Proposing Making RIPE Atlas Data More Public

Vesna Manojlovic — Dec 17, 2013 12:15 PM
RIPE Atlas is now three years old, and is moving from a prototype to production service. Based on our experience so far, observing typical usage and listening to user feedback, we suggest opening up the publication of measurement data further. In this article we aim to clarify the current situation regarding privacy, and ask for community input about our suggested plan to move forward.

One of the main purposes of RIPE Atlas is to share information about Internet performance, which we collect via the active measurements performed by the thousands of probes in the RIPE Atlas network. 

The RIPE NCC collects this information and develops interesting results and analyses based on the aggregated data, such as latency maps. The more measurement data that's collected, the better the results, such as greater resolution of the maps. 

Users can contribute by running their own user-defined measurements and sharing this data by marking the results "public". Users also have the option of making their measurement data less publicly available. Currently:

  • ~3,447 out of 4,540 probes are marked "public" (76%)
  • ~93% of all user-defined measurements are marked "public"

As RIPE Atlas becomes a full production service, we'd like to suggest making all future measurement data fully public, while keeping users' personal information private.

At the end of the article you can find a table showing an overview of the current situation and the proposed changes.

The second goal of this article is to explain exactly what is and isn't public in the current system.

Current practice

At the beginning of the RIPE Atlas project, we thought it would be a good idea to make it possible for users to choose whether to mark their probe and measurements as "public" or not. This was done in case, for some reason, certain users did not want to openly share their measurement results with others.  

We want to explain in detail the consequences of marking measurements and probes "public" or not, in order to prevent unrealistic expectations. 

Measurements not marked "public"

By default, a user-defined measurement (UDM) is marked "public", although the user can explicitly uncheck this field. When a UDM is not marked "public", it is not included in the lists of all public measurements for all other users to see.

However, since each UDM is performed from multiple probes hosted by different users, hosts of those probes involved in the measurement will be able to see this specific UDM in their "Assigned UDMs" list when logged in to RIPE Atlas. The name of the person who started the measurement will not be shown, but the IP address of the destination, or the hostname if that was used as a target, will be visible. It is also possible for the host of the probe being used for the measurement to download the UDM results. 

For example, if you have used my RIPE Atlas probe for your measurement that is not marked "public", this is what I will be able to see (under My Atlas) when logged in: 

Figure: "Assigned UDMs" as seen by the owner of the probe being used for that UDM

Probes not marked "public"

It is possible to choose not to list your probe as "public", in which case it will not appear in the list visible to all RIPE Atlas users.  

Probes not marked "public" are still used for the built-in measurements that the RIPE NCC runs, and results are used to create maps and in an aggregated form for other analyses. Information about these probes on the map will not show their IP addresses. However, the IP address of the probe cannot be hidden in the aggregated data. For example, in the analysis of the Hurricane Sandy impact, aggregated data from built-in measurements was used, including non-"public" probes. As seen in the figure below, in the interactive map for visualising effects of Hurricane Sandy, the traceroutes do reveal the IP addresses of probes, even if those probes were not marked "public".  

Figure: Traceroute results used in analysis of effects of Hurricane Sandy

Probes not marked "public" can also be used by other RIPE Atlas users to perform their own UDMs. Those users will see the IP addresses of these probes used in their UDMs as a "source IP". In case of traceroute measurements, internal hop IP addresses are also displayed. 

"Public" probes

When a probe is marked "public", it is listed in the display of all the public probes (available under My Atlas > Probes). Logged-in users can see the built-in measurements the probe is involved in, as well as result logs, probe IDs, uptime information, assigned user-defined measurements, and the probe's last 25 connections to the RIPE Atlas infrastructure. 

Personal information

Even if the probe is marked "public", the personal details of the probe host are never revealed. RIPE Atlas users cannot see configuration settings, MAC addresses, DNS entries or email addresses for any probe in the RIPE Atlas network. 

Figure: View of a RIPE Atlas probe marked "public"

Reasons to have open measurement data

We believe there are several compelling philosophical reasons to move towards a system in which all probes and measurements are "public": 

  • Sharing information about Internet performance is at the heart of collaborative efforts such as RIPE Atlas
  • Public measurement data adds the greatest value to everyone taking part in RIPE Atlas: other users, network operators, researchers and the wider Internet community 
  • Having open measurement data, in addition to the already open measurement source code, would strengthen the growing "open" movement, which we believe is worth supporting

There are also practical, operational reasons for making all RIPE Atlas measurements public:

  • To help limit the load on individual probes, users need to be able to see all the measurements running to the target of their choice 
  • Collecting non-"public" measurement data mixed with "public" data results in additional operational overhead 
  • The details of what is considered "public" and non-"public" are complex, and removing the distinction would help clarify the documentation and communication that we provide for our users
  • Allowing for non-"public" measurement data is extremely operationally expensive
  • The more public measurement data that is collected, the more useful the results and services we can provide to the whole Internet community

Users' personal data and privacy

Although we believe that having public measurement data contributes the most to the goal of RIPE Atlas, the RIPE NCC greatly values our users' privacy. Therefore: 

  • The name, personal details (home address) and contact details (email address) of probe hosts are not shared with other users, third parties or the general public
  • The names and contact details of the users involved in a particular measurement are not publicly available 
  • RIPE Atlas does not use the email addresses specified as the username for the RIPE NCC account for regular communication with probe hosts (except for operational reasons); instead, we have an opt-in mailing list for probe hosts, and there is an option to specify a separate email address for system notifications

We plan to keep all these measures in place in order to continue protecting our users' privacy, and if you have other suggestions about how we can improve on these measures, please let us know.

However, for the technical reasons mentioned above, it is important for RIPE Atlas probe hosts to realise that the IP addresses and hostnames of the source and destination of every measurement can be seen by a subset of other probe hosts.

Also, we may include your name and country location on the "Community" pages to promote the most active users and new probe hosts.

Suggested changes

As RIPE Atlas becomes a full production service, we would like to move towards making the probes and measurement data as open as possible. In order to reach that goal, we suggest the following steps:

  1. From a future date onwards, make all new probes "public", and make new measurements "public" both for new and existing RIPE Atlas users (i.e. no longer offer the option to not mark new probes and new measurements as "public")
  2. The proposed date to implement these changes is mid-April 2014 
  3. We are looking for your comments and feedback by 1 February 2014 

This means that all probes and measurements that were not marked "public" by April 2014 would remain non-"public" (with all the caveats stated above), but all new probes and measurements will be public by default.

The table below provides an overview of the current situation and the proposed changes.

| | Always private | Private (now) | Public (now) | Public (future) |
|---|---|---|---|---|
| Probe marked public | Email address; MAC address; DNS entry; Config details | | IP address; List of built-in measurements; List of UDMs; IP address (on the map) | All new probes included in "Public Probes" list; Source IP in other people's UDMs; Internal hop IPs in traceroutes |
| Probe NOT marked public | Same as above | IP address (on the map); Not included in "Public Probes" list | Source IP in other people's UDMs; Internal hop IPs in traceroutes | Same as before (only for old probes) |
| Measurement marked public | Username of the owner | | Results; Source & destination | All new measurements included in "Public Measurements" list; Results, source & destination IP/hostname |
| Measurement NOT marked public | Username of the owner | Not included in "Public Measurements" list | Listed as "Assigned UDM" on probes involved: source IP and target hostname visible | Same as before (only for old measurements) |

Your feedback

We are looking for the opinions of RIPE Atlas users and the RIPE community, and will not make any changes to the current situation until we get your feedback and decide together the best way forward. Please let us know whether you agree with our plan or whether you have other suggestions.

Please send us your feedback by 1 February 2014.
Please let us know what you think on the MAT Working Group Mailing List.

For private feedback, please contact Vesna Manojlovic, Senior Community Builder, at .

5 Comments

sm says:
Jan 03, 2014 03:32 AM
I disagree with you. You have not to choose the policy on probes installed on a network which is not yours.

Stephan Mueller says:
Jan 04, 2014 03:58 AM
With all due respect, there was already a policy in place, when people started requesting probes, and then added them to their network.
Now, we want to have a discussion on which are viable changes and which are not.
What is it exactly that you disagree on? Any specific points in the suggested changes?

sm says:
Jan 04, 2014 11:16 PM
I disagree with revoking private status.

Stephan Mueller says:
Jan 04, 2014 04:03 AM
I'm not a networking guru, but wouldn't public "Internal hop IPs in traceroutes" be something admins could be worried about, or am I misled by "internal hop"?

Robert Kisteleki says:
Jan 15, 2014 02:36 PM
In order to (theoretically) be able to filter "internal hops", one would need to know how to define them, which in itself is not easy. Are these the NAT-looking hops? How about probes behind (multiple) firewalls? And so on. Beyond this: would we need to provide two versions of all this data (one filtered and one not)? This can become very complex very quickly.