Ethics of RIPE Atlas Measurements
As many of you know, RIPE Atlas is built on the voluntary contributions of thousands of probe hosts worldwide. On the surface, RIPE Atlas may very well look like a convenient black box that produces useful data in an easy way. But please remember that, as a RIPE Atlas user, you are using someone else's Internet connection to do your measurements. As such, you are effectively a guest of these volunteers.
That said, when creating your measurements, please:
- DO spend some time thinking about whether the volunteers will be OK with the traffic you generate from their Internet connection. Do your best to consider the laws and customs of your hosts.
- DO consider the ethical and/or business rules of your own organisation. Consider the possibility that some people may regard your use of RIPE Atlas as human subject research, because the hosts tend to be human beings.
- DO bear in mind that the RIPE NCC may terminate your access to RIPE Atlas when your research creates complaints about unethical behaviour. Also, your behaviour may cause features to be removed and therefore other people may be affected by your behaviour.
- DON'T regard RIPE Atlas as a convenient black box, but keep in mind that, at the end of the day, you are a guest using someone else's Internet connection.
- DO be especially careful when you enjoy exemptions from standard restrictions or you have obtained extra credits.
Note that this is not an exclusive list. It is intended to make you aware of some of the potential issues and to encourage you to think carefully before starting your measurements.
The following material expands on these considerations and provides additional reading that may help you recognise ethical considerations surrounding your use of RIPE Atlas.
RIPE Atlas is an extensive measurement network, where the vantage points (sources of measurements) are hosted by volunteers: mostly individuals at home, but also some institutions (ISPs, IXPs, academia, various other businesses). All of these entities are aware that the probes they host will send out measurement traffic - that's the whole point of the network.
However, such trust has limits: the "measurers" also have to think about what it really means to carry out their measurements. For example, does a ping packet to a particular IP address have risks? Probably not. Neither does a traceroute measurement. But what about a DNS query? Is it safe to look up just about anything in every jurisdiction? How about explicitly looking for "this should be forbidden in some jurisdictions" names?
A researcher would probably refrain from sending traffic from their own home network if they suspected that this might get them into personal legal trouble. This is one of the reasons why, though the network is technically capable of executing HTTP measurements, they are only allowed towards "safe" destinations: the RIPE Atlas anchors (see HTTP Measurements with RIPE Atlas for more details).
Randy had been working with academic colleagues in Ebonia (name changed, of course) for many years. Ebonia was undergoing political change, maybe not for the better. His friends there wondered if the network was being censored or subverted. He thought it would be a good RIPE Atlas project to measure access and possible redirection to social media and news sites. When he mentioned this to his RIPE Atlas project friends, they whacked him with a clue bat. What if a probe host in Ebonia got in trouble for their probe doing an https access to a site that the Ebonian authorities did not like? When people with guns arrived at 3am, explaining that the probe was part of an Internet measurement study was not likely to help. Randy felt pretty silly for not having thought of this.
The lesson was that probe hosts are, in a sense, experimental subjects. And we experimenters have ethical responsibilities toward those subjects. Recently, ACM SIGCOMM had a major poolpah because of analogous research (see http://ensr.oii.ox.ac.uk/2015/09/10/workshop-report-acm-sigcomm-ethics/).
In the case of the Ebonian project, we wanted the consent of the probe hosts. Luckily, in this case, we were close to those folk handing out the probes; and these folk had significant authority to represent the probe hosts. And they very much wanted to the experiment done. So it is an ongoing measurement today.
A RIPE Atlas probe at somebody's home
This is not the first instance by far where ethical aspects of active Internet measurements are considered. Other people have thought about this before. Earlier this month Mark Allman and Craig Partridge published a detailed study on Ethical Considerations in Network Measurement Papers in which they discuss "Why ethical issues are different for network measurement versus traditional human-subject research, and propose requiring measurement papers to include a section on ethical considerations."
There was also the Menlo report, published by CAIDA in 2012, that discusses "Ethical Principles Guiding Information and Communication Technology Research". And even earlier, in 1978, the Belmont report was released, which summarised "ethical principles and guidelines for research involving human subjects".
Also note the paper on The Moral Character of Cryptographic Work in which the author states that the obligation for [ethic of responsibility] stems from three basic truths: that the work of scientists and engineers transforms society; that this transformation can be for the better or for the worse; and that what we do is arcane enough that we bring an essential perspective to public discourse.
Relevant Examples Involving RIPE Atlas
Some of the recent examples where researchers had to consider the potential risks of their actions include:
- Google search results: at some point the RIPE NCC was approached by researchers who wanted to check how similar results Google gives to various search terms in different regions/countries. We insisted on only using generic, risk-free search terms such as "cat" and "dog".
Research on Global Network Interference Detection over the RIPE Atlas Network (by Collin Anderson and Philipp Winter)
Various recent studies on DNS censorship, e.g.:
- A RIPE Atlas View of Meddling with the Internet in Turkey: In March 2014 RIPE Atlas observed latencies to Google's 184.108.40.206 DNS resolver service drop in Turkey. Emile Aben analysed this.
- DNS Censorship as Seen by RIPE Atlas: Stéphane Bortzmeyer is using RIPE Atlas to verify that more and more governments, authorities and courts are requesting censorship of Internet content.
- Operator Level DNS Hijacking and other DNS related censorship in Iran: Babak Farrokhi published a series of articles in which he describes how he is using RIPE Atlas to observe DNS censorship and hijacking. The newest one in this series being Orange Blacklisting: A Case for Measuring Censorship by Stéphane Bortzmeyer.
There are other examples where RIPE Atlas has been used to look into these kinds of topics.
When designing, maintaining, operating and enhancing the RIPE Atlas system, we are always consciously thinking about the ethical impact such activities may have (see more on this in the IP Journal issue outlining RIPE Atlas). But that in itself is not enough; users also have to ensure that they too are taking ethical principles into account when using the RIPE Atlas infrastructure.
- Network System Ethics and Workshop on Ethics in Networked Systems Research (2015)
- Ethical Considerations in Network Measurement Papers (2016)
- Philosophy Meets Internet Engineering: Ethics in Networked Systems Research
- SIGCOMM 2015 Workshop on Ethics in Network Systems Research
- Ethical Review Process for Big Data Research
- Conducting an Ethical Study of Web Traffic
- Protecting human research participants in the age of big data (a response in PNAS to the Facebook emotional contagion study)
- Beyond the Belmont Principles: Ethical Challenges, Practices, and Beliefs in the Online Data Research Community (a survey of researchers and their ethics practices)
- And on a lighter note: Victor Frankenstein’s Institutional Review Board Proposal (1790)