#ooni log

17:59:10 <hellais> #startmeeting
17:59:10 <MeetBot> Meeting started Mon Mar 16 17:59:10 2015 UTC.  The chair is hellais. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:59:10 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
17:59:24 <hellais> ok let's start this
18:00:40 <hellais> #topic who is here?
18:00:45 * irl is here
18:00:45 * isabela is around
18:01:12 <aagbsn> i'm here
18:02:31 <aagbsn> quick report back on our circumvention study in iran - i emailed afisk@getlantern.org, no reply yet. I checked out the various source projects at github.com/getlantern, and ran the linux and windows clients while capturing traffic
18:03:00 <hellais> aagbsn: ok cool
18:03:07 <aagbsn> the linux version of the client set itself into "GIVE" mode (according to logs) without warning. I dont think I accidentally captured user traffic but I haven't reviewed the pcapcs yet
18:04:14 <aagbsn> I started writing up a description of the tool, it seems it will be a bit tricky to document / test all the parts because the state of the project is a bit unclear
18:04:37 <aagbsn> I read through all the tickets on their github tracker, it appears that they might be ditching some of the legacy code in the near future
18:05:40 <hellais> yeah I think all the java stuff is destined to be dropped in the near future
18:05:50 <aagbsn> I also pcap'd torbrowserbundle with fteproxy, and started writing up a description of fteproxy
18:06:13 <aagbsn> yeah. it's not clear for our purpose what evaluating whether the tool works or not should be
18:06:23 <aagbsn> because by design they do not proxy all traffic, just a whitelisted set of domains
18:07:37 <aagbsn> their design uses cloudflare domain tricks, like meek, to forward traffic (the project called flashlight). That isn't the same system that exits traffic via other users
18:07:54 <aagbsn> so, I captured traffic for the most recent version of the .exe available on their website
18:09:32 <aagbsn> we'll probably not be able to test all websites for censorship circumvention because of the whitelist
18:10:18 <hellais> well the goal of this analysis phase is to have enough documentation to be able to implement a test that can reliably detect if the tool is working in Iran
18:10:35 <hellais> so I would not dig too deep into it's inner workings
18:10:37 <aagbsn> yes, and it will be tricky to know what working means
18:10:54 <hellais> well the real test will be actually running the tools
18:11:05 <aagbsn> because for the currently shipping binary, it isn't a single tool
18:11:08 <hellais> and checking if it can bootstrap and you can visit some website
18:11:38 <aagbsn> hellais: yes, but if 'some website' isn't on their whitelist, it will pass unproxied, and detect that it is blocked
18:11:41 <aagbsn> is that what we wnat?
18:11:43 <hellais> aagbsn: how does the lantern browser get access to the internet?
18:13:43 <aagbsn> it gets a list of listening proxies from a google xmpp server, using cloudflare domain ssl tricks if google is blocked. there is a http proxy that requests matching the whitelist are sent to
18:14:41 <aagbsn> those requests get transported to users running the software in GIVE mode, if they are ssl, and if they are not ssl, they are passed through lantern infrastructure
18:15:09 <aagbsn> as best I can tell from reading the various tickts/code. I need to confirm this by looking at the pcaps
18:15:25 <aagbsn> so, there's still more work to do there
18:16:59 <aagbsn> in the meanwhile I switched to writing up fteproxy
18:18:30 <hellais> aagbsn: but I mean when you use the software how is it that you access a blocked website?
18:18:39 <hellais> do you use their browser or your normal browser?
18:19:10 <aagbsn> this week I want to finish up the fteproxy & scramblesuit & obfs3 analysis/spec
18:19:17 <hellais> in either case there is probably some protocol that this browser speaks with lantern to say get me this site.
18:19:30 <aagbsn> http proxy iirc
18:20:37 <hellais> then in the end the OONI test will be just a matter of launching ./run_lantern_master_tool (where run_latern_master_tool will probably be a series of hacks to get it to believe it's not running headless) and then speak HTTP to the local proxy
18:20:40 <aagbsn> there are .pac files that specify when to use a proxy or not
18:21:04 <aagbsn> we'll need some kind of google accounts for each of the probes
18:21:53 <hellais> then if we want to be kind to the lantern developers we also test all of their various strategies separately and tell the which ones work and which don't, but a user reading a report will just want to see lantern: true|false
18:22:11 <hellais> aagbsn: yeah we can get some of those
18:22:21 <hellais> anyways we can talk more about this later
18:22:44 <hellais> I wanted to give a little update on the informed consent topic
18:23:16 <hellais> last week I was in Oxford for a conference around ethics and internet research where I proposed the problem of OONI
18:23:29 <aagbsn> ok, that's all from me for now then :)
18:25:36 <hellais> most agree on the fact that we need some authoritative and knowledgable figure to review the risks of running OONI before we have a large user base
18:26:00 <aagbsn> likely those risks vary from country to country
18:26:58 <aagbsn> did anyone have feedback on the current informed consent document?
18:27:23 <irl> there was a lot of discussion on the mailing list
18:27:24 <hellais> there was one person that is the editor of this medical scientific journal that said that as is OONI research would not be accepted for publication in any medical journal and no IRB would approve
18:27:50 <irl> i still think it's best that we provide as much information as we think is relevant, but don't actually make any statements in a way that might imply us accepting responsibility
18:27:57 <irl> any statements we make should still come with no warranty
18:28:25 <aagbsn> hellais: do they mean with respect to analysis of the contributed data? Or using the tools to collect their own data for publication?
18:28:29 <hellais> today with vasilis we had a call with some lawyers from harvard that will be examining our texts
18:28:48 <hellais> as well as providing a risk assessment for some set of countries
18:28:54 <aagbsn> excellent!
18:28:57 <irl> awesome
18:29:40 <hellais> we will be working with them in the upcoming months to formulate how the risk is impacted by the various deployment strategies and if there are some precautions that we can take in order to minimise them
18:29:56 <aagbsn> somewhat surprised, as I had thought that groups have published analysis of public data
18:30:18 <irl> i mean, medical ethics is likely stricter than ethics for other journals
18:30:20 <aagbsn> such as the internet census (highly questionable origin) and aol search data
18:30:40 <hellais> tbh I don't understand how you can apply medical ethics criterial to network measurement
18:30:55 <irl> heh
18:31:08 <hellais> I mean there was a lot of talk about benefit vs risk for the volunteer
18:31:31 <hellais> which makes sense if you are participating to a study on a new eye medicine that could pontentially make you blind
18:31:52 <hellais> so you are risking to go blind, but you have the benefit of potentially seeing better
18:31:56 <anadahz> this is a really big topic, especially if you consider that most of the medical applications/services are based on closed and proprietary software
18:32:01 <hellais> but in our case the benefit for the user is a bit fuzzy and indirect
18:32:18 <hellais> aagbsn: public != ok to use in research
18:32:46 <hellais> aagbsn: as an example there is currently a lot of debate in the research community about the internet census 2012 data and if it's ok to use it in a paper
18:32:56 <aagbsn> anadahz: remind me to tell you later about how some doctors use proprietary and 'secure' email tools to send health records. someone i know received medical records this way with an 'encrypted' header that was nothing of the sort
18:33:04 <hellais> I believe some papers have been rejected from some journals because they were using it
18:33:19 <aagbsn> hm
18:34:06 <aagbsn> collin anderson has used OONI to do measurements, but with his own tests & probes
18:34:27 <aagbsn> so, OONI as an infrastructure platform is also useful to researchers who may not use user-supplied data
18:34:55 <aagbsn> we should help them understand the scenario where this sort of application is possible for research
18:36:02 <hellais> well the goal with this legal study is to have a way to say "hey you researcher that wants to use OONI or collect data with OONI for your research, it's ok these lawyers said so"
18:36:49 <aagbsn> hm, I should think that in the computer science field it would be more obvious that using the open source tools would be OK, even if using the user-supplied data isn't
18:37:28 <hellais> well it's a matter of how you acquire the data
18:37:28 * irl is at a university wanting to use ooni for a paper, so it would be useful if the paper wasn't rejected based on the source of the data.
18:37:50 <hellais> if for example I collect data by infecting them with some malware it's not ok
18:37:58 <hellais> if I tell them that I will be collecting the data then it's ok
18:38:07 <hellais> potentially even if the data is personal
18:38:13 <irl> yep, it's just informed consent.
18:38:32 <hellais> like during this conference there was one person that talked about this project they did to map out outbreaks of epidemics
18:39:01 <hellais> and they installed on the phones of volunteers this software agent that would track them wherever they went and record the IDs of the bluetooth devices they encoutered
18:39:31 <aagbsn> oh the latter seems troublesome
18:39:37 <hellais> they also wanted to expand it with the ability to have a "danger detector" that would tell you where you should not go, since there are potentially infected people there
18:39:42 <hellais> they said ok to the first part
18:39:45 <hellais> but not to the last
18:40:19 <hellais> that is to say that the devil is in the details and there are many ways to do something, but not all of them are ethically ok
18:44:59 <aagbsn> seems strange that sniffing random peoples bluetooth devices would be ok, but proving information based on that collection wasn't. clearly this isn't so clear
18:45:31 <hellais> aagbsn: the information was not all public
18:45:52 <hellais> aagbsn: it was all stored on a system at the university that only 2 people had access to and wiped at the end of the study
18:47:01 <hellais> in other news, we thought a bit about the possible ways to implement signing of reports
18:47:07 <aagbsn> did you have any positive feedback on ooni?
18:47:28 <aagbsn> or interest in running probes or working with the data?
18:47:29 <hellais> aagbsn: I wouldn't say there were particularly positive feedback
18:47:57 <hellais> aagbsn: joss wright said he would be interested in coming to the data viz hackfest
18:48:20 <aagbsn> ok, great :)
18:48:35 <hellais> aagbsn: but the majority of the people there were of the non technical, philosphically variety
18:49:58 * irl has to think about disappearing in about 15-20 minutes.
18:50:17 <hellais> irl: ah ok so let's talk a bit about the OTF proposal now
18:50:21 <irl> cool
18:50:55 <hellais> I don't remember if I said this last time, but basically we have concluded that it makes most sense to split them up into 3 separate ones
18:51:03 <hellais> CPP, ORG, OONI
18:51:19 <irl> ok, we discussed this on the call but didn't have a conclusion
18:51:27 <aagbsn> I think we did mention that at the last irc meeting also
18:51:32 <hellais> this means that we need to submit a new concept notes by May 1st
18:51:46 <irl> ok, so a new document.
18:51:49 <hellais> correct
18:51:54 <aagbsn> hellais: is that the earliest we can submit?
18:52:09 <hellais> so we need to take all the stuff that is OONI stuff in the CPP and ORG proposal and put it in our own one
18:52:18 <irl> so i'm working directly on adding functionality to OONI, so I guess I'm mainly concerned with that one.
18:52:32 <hellais> as well as add other things that we believe are important that are not in scope of CPP nor ORG
18:52:43 <irl> ok cool.
18:52:55 <hellais> aagbsn: we can submit it when we want, but they will review it only starting from May 1st
18:53:07 <aagbsn> ok
18:53:08 <irl> hellais: can you send round a new google docs link for the new document by email?
18:53:12 <sbs> hellais: is this proposal a shared google doc or something?
18:53:15 <hellais> irl: yes I will do that
18:53:19 <irl> awesome
18:53:42 <hellais> I have also talked about this with Karen from Tor and she will also help us with it
18:53:50 <irl> also awesome
18:55:16 <hellais> sbs: any updates from anna regarding the hackfest?
18:55:16 <anadahz> In case that you haven't seen yet there is a ticket about OONI roadmap: https://trac.torproject.org/projects/tor/wiki/org/roadmaps/OONI
18:55:31 <hellais> (There are plans to do a OONI data viz hackfest in Rome in May)
18:55:40 <irl> yep, but that doesn't necessarily have the OTF activities on it
18:55:49 <aagbsn> oh snap, did you pick rogh dates yet?
18:55:57 <aagbsn> I will be unavailble the latter two weeks of may
18:56:10 <hellais> not yet
18:56:28 <sbs> hellais: she told me she was very interested, she was talking with the technical staff and pinging me back when she will have news
18:56:43 <hellais> OTF got back to me saying that they have received the request, but haven't spoken to them verbally about it yet
18:56:52 <hellais> sbs: awesome!
18:57:11 <irl> hellais: would there be any travel budget in there?
18:57:25 <hellais> aagbsn: if you already know the exact dates send them to me so I can keep them in mind when scheduling it
18:57:32 <irl> i'm not sure what my budgets look like but likely not good, but it would be good to meet up for organising and a bit of hacking.
18:58:12 <aagbsn> hellais: yes, I believe the 15th onwards
18:58:17 <hellais> irl: yes the plan is to get budget for OONI devs to come as well as data visualization and designer types
18:58:41 <irl> awesome. so when there's a date i'll book that time with $boss.
18:58:51 <hellais> making it an open call where people can submit their CV to us and if it looks good and they have a cool project to hack on in the days of the hackfest we can pay for their travel and accomodation
18:59:04 <irl> very awesome.
19:00:46 <hellais> the next steps for what we should be focusing on this week are:
19:01:27 <aagbsn> hellais: update: 17th onwards
19:01:41 <hellais> 1) Continue work on the Iran study, by the end of this week anadahz, aagbsn and I should have completed the analysis of the tools and pushed the code to the repository
19:01:48 <hellais> err text
19:03:02 <hellais> that is me: Psiphon, Tor, obfs4. vasilis: obfs2, scotty, meek, openvpn. aagbsn: obfs3, lantern, scramblesuit, fte
19:03:27 <hellais> 2) Get the shared document for the concept notes and start putting the content of the other proposals inside of that
19:04:34 <hellais> 3) Start thinking of what text and graphics should go on the open call for the open data hackfest
19:05:19 <hellais> https://docs.google.com/document/d/1-2bf8UUOkcCM7g1ItzOY-4BYRBkI91QndWSgh8RdEx4/edit?usp=sharing
19:05:25 <hellais> here is the google doc for that last one
19:06:00 <hellais> anything else we should talk about?
19:06:18 <hellais> ah we also have 4)
19:06:59 <hellais> 4) Create tickets for the roadmap https://trac.torproject.org/projects/tor/wiki/org/roadmaps/OONI and add missing steps to roadmap, creating tickets when needed
19:07:15 <hellais> #link open data hackfest document https://docs.google.com/document/d/1-2bf8UUOkcCM7g1ItzOY-4BYRBkI91QndWSgh8RdEx4/edit?usp=sharing
19:07:24 <hellais> #link ooni roadmap https://trac.torproject.org/projects/tor/wiki/org/roadmaps/OONI
19:08:12 <anadahz> hellais: have you ordered the ooni stickers?
19:09:16 <hellais> anadahz: yes I have 250 of the fancy variety (two sided print with on the back some text on what ooni is and links)
19:09:38 <hellais> and 1000 of the cheaper sort, one sided square
19:10:01 <hellais> as soon as I get them I will relay some of them over to you all
19:10:49 <irl> woo stickers
19:11:13 <aagbsn> awesome
19:11:23 <anadahz> awesome!!
19:12:08 <irl> ok, so once there is the link for the new concept notes, i can get going there. for now though i'll have to disappear.
19:12:28 <hellais> irl: great, thanks for attending the meeting :)
19:12:54 <irl> mondays are looking better now, so i should be able to attend more.
19:13:02 <irl> have fun all. (:
19:13:11 <aagbsn> can we use an etherpad e.g. https://pad.riseup.net/p/otf_ooni_concept_notes
19:13:58 <hellais> riseup deletes the pads after 1 month of inactivity
19:14:03 <aagbsn> isabela: did you have any questions?
19:14:25 <aagbsn> hellais: yes, we should have completed/exported by then, no?
19:16:05 <hellais> aagbsn: hopefully ;)
19:16:49 <isabela> nope
19:16:58 <hellais> if somebody here has a way of reaching to the citizenlab people it would be cool if they could check out this pull request:
19:16:59 <isabela> just learning
19:17:11 <hellais> #link test lists management pull request https://github.com/citizenlab/test-lists/pull/4
19:17:39 <hellais> I most recently added a tool that allow somebody to add a URL to the test list by searching through the list for similar URLs already present
19:17:55 <hellais> and prompting the user to input all the various identifiers needed
19:18:10 <hellais> I would like to eventually make that into a web form
19:19:55 <hellais> also this week in OONI, lorenzo has been working on the iOS app and has implemented support for viewing the log of a test and listing the currently running measurements: https://github.com/lorenzoprimi/libight_iOS
19:20:16 <hellais> #link libight iOS https://github.com/lorenzoprimi/libight_iOS
19:21:03 <sbs> hellais: about the app, I've yet to understand why it crashes on my Mac
19:21:12 <hellais> lol
19:21:21 <sbs> hellais: it's in my TODO list to understand that :)
19:21:47 <hellais> sbs: that is quite weird indeed, I am able to run it successfully on mine
19:22:10 <sbs> hellais: indeed, I'm seeking for another Mac, so we can make a majority report
19:22:28 <hellais> heheheh
19:22:42 <hellais> is there anything else?
19:23:21 <sbs> no, I spent some time studying C++ and looking at how other projects use C++11 w/ async code
19:23:31 <sbs> so I was not very productive
19:24:32 <hellais> ack!
19:24:59 <hellais> if there is nothing else I would say we call this gathering adjourned
19:26:05 <hellais> thanks for attending!
19:26:07 <hellais> #endmeeting