Re: [arch-d] Possible IAB Adoption of draft-kpw-iab-privacy-partitioning

[Vittorio Bertola <vittorio.bertola@open-xchange.com>]

 

> Il 13/12/2022 17:32 CET Mirja Kuehlewind <ietf@kuehlewind.net> ha scritto:
>  
>  
> Hi Vittorio,
>  
> I see that we already have an issue to I believe address your main point. I still would like to comment on some point below as I don’t think you interpreted the discussion in the draft entirely right.
> 
Let's see if I can make myself clear so that my objections make more sense.

>  
> The text says "Policy and contractual agreements between entities involved in partitioning”. This means e.g. the client might have a contractual relationship with the operator of the relay (e.g. it could be operated by the access network provider).
> 
This is just "e.g.", but the text you quote above also allows for another case, the one in which the operators of the two proxies - the two entities whose non-collusion is vital to preserve the user's privacy - have a contractual relationship between them. In fact, this is the case that we have seen in current deployments; the client (if by client you mean an application acting according to the end-user's will) has no control on where the traffic goes, it is decided by the maker of the device or of the browser.

> In this case there is already trust to the entity and there is an incentive for the operator to maintain this trust and provide a good service.
> 
Well, who is the "client"? Is it the user, or is it the application and its maker? Given how little choice you have today e.g. in mobile OSes, can you really say that the user chose the client application freely and so has such a trust in them that it becomes transitive, i.e. the user also trusts whoever the client application's maker decides to make a commercial agreement with? This does not look credible in policy and in behavioural terms.
 
Just imagine: the user goes and buy a random IoT device on Amazon, from an unknown random brand, choosing by lowest price. Does this mean that they trust the maker to route their traffic as well, possibly bypassing any local network configuration that they have made?

> 
> > The other suggestion is to just add more and more intermediaries, and this is really baffling. First, privacy is about reducing the number of entities that have a chance to access your data, not increasing it. Second, I am lost at what is now the vision of the IETF's technical leadership on intermediaries; I've seen continuous bashing of the very idea of in-network intermediation for years, including drafts that propose principles to remove or at least reduce existing intermediaries as far as possible (e.g. https://datatracker.ietf.org/doc/draft-thomson-tmi/ ), and here is one that actually proposes to take traffic that was happily scattered throughout the Internet and make it all go through new intermediaries.
> > 
>  
> Yes, this draft and the protocols in work in the IETF that are discussed in the draft will add more intermediates. However, one important point is that those intermediates are explicitly involved by the clients action (in contrast to NATs or transparent proxies).
> 
Again, this depends on whether the client acts in the interest of the end-user or in the interest of its maker.

> Further, this document does not propose to spread all your information to all entities. Instead it assumes a certain set of information that is worth sharing (because the client wants to use a certain service) and proposed to divide/partition that information among multiple entities, so each entities see less than when all information is only shared with one entity. If you share the same information with multiple or all entities, this will decrease your privacy but that not what the draft says. Also of course you can partition your data in a (wrong) way that reduces privacy and that’s definitely the hard part as discussed in the section on limits.
> 
This all depends on who chooses the intermediaries and how trusted they really are. If I can trust the new intermediaries, of course my privacy will be better; on the other hand, if the new intermediaries do not act in my interest, now I have two more entities that can monitor and process all my traffic, and even if they only see a part of it, they can collude or use other techniques.
 
The assumption that things are generally more likely to go well than to go poorly is unwarranted, depends on business and behavioural factors and should be justified on non-technical grounds.
 
Regarding centralisation, I understand that you see this document more like a definition of terms than as a recommendation, yet it is going to be taken as such, and the economic incentives of this kind of intermediary service, like for CDNs, are all in favour of centralisation in terms of ownership (not in terms of server distribution, of course). As soon as this document becomes the IAB's suggestion to at least consider this model, the necessary caution should be included.

--

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com mailto:vittorio.bertola@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy