts of those probes involved in the measurement will be able to see this specific UDM in their "Assigned UDMs" list when logged in to RIPE Atlas. The name of the person who started the measurement will not be shown, but the IP address of the destination, or the hostname if that was used as a target, will be visible. It is also possible for the host of the probe being used for the measurement to download the UDM results.

For example, if you have used my RIPE Atlas probe for your measurement that is not marked "public", this is what I will be able to see (under My Atlas) when logged in:

Assigned UDMs "Assigned UDMs" as seen by the owner of the probe being used for that UDM

Probes not marked "public"

It is possible to choose not to list your probe as "public", in which case it will not appear in the list visible to all RIPE Atlas users.

Probes not marked "public" are still used for the built-in measurements that the RIPE NCC runs, and results are used to create maps and in an aggregated form for other analyses. Information about these probes on the map will not show their IP addresses. However, the IP address of the probe cannot be hidden in the aggregated data. For example, in the analysis of the Hurricane Sandy impact , aggregated data from built-in measurements was used, including non-"public" probes. As seen in the figure below, in the interactive map for visualising effects of Hurricane Sandy, the traceroutes do reveal the IP addresses of probes, even if those probes were not marked "public".

Traceroute results used in analysis of effects of Hurricane Sandy

Probes not marked "public" can also be used by other RIPE Atlas users to perform their own UDMs. Those users will see the IP addresses of these probes used in their UDMs as a "source IP". In case of traceroute measurements, internal hop IP addresses are also displayed.

"Public" probes

When a probe is marked "public", it is listed in the display of all the public probes (available under My Atlas > Probes). Logged-in users can see the built-in measurements the probe is involved in, as well as result logs, probe IDs, uptime information, assigned user-defined measurements, and the probe's last 25 connections to the RIPE Atlas infrastructure.

Personal information

Even if the probe is marked "public", the personal details of the probe host are never revealed . RIPE Atlas users cannot see configuration settings, MAC addresses, DNS entries or email addresses for any probe in the RIPE Atlas network.

View of a RIPE Atlas probe marked "public"

Reasons to have open measurement data

We believe there are several compelling philosophical reasons to move towards a system in which all probes and measurements are "public":

Sharing information about Internet performance is at the heart of collaborative efforts such as RIPE Atlas

Public measurement data adds the greatest value to everyone taking part in RIPE Atlas: other users, network operators, researchers and the wider Internet community

Having open measurement data, in addition to the already open measurement source code, would strengthen the growing "open" movement , which we believe is worth supporting

There are also practical, operational reasons for making all RIPE Atlas measurements public:

To help limit the load on individual probes, users need to be able to see all the measurements running to the target of their choice

Collecting non-"public" measurement data mixed with "public" data results in additional operational overhead

The details of what is considered "public" and non-"public" are complex, and removing the distinction would help clarify the documentation and communication that we provide for our users

Allowing for non-"public" measurement data is extremely operationally expensive

The more public measurement data that is collected, the more useful the results and services we can provide to the whole Internet community

Users' personal data and privacy

Although we believe that having public measurement data contributes the most to the goal of RIPE Atlas, the RIPE NCC greatly values our users' privacy. Therefore:

The name, personal details (home address) and contact details (email address) of probe hosts are not shared with other users, third parties or the general public

The names and contact details of the users involved in a particular measurement are not publicly available

RIPE Atlas does not use the email addresses specified as the username for the RIPE NCC account for regular communication with probe hosts (except for operational reasons); instead, we have an opt-in mailing list for probe hosts, and there is an option to specify a separate email address for system notifications

We plan to keep all these measures in place in order to continue protecting our users' privacy, and if you have other suggestions about how we can improve on these measures, please let us know.

However, for the technical reasons mentioned above, it is important for RIPE Atlas probe hosts to realise that the IP addresses and hostnames of the source and destination of every measurement can be seen by a subset of other probe hosts.

Also, we may include your name and country location on the "Community" pages to promote the most active users and new probe hosts.

Suggested changes

As RIPE Atlas becomes a full production service, we would like to move towards making the probes and measurement data as open as possible. In order to reach that goal, we suggest the following steps:

From a future date onwards, make all new probes "public", and make new measurements "public" both for new and existing RIPE Atlas users (i.e. no longer offer the option to not mark new probes and new measurements as "public")
The proposed date to implement these changes is mid-April 2014
We are looking for your comments and feedback by 1 February 2014

This means that all probes and measurements that were not marked "public" by April 2014 would remain non-"public" (with all the caveats stated above), but all new probes and measurements will be public by default.

The table below provides an overview of the current situation and the proposed changes.

	Always private	Private (now)	Public (now)	Public (future)
Probe marked public	Email address MAC address DNS entry Config details		IP address List of built-in measurements List of UDMs IP address (on the map)	All new probes included in "Public Probes" list Source IP in other people's UDMs Internal hop IPs in traceroutes
Probe NOT marked public	Same as above	IP address (on the map) Not included in "Public Probes" list	Source IP in other people's UDMs Internal hop IPs in traceroutes	Same as before (only for old probes)
Measurement marked public	Username of the owner		Results Source & destination	All new measurements included in "Public Measurements" list Results, source & destination IP/hostname
Measurement NOT marked public	Username of the owner	Not included in "Public Measurements" list	Listed as "Assigned UDM" on probes involved: source IP and target hostname visible	Same as before (only for old measurements)

Your feedback

We are looking for the opinions of RIPE Atlas users and the RIPE community, and will not make any changes to the current situation until we get your feedback and decide together the best way forward. Please let us know whether you agree with our plan or whether you have other suggestions.

Please send us your feedback by 1 February 2014.

Please let us know what you think on the MAT Working Group Mailing List.

For private feedback, please contact Vesna Manojlovic, Senior Community Builder, at BECHA@ripe.net .

Comments 7

Comments are disabled on articles published more than a year ago. If you'd like to inform us of any issues, please reach out to us via the contact form here.

sm • 03 Jan 2014 02:32

I disagree with you. You have not to choose the policy on probes installed on a network which is not yours.

Stephan Mueller • 04 Jan 2014 02:58

With all due respect, there was already a policy in place, when people started requesting probes, and then added them to their network. Now, we want to have a discussion on which are viable changes and which are not. What is it exactly that you disagree on? Any specific points in the suggested changes?

sm • 04 Jan 2014 22:16

I disagree with revoking private status.

Stephan Mueller • 04 Jan 2014 03:03

I'm not a networking guru, but wouldn't public "Internal hop IPs in traceroutes" be something admins could be worried about, or am I mislead by "internal hop"?

Robert Kisteleki • 15 Jan 2014 13:36

In order to (theoretically) be able to filter "internal hops", one would need to know how to define them, which in itself is not easy. Are these the NAT-looking hops? How about probes behind (multiple) firewalls? And so on. Beyond this: would we need to provide two versions of all this data (one filtered and one not)? This can become very complex very quickly.

Riccardo Alessandri • 19 Aug 2015 09:07

I would like to have again the possibility to create a new "non-public" measurements via web interface. I think that disabling this opportunity is too aggressive way to force people to make their own measurements public.

Vesna Manojlovic • 21 Aug 2015 10:57

Hi Riccardo, It is still possible to create "non-public" measurements, but only using API. We are reasoning that if the web interface would allow it too, it would be too easy for users to un-intentionally create non-public measurements. We want to encourage our users to make their measurements public because openly available data adds the greatest value to everyone taking part in RIPE Atlas, and sharing information is at the heart of such collaborative efforts.

Proposing Making RIPE Atlas Data More Public

Vesna Manojlovic