Human Rights Protocol Considerations Research Group B. Martini Internet-Draft Harvard Kennedy School Intended status: Informational N. ten Oever Expires: April 25, 2019 University of Amsterdam October 22, 2018 QUIC Human Rights Review draft-martini-hrpc-quichr-00 Abstract QUIC is a new transport protocol that provides low-latency communication and security. QUIC's key features include faster connection establishment, stream-based multiplexing, improved loss recovery, and no head-of-line blocking. This document assesses the potential human rights implications emerging from the deployment of QUIC. The assessment is done based on the methodology articulated in [RFC8280]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 25, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must Martini & ten Oever Expires April 25, 2019 [Page 1] Internet-Draft QUIC-HR October 2018 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Vocabulary Used . . . . . . . . . . . . . . . . . . . . . . . 3 3. Review Methodology and Process . . . . . . . . . . . . . . . 5 4. Human Rights Considerations . . . . . . . . . . . . . . . . . 7 4.1. Connectivity . . . . . . . . . . . . . . . . . . . . . . 7 4.1.1. Latency . . . . . . . . . . . . . . . . . . . . . . . 7 4.1.2. Congestion Control and Loss Recovery . . . . . . . . 8 4.1.3. Reduced Head-Of-Line Blocking . . . . . . . . . . . . 8 4.1.4. Resources . . . . . . . . . . . . . . . . . . . . . . 8 4.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.2.1. Encryption . . . . . . . . . . . . . . . . . . . . . 8 4.2.2. Transparent Proxying . . . . . . . . . . . . . . . . 9 4.2.3. Multiple Streams . . . . . . . . . . . . . . . . . . 9 4.2.4. Packet Number Encryption . . . . . . . . . . . . . . 9 4.2.5. Padding . . . . . . . . . . . . . . . . . . . . . . . 10 4.2.6. Lawful Intercept . . . . . . . . . . . . . . . . . . 10 4.2.7. Spin Bit . . . . . . . . . . . . . . . . . . . . . . 10 4.2.8. Packet Injection . . . . . . . . . . . . . . . . . . 11 4.3. Content Agnosticism . . . . . . . . . . . . . . . . . . . 12 4.4. Security . . . . . . . . . . . . . . . . . . . . . . . . 12 4.5. Internationalization . . . . . . . . . . . . . . . . . . 12 4.6. Censorship Resistance . . . . . . . . . . . . . . . . . . 12 4.7. Open Standards . . . . . . . . . . . . . . . . . . . . . 13 4.8. Heterogeneity Support . . . . . . . . . . . . . . . . . . 13 4.9. Anonymity . . . . . . . . . . . . . . . . . . . . . . . . 13 4.10. Pseudonymity . . . . . . . . . . . . . . . . . . . . . . 13 4.11. Confidentiality . . . . . . . . . . . . . . . . . . . . . 14 4.12. Integrity . . . . . . . . . . . . . . . . . . . . . . . . 14 4.13. Authenticity . . . . . . . . . . . . . . . . . . . . . . 14 4.14. Adaptability . . . . . . . . . . . . . . . . . . . . . . 14 4.15. Outcome Transparency . . . . . . . . . . . . . . . . . . 14 4.15.1. Encryption . . . . . . . . . . . . . . . . . . . . . 15 4.15.2. Permissionless Innovation and Its Challenges . . . . 15 4.15.3. Privacy, Power and Consolidation . . . . . . . . . . 16 4.15.4. Transparency and IoT . . . . . . . . . . . . . . . . 17 5. Conclusions and Recommendations . . . . . . . . . . . . . . . 18 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 7. Security Considerations . . . . . . . . . . . . . . . . . . . 19 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 9. Review Team Information . . . . . . . . . . . . . . . . . . . 19 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 10.1. Informative References . . . . . . . . . . . . . . . . . 19 Martini & ten Oever Expires April 25, 2019 [Page 2] Internet-Draft QUIC-HR October 2018 10.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 1. Introduction This is a review done within the framework of the Human Rights Review Team, and it was conducted by Beatrice Martini and Niels ten Oever. The Human Rights Review Team aims to implement and improve the guidelines for human rights considerations provided in [RFC8280], and seeks to mitigate potentially adverse human rights impacts that IETF and IRTF documents might have. Human Rights Reviews are developed by a group of individuals in the IRTF and IETF. They work collaboratively and provide their knowledge and input to the assessments, in an effort to contribute to the IETF open review process. Human Rights Reviews are individual contributions. The authors hope that the comments will be taken into consideration by the draft authors, Working Groups and the IESG. This review concerns the QUIC protocol in general, and the following drafts in particular: draft-ietf-quic-transport-12, draft-ietf-quic- tls-12, draft-ietf-quic-invariants-01. 2. Vocabulary Used Anonymity The condition of an identity being unknown or concealed [RFC4949]. Censorship Technical mechanisms, including both blocking and filtering, that state or private actors can use to block or degrade Internet traffic. For further details on the various elements of Internet censorship, see [Halletal]. Censorship resistance Methods and measures to mitigate Internet censorship. Confidentiality The property that data is not disclosed to system entities unless they have been authorized to know the data [RFC4949]. Connectivity The extent to which a device or network is able to reach other devices or networks to exchange data. The Internet is the tool for providing global connectivity [RFC1958]. Different types of connectivity are further specified in [RFC4084]. Content agnosticism Treating network traffic identically regardless of content. Martini & ten Oever Expires April 25, 2019 [Page 3] Internet-Draft QUIC-HR October 2018 Heterogeneity "The Internet is characterized by heterogeneity on many levels: devices and nodes, router scheduling algorithms and queue management mechanisms, routing protocols, levels of multiplexing, protocol versions and implementations, underlying link layers (e.g., point-to-point, multi-access links, wireless, FDDI, etc.), in the traffic mix and in the levels of congestion at different times and places. Moreover, as the Internet is composed of autonomous organizations and Internet service providers, each with their own separate policy concerns, there is a large heterogeneity of administrative domains and pricing structures." [FIArch] As a result, per [FIArch], the heterogeneity principle proposed in [RFC1958] needs to be supported by design. Human rights Principles and norms that are indivisible, interrelated, inalienable, universal, and mutually reinforcing. Human rights have been codified in national and international bodies of law. The Universal Declaration of Human Rights [UDHR] is the most well-known document in the history of human rights. The aspirations from [UDHR] were later codified into treaties such as the International Covenant on Civil and Political Rights [ICCPR] and the International Covenant on Economic, Social and Cultural Rights [ICESCR], after which signatory countries were required to reflect them in their national bodies of law. It is also broadly recognized that not only states, but also non-state actors must respect human rights. Integrity The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner [RFC4949]. Linkability Establishing the identity of a host across several IP addresses. Open standards As stated in [RFC2026]: "Various national and international standards bodies, such as ANSI, ISO, IEEE, and ITU- T, develop a variety of protocol and service specifications that are similar to Technical Specifications defined here. National and international groups also publish "implementors' agreements" that are analogous to Applicability Statements, capturing a body of implementation-specific detail concerned with the practical application of their standards. All of these are considered to be 'open external standards' for the purposes of the Internet Standards Process." Openness Absence of centralized points of control - "a feature that is assumed to make it easy for new users to join and new uses to unfold" [Ziewitzetal]. Martini & ten Oever Expires April 25, 2019 [Page 4] Internet-Draft QUIC-HR October 2018 Ossification The increasing inflexibility of the network which results in the inability to deploy a new protocol or protocol extensions due to the unchangeable nature of infrastructure components that have come to rely on particular features of current protocols. Permissionless innovation The freedom and ability to freely create and deploy new protocols on top of the communications constructs that currently exist. Privacy The right of an entity (usually an individual), acting on its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share its personal information with others [RFC4949]. The right of individuals to control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed. Privacy is a broad concept regarding the protection of individual or group autonomy and the relation between an individual or group and society, including government, companies, and private individuals. It encompasses a wide range of rights, including protections from intrusions into family and home life, control of sexual and reproductive rights, and communications secrecy. It is commonly recognized as a core right that underpins human dignity and other values such as freedom of association and freedom of speech. The right to privacy is also recognized in nearly every national constitution and in most international human rights treaties. The right to privacy is also legally protected at the national level through provisions in civil and/or criminal codes. Pseudonymity The ability to use a persistent identifier that is not immediately linked to an individual's offline identity. Pseudonymity is an critical feature for many end users, as it allows them different degrees of disguised identity and privacy online. "Pseudonymity is strengthened when less personal data can be linked to the pseudonym; when the same pseudonym is used less often and across fewer contexts; and when independently chosen pseudonyms are more frequently used for new actions (making them, from an observer's or attacker's perspective, unlinkable)." [RFC6973] 3. Review Methodology and Process This section describes how the review was undertaken. Martini & ten Oever Expires April 25, 2019 [Page 5] Internet-Draft QUIC-HR October 2018 We started our review by examining the Internet Drafts which were active on June 7, 2018 on the QUIC Working Group Datatracker (https://datatracker.ietf.org/wg/quic/documents). Inferential reading of the documents resulted in the decision to focus our efforts on three specific drafts: draft-ietf-quic- transport-12, draft-ietf-quic-tls-12, draft-ietf-quic-invariants-01. From the study of these documents through the perspective of the Guidelines for Human Rights Protocol Considerations outlined in [RFC8280], we formulated a questionnaire, to be used as a tool to guide semi-structured interviews with QUIC Working Group chairs and document authors. We engaged in a total of seven interviews, which took place during IETF102 (July 14-20, 2018). These were then transcribed and analyzed. The analysis focused on the identification of potential positive or negative impacts on human rights, and on the categorization of our findings according to the Guidelines for Human Rights Protocol Considerations outlined in [RFC8280]. One particular aspect that is critical to consider is the pace at which the QUIC Working Group operates, which is regarded across the IETF community as notably faster than usual. This means that while the general design that is outlined in the QUIC Internet Drafts is fairly stable, numerous details are in constant change. When it comes to conducting an interview-based research, this also means that some of the expressed points of view might be overtaken by intervening changes. To address this specific characteristic of the work on the QUIC protocol, we decided to set a time point to examine active Internet Drafts and current Working Group discussions. The time point is June 7, 2018. In addition to that, we also kept discussing with the interviewees, reviewing notes from the following New York interim meeting (September 19-20), and following selected mailing list threads, until our final review of this very document, on October 17, 2018. The content examined until the set time point (June 7, 2018) is what should be considered the core subject of our examination. However, as we aim to helpfully contribute to the efforts of the QUIC Working Group, we also decided to monitor potential updates and emerging discussions which took place in the following months, with the aim to provide relevant and applicable feedback. Martini & ten Oever Expires April 25, 2019 [Page 6] Internet-Draft QUIC-HR October 2018 4. Human Rights Considerations The Human Rights Protocols Considerations Research Group (HRPC) welcomes the drafts draft-ietf-quic-transport, draft-ietf-quic-tls, draft-ietf-quic-invariants. In particular, we welcome the efforts to improve connectivity on high latency, low bandwidth and high loss connections, and the application of encryption by default. Conclusions and recommendations can be found at the end of this document. No implications for Accessibility ([RFC8280], sec. 6.2.11), Localization ([RFC8280], sec. 6.2.12), Decentralization ([RFC8280], sec. 6.2.13), and Reliability ([RFC8280], sec 6.2.14) have been found. 4.1. Connectivity Overall, QUIC is expected to result in a greatly improved Internet service for users worldwide, and in particular for those who currently do not have high bandwidth or lossless connections. Regions that currently do not benefit from reliable connectivity, would be provided with a significantly improved service. These advancements have positive implications in regards to human rights such as freedom of expression, freedom of association, right to political participation. 4.1.1. Latency QUIC was designed as a new transport protocol to provide connections with lower latency than previous protocols. One of the most important differences between TCP and QUIC connections is that QUIC connection establishment takes 0 RTTs when a server is known by a client and up to a few RTTs for the first connection to an unknown server. By allowing for Zero-Round Trip Time (0-RTT) resumption of connections, QUIC performs better than TCP on high latency and high loss connections. When a web client uses TCP and TLS, it requires two to three round trips with a server to establish a secure connection before the browser can send a request. With QUIC, if a client has communicated with a server before (within a specific time period), it can start sending data without any round trips, so that web pages will load faster. An example of QUIC's performance can be observed on a well-optimized site like Google Search, where connections are often pre-established, Martini & ten Oever Expires April 25, 2019 [Page 7] Internet-Draft QUIC-HR October 2018 and QUIC's faster connections can only speed up some requests. Still, QUIC improves mean page load time by 8% globally, and up to 13% in regions where latency is higher. [Behretal] 4.1.2. Congestion Control and Loss Recovery QUIC's congestion control is based on TCP NewReno [RFC6582], a congestion window based congestion control. The signals QUIC provides for congestion control are generic and are designed to support different algorithms. In this way, QUIC can be configured to fit best in different contexts. Compared to TCP, QUIC offers more detailed feedback information for loss detection. For example, it uses a monotonically increasing packet number and does not retransmit on the packet-level but on the content-level. This allows QUIC to distinguish retransmissions from the originally sent packets, avoiding retransmission ambiguities. Overall, comparing it to previously existing protocols, QUIC implements better estimation of connection RTTs and detects and recovers from loss more efficiently. 4.1.3. Reduced Head-Of-Line Blocking HTTP/2 allows multiple objects to be fetched over the same connection, using multiple streams within a single flow. In TCP, if a loss occurs in one stream, all streams stall while waiting for packet recovery. Differently, QUIC allows other streams to continue to exchange packets even if one stream is blocked due to a missing packet [MolaviKakhkietal]. 4.1.4. Resources QUIC is relatively expensive to implement, both in terms of code (size and complexity) and processing (including memory overheads). This can represent a barrier to adoption and the benefits that come with that. 4.2. Privacy 4.2.1. Encryption QUIC incorporates the key negotiation features of TLS 1.3, requiring all connections to be encrypted. Encryption improves the security and privacy of user data. It is built into QUIC, using AEAD algorithms such as AES-GCM and ChaCha20 Martini & ten Oever Expires April 25, 2019 [Page 8] Internet-Draft QUIC-HR October 2018 for both privacy and integrity. QUIC authenticates the parts of its headers that it does not encrypt, so attackers cannot modify any part of a message [Behretal]. Furthermore, in addition to improving privacy, encryption helps to address the ossification of network protocols caused by middleboxes that assume certain information to be present in the clear [Kuehlewindetal]. 4.2.2. Transparent Proxying Many cellular and high-latency networks use transparent TCP proxies to reduce end-to-end delays and improve loss recovery. However, by encrypting the transport headers, QUIC prevents transparent proxying, thus protecting their integrity [MolaviKakhkietal]. 4.2.3. Multiple Streams By establishing connection with multiple streams, QUIC creates higher opacity for the observer. Comparing QUIC to TLS over TCP, QUIC significantly reduces the amount of information that an observer can acquire about communications they are looking at. In TCP, all of the information regarding the protocol flow at a transport layer is exposed, and can be used to identify active communications. In QUIC, it is possible to have an established connection with an end point and to run multiple streams over that connection. Consequently, an observer who is looking at someone's connection, would not be able to tell the difference between the streams. 4.2.4. Packet Number Encryption In QUIC packet numbers are encrypted. From a general standpoint, the number assigned to each packet carries very little information. For example, it is possible to observe that a packet sent a certain time and the packet that was sent immediately after probably have increasing packet numbers. But when traffic is carried over multiple paths, it becomes observable at many points, and this has privacy implications. For example, as stated in [draft-huitema-quic-mpath-req-01]: "[...] if packets belonging to a given connection carry some unique identifiers, observers could use these identifiers to track client Martini & ten Oever Expires April 25, 2019 [Page 9] Internet-Draft QUIC-HR October 2018 migrations through several paths, and thus potentially expose the successive locations of a particular user." 4.2.5. Padding Bit padding is the addition of one or more extra bits to a transmission or storage unit to make it conform to a standard size. QUIC (like HTTP/2 and TLS) offers a padding mechanism that can be used as a defense against traffic analysis for protected packets. It is important to note that its use is discretionary by implementations. 4.2.6. Lawful Intercept The lawful intercept of content in QUIC works similarly to TLS over TCP. An intercept can: force the acceptance of an alternate certificate; cooperate with or coerce the non-monitored endpoints to obtain session keys for decryption of traffic; exploit endpoint vulnerabilities to place monitoring devices directly on the endpoint on the other side of the crypto boundary. Forcing TLS 1.3 avoids some common exploit vectors in TLS 1.2 and strengthens the ciphersuites. 4.2.7. Spin Bit When Google offered the IETF the opportunity to take the work on QUIC and produce an open standard that could be used by all [Wilketal], it sparked off a debate within the IETF as to how much transport information should be deliberately kept unknown to the network. As an explicit design goal, QUIC provides far less information about its operation to devices on path than TCP does. In TCP, the sequence and acknowledgement numbers and timestamps (if the respective option is in use) can be seen by on-path observers, and used to estimate end-to-end latency. Differently from previous transport protocols, QUIC splits the information it uses for its own operation from its wire image. As a consequence, QUIC's wire image currently does not expose any information that can be used for passive latency measurement techniques [draft-ietf-quic-spin-exp-00]. At the June 2017 interim meeting of the QUIC Working Group, a proposal was made to add a latency spin bit to QUIC's wire image, in order to allow for passive measurability of RTT equivalent to TCP [Trammell01]. Martini & ten Oever Expires April 25, 2019 [Page 10] Internet-Draft QUIC-HR October 2018 The spin bit is an explicit signal for passive measurability of round-trip time. It causes one bit in the header to 'spin', generating one edge (a transition from 0 to 1 or from 1 to 0) once per end-to-end RTT. During the following months, the proposal to add this facility to the QUIC protocol has been further discussed and researched. At IETF101 the Working Group agreed upon the reservation of three bits for experimentation with passive RTT measurement, with the result of this experimentation to inform an eventual working group decision whether to include the bit in the shipping version 1 of the protocol, scheduled to be complete by November 2018. [Trammell02] From its designers' perspective, the spin bit was formulated to be a minimal-risk, maximum-utility signal fit for a single purpose: on- path measurement of end-to-end RTT, to generate RTT samples for a variety of passive latency measurement tasks. The key argument in favor of the spin bit originates from the notion that measurement is fundamental to the operation of networks and at- scale services, whether for management, security, optimization, and that if it is at all possible to safely design passive measurability of any metric explicitly into a protocol, this signal represents how to do it. [Trammell01] The argument made by those who are not in favor of the addition of the spin bit to the protocol, is that the exposure of any information beyond the IP header and the base essentials of a UDP header is not necessary and not safe. They point out that how this bit may be used, were it to be added to the protocol, is unknown. This could represent an infringement of the user privacy. Furthermore, an exposed bit might cause for ossification of the bit itself, which would, to some extent, defeat QUIC's efforts to elude the intrusive and ossifying grip of network middleware. [Huston] 4.2.8. Packet Injection It is viable for network operators to add data to packets in order to do traffic monitoring and/or management. It is not uncommon for network operators to routinely tag packets as they enter the network for their own purposes, and simply erase the tag when they leave the network. Packet modification or injection cannot be prevented in QUIC. However, the protocol takes steps to ensure that its own state is not affected by this kind of activity. Martini & ten Oever Expires April 25, 2019 [Page 11] Internet-Draft QUIC-HR October 2018 4.3. Content Agnosticism The QUIC protocol itself is content agnostic. While it is currently being optimized for HTTP traffic, it can also be used with other application layer protocols (e.g. see [draft-huitema-quic-dnsoquic-05]). 4.4. Security QUIC improves security by making encryption an inherent part of the transport protocol, instead of adding it as a optional layer on top of it. This protects the integrity of the data by preventing tampering on the path, and ensures end-to-end confidentiality between the two communicating hosts. Furthermore, it ensure that no on-path party can emulate an endpoint. By encrypting all Internet traffic by default it is harder for researchers and network operators to analyze network traffic. This is a specific design goal, but it also makes research into the promulgation of malware, cookies and other artefacts much harder, since in this case access to the stream needs to be provided by the end point. 4.5. Internationalization [draft-ietf-quic-transport-12] does not define human readable strings, except for where it states that the Reason Phrase in the CONNECTION_CLOSE and APPLICATION_CLOSE frames "SHOULD be a UTF-8 encoded string [RFC3629]". The QUIC protocol demands that this SHOULD be an UTF-8 string, while UTF-8 is actually not required. Also, there is currently no space to declare the charset used. So it is recommended that this SHOULD becomes a MUST. [draft-ietf-quic-transport-12] does not allow for the use of language tags. If it would request these tags, it would allow implementations to signal in which language Reason Phrases are rendered. 4.6. Censorship Resistance Encryption makes monitoring and filtering of the traffic more complex, thus hindering fine-grained censorship. Furthermore, in QUIC it is also harder to terminate connections, since in the protocol the only parties that can terminate the connection are those actually involved in the connection once it exists. This means that a middlebox cannot reset a connection, but needs to continue to block it, keeping state. Considering this, it Martini & ten Oever Expires April 25, 2019 [Page 12] Internet-Draft QUIC-HR October 2018 can be stated that QUIC makes censorship harder because it requires the censor to invest more resources and efforts. QUIC is also improving the protection against DDoS through observation of the handshake for connection confirmation, and through the need to validate new connections in case of a connection migration. It is worth noting that it is almost impossible to make the handshake resilient to injection attacks, and the general consensus has been not to spend cycles trying. This means that handshakes can easily be disrupted by a censor. Post-handshake, QUIC is very resilient to attempts to reset the connection by a third party. 4.7. Open Standards QUIC is published as open standard. 4.8. Heterogeneity Support The design of the QUIC transport protocol is currently specifically tailored to be used with TLS1.3 and HTTP2. It is explicitly constructed in a modular manner and is designed to support other application layer protocols in the future as well. 4.9. Anonymity Persistent static identifiers, consistently linking to a particular person or small, well-defined group of people, are one of the main threats to anonymity. This is especially concerning when the identifier is used in repeatedly used in multiple contexts, thus raising an issue of linkability. In QUIC, linkability would occur in case a connection ID was used on multiple network paths. In order to provide some protection against linkability in case of connection migration, QUIC uses different connection IDs when different local addresses are used. Furthermore, packet numbers are encrypted to ensure they are not used to establish a link between different connection IDs. However, it is important to note that traffic analysis might still allow to correlate different streams. 4.10. Pseudonymity Keeping different identities isolated from each other is critical to protect and preserve pseudonymity. QUIC contributes to this by using different connections IDs for different local addresses. Martini & ten Oever Expires April 25, 2019 [Page 13] Internet-Draft QUIC-HR October 2018 4.11. Confidentiality Through the use of cryptography, QUIC integrates security, confidentiality, authenticity, and integrity directly into the transport protocol rather than having them layered on top of it. Any server that offers QUIC to benefit from its latency improvements will automatically provide all the aforementioned attributes to their user. 4.12. Integrity The use of TLS1.3 in QUIC makes on-path attacks either visible or nearly impossible to carry out. So, if an actor forces the traffic to go through one middlebox and decrypt the traffic itself, their action is made detectable. This also protects the integrity of the datastream, prevents tampering, and averts the injection of extra data in the stream. 4.13. Authenticity Except for the initial handshake, the encryption in QUIC is provided by TLS1.3, which uses asymmetric cryptography to authenticate the hosts. This enables verification of authenticity. 4.14. Adaptability QUIC has a modular approach, and is designed for adaptation. The only commitments in the protocol are the requirement to run on UDP, the packet header, and the version negotiation phase. The remainder of the protocol is quite flexible and can be further adapted. By preventing the ossification of the protocol by middleboxes through the encryption of transport headers, QUIC enhances the adaptability of the architecture. As a transport protocol, QUIC tries to be agnostic for application layer protocols, even though it is currently tailored to work with HTTP/2. 4.15. Outcome Transparency Outcome transparency concerns the intelligibility of the effects of a protocol in relation to its users, protocol developers, and implementers, and its potential consequences (e.g. lack of authenticity may lead to lack of integrity and negative externalities)[RFC8280]. Martini & ten Oever Expires April 25, 2019 [Page 14] Internet-Draft QUIC-HR October 2018 QUIC represents a remarkable evolution of the transport layer with significant impact on the Internet architecture and, most importantly, the service provided to users. 4.15.1. Encryption The IETF has reached consensus on the fact that pervasive monitoring is an attack (see [RFC7258]), and that a response to mitigate this is represented by ubiquitous encryption, which would also reinforce the end-to-end nature of the network [RFC2775] [RFC3724] [RFC7754]. With the advent of QUIC, encryption becomes the default on the transport level. This has a critical impact on the protection of user privacy. Furthermore, it has implications concerning network operators that had previously used visible parts of protocols to, among other things, manage, operate, and secure their networks [RFC8404]. Encryption also improves the integrity of the datastream, as QUIC allows to protect users against injections of ads by network operators. 4.15.2. Permissionless Innovation and Its Challenges As suggested by interviewees during the research phase of this review, and to acquire a more contextualized understanding of protocol development efforts over time, it is relevant to pay attention to the history of SCTP (Stream Control Transmission Protocol). SCTP is a protocol for transmitting multiple streams of data at the same time between two end points that have established a connection in a network, standardized in [RFC4960]. As outlined in the comparison between SCTP and QUIC presented in [draft-joseph-quic-comparison-quic-sctp-00], the deployment of SCTP is not particularly widespread. In-network devices, like NAT gateways for example, do not support SCTP well. NAT gateways need to be upgraded to be SCTP-aware, the modification of middleboxes is very expensive, and Internet service providers, focusing on the sustainability of their business, update the devices in accordance with the benefit that this can represent for their revenues. Furthermore, an early version of QUIC (now popularly called gQUIC) was initially designed and deployed by a large content provider, Google. It was implemented in 2012, and the company invested significant resources to develop it, for example conducting thorough A/B-testing in order to assess how the protocol would interact with Martini & ten Oever Expires April 25, 2019 [Page 15] Internet-Draft QUIC-HR October 2018 the network, and how the middleboxes would respond. QUIC is now widely used in Chrome clients accessing Google services. In 2015, an Internet Draft of a specification for QUIC was submitted to the IETF for standardization, and the following year the QUIC Working Group was established. A growing number of contributors from the corporate, academic, nonprofit sector have joined the protocol development work since, and what has been achieved to date is the result of a notable and labor-intensive collaborative effort. So, on one hand, the history of QUIC shows that permissionless innovation is still possible. On the other hand, it also shows what remarkable efforts and resources are needed to carry out such an ambitious project. While permissionless innovation still exists, the threshold and costs for innovation seem to rise significantly and increasingly. Also, a look at the actors and dynamics involved in QUIC's history should not underestimate the power of Google's authority. A different developing actor might have been able to invest a similar amount of resources into the development of a protocol. Still, without an impressive user base and traffic stream as Google's, they might have received a less supportive response from network operators. Having said that, it is expected that QUIC will improve the current situation by providing a more capable transport which aims to overcome ossification and allow for changes in the protocol due to its modularity. 4.15.3. Privacy, Power and Consolidation The most relevant privacy advantage provided by QUIC is gained by users who have different kinds of traffic relations with one end point. In fact, QUIC does not allow network providers to easily differentiate between, for instance, HTTP requests, DNS requests and real time voice packets, thus strengthening user privacy, and also improving performance. It is important to note, though, that QUIC does not actually hide or attempt to hide the application protocol being used on a connection. The ALPN offered by the client is protected only by a key which can be calculated by any party who can work with the QUIC version in use. On the other hand, this creates a concentration of different kinds of traffic with one end point, thus giving the service provider access to more categories of privacy sensitive information. Martini & ten Oever Expires April 25, 2019 [Page 16] Internet-Draft QUIC-HR October 2018 In the current reality of the Internet, the biggest hosts are controlled by large, consolidated, transnational corporations. This creates an extreme power differential between end users on the one hand, and service providers and content operators on the other hand. In order to protect privacy and secure information, it is important that the user makes a careful and informed decision about the hosting provider and plan they choose. While ubiquitous encryption changes the relation between service providers and content operators, placing them at the same end of the spectrum, it remains to be seen whether if it can help users take and retain control within the overall power structures of Internet governance and economics. One of the problems with deploying fully encrypted protocols like QUIC is that deployment is far easier for organizations that already have integrated observability, traceability, and tooling in their back-ends, which not surprisingly happen to be the big players. If there was any chance to make running a QUIC server relatively easy, thus enabling a greater diversification of end points, QUIC could contribute to a power shift in favor of the end user. However, running a QUIC infrastructure is currently expected to be more demanding than running a HTTP/2 or HTTP/1 infrastructure. It would be truly compelling if this consideration could be discussed further, and ideally addressed by the development and release of openly available tooling allowing for more accessible ways to run a QUIC server. 4.15.4. Transparency and IoT End-to-end encryption on the transport layer makes monitoring and filtering of the traffic more complex, and can lead to the adoption of other network management practices to obtain this information. This has implications on the management of Internet of Things (IoT) devices. If an IoT device adopts QUIC, it will be harder for the user who owns the device to monitor what data is communicated with third parties. It would also be more difficult to conduct research into the promulgation of malware, cookies and other artefacts. Adequate tooling to protect the right to privacy of IoT users has not yet been developed. Martini & ten Oever Expires April 25, 2019 [Page 17] Internet-Draft QUIC-HR October 2018 5. Conclusions and Recommendations The QUIC protocol provides significant human rights improvements for end users. It dramatically improves connectivity for users on high-loss, high- latency connections. Users will benefit from lower latencies and will not need to restart sessions as often. And in those cases in which they will need to restart a session, they will able to do so without having to re-do the initial handshake. Another key improvement is represented by the use of encryption by default, which provides authentication, stream integrity, adaptability of the protocol by overcoming ossification, and improved protection from third party monitoring and metadata analysis. The following is a list of potential improvements that we invite the QUIC Working group to take into consideration, wishing for the protocol to have even greater positive implications for human rights. - As the QUIC Working Group is expected to deliberate on the potential inclusion of the spin bit in the main specification of the protocol at the upcoming IETF103 (November 3-9, 2018), we suggest to consider not to include it. Our recommendation is motivated by the concerns raised in regards to its implications on user privacy, as reported in this very document, and also shared by some of the interviewees. - Consider deploying IP header encryption as an optional extension. - Evaluate the addition of language tagging and charset identification in the case of Reason Phrase in the CONNECTION_CLOSE and APPLICATION_CLOSE. - Examine the opportunity to translate the QUIC specification into other languages. - Discuss the viability to make tooling for running QUIC servers openly available. - Observe and iteratively assess the implications of QUIC on the power relations between end user on one end of the spectrum, and network operators and service providers on the other one. Martini & ten Oever Expires April 25, 2019 [Page 18] Internet-Draft QUIC-HR October 2018 6. Acknowledgements The authors thank (in alphabetical order) Mike Bishop, Janardhan Iyengar, Daniel Kahn Gillmor, Mirja Kuehlewind, Mark Nottingham, Martin Thomson, and Brian Trammell for their generous contribution to our research and review. This document does not necessarily reflect their opinion, but solely that of the authors. 7. Security Considerations As this draft concerns a research document, there are no security considerations. 8. IANA Considerations This document has no actions for IANA. 9. Review Team Information The discussion list for the Human Rights Review Team is located at the e-mail address hr-rt@irtf.org [1]. Information on the group and information on how to subscribe to the list is at https://www.irtf.org/mailman/listinfo/hr-rt [2] Archives of the list can be found at: https://www.irtf.org/mail- archive/web/hr-rt/current/index.html [3] 10. References 10.1. Informative References [Behretal] Behr, M. and I. Swett, "Introducing QUIC Support for HTTPS Load Balancing", June 2018, . [Cuietal] Cui, Y., Li, T., Liu, C., Wang, X., and M. Kuehlewind, "Innovating Transport with QUIC: Design Approaches and Research Challenges", IEEE Internet Computing, Vol 21(2), pp. 72-76 , March 2017, . Martini & ten Oever Expires April 25, 2019 [Page 19] Internet-Draft QUIC-HR October 2018 [draft-huitema-quic-dnsoquic-05] Huitema, C., Shore, M., Mankin, A., Dickinson, S., and J. Iyengar, "Specification of DNS over Dedicated QUIC Connections (work in progress)", June 2018, . [draft-huitema-quic-mpath-req-01] Huitema, C., "QUIC Multipath Requirements (work in progress)", January 2018, . [draft-ietf-quic-invariants-01] Thomson, M., "Version-Independent Properties of QUIC (work in progress)", March 2018, . [draft-ietf-quic-spin-exp-00] Trammell, B. and M. Kuehlewind, "The QUIC Latency Spin Bit (work in progress)", April 2018, . [draft-ietf-quic-tls-12] Thomson, M. and S. Turner, "Using Transport Layer Security (TLS) to Secure QUIC (work in progress)", May 2018, . [draft-ietf-quic-transport-12] Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed and Secure Transport (work in progress)", May 2018, . [draft-joseph-quic-comparison-quic-sctp-00] Joseph, A., Li, T., He, Z., Cui, Y., and L. Zhang, "A Comparison Between SCTP and QUIC (work in progress)", March 2018, . [FIArch] Future Internet Architecture (FIArch) Group, "Future Internet Design Principles", January 2012, . Martini & ten Oever Expires April 25, 2019 [Page 20] Internet-Draft QUIC-HR October 2018 [Gratzer] Gratzer, F., ""QUIC - Quick UDP Internet Connections"", Seminar Innovative Internet-Technologien und Mobilkommunikation SS2016 , 2016, . [Halletal] Hall, J., Aaron, M., and B. Jones, "A Survey of Worldwide Censorship Techniques (work in progress)", April 2015, . [Huston] Huston, G., "Just One QUIC Bit", APNIC , March 2018, . [ICCPR] United Nations General Assembly, "International Covenant on Civil and Political Rights", December 1966, . [ICESCR] United Nations General Assembly, "International Covenant on Economic, Social and Cultural Rights", December 1966, . [Kuehlewindetal] Kuehlewind, M., Buehler, T., Trammell, B., Neuhaus, S., Muentener, R., and G. Fairhurst, "A Path Layer for the Internet: Enabling Network Operations on Encrypted Protocols", IEEE International Conference on Network and Service Management (CNSM) , November 2017, . [MolaviKakhkietal] Molavi Kakhki, A., Jero, S., Choffnes, D., Nita-Rotaru, C., and A. Mislove, "Taking a Long Look at QUIC", Proceedings of IMC '17, London, United Kingdom , November 2017, . [RFC1958] Carpenter, B., Ed., "Architectural Principles of the Internet", RFC 1958, DOI 10.17487/RFC1958, June 1996, . [RFC2026] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, DOI 10.17487/RFC2026, October 1996, . Martini & ten Oever Expires April 25, 2019 [Page 21] Internet-Draft QUIC-HR October 2018 [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, DOI 10.17487/RFC2775, February 2000, . [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003, . [RFC3724] Kempf, J., Ed., Austein, R., Ed., and IAB, "The Rise of the Middle and the Future of End-to-End: Reflections on the Evolution of the Internet Architecture", RFC 3724, DOI 10.17487/RFC3724, March 2004, . [RFC4084] Klensin, J., "Terminology for Describing Internet Connectivity", BCP 104, RFC 4084, DOI 10.17487/RFC4084, May 2005, . [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, . [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", RFC 4960, DOI 10.17487/RFC4960, September 2007, . [RFC6582] Henderson, T., Floyd, S., Gurtov, A., and Y. Nishida, "The NewReno Modification to TCP's Fast Recovery Algorithm", RFC 6582, DOI 10.17487/RFC6582, April 2012, . [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, July 2013, . [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 2014, . [RFC7754] Barnes, R., Cooper, A., Kolkman, O., Thaler, D., and E. Nordmark, "Technical Considerations for Internet Service Blocking and Filtering", RFC 7754, DOI 10.17487/RFC7754, March 2016, . Martini & ten Oever Expires April 25, 2019 [Page 22] Internet-Draft QUIC-HR October 2018 [RFC8280] ten Oever, N. and C. Cath, "Research into Human Rights Protocol Considerations", RFC 8280, DOI 10.17487/RFC8280, October 2017, . [RFC8404] Moriarty, K., Ed. and A. Morton, Ed., "Effects of Pervasive Encryption on Operators", RFC 8404, DOI 10.17487/RFC8404, July 2018, . [Trammell01] Trammell, B., "Explicit Passive Measurability and the QUIC Spin Bit", APNIC , May 2018, . [Trammell02] Trammell, B., "And Yet, It Spins", March 2018, . [UDHR] United Nations General Assembly, "The Universal Declaration of Human Rights", December 1948, . [Wilketal] Wilk, A., Hamilton, R., and I. Swett, "A QUIC Update on Google's Experimental Transport", April 2015, . [Ziewitzetal] Ziewitz, M. and I. Brown, "A Prehistory of Internet Governance", Research Handbook on Governance of the Internet, ed I. Brown, 3-26. Cheltenham: Edward Elgar , 2013. 10.2. URIs [1] mailto:hr-rt@irtf.org [2] https://www.irtf.org/mailman/listinfo/hr-rt [3] https://www.irtf.org/mail-archive/web/hr-rt/current/index.html Authors' Addresses Martini & ten Oever Expires April 25, 2019 [Page 23] Internet-Draft QUIC-HR October 2018 Beatrice Martini Harvard Kennedy School EMail: mail@beatricemartini.it Niels ten Oever University of Amsterdam EMail: mail@nielstenoever.net Martini & ten Oever Expires April 25, 2019 [Page 24]