RIPE Atlas is now three years old, and is moving from a prototype to a production service. Based on our experience so far, observing typical usage and listening to user feedback, we suggest opening up the publication of measurement data further. In this article we aim to clarify the current situation regarding privacy, and ask for community input about our suggested plan to move forward.
One of the main purposes of RIPE Atlas is to share information about Internet performance, which we collect via the active measurements performed by the thousands of probes in the RIPE Atlas network.
The RIPE NCC collects this information and develops interesting results and analyses based on the aggregated data, such as latency maps. The more measurement data that's collected, the better the results, such as greater resolution of the maps.
Users can contribute by running their own user-defined measurements and sharing this data by marking the results "public". Users also have the option of making their measurement data less publicly available. Currently:
- ~3,447 out of 4,540 probes are marked "public" (76%)
- ~93% of all user-defined measurements are marked "public"
As RIPE Atlas becomes a full production service, we'd like to suggest making all future measurement data fully public, while keeping users' personal information private.
At the end of the article you can find a table showing an overview of the current situation and the proposed changes.
The second goal of this article is to explain exactly what is and isn't public in the current system.
Current practice
At the beginning of the RIPE Atlas project, we thought it would be a good idea to make it possible for users to choose whether to mark their probe and measurements as "public" or not. This was done in case, for some reason, certain users did not want to openly share their measurement results with others.
We want to explain in detail the consequences of marking measurements and probes "public" or not, in order to prevent unrealistic expectations.
Measurements not marked "public"
By default, a user-defined measurement (UDM) is marked "public", although the user can explicitly uncheck this field. When a UDM is not marked "public", it is not included in the lists of all public measurements for all other users to see.
However, since each UDM is performed from multiple probes hosted by different users, hosts of those probes involved in the measurement will be able to see this specific UDM in their "Assigned UDMs" list when logged in to RIPE Atlas. The name of the person who started the measurement will not be shown, but the IP address of the destination, or the hostname if that was used as a target, will be visible. It is also possible for the host of the probe being used for the measurement to download the UDM results.
For example, if you have used my RIPE Atlas probe for your measurement that is not marked "public", this is what I will be able to see (under My Atlas) when logged in:
[Figure: "Assigned UDMs" as seen by the owner of the probe being used for that UDM]
Probes not marked "public"
It is possible to choose not to list your probe as "public", in which case it will not appear in the list visible to all RIPE Atlas users.
Probes not marked "public" are still used for the built-in measurements that the RIPE NCC runs, and results are used to create maps and in an aggregated form for other analyses. Information about these probes on the map will not show their IP addresses. However, the IP address of the probe cannot be hidden in the aggregated data. For example, in the analysis of the Hurricane Sandy impact, aggregated data from built-in measurements was used, including non-"public" probes. As seen in the figure below, in the interactive map for visualising effects of Hurricane Sandy, the traceroutes do reveal the IP addresses of probes, even if those probes were not marked "public".
[Figure: Traceroute results used in analysis of effects of Hurricane Sandy]
Probes not marked "public" can also be used by other RIPE Atlas users to perform their own UDMs. Those users will see the IP addresses of these probes used in their UDMs as a "source IP". In the case of traceroute measurements, internal hop IP addresses are also displayed.
"Public" probes
When a probe is marked "public", it is listed in the display of all the public probes (available under My Atlas > Probes). Logged-in users can see the built-in measurements the probe is involved in, as well as result logs, probe IDs, uptime information, assigned user-defined measurements, and the probe's last 25 connections to the RIPE Atlas infrastructure.
Personal information
Even if the probe is marked "public", the personal details of the probe host are never revealed. RIPE Atlas users cannot see configuration settings, MAC addresses, DNS entries or email addresses for any probe in the RIPE Atlas network.
Reasons to have open measurement data
We believe there are several compelling philosophical reasons to move towards a system in which all probes and measurements are "public":
- Sharing information about Internet performance is at the heart of collaborative efforts such as RIPE Atlas
- Public measurement data adds the greatest value to everyone taking part in RIPE Atlas: other users, network operators, researchers and the wider Internet community
- Having open measurement data, in addition to the already open measurement source code, would strengthen the growing "open" movement, which we believe is worth supporting
- To help limit the load on individual probes, users need to be able to see all the measurements running to the target of their choice
- Collecting non-"public" measurement data mixed with "public" data results in additional operational overhead
- The details of what is considered "public" and non-"public" are complex, and removing the distinction would help clarify the documentation and communication that we provide for our users
- Allowing for non-"public" measurement data is extremely operationally expensive
- The more public measurement data that is collected, the more useful the results and services we can provide to the whole Internet community
Users' personal data and privacy
Although we believe that having public measurement data contributes the most to the goal of RIPE Atlas, the RIPE NCC greatly values our users' privacy. Therefore:
- The name, personal details (home address) and contact details (email address) of probe hosts are not shared with other users, third parties or the general public
- The names and contact details of the users involved in a particular measurement are not publicly available
- RIPE Atlas does not use the email addresses specified as the username for the RIPE NCC account for regular communication with probe hosts (except for operational reasons); instead, we have an opt-in mailing list for probe hosts, and there is an option to specify a separate email address for system notifications
Suggested changes
As RIPE Atlas becomes a full production service, we would like to move towards making the probes and measurement data as open as possible. In order to reach that goal, we suggest the following steps:
- From a future date onwards, make all new probes "public", and make new measurements "public" both for new and existing RIPE Atlas users (i.e. no longer offer the option to not mark new probes and new measurements as "public")
- The proposed date to implement these changes is mid-April 2014
- We are looking for your comments and feedback by 1 February 2014
| | Always private | Private (now) | Public (now) | Public (future) |
|---|---|---|---|---|
| Probe marked public | Email address; MAC address; DNS entry; Config details | | IP address; List of built-in measurements; List of UDMs; IP address (on the map) | All new probes included in "Public Probes" list; Source IP in other people's UDMs; Internal hop IPs in traceroutes |
| Probe NOT marked public | Same as above | IP address (on the map); Not included in "Public Probes" list | Source IP in other people's UDMs; Internal hop IPs in traceroutes | Same as before (only for old probes) |
| Measurement marked public | Username of the owner | | Results; Source & destination | All new measurements included in "Public Measurements" list; Results, source & destination IP/hostname |
| Measurement NOT marked public | Username of the owner | Not included in "Public Measurements" list | Listed as "Assigned UDM" on probes involved: source IP and target hostname visible | Same as before (only for old measurements) |
Comments 7
sm •
I disagree with you. You have not to choose the policy on probes installed on a network which is not yours.
Stephan Mueller •
With all due respect, there was already a policy in place, when people started requesting probes, and then added them to their network. Now, we want to have a discussion on which are viable changes and which are not. What is it exactly that you disagree on? Any specific points in the suggested changes?
sm •
I disagree with revoking private status.
Stephan Mueller •
I'm not a networking guru, but wouldn't public "Internal hop IPs in traceroutes" be something admins could be worried about, or am I misled by "internal hop"?
Robert Kisteleki •
In order to (theoretically) be able to filter "internal hops", one would need to know how to define them, which in itself is not easy. Are these the NAT-looking hops? How about probes behind (multiple) firewalls? And so on. Beyond this: would we need to provide two versions of all this data (one filtered and one not)? This can become very complex very quickly.
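As an added illustration of the difficulty raised in the comment above (not RIPE Atlas code and not part of the original thread): a filter that treats only "NAT-looking" address ranges as internal. The hop list is a constructed, simplified stand-in for a traceroute result, the function names are hypothetical, and the documentation-range addresses stand in for public ones.

```python
import ipaddress

# Ranges that "look like NAT" or are otherwise not globally routed:
# RFC 1918, RFC 6598 (carrier-grade NAT), link-local, IPv6 ULA.
NAT_LOOKING = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]


def looks_internal(addr):
    """True if addr falls inside one of the NAT_LOOKING ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net
               for net in NAT_LOOKING)


def redact(hops):
    """Replace NAT-looking hops; return (filtered_hops, redacted_count).

    hops is a list of address strings, with None for a hop that
    did not answer.
    """
    filtered, count = [], 0
    for hop in hops:
        if hop is not None and looks_internal(hop):
            filtered.append("redacted")
            count += 1
        else:
            filtered.append(hop)
    return filtered, count


# Constructed sample path (assumption: simplified to one address per hop).
SAMPLE_HOPS = [
    "192.168.1.1",   # home router behind NAT: caught
    "100.64.12.1",   # carrier-grade NAT hop: caught
    None,            # hop that did not answer
    "198.51.100.9",  # operator's internal router on a public address: missed
    "203.0.113.80",  # measurement target
]

if __name__ == "__main__":
    print(redact(SAMPLE_HOPS))
```

The fourth hop is internal to the operator's network, but no address-range rule can tell it apart from any other public hop, which is the definition problem the comment describes.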
Riccardo Alessandri •
I would like to have again the possibility to create new "non-public" measurements via the web interface. I think that disabling this opportunity is too aggressive a way to force people to make their own measurements public.
Vesna Manojlovic •
Hi Riccardo, It is still possible to create "non-public" measurements, but only using the API. We are reasoning that if the web interface would allow it too, it would be too easy for users to unintentionally create non-public measurements. We want to encourage our users to make their measurements public because openly available data adds the greatest value to everyone taking part in RIPE Atlas, and sharing information is at the heart of such collaborative efforts.