Internet's backroom boffins' big brainwave: Put people first in future

IETF draft hopes to balance netizens' needs and corporate interests in future standards

The Internet Engineering Task Force is being asked to formally adopt its informal philosophy that when it comes to new standards and protocols, end users' needs must come first.

The "best current practice" drawn up by Internet Architecture Board (IAB) member Mark Nottingham – currently in its fifth draft – states simply that its purpose is to ensure that "Internet Standards consider end users as their highest-priority concern."

That may seem like an obvious statement – internet standards have always been developed with widespread adoption and the average internet user in mind – but in recent years, corporate influence on internet organizations has grown and many proposed standards at the Internet Engineering Task Force (IETF) have been dragged into fights that have more to do with company interests – or fears – than end users.

The draft document is of course too diplomatic to say it that bluntly, and instead notes that "there are often situations where we need to balance the benefits of a decision between two (or more) parties. To help clarify such decisions, Section 2 mandates that end users have the highest priority."

It also gives an example in an appendix where a proposal to change a protocol in the interests of operators – making some tasks easier – would have been more efficient if end users were explicitly considered a priority.

"For example, network operators approached the HTTP Working Group in 2014 with a proposal to allow an 'explicitly authenticated proxy' to be involved in HTTPS connections, so that operators could interpose new services, improve network efficiency and meet regulatory mandates," the draft notes.

"After much discussion, the Working Group declined the new work, on the grounds that HTTPS was explicitly documented as an end-to-end encrypted protocol [RFC7230], and couldn't be changed retroactively."

If the end-user-first policy was in place, it argues, it "would have given the Working Group a way to hold a more productive and limited discussion, because it would be focused on the question: 'Does intercepting HTTPS have an unacceptable potential for harming end users?'"


There are plenty of other examples, however, where progress and discussions have gotten bogged down because of a lack of focus on end users. There are lengthy discussions going on at the IETF about breaking Transport Layer Security (TLS) to enable logging: essentially moving it from a two-party to a three-party protocol.

There are good reasons for wanting to introduce such a change, but many are concerned that it effectively writes the ability to wiretap internet communications into an internet standard. The conversation has sucked up so much time and energy that an entire thread of discussion on the TLS working group mailing list comprises members pleading with the chairs to shut down discussion on the topic.

If the IETF had an official rule that when there was conflict between two perspectives, whatever is in the end user's best interests gets priority, then the TLS discussion could have been ended a long time ago.

Every internet engineer has a story about how a specific standard got so bogged down in discussions that it either died, was compromised or took so long to emerge that what was a good idea was lost.

By stating that the end user comes first, it could put the IETF into a position to break through impasses, or stop wasting valuable time on circular arguments. Or, of course, it could simply lead to more arguments over which approach most benefits end users.

The draft does try to avoid creating an extra layer of discussion by noting that it "does not imply that a standards effort needs to be audited for user impact, or every decision weighed against end user interests," but only when "an explicit conflict between the interests of end users and other relevant parties is encountered."

Would it work? That question is, of course, subject to discussion. ®

Sponsored: Becoming a Pragmatic Security Leader

Biting the hand that feeds IT © 1998–2019