Human Rights Protocol Considerations: Bridging the Implementation Gap

By: Alp Toker

Date: October 31, 2017


A group of technologists representing civil society met at IETF 99 to answer long-running questions regarding the human rights impact of protocol design with running code. This effort builds on work done by the Internet Research Task Force’s Human Rights Protocol Considerations (HRPC) Research Group over the last two years, and explores how Internet protocols affect human rights, such as freedom of expression and freedom of assembly.

The HRPC mission was well received at a technical plenary session at IETF 98 in Chicago; however, concerns were voiced about open-ended ethical debates that risk sidetracking core IETF engineering goals. The shift from conversation to implementation marks a milestone as the human rights community steps up to demonstrate its capacity to bolster research and policy work with visible, hands-on participation in the standardisation and implementation lifecycle of Internet protocols.

In Prague, the group focused on validating RFC 7725, which specifies the new HTTP status code 451 for use when resource access is denied as a consequence of legal demands. The number references novelist Ray Bradbury’s dystopian novel, Fahrenheit 451, in which books are outlawed and burned. The specification is intended to increase transparency around withheld content by offering a semantic alternative to the 404 “Not Found” and 403 “Forbidden” codes, which carry no indication as to the underlying cause of the restriction.

Over the course of the IETF 99 Hackathon, the group spent more than 48 hours developing the following three technology components to validate and showcase different aspects of RFC 7725:

  • A crawling tool that tests online resources to identify legally withheld web content “in the wild” as part of the NetBlocks Open Source Internet observatory project
  • A web-browser extension that enables users to self-report legally withheld content
  • A plug-in for the WordPress content-management system designed to withhold pages according to criteria such as the user’s geographic origin

At the conclusion of the Hackathon, a panel of judges for the competition recognised the group’s work as “Best New Work”.

Olga Khrustaleva and I presented our implementation report at the HRPC Research Group session; our findings were a mixed verdict for RFC 7725 as it stands today. We found that existing usage of 451 codes on the public Internet is often technically invalid or misapplied; moreover, we noted that the specification does not significantly enhance transparency surrounding online censorship because of prevalent geographic restriction (or geoblocking) that continues to make state-sponsored censorship difficult to remotely discover using technical means.
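The report does not list the specific defects it found, so the following is an added example, not code from the NetBlocks tools or the group's report: a sketch of the kind of check a crawler could apply to a 451 response, testing two RFC 7725 recommendations (an explanation in the response body, and a Link header with rel="blocked-by" identifying the blocking entity). The function names, finding labels and sample responses are constructed for illustration.

```python
import re

# One link-value: <URI-reference> followed by ;name=value parameters
# (simplified from the Link header grammar; enough for this check).
LINK_RE = re.compile(r'<([^>]*)>((?:\s*;\s*[\w*-]+\s*=\s*(?:"[^"]*"|[^\s;,]+))*)')
PARAM_RE = re.compile(r';\s*([\w*-]+)\s*=\s*(?:"([^"]*)"|([^\s;,]+))')

def blocked_by_links(link_header):
    """Return the URIs of link-values whose rel includes 'blocked-by'."""
    uris = []
    for uri, params in LINK_RE.findall(link_header or ""):
        for name, quoted, token in PARAM_RE.findall(params):
            rels = (quoted or token).lower().split()  # rel may hold several types
            if name.lower() == "rel" and "blocked-by" in rels:
                uris.append(uri)
    return uris

def check_451(status, headers, body):
    """List the RFC 7725 recommendations a response does not follow."""
    if status != 451:
        return ["not-451"]
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not blocked_by_links(hdrs.get("link")):
        findings.append("no-blocked-by-link")
    if not body.strip():
        findings.append("no-explanation-body")
    return findings

# Constructed sample responses (status, headers, body); not real observations.
SAMPLES = {
    "conforming": (451, {"Link": '<https://blocker.example/legal>; rel="blocked-by"'},
                   "<p>Withheld after a legal demand (constructed sample text).</p>"),
    "bare": (451, {"Content-Length": "0"}, ""),
    "wrong_rel": (451, {"link": '<https://blocker.example/>; rel="help"'},
                  "Unavailable For Legal Reasons"),
}

def audit(samples):
    """Map each sample name to its list of findings."""
    return {name: check_451(*resp) for name, resp in samples.items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLES).items():
        print(name, findings or "ok")
```

Both recommendations are SHOULD-level in RFC 7725, so a finding marks a response that is less transparent than the specification intends rather than one that is outright malformed.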

Instances of 451-marked content identified by our tools included material related to gender, sexual health, and democracy that was blocked by two major Western content platforms when served to people living in the Middle East. Most important, we found that governmental authorities in the countries in question had not taken technical measures to block the material. Rather, media platforms had proactively restricted those pages on their own servers.

Consequently, the specification may not only be failing to increase transparency, but may inadvertently be serving as an RFC stamp of approval that legitimises corporate compliance with overbearing censorship. Even when the content violates no platform rules and falls well within generally understood norms of acceptable speech, the 451 code provides an easy way out of difficult discussions with authorities. If this is the case, RFC 7725 serves as an example of the law of unintended consequences in protocol specification and design: an extension that sought to shed light on cases of censorship but that may now be in use to rubber-stamp systematic violations of Article 19 of the Universal Declaration of Human Rights and other international conventions and commitments to which we are duty-bound.

While the group’s work to assess RFC 7725 is ongoing, our experience already demonstrates how implementation and data on human rights can inform protocol design. Future threads of the work planned for IETF 100 in Singapore include an examination of web surveillance and privacy in real-time communication protocols—key topics that are currently receiving mainstream news coverage. These issues, which often pit the interests of large corporations against those of the general public, can be difficult to approach in a space where vendors and their representatives often take a leadership role. It is in this light that we hope our active participation will lend a new voice to civil society, when bridging concerns arising from the IRTF with the broader spectrum of day-to-day activities at the IETF.

Internet pioneer John Gilmore once said, “the Net interprets censorship as damage and routes around it.” Even as the conversation around digital rights has grown infinitely more nuanced, there is no doubt that the collective work of the IETF on core Internet protocols will play a central role in the way society protects its most vulnerable members. The way we adapt will determine to what extent we are able to preserve and enhance those universal values and protections in the years and decades to come.