Re: [arch-d] Call for Comment: <draft-iab-privacy-partitioning-03> (Partitioning as an Architecture for Privacy)
Eliot Lear <lear@lear.ch> Mon, 09 October 2023 07:52 UTC
Return-Path: <lear@lear.ch>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF027C15152D; Mon, 9 Oct 2023 00:52:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.396
X-Spam-Level:
X-Spam-Status: No, score=-0.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, GB_ABOUTYOU=0.5, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=lear.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UNzfEV0hfZ99; Mon, 9 Oct 2023 00:52:30 -0700 (PDT)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [IPv6:2a00:bd80:aa::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16D5DC15152C; Mon, 9 Oct 2023 00:52:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1696837942; bh=VKs6WHbTNpmdMONLvNTRYTm7hAKcPCFjPZus2udWMDU=; h=Date:Subject:To:References:From:In-Reply-To:From; b=X5kYZzifKcWpFkSQSdi4E4Mtvxg2M8Hj+rjK22C2JbH8/I5HNtVrYuvMZmpr9/M8g 7+yPUL3bME5+XM+wRBsBgBQnMY5D0bOhW8dBvRYs8moA2RW1+mIk5BTqxPsbWQxyez XxIvuhrozk1n5FIRzLzhj5PF6OZvTU2W13wLESuY=
Received: from [IPV6:2001:420:c0c0:1011::4] ([IPv6:2001:420:c0c0:1011:0:0:0:4]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-22ubuntu3) with ESMTPSA id 3997qKSh1335683 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Mon, 9 Oct 2023 09:52:22 +0200
Content-Type: multipart/alternative; boundary="------------Ns2RzWUwhn74lacCi5Ithekn"
Message-ID: <399aa7ad-da6a-4f05-873e-ba290840246a@lear.ch>
Date: Mon, 09 Oct 2023 09:52:19 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Martin Thomson <mt@lowentropy.net>, architecture-discuss@ietf.org, iab@iab.org
References: <169661465706.21376.5494557288067922968@ietfa.amsl.com> <2972d671-5a24-4b98-b4c6-ec5d2985f0c0@betaapp.fastmail.com>
From: Eliot Lear <lear@lear.ch>
Autocrypt: addr=lear@lear.ch; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNGUVsaW90IExlYXIgPGxlYXJAbGVhci5jaD7CwI4EEwECADgCGwMCHgECF4AWIQSY0L2Q Rh2wkqeyYR2HtmtG2dJ6MwUCWxJwMwULCQgHAgYVCAkKCwIEFgIDAQAKCRCHtmtG2dJ6M8KI B/46pFrJX+4Ockl2fHR303ais9Lyx8jv6mXKKOr8WR0UYcJ0syQrhaaZNG1VV98tYQHHK9F5 y7hH4YCsrr3odZ6zoavnx5X1X/2xw8y732f/irVoOOkYLid9IGPxa2e2nYXCZpde5/yvv3we XVE4mG4dEAD5T8iKS4Hz/3fKGJQ15o79Jv92HgC7RpCt0WaiQ0b6acP3PuwjDJzJzLFZzb7j IiB3izxQESSWE1GNRmoAK/k0gW6kmx1/87tQENrK+3Nn4CJSFQWF6entLnY7UeVm95wbMQkJ evwddDWUO2huDbmZnmxgKXGzSSpuNq7n8ICAOlbt0HfdJAZQfy25bwvezsBNBFMe1UQBCAC0 WV7Ydbv95xYGPhthTdChBIpPtl7JPCV/c6/3iEmvjpfGuFNaK4Macj9le20EA5A1BH7PgLGo HOiPM65NysRpZ96RRVX3TNfLmhGMFr5hPOGNdq+xcGHVutmwPV9U7bKeUNRiPFx3YdEkExdd qV2E8FltT0x2FSKe2xszPPHB6gVtMckX5buI9p1K3fbVhXdvEkcYY/jB0JEJGyhS5aEbct5c HUvDAkT81/YFK5Jfg8RRwu1q1t1YuIJSOWAZQ9J9oUsg6D9RpClU+tIFBoe3iTp1AUfJcypu cGKgLYKtpu/aygcpQONHYkYW5003mPsrajFhReVF5veycMbHs4u5ABEBAAHCwF8EGAECAAkF AlMe1UQCGwwACgkQh7ZrRtnSejOSuQgA27p2rYB7Kh20dym6V8c62pWpBHHTgxr/32zevxHS iXl6xvUCg5T8WUwfUk8OvgDcBErK/blDAMXQzSg3sp450JhR8RnXHXF5Zz2T04X7HnlIVJGw f2CjnwyEAJCqMzaCmI+g3Imvg/8L4nyBFvhlFHDv+kIvMiujyycjPAu7xxKplBs1/IEwmDoA MjneFmawvfeQnwdMhSKK8PjKSuzGU5uUmxj3GBfRqvTM0qpmhMPFOmDhJSmH55HLAky2Mlmq JYXJPt/9EfSEhFiua1M6gLiuNEuPkp+8jcnHQqKr0IeHt8UqcwLt2mGfIyl0FVdF9hvWPjNR zGbgqoT1Di03RQ==
In-Reply-To: <2972d671-5a24-4b98-b4c6-ec5d2985f0c0@betaapp.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/hpa0Xhbff6PaUxJ-t7jTiXVr9pY>
Subject: Re: [arch-d] Call for Comment: <draft-iab-privacy-partitioning-03> (Partitioning as an Architecture for Privacy)
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Oct 2023 07:52:35 -0000
Hi IAB,
If that was Martin's way of saying that you are on the right track but
not quite there, then I agree ;-) I think the document is delightful
and well written, as far as it goes. Congratulations on that part!
&TL;DR you should ground your work detailed examples. I've provided
several extreme ones below; beware the incentive models in play. IMHO
don't click the "publish" button quite yet.
Feel free to use these worked examples (or not, or your own), applying
IETF building blocks and identifying missing parts to demonstrate how it
might all fit together, and make the document more relatable and thus
more consumable to the reader. You'll need to blow those blocks out.
That, my friends, is my view of what an architecture means ;-) Such
examples can demonstrate the strengths and weaknesses you mention in
Sections 4.2 and 5 (as well as others).
Here are the examples. A brief commentary and one nit follows below.
Goal #1: I Buy a book from Big Book And Other Company (BBAOC) without
having to reveal any particulars about yourself.
This is one of my favorite thought experiments, involving use of tokens
for postal addresses, and some sort of blinded payment protocol. For
simplification purposes, let's assume a single postal jurisdiction.
Let's now follow the flow:
1. I get a token from my postal company.
2. I go to BBAOC web site, presumably using oblivious HTTP and DoH.
3. I select a book.
4. I now somehow send my postal token to BBAOC.
5. BBAOC must now transmit that token to their postal provider, and
postal provider must return a shipping + tax value.
6. BBAOC contacts payment service with some information I provide, and
I am now charged the cost book + shipping and tax; a payment service
transaction id is generated. The transaction is recorded, and a
BBAOC transaction id is returned.
7. BBAOC prints a label with my token as a QR code (let's say) and
delivers it to the post.
8. Post as IdP is able to actually decode the token, and ships package
to me.
9. I receive the book with a copy of the BBAOC transaction id.
10. I read the book.
In the above example, BBAOC does not know who I am, and does not know my
address. I'll note also that BBAOC cannot provide me status information
about the shipment unless I provide some identity such as an email
address, but that can be somewhat anonymized, as Apple has done. No
login required.
Next let's add several variants.
Goal #2: Return book
Between Steps 9 and 10 from above, I discover that I have received the
wrong book.
1. I must now return to BBAOC's web site and generate a label.
2. I use the BBAOC transaction id generated in step 6 above as an index.
3. I enter that, and am able to generate a label. That too might be a
QR code that contains shipping and and perhaps transaction info,
perhaps signed.
4. I go to the post office and deliver the package, and get a receipt
with a postal transaction code bound to QR code.
5. Post scans label and ships.
6. BBAOC receives package and then contacts payment service with the
financial service transaction id generated in step 6 above, saying
“reverse it”.
7. Payment service issues confirmation, and this too is recorded and a
new transaction id generated.
8. BBAOC informs me of both.
9. I get my money, BBAOC gets the book back.
Goal #3: Buy a surprise gift for a friend
The flow from #1 may be used, with the following changes:
1. I must retrieve a token from the recipient, which means at least the
first gift cannot be a surprise. But let's say that this happens.
2. Now I provide my friend's token instead of my own.
3. The process flows as before.
This addresses a case that repeats itself regularly. Many years ago, I
asked a friend for his address, I drop shipped a book to him, and he was
infuriated that his information now rested with the book company. I did
thoughtlessly violate his privacy, even in the act of trying to provide
him a gift.
All of this *could* be made to work. A few notes:
* The 3rd example might lead people to believe that privacy advocates
are sometimes party poopers ;-)
* If BBAOC offers their own shipping, the postal privacy benefits are
entirely nullified.
* If I provide my friend's postal token to others, I have violated
their privacy. I must have permission.
* If BBAOC offers their own payment service, the financial privacy
benefits are entirely nullified.
* If BBAOC offers a platform to sellers, then it stands as a middle
man in the transaction, must provide the postal token, and
presumably will handle the financial matters; but the flow largely
holds.
* For electronic services/commerce (e.g., no physical product or
service), this flow would dramatically simplify, but for one aspect:
taxes.
* There are a _great many_ UX issues in these examples. Entering
tokens and transaction ids? Bah.
* I might want BBAOC to keep a search history because I derive value
from that. The key is that it be my choice not theirs, right? A
reasonable question to address: what is the privacy cost of that?
* _There is no incentive for BBAOC to employ this model – unless they
offer postal and financial service.
_
That last point is probably worth a few words. In particular, if they
really are the post, you may be unwittingly advocating more
centralization, because the blinding of some may mean aggregation by
others. Those tokens come from somewhere. This, by the way, is
similar, but not identical, to what Google has been accused of
doing[1]. @mnot might wish to comment. IMHO It's important to surface
this point so that we understand the societal limits and risks of an
architecture.
Relaxing my constraint about a single postal jurisdiction for a moment,
it's probably worth noting that the UPU[2] might need to do some
standardization to make all of this work. What are _their_ incentives?
As I'm sure many of you know, EKR has spent a good amount of time
writing up challenges with age verification[3], which would be another
apt example. He would also do a good job in poking holes in my examples ;-)
Another example to play out would be how a healthcare provider might use
this model without adversely impacting the patient.
Finally one nit: I find Section 6 point 1 to be unsupported to the point
of naivete in an adversarial model. But my assertion is just as
unsupported. Rather than us spending many emails going round and round
on that point, might I suggest that you note that this is an issue to be
considered at another time?
Eliot
[1]
https://www.theverge.com/2023/8/7/23823878/google-privacy-tracking-incognito-mode-lawsuit-summary-judgment-denied
[2] https://www.upu.int/en/Home
[3] https://educatedguesswork.org/posts/uk-age-verification/
On 09.10.2023 02:19, Martin Thomson wrote:
> This document feels incomplete. I'll give a few examples of applications of the general concept that aren't covered.
>
> Separating identity from the right to communicate is a major concept that is not as fully explored as it could be.
>
> This is something that the draft does discuss in a way, because it talks about using intermediaries to shield the identity of entities that wish to initiate communication.
>
> The entire class of use for pseudonymous identifiers isn't really given a solid treatment. I work with people who provide email aliases for privacy purposes. There, the underlying concept is that an email address typically serves two distinct functions: a) an identifier, and b) authorization to communicate.
>
> When creating temporary email addresses, especially when these are unique for each context, we break the identification part (a). We give the recipient the means to communicate with us, but deny them the means to identify. Identification means correlation across multiple contexts. (As an aside, that's a failing in RFC 6973, which treats identification and correlation as distinct threats rather than facets of the same and distinct only in degree.)
>
> A contextually-bound pseudonymous identifier provides no correlating power. Again, this relies on having intermediaries that can be trusted not to collude and reveal the true identity, so I believe that this qualifies as a partitioning.
>
> The same basic idea also underpins Web Push (RFC 8030). Websites are given the means to send push messages to user agents, but are denied the means of identification. Here, the privacy guarantees are stronger than email because the intermediary does not need to be entrusted with viewing the message contents. End-to-end protected email is possible, but email comes with very different expectations.
>
> I believe that this identity separation concept is also a property that is inherent to ICN architectures, but I'm not as qualified to comment on that as others, including some IAB members. Similarly, I believe that it would be possible to more fully capitalize on randomized IPv6 ULAs (RFC 4941), but there are folks on the IAB better positioned to handle that as well.
>
> Finally, it is maybe not in scope, but I wonder how the authors perceive the relation between this work and contextual integrity. It seems like maybe this is a foundational principle that is implied throughout, perhaps along with other principles. However, it's not really clear which aspects of privacy are potentially responsive to the types of partitioning that are discussed. There is missed opportunity here, I think. Just looking at specific privacy risks (those listed in Section 5 of RFC 6973 are a good start), it is obvious how partitioning helps (or doesn't) with some, but not all.
>
> Cheers,
> Martin
>
> On Sat, Oct 7, 2023, at 04:50, IAB Executive Administrative Manager wrote:
>> This is an announcement of an IETF-wide Call for Comment on
>> draft-iab-privacy-partitioning-03.
>>
>> The document is being considered for publication as an Informational
>> RFC within the IAB stream and is available for inspection at:
>> <https://datatracker.ietf.org/doc/draft-iab-privacy-partitioning/>
>>
>> The Call for Comment will last until 2023-11-03. Please send comments
>> toarchitecture-discuss@ietf.org andiab@iab.org.
>>
>> Abstract
>>
>> This document describes the principle of privacy partitioning, which
>> selectively spreads data and communication across multiple parties as
>> a means to improve privacy by separating user identity from user
>> data. This document describes emerging patterns in protocols to
>> partition what data and metadata is revealed through protocol
>> interactions, provides common terminology, and discusses how to
>> analyze such models.
>>
>> _______________________________________________
>> Architecture-discuss mailing list
>> Architecture-discuss@ietf.org
>> https://www.ietf.org/mailman/listinfo/architecture-discuss
> _______________________________________________
> Architecture-discuss mailing list
> Architecture-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/architecture-discuss
>
- [arch-d] Call for Comment: <draft-iab-privacy-par… IAB Executive Administrative Manager
- Re: [arch-d] Call for Comment: <draft-iab-privacy… Martin Thomson
- Re: [arch-d] Call for Comment: <draft-iab-privacy… Eliot Lear
- Re: [arch-d] Call for Comment: <draft-iab-privacy… Mirja Kuehlewind (IETF)
- Re: [arch-d] Call for Comment: <draft-iab-privacy… Eliot Lear
- Re: [arch-d] Call for Comment: <draft-iab-privacy… Tommy Pauly
- Re: [arch-d] Call for Comment: <draft-iab-privacy… Tommy Pauly