You are here: Home > Publications > RIPE Labs > Robert Kisteleki > Ethics of RIPE Atlas Measurements

Ethics of RIPE Atlas Measurements

This article is intended to make RIPE Atlas users aware of ethical issues that could arise when using RIPE Atlas. We do not intend to propose any new formal processes or procedures to address the relevant ethical issues, but we do want to encourage members of the RIPE Atlas community to consider the ethical impact of their behaviour when using RIPE Atlas.

 

As many of you know, RIPE Atlas is built on the voluntary contributions of thousands of probe hosts worldwide. On the surface, RIPE Atlas may very well look like a convenient black box that produces useful data in an easy way. But please remember that, as a RIPE Atlas user, you are using someone else's Internet connection to do your measurements. As such, you are effectively a guest of these volunteers.

That said, when creating your measurements, please:

  • DO spend some time thinking about whether the volunteers will be OK with the traffic you generate from their Internet connection. Do your best to consider the laws and customs of your hosts.
  • DO consider the ethical and/or business rules of your own organisation. Consider the possibility that some people may regard your use of RIPE Atlas as human subject research, because the hosts tend to be human beings.
  • DO bear in mind that the RIPE NCC may terminate your access to RIPE Atlas when your research creates complaints about unethical behaviour. Also, your behaviour may cause features to be removed and therefore other people may be affected by your behaviour.
  • DON'T regard RIPE Atlas as a convenient black box, but keep in mind that, at the end of the day, you are a guest using someone else's Internet connection.
  • DO be especially careful when you enjoy exemptions from standard restrictions or you have obtained extra credits.

Note that this is not an exclusive list. It is intended to make you aware of some of the potential issues and to encourage you to think carefully before starting your measurements. 

The following material expands on these considerations and provides additional reading that may help you recognise ethical considerations surrounding your use of RIPE Atlas.

Background

RIPE Atlas is an extensive measurement network, where the vantage points (sources of measurements) are hosted by volunteers: mostly individuals at home, but also some institutions (ISPs, IXPs, academia, various other businesses). All of these entities are aware that the probes they host will send out measurement traffic - that's the whole point of the network.

However, such trust has limits: the "measurers" also have to think about what it really means to carry out their measurements. For example, does a ping packet to a particular IP address have risks? Probably not. Neither does a traceroute measurement. But what about a DNS query? Is it safe to look up just about anything in every jurisdiction? How about explicitly looking for "this should be forbidden in some jurisdictions" names? 

A researcher would probably refrain from sending traffic from their own home network if they suspected that this might get them into personal legal trouble. This is one of the reasons why, though the network is technically capable of executing HTTP measurements, they are only allowed towards "safe" destinations: the RIPE Atlas anchors (see HTTP Measurements with RIPE Atlas for more details).

Randy had been working with academic colleagues in Ebonia (name changed, of course) for many years. Ebonia was undergoing political change, maybe not for the better. His friends there wondered if the network was being censored or subverted. He thought it would be a good RIPE Atlas project to measure access and possible redirection to social media and news sites. When he mentioned this to his RIPE Atlas project friends, they whacked him with a clue bat. What if a probe host in Ebonia got in trouble for their probe doing an https access to a site that the Ebonian authorities did not like? When people with guns arrived at 3am, explaining that the probe was part of an Internet measurement study was not likely to help. Randy felt pretty silly for not having thought of this.

The lesson was that probe hosts are, in a sense, experimental subjects. And we experimenters have ethical responsibilities toward those subjects. Recently, ACM SIGCOMM had a major poolpah[0] because of analogous research (see http://ensr.oii.ox.ac.uk/2015/09/10/workshop-report-acm-sigcomm-ethics/).

In the case of the Ebonian project, we wanted the consent of the probe hosts. Luckily, in this case, we were close to those folk handing out the probes; and these folk had significant authority to represent the probe hosts. And they very much wanted to the experiment done. So it is an ongoing measurement today.

A RIPE Atlas probe at somebody's home

Previous Work

This is not the first instance by far where ethical aspects of active Internet measurements are considered. Other people have thought about this before. Earlier this month Mark Allman and Craig Partridge published a detailed study on Ethical Considerations in Network Measurement Papers in which they discuss "Why ethical issues are different for network measurement versus traditional human-subject research, and propose requiring measurement papers to include a section on ethical considerations."

There was also the Menlo report, published by CAIDA in 2012, that discusses "Ethical Principles Guiding Information and Communication Technology Research". And even earlier, in 1978, the Belmont report was released, which summarised "ethical principles and guidelines for research involving human subjects".

Also note the paper on The Moral Character of Cryptographic Work in which the author states that the obligation for [ethic of responsibility] stems from three basic truths: that the work of scientists and engineers transforms society; that this transformation can be for the better or for the worse; and that what we do is arcane enough that we bring an essential perspective to public discourse.

Relevant Examples Involving RIPE Atlas

Some of the recent examples where researchers had to consider the potential risks of their actions include:

There are other examples where RIPE Atlas has been used to look into these kinds of topics. 

Conclusion

When designing, maintaining, operating and enhancing the RIPE Atlas system, we are always consciously thinking about the ethical impact such activities may have (see more on this in the IP Journal issue outlining RIPE Atlas). But that in itself is not enough; users also have to ensure that they too are taking ethical principles into account when using the RIPE Atlas infrastructure.

Other References

 

 

2 Comments

Babak Farrokhi says:
13 Nov, 2016 02:56 PM
This is a very important issue that researchers should keep in mind when running RIPE Atlas measurements. They may want to select their probe origins carefully, keeping in mind that some DNS or HTTP requests would cause trouble for the probe host.
While RIPE Atlas already has relevant measures to prevent eventual misuse, but some normal requests may trigger alerts in some networks that is undesired for probe hosts.
On the other hand I believe people hosting probes should also be aware of such potential issues, when deploying in networks with strict policies (or have IDS monitoring their traffic) or in regions with restrictive regulations.
Stéphane Bortzmeyer says:
14 Nov, 2016 11:48 PM
@Babak HTTP requests cannot create a problem today, since they are directed only to the Anchors. Indeed, one of the reasons of this limitation is precisely the risk for the probe owner. DNS requests can be more dangerous. Today, they are less often monitored than HTTP requests in most cases, so they are often "under the radar", but this may change in the future (NSA's MoreCowBell and so on).

Warning probe owners of the potential risks is certainly a good thing. We must be aware that it will mean, in the future, less probes in what are precisely the most interesting countries :-(
Add comment

You can add a comment by filling out the form below. Only plain text is possible. Web and email addresses will be transformed into clickable links. Comments are moderated so they won't appear immediately.