Re: [arch-d] Call for Comment: <draft-iab-privacy-partitioning-03> (Partitioning as an Architecture for Privacy)

Eliot Lear <> Thu, 07 December 2023 16:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 22DBEC09037E; Thu, 7 Dec 2023 08:21:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.396
X-Spam-Status: No, score=-5.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, GB_ABOUTYOU=0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)"
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sDmEWzcveAdA; Thu, 7 Dec 2023 08:20:57 -0800 (PST)
Received: from ( [IPv6:2a00:bd80:aa::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id 0C085C14F5E0; Thu, 7 Dec 2023 08:20:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=upstairs; t=1701966052; bh=DaZrMBcywzFMz512OJZIyG5IWRcD4IorU87EXaCegVo=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=LAZ/CzZAnCmUW4Fh8uxxTXQNgCLRyQDOsnqJYWmICu8P9Rjzra9NnkxhDoFZaoi5m yGFGqYhI0vKZ9126Coyri/weVLtY6nzqAddwqPFkyjdIjzMi8XOIErS46ZMdwsG8uB aadhbGb7haly0iPPHzDrlkmQ02AOD79wCM4wcbtM=
Received: from [IPV6:2001:420:2d03:1300:c56c:9a6:8c36:b368] ([IPv6:2001:420:2d03:1300:c56c:9a6:8c36:b368]) (authenticated bits=0) by (8.15.2/8.15.2/Debian-22ubuntu3) with ESMTPSA id 3B7GKnG61783448 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Thu, 7 Dec 2023 17:20:50 +0100
Content-Type: multipart/alternative; boundary="------------t50qm1MZ5tinlZcWFUUwbnty"
Message-ID: <>
Date: Thu, 07 Dec 2023 11:20:46 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: "Mirja Kuehlewind (IETF)" <>
Cc: Martin Thomson <>,, The IAB <>
References: <> <> <> <>
From: Eliot Lear <>
Autocrypt:; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNGUVsaW90IExlYXIgPGxlYXJAbGVhci5jaD7CwI4EEwECADgCGwMCHgECF4AWIQSY0L2Q Rh2wkqeyYR2HtmtG2dJ6MwUCWxJwMwULCQgHAgYVCAkKCwIEFgIDAQAKCRCHtmtG2dJ6M8KI B/46pFrJX+4Ockl2fHR303ais9Lyx8jv6mXKKOr8WR0UYcJ0syQrhaaZNG1VV98tYQHHK9F5 y7hH4YCsrr3odZ6zoavnx5X1X/2xw8y732f/irVoOOkYLid9IGPxa2e2nYXCZpde5/yvv3we XVE4mG4dEAD5T8iKS4Hz/3fKGJQ15o79Jv92HgC7RpCt0WaiQ0b6acP3PuwjDJzJzLFZzb7j IiB3izxQESSWE1GNRmoAK/k0gW6kmx1/87tQENrK+3Nn4CJSFQWF6entLnY7UeVm95wbMQkJ evwddDWUO2huDbmZnmxgKXGzSSpuNq7n8ICAOlbt0HfdJAZQfy25bwvezsBNBFMe1UQBCAC0 WV7Ydbv95xYGPhthTdChBIpPtl7JPCV/c6/3iEmvjpfGuFNaK4Macj9le20EA5A1BH7PgLGo HOiPM65NysRpZ96RRVX3TNfLmhGMFr5hPOGNdq+xcGHVutmwPV9U7bKeUNRiPFx3YdEkExdd qV2E8FltT0x2FSKe2xszPPHB6gVtMckX5buI9p1K3fbVhXdvEkcYY/jB0JEJGyhS5aEbct5c HUvDAkT81/YFK5Jfg8RRwu1q1t1YuIJSOWAZQ9J9oUsg6D9RpClU+tIFBoe3iTp1AUfJcypu cGKgLYKtpu/aygcpQONHYkYW5003mPsrajFhReVF5veycMbHs4u5ABEBAAHCwF8EGAECAAkF AlMe1UQCGwwACgkQh7ZrRtnSejOSuQgA27p2rYB7Kh20dym6V8c62pWpBHHTgxr/32zevxHS iXl6xvUCg5T8WUwfUk8OvgDcBErK/blDAMXQzSg3sp450JhR8RnXHXF5Zz2T04X7HnlIVJGw f2CjnwyEAJCqMzaCmI+g3Imvg/8L4nyBFvhlFHDv+kIvMiujyycjPAu7xxKplBs1/IEwmDoA MjneFmawvfeQnwdMhSKK8PjKSuzGU5uUmxj3GBfRqvTM0qpmhMPFOmDhJSmH55HLAky2Mlmq JYXJPt/9EfSEhFiua1M6gLiuNEuPkp+8jcnHQqKr0IeHt8UqcwLt2mGfIyl0FVdF9hvWPjNR zGbgqoT1Di03RQ==
In-Reply-To: <>
Archived-At: <>
Subject: Re: [arch-d] Call for Comment: <draft-iab-privacy-partitioning-03> (Partitioning as an Architecture for Privacy)
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Dec 2023 16:21:03 -0000

Hi Mirja,

I think the document is "on the right track".  As to my examples: use 
them or not, but if you do, think bigger than just IETF protocols, but 
the point is to ground the work in real outcomes.


On 07.12.2023 07:25, Mirja Kuehlewind (IETF) wrote:
> Hi Eliot,
> Our focus of the document was to give examples in the context of IETF 
> protocols. The examples you list are application layer examples or at 
> least are not directly covered by IETF technology. So I’m actually not 
> quite sure what I should take away from this for the document…?
> Also you say in the beginning that the document is not quite ready yet 
> for publishing, however, it hard for me to actually understand what 
> you think is missing. Can you be a bit more concrete?
> Mirja
>> On 9. Oct 2023, at 09:52, Eliot Lear <> wrote:
>> Hi IAB,
>> If that was Martin's way of saying that you are on the right track 
>> but not quite there, then I agree ;-) I think the document is 
>> delightful and well written, as far as it goes.  Congratulations on 
>> that part!
>> &TL;DR you should ground your work detailed examples.  I've provided 
>> several extreme ones below; beware the incentive models in play.  
>> IMHO don't click the "publish" button quite yet.
>> Feel free to use these worked examples (or not, or your own), 
>> applying IETF building blocks and identifying missing parts to 
>> demonstrate how it might all fit together, and make the document more 
>> relatable and thus more consumable to the reader.  You'll need to 
>> blow those blocks out.  That, my friends, is my view of what an 
>> architecture means ;-)  Such examples can demonstrate the strengths 
>> and weaknesses you mention in Sections 4.2 and 5 (as well as others).
>> Here are the examples.  A brief commentary and one nit follows below.
>> Goal #1: I Buy a book from Big Book And Other Company (BBAOC) without 
>> having to reveal any particulars about yourself.
>> This is one of my favorite thought experiments, involving use of 
>> tokens for postal addresses, and some sort of blinded payment 
>> protocol.  For simplification purposes, let's assume a single postal 
>> jurisdiction. Let's now follow the flow:
>>  1. I get a token from my postal company.
>>  2. I go to BBAOC web site, presumably using oblivious HTTP and DoH.
>>  3. I select a book.
>>  4. I now somehow send my postal token to BBAOC.
>>  5. BBAOC must now transmit that token to their postal provider, and
>>     postal provider must return a shipping + tax value.
>>  6. BBAOC contacts payment service with some information I provide,
>>     and I am now charged the cost book + shipping and tax; a payment
>>     service transaction id is generated.  The transaction is
>>     recorded, and a BBAOC transaction id is returned.
>>  7. BBAOC prints a label with my token as a QR code (let's say) and
>>     delivers it to the post.
>>  8. Post as IdP is able to actually decode the token, and ships
>>     package to me.
>>  9. I receive the book with a copy of the BBAOC transaction id.
>> 10. I read the book.
>> In the above example, BBAOC does not know who I am, and does not know 
>> my address.  I'll note also that BBAOC cannot provide me status 
>> information about the shipment unless I provide some identity such as 
>> an email address, but that can be somewhat anonymized, as Apple has 
>> done.  No login required.
>> Next let's add several variants.
>> Goal #2: Return book
>> Between Steps 9 and 10 from above, I discover that I have received 
>> the wrong book.
>>  1. I must now return to BBAOC's web site and generate a label.
>>  2. I use the BBAOC transaction id generated in step 6 above as an
>>     index.
>>  3. I enter that, and am able to generate a label. That too might be
>>     a QR code that contains shipping and and perhaps transaction
>>     info, perhaps signed.
>>  4. I go to the post office and deliver the package, and get a
>>     receipt with a postal transaction code bound to QR code.
>>  5. Post scans label and ships.
>>  6. BBAOC receives package and then contacts payment service with the
>>     financial service transaction id generated in step 6 above,
>>     saying “reverse it”.
>>  7. Payment service issues confirmation, and this too is recorded and
>>     a new transaction id generated.
>>  8. BBAOC informs me of both.
>>  9. I get my money, BBAOC gets the book back.
>> Goal #3: Buy a surprise gift for a friend
>> The flow from #1 may be used, with the following changes:
>>  1. I must retrieve a token from the recipient, which means at least
>>     the first gift cannot be a surprise. But let's say that this happens.
>>  2. Now I provide my friend's token instead of my own.
>>  3. The process flows as before.
>> This addresses a case that repeats itself regularly. Many years ago, 
>> I asked a friend for his address, I drop shipped a book to him, and 
>> he was infuriated that his information now rested with the book 
>> company.  I did thoughtlessly violate his privacy, even in the act of 
>> trying to provide him a gift.
>> All of this *could* be made to work.  A few notes:
>>   * The 3rd example might lead people to believe that privacy
>>     advocates are sometimes party poopers ;-)
>>   * If BBAOC offers their own shipping, the postal privacy benefits
>>     are entirely nullified.
>>   * If I provide my friend's postal token to others, I have violated
>>     their privacy.  I must have permission.
>>   * If BBAOC offers their own payment service, the financial privacy
>>     benefits are entirely nullified.
>>   * If BBAOC offers a platform to sellers, then it stands as a middle
>>     man in the transaction, must provide the postal token, and
>>     presumably will handle the financial matters; but the flow
>>     largely holds.
>>   * For electronic services/commerce (e.g., no physical product or
>>     service), this flow would dramatically simplify, but for one
>>     aspect: taxes.
>>   * There are a _great many_ UX issues in these examples.  Entering
>>     tokens and transaction ids? Bah.
>>   * I might want BBAOC to keep a search history because I derive
>>     value from that.  The key is that it be my choice not theirs,
>>     right?  A reasonable question to address: what is the privacy
>>     cost of that?
>>   * _There is no incentive for BBAOC to employ this model – unless
>>     they offer postal and financial service.
>>     _
>> That last point is probably worth a few words.  In particular, if 
>> they really are the post, you may be unwittingly advocating more 
>> centralization, because the blinding of some may mean aggregation by 
>> others. Those tokens come from somewhere.  This, by the way, is 
>> similar, but not identical, to what Google has been accused of 
>> doing[1].  @mnot might wish to comment. IMHO It's important to 
>> surface this point so that we understand the societal limits and 
>> risks of an architecture.
>> Relaxing my constraint about a single postal jurisdiction for a 
>> moment, it's probably worth noting that the UPU[2] might need to do 
>> some standardization to make all of this work.  What are _their_ 
>> incentives?
>> As I'm sure many of you know, EKR has spent a good amount of time 
>> writing up challenges with age verification[3], which would be 
>> another apt example. He would also do a good job in poking holes in 
>> my examples ;-)
>> Another example to play out would be how a healthcare provider might 
>> use this model without adversely impacting the patient.
>> Finally one nit: I find Section 6 point 1 to be unsupported to the 
>> point of naivete in an adversarial model.  But my assertion is just 
>> as unsupported. Rather than us spending many emails going round and 
>> round on that point, might I suggest that you note that this is an 
>> issue to be considered at another time?
>> Eliot
>> [1] 
>> [2]
>> [3]
>> On 09.10.2023 02:19, Martin Thomson wrote:
>>> This document feels incomplete.  I'll give a few examples of applications of the general concept that aren't covered.
>>> Separating identity from the right to communicate is a major concept that is not as fully explored as it could be.
>>> This is something that the draft does discuss in a way, because it talks about using intermediaries to shield the identity of entities that wish to initiate communication.
>>> The entire class of use for pseudonymous identifiers isn't really given a solid treatment.  I work with people who provide email aliases for privacy purposes.  There, the underlying concept is that an email address typically serves two distinct functions: a) an identifier, and b) authorization to communicate.
>>> When creating temporary email addresses, especially when these are unique for each context, we break the identification part (a).  We give the recipient the means to communicate with us, but deny them the means to identify.  Identification means correlation across multiple contexts.  (As an aside, that's a failing in RFC 6973, which treats identification and correlation as distinct threats rather than facets of the same and distinct only in degree.)
>>> A contextually-bound pseudonymous identifier provides no correlating power. Again, this relies on having intermediaries that can be trusted not to collude and reveal the true identity, so I believe that this qualifies as a partitioning.
>>> The same basic idea also underpins Web Push (RFC 8030).  Websites are given the means to send push messages to user agents, but are denied the means of identification.  Here, the privacy guarantees are stronger than email because the intermediary does not need to be entrusted with viewing the message contents.  End-to-end protected email is possible, but email comes with very different expectations.
>>> I believe that this identity separation concept is also a property that is inherent to ICN architectures, but I'm not as qualified to comment on that as others, including some IAB members.  Similarly, I believe that it would be possible to more fully capitalize on randomized IPv6 ULAs (RFC 4941), but there are folks on the IAB better positioned to handle that as well.
>>> Finally, it is maybe not in scope, but I wonder how the authors perceive the relation between this work and contextual integrity.  It seems like maybe this is a foundational principle that is implied throughout, perhaps along with other principles.  However, it's not really clear which aspects of privacy are potentially responsive to the types of partitioning that are discussed.  There is missed opportunity here, I think. Just looking at specific privacy risks (those listed in Section 5 of RFC 6973 are a good start), it is obvious how partitioning helps (or doesn't) with some, but not all.
>>> Cheers,
>>> Martin
>>> On Sat, Oct 7, 2023, at 04:50, IAB Executive Administrative Manager wrote:
>>>> This is an announcement of an IETF-wide Call for Comment on
>>>> draft-iab-privacy-partitioning-03.
>>>> The document is being considered for publication as an Informational
>>>> RFC within the IAB stream and is available for inspection at:
>>>> <>
>>>> The Call for Comment will last until 2023-11-03. Please send comments
>>>> Abstract
>>>>    This document describes the principle of privacy partitioning, which
>>>>    selectively spreads data and communication across multiple parties as
>>>>    a means to improve privacy by separating user identity from user
>>>>    data.  This document describes emerging patterns in protocols to
>>>>    partition what data and metadata is revealed through protocol
>>>>    interactions, provides common terminology, and discusses how to
>>>>    analyze such models.
>>>> _______________________________________________
>>>> Architecture-discuss mailing list
>>> _______________________________________________
>>> Architecture-discuss mailing list
>> _______________________________________________
>> Architecture-discuss mailing list