There are a few ways that the IAB believes the IETF community can prioritize end users, based upon our observations. This is not a complete list.
The IETF community does not have any unique insight into what is "good for end users", and it is not uncommon for us to be at a further disadvantage because of our close understanding of some -- but not all -- aspects of the Internet.
At the same time, we have a culture of considerable deference to a broader "Internet community" -- roughly what this document calls end users -- in our decision-making processes. Mere deference, however, is not adequate; even with the best intentions, we cannot assume that our experiences of the Internet are those of all of its end users or that our decisions have a positive impact upon them.
Therefore, we have not only a responsibility to analyze and consider the impacts of the IETF's work, but also a responsibility to consult with that greater Internet community. In particular, we should do so when one of our decisions has a potential impact upon end users.
The IETF community faces significant hurdles in doing so. Our work is specialized and often esoteric, and processes for developing standards often involve very long timescales. Affected parties are rarely technical experts, and they often base their understanding of the Internet upon incomplete (and sometimes inaccurate) models. Often, even when we try to engage a broader audience, their participation is minimal -- until a change affects someone in a way they don't like. Surprising the Internet community is rarely a good outcome.
Government-sponsored individuals sometimes participate in the IETF community. While this is welcome, it should not be taken as automatically representative of end users elsewhere, or even all end users in the relevant jurisdiction. Furthermore, what is desirable in one jurisdiction (or at least to its administrators) might be detrimental in others (see Section 4.4
While some civil society organizations specialize in technology and Internet policy, they rarely can participate broadly, nor are they necessarily representative of the larger Internet community. Nevertheless, their understanding of end-user needs is often profound, and they are in many ways the best-informed advocates for end-user concerns; they should be considered a primary channel for engaging the broader Internet community.
A promising approach to help fill these gaps is to identify and engage with specifically affected communities when making decisions that might affect them, for example, one or more industry associations, user groups, or a set of individuals, though we can't formally ensure that they are appropriately representative.
In doing so, we should not require them to "come to us"; unless a stakeholder community is already engaged in the IETF process effectively, the IETF community should explore how to meet with them on their terms -- take the initiative to contact them, explain our work, and solicit their feedback.
In particular, while IAB workshops, BOFs, and Bar BOFs can be an effective mechanism to gather input within our community, they rarely have the visibility into other communities that is required to solicit input, much less effective participation.
Instead, an event like a workshop may be more effective if co-located with -- and ideally hosted or co-hosted by -- a forum that's familiar to that stakeholder community. We should also raise the visibility of IETF work (or potential IETF work) in such fora through conference talks, panels, newsletter articles, etc.
For example, the IAB ESCAPE workshop [RFC 8752
] solicited input from Internet publishers and advertisers about a proposal that might affect them. While the workshop was considered successful, participation might have been improved by identifying an appropriate industry forum and working with them to host the event.
When we engage with the Internet community, we should also clearly identify tailored feedback mechanisms (e.g., subscribing to a mailing list may not be appropriate) and assure that they are well known in those communities.
The Internet Society can be an invaluable partner in these efforts; their focus on the Internet community, policy expertise, and resources can help to facilitate discussions with the appropriate parties.
Finally, we should remember that the RFC Series contains Requests For Comments; if there are serious implications of our work, we should document them and ask for feedback from the Internet community.
We should pay particular attention to the kinds of architectures we create and whether they encourage or discourage an Internet that works for end users.
For example, one of the most successful Internet applications is the Web, which uses the HTTP application protocol. One of HTTP's key implementation roles is that of the web browser -- called the "user agent" in [RFC 7230
] and other specifications.
User agents act as intermediaries between a service and the end user; rather than downloading an executable program from a service that has arbitrary access into the users' system, the user agent only allows limited access to display content and run code in a sandboxed environment. End users are diverse and the ability of a few user agents to represent individual interests properly is imperfect, but this arrangement is an improvement over the alternative -- the need to trust a website completely with all information on your system to browse it.
Defining the user agent role in standards also creates a virtuous cycle; it allows multiple implementations, allowing end users to switch between them with relatively low costs (although there are concerns about the complexity of the Web creating barriers to entry for new implementations). This creates an incentive for implementers to consider the users' needs carefully, which are often reflected into the defining standards. The resulting ecosystem has many remaining problems, but a distinguished user agent role provides an opportunity to improve it.
In contrast, the Internet of Things (IoT) has not yet seen the broad adoption of a similar role; many current systems require opaque, vendor-specific software or hardware for the user-facing component. Perhaps as a result of this, that ecosystem and its end users face serious challenges.
At its best, our work will unambiguously build a better human society. Sometimes, we will consciously be neutral and open-ended, allowing the "tussle" among stakeholders to produce a range of results (see [TUSSLE
] for further discussion).
At the very least, however, we must examine our work for negative impact on end users and take steps to mitigate it where encountered. In particular, when we've identified a conflict between the interests of end users and other stakeholders, we should err on the side of protecting end users.
Note that "negative impact on end users" is not defined in this document; that is something that the relevant body (e.g., working group) needs to discuss and come to consensus on. Merely asserting that something is harmful is not adequate. The converse is also true, though; it's not good practice to avoid identifying harms, nor is it acceptable to ignore them when brought to our attention.
The IAB and IETF have already established a body of guidance for situations where this conflict is common, including (but not limited to) [RFC 7754
] on filtering, [RFC 7258
] and [RFC 7624
] on pervasive surveillance, [RFC 7288
] on host firewalls, and [RFC 6973
] regarding privacy considerations.
Much of that advice has focused on maintaining the end-to-end properties of a connection [RFC 3724
]. This does not mean that our responsibility to end users stops there; decisions might affect them in other ways. For example, data collection by various applications even inside otherwise secure connections is a major problem on the Internet today. Also, inappropriate concentration of power on the Internet has become a concerning phenomenon -- one that protocol design might have some influence upon.
When the needs of different end users conflict (for example, two sets of end users both have reasonable desires), we again should try to minimize negative impact.
For example, when a decision improves the Internet for end users in one jurisdiction, but at the cost of potential harm to others elsewhere, that is not a good trade-off. As such, we design the Internet for the pessimal environment; if a user can be harmed, they probably will be, somewhere.
There may be cases where genuine technical need requires compromise. However, such trade-offs are carefully examined and avoided when there are alternate means of achieving the desired goals. If they cannot be, these choices and reasoning ought to be thoroughly documented.
There are several needs that are very visible to us as specification authors but should explicitly not be prioritized over the needs of end users.
These include convenience for document editors, IETF process matters, and "architectural purity" for its own sake.