Robert Kisteleki

Ethics of RIPE Atlas Measurements

Contributors: Randy Bush, Vesna Manojlovic, Daniel Karrenberg, Mirjam Kühne, Stéphane Bortzmeyer, Emile Aben


This article is intended to make RIPE Atlas users aware of ethical issues that could arise when using RIPE Atlas. We do not intend to propose any new formal processes or procedures to address the relevant ethical issues, but we do want to encourage members of the RIPE Atlas community to consider the ethical impact of their behaviour when using RIPE Atlas.


 

As many of you know, RIPE Atlas is built on the voluntary contributions of thousands of probe hosts worldwide. On the surface, RIPE Atlas may very well look like a convenient black box that produces useful data in an easy way. But please remember that, as a RIPE Atlas user, you are using someone else's Internet connection to do your measurements. As such, you are effectively a guest of these volunteers.

That said, when creating your measurements, please:

  • DO spend some time thinking about whether the volunteers will be OK with the traffic you generate from their Internet connection. Do your best to consider the laws and customs of your hosts.
  • DO consider the ethical and/or business rules of your own organisation. Consider the possibility that some people may regard your use of RIPE Atlas as human subject research, because the hosts tend to be human beings.
  • DO bear in mind that the RIPE NCC may terminate your access to RIPE Atlas when your research creates complaints about unethical behaviour. Also, your behaviour may cause features to be removed and therefore other people may be affected by your behaviour.
  • DON'T regard RIPE Atlas as a convenient black box, but keep in mind that, at the end of the day, you are a guest using someone else's Internet connection.
  • DO be especially careful when you enjoy exemptions from standard restrictions or you have obtained extra credits.

Note that this is not an exclusive list. It is intended to make you aware of some of the potential issues and to encourage you to think carefully before starting your measurements. 

The following material expands on these considerations and provides additional reading that may help you recognise ethical considerations surrounding your use of RIPE Atlas.

Background

RIPE Atlas is an extensive measurement network, where the vantage points (sources of measurements) are hosted by volunteers: mostly individuals at home, but also some institutions (ISPs, IXPs, academia, various other businesses). All of these entities are aware that the probes they host will send out measurement traffic - that's the whole point of the network.

However, such trust has limits: the "measurers" also have to think about what it really means to carry out their measurements. For example, does a ping packet to a particular IP address have risks? Probably not. Neither does a traceroute measurement. But what about a DNS query? Is it safe to look up just about anything in every jurisdiction? How about explicitly looking for "this should be forbidden in some jurisdictions" names? 

A researcher would probably refrain from sending traffic from their own home network if they suspected that this might get them into personal legal trouble. This is one of the reasons why, though the network is technically capable of executing HTTP measurements, they are only allowed towards "safe" destinations: the RIPE Atlas anchors (see HTTP Measurements with RIPE Atlas for more details).

Randy had been working with academic colleagues in Ebonia (name changed, of course) for many years. Ebonia was undergoing political change, maybe not for the better. His friends there wondered if the network was being censored or subverted. He thought it would be a good RIPE Atlas project to measure access and possible redirection to social media and news sites. When he mentioned this to his RIPE Atlas project friends, they whacked him with a clue bat. What if a probe host in Ebonia got in trouble for their probe doing an https access to a site that the Ebonian authorities did not like? When people with guns arrived at 3am, explaining that the probe was part of an Internet measurement study was not likely to help. Randy felt pretty silly for not having thought of this.

The lesson was that probe hosts are, in a sense, experimental subjects. And we experimenters have ethical responsibilities toward those subjects. Recently, ACM SIGCOMM had a major poolpah[0] because of analogous research (see http://ensr.oii.ox.ac.uk/2015/09/10/workshop-report-acm-sigcomm-ethics/).

In the case of the Ebonian project, we wanted the consent of the probe hosts. Luckily, in this case, we were close to those folk handing out the probes; and these folk had significant authority to represent the probe hosts. And they very much wanted the experiment done. So it is an ongoing measurement today.

A RIPE Atlas probe at somebody's home

Previous Work

This is not the first instance by far where ethical aspects of active Internet measurements are considered. Other people have thought about this before. Earlier this month Mark Allman and Craig Partridge published a detailed study on Ethical Considerations in Network Measurement Papers in which they discuss "Why ethical issues are different for network measurement versus traditional human-subject research, and propose requiring measurement papers to include a section on ethical considerations."

There was also the Menlo report, published by CAIDA in 2012, that discusses "Ethical Principles Guiding Information and Communication Technology Research". And even earlier, in 1978, the Belmont report was released, which summarised "ethical principles and guidelines for research involving human subjects".

Also note the paper on The Moral Character of Cryptographic Work in which the author states that the obligation for [ethic of responsibility] stems from three basic truths: that the work of scientists and engineers transforms society; that this transformation can be for the better or for the worse; and that what we do is arcane enough that we bring an essential perspective to public discourse.

Relevant Examples Involving RIPE Atlas

Some of the recent examples where researchers had to consider the potential risks of their actions include:

There are other examples where RIPE Atlas has been used to look into these kinds of topics. 

Conclusion

When designing, maintaining, operating and enhancing the RIPE Atlas system, we are always consciously thinking about the ethical impact such activities may have (see more on this in the IP Journal issue outlining RIPE Atlas). But that in itself is not enough; users also have to ensure that they too are taking ethical principles into account when using the RIPE Atlas infrastructure.


About the author


For many years I have been the leader of the Research and Development team at the RIPE NCC leading a dedicated team of thinkers to support the RIPE community by providing network research, data analysis and prototype tool development and services including RIPE Atlas and RIPEstat. As of 2023, I'm working as a principal engineer in order to assist the CTO and the RIPE NCC's information services.

Comments 3


Babak Farrokhi

This is a very important issue that researchers should keep in mind when running RIPE Atlas measurements. They may want to select their probe origins carefully, keeping in mind that some DNS or HTTP requests would cause trouble for the probe host. While RIPE Atlas already has relevant measures to prevent eventual misuse, some normal requests may trigger alerts in some networks, which is undesired for probe hosts. On the other hand, I believe people hosting probes should also be aware of such potential issues when deploying in networks with strict policies (or that have IDS monitoring their traffic) or in regions with restrictive regulations.


Stéphane Bortzmeyer

@Babak HTTP requests cannot create a problem today, since they are directed only to the Anchors. Indeed, one of the reasons for this limitation is precisely the risk for the probe owner. DNS requests can be more dangerous. Today, they are less often monitored than HTTP requests in most cases, so they are often "under the radar", but this may change in the future (NSA's MoreCowBell and so on). Warning probe owners of the potential risks is certainly a good thing. We must be aware that it will mean, in the future, fewer probes in what are precisely the most interesting countries :-(


Stéphane Bortzmeyer

Another reference which may be useful is the paper "Ethical issues in research using datasets of illicit origin" by Daniel R. Thomas, Sergio Pastrana, Alice Hutchings, Richard Clayton and Alastair R. Beresford https://dl.acm.org/citation.cfm?id=3131389 (PDF in https://www.cl.cam.ac.uk/~drt24/papers/2017-ethical-issues.pdf or on Sci-Hub). It is mostly about leaked datasets (such as the Patreon database) but it talks also about active network measurements (such as the Carna scan).