Network of Excellence in Internet Science

Internet Science in standardization?

The project EINS is about the establishment of Internet Science as interdiscplinary discipline to study the Internet. The motivation for the project is that isolated mono-disciplinary views may not adequately describe what really happens on the Internet. One may now wonder if this is also true for standardization. Do we need Internet Science and with it the social sciences or non-ICT (ICT = Information and Communication technology, here it also includes mathematics, physics and similar disciplines) participation in general in our technical standardization processes? In this blog, I share some of my thoughts about this problem.

What are standards?

Technical standards, such as specified by the IETF or the W3C, are usually documents or sets of documents that describe how systems should interact with other systems. A system could be some hardware, software, or a combination of multiple such components. The components may belong to one organisation or to many different individuals. The main purpose of standards is interoperability. This includes the definition of protocols and protocol steps to define when particpating entities say what to whom, and how other entities should understand the things that were said. Furthermore, standards may also contain implementation recommendations like internal states and requirements. If there are multiple standards, one may have one standard document that describes the overall framework, another one that describes scenarios and requirements, and many smaller ones for specific technical details or extensions that add features or react to current developments. Example: TLS 1.2 is specified in IETF RFC 5246. Its predecessors have been defined in RFCs 2246 and 4346. RFCs 5288 and 5289 extend TLS 1.2 by adding new cryptographic modes and algorithms. There are many more such extensions. Other older RFCs explain how TLS should be combined with certain applications. RFC 2818 explains the use of TLS for HTTP.

Are social sciences needed in standardization?

When we look at the operation of the IETF and other organizations in the recent decades one may come to the conclusion that this is not the case. Standardization was extremely successful without the help of social sciences. The Internet changed the world. Social scientists are rarely seen or heard at IETF conferences. IETF mailing list discussions are dominated by technical people and the content is mostly technical.

However, there is one minor flaw in this observation. Technical standards are not the only form of standardization. Another form is regulation. Lawyers are probably the largest group of people contributing to regulation. As a consequence, we do have standards from people with mostly social science background that set the stage for technology and their standards.

This observation does not necessarily contradict the previous argument about the IETF's success. However, regulatory support might also have been somewhat influencial for the Internet's success. In particular open source licenses have been important for the wide deployment of the open systems (from GNU/Linux to the Apache webserver) that today form a large part of the Internet. As a consequence, the better question seems to be: When do we need the social sciences in standardization and when not?

Who ought to standardize?

Basically all people who are affected by a standard should care. As a consequence, representatives from most societal groups in the process should participate in standardization. But, do we really want non-experts to specify and select the cryptographic cipher that our security is based upon? There are questions that can only answered by few people. Here in the example, relatively few mathematicians and IT experts with special training in cryptography. For the particular question it seems implausible that other discplines can help, neither sociologists nor lawyers would be able to help. Even technology people would not be able to understand or judge the quality of standards in other fields! Thus, the same applies to them as well.

What seems to be a characteristic of the question of cryptographic ciphers is that while there are variety of methods to generate them, they serve a specific well-defined purpose. There is also no graceful degradation. Errors can make a cipher and systems based on it insecure. Such errors are usually also found by the experts who define such ciphers. Putting it all together, the scope of the question is limited, its purpose and interface clear, and necessary methods to generate and evaluate a standard all relate to one field of research. The situation may become completely different, once we do not look at the cipher, but at overall frameworks on using cryptography in larger systems like the Internet.

The idea of Internet Science is that interdisciplinary research has to be considered when trying to answer Internet-related questions. Given that, it is only natural to consider such interdisciplinarity also in standards setting. Even more, as standards setting is not only a question of a set of stakeholders from academia and industry, but also of user groups. One may be able to check if some of these groups are constantly neglected in standardization. Social scientists and non-ICT user groups are rarely to be seen at IETF events.

Why is this bad?

Humans may play a role in the technology or architecture. Psychology drives certain behaviours and technology adaption. Economics estimates the faithfulness of actors and potentials for realization. Law sets what is allowed. The human user is not a perfect machine. We are neither fully rational nor always well-behaving, and not even always problem-aware. Thus, whenever a human being or atleast a potentially not fully rational human being influences the problem, it might be that just focussing on technology is not enough. In the precense of humans, most technology decisions are about making what the human would want. This is something technology cannot know a-priori. Someone has to tell the technology or it has to find out by observation. In case of web security, the browser trusts a website because of the browser developer trusting some 3rd parties (called Certificate Authorities) and one of them asserting that the website is the right one given a certain cryptographic key is used by the server of the website. This process is full of social science aspects. Thus, we should care more about them.

Why is this good?

Many if not most questions in standards of Internet protocols are about purely technical problems and not general architectural aspects.  Other problems like good ciphers in cryptography can only be answered by few experts in cryptography. It is hard to imagine that these fundamental and very focussed problems could benefit from interdisciplinarity. But, as I said, putting them together most likely can.

Are there other forms of participation?

Whenever one participates in some kind of hacker or developer meeting, one may be surprised how many non-ICT people will be around. This may become less surprising when one considers that the
program of the meeting can include also cultural or political events. Yet, what is the benefit? One possible answer might be inspiration and pointing to problems and questions that need a technical answer. Furthermore, ICT experts are often not the best at publicity and public visibility. Alternatives of thought may lead to new ideas and increase creativity. Thus, while many particular technical decisions may only be answerable by a certain small set of people, stakeholders, social scientists, and even representatives of Joe Average could play a role in the process.

How likely is it really?

Standardization is about concrete solutions and protocols. It seems to me that non-ICT research is often not yet in the position to rather quickly provide the answers to ICT problems that people in standardization would want from them. This is not their research topic after all and also ICT research is not necessarily close to the needs of standardization. Internet Science efforts might help to provide a better inclusion.

To conclude, the Internet is not all ICT. Standardization should also reflect that, yet this is not easy and there are limits.