Re: [Ideas] Concerns of privacy and identity

Alexander Clemm <alexander.clemm@huawei.com> Tue, 26 September 2017 01:48 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ideas/qdmKaFGTSer5TGzXbQFg7AOL824>

Hi Tom,

A couple of replies inline, marked <ALEX>.

On a general level, performing a detailed analysis of the implications on anonymity and privacy is part of the charter. I think this is the context in which we should be having this discussion, i.e. to perform the analysis. I don't think we need updates to the charter (that we just converged on); it is already covered.

From a personal perspective, I certainly have as big concerns about privacy as a private citizen as anybody else. The ability to provide greater privacy while protecting myself against attackers who want to phish/impersonate/otherwise attack me is from my perspective a very important motivator for this work. The current state of the art isn't so great from this perspective, or is it? Let's work on providing some better alternatives. I think in IDEAS we can make interesting contributions here, and by all means we will need to include a detailed analysis. And we can absolutely update wording in draft-cc-ideas-identity-use-cases as needed.

Regards
--- Alex

-----Original Message-----
From: Ideas [mailto:ideas-bounces@ietf.org] On Behalf Of Tom Herbert
Sent: Saturday, September 23, 2017 9:05 AM
To: ideas@ietf.org
Subject: [Ideas] Concerns of privacy and identity

Hello,

I still have deep concerns about the identity concepts in IDEAS and the potential for abuse and breaking users' fundamental privacy and anonymity.

I find the last paragraph in section 4.1 of draft-ccm-ideas-identity-use-cases-01 to be particularly worrisome. Reading this, I don't see how it's not describing a global database of individual users' identities on the Internet that governments will be able to access at their discretion.

<ALEX>
Really we are talking about endpoints here. I think many of the concerns that you raise concern people's personally identifiable information, like social security or passport numbers. This is neither needed nor implied here.

A service provider may of course still have a customer database, with customers' private information, credit card information, etc. An SP today is able to correlate this information with your phone number, with your IP lease information, with your port information. All of this is orthogonal to IDEAS.
</ALEX>

A key sentence is:

"to convey an authorized network entity who is behind a given (ephemeral) IDf that is visible on the wire."

The "who" could be construed as meaning individuals here. "authorized network entity" could mean anyone in the path including governments that would assume they are self-authorized to track users.

The rest of the lines in the paragraph mention "legitimate need to know" and "Legitimate parties include ... regulatory authorities".
What is legitimate is subjective; what one party considers a legitimate need to know, another may not. Regulatory authority pretty much means government.

<ALEX> The implication behind a system like GRIDS is that an end user has a trust relationship with their network provider. So, if you don't trust your network provider, there is an issue, and in that way, clearly there is potential for abuse. You should probably stop using your mobile phone service as well. How do you know Verizon does not share your information (including your customer records and current location) in real time with the government or with cyber criminals?

Legitimate uses can include uses that are needed to provide a service feature, for example accounting and charging, or providing security features such as protection against impersonation, both people who try to impersonate you, and people who try to impersonate someone else when they contact you.    

In addition to the network provider, there is everybody else.  This is where we find a lot of potential attack vectors and security threats, and we should be able to protect our privacy and remain anonymous.  So, the contribution of IDEAS will be to provide greater privacy/anonymity/protection against outside threats and observers.    

So, how can we better word this in the draft to bring this across?  

</ALEX>


I believe the identity effort has good intentions and there may be real benefits. Perhaps the idea is that a policy will be articulated on who the authorized parties are and what the authorized uses of the data are. The obvious problem with that is that neither the IETF nor anyone else can enforce policy across the Internet. Besides that, it's almost becoming a daily occurrence that databases with personally identifying information are hacked; a global database of Internet users would be subject to similar attacks.


It seems to me that the only guaranteed way to prevent misuse of identity is to either build the mechanism such that misuse is provably impossible, or to not build a mechanism at all.

<ALEX> Proving that misuse of a mechanism will be impossible will be a very high bar to clear. We should provide detailed analysis and security considerations, but not make this an entrance criterion. </ALEX>

In any case, I suggest the following be added to the charter:

"IDEAS will not create a protocol, mechanism, or database that records or disseminates identities of individuals or any other personally identifiable information. IDEAS will not create any mechanism that could allow a third party in communications to track packets back to individual users."

<ALEX> 
I don't think we need an addition to the charter. We will provide a detailed analysis of privacy etc. ramifications, which is already contained in the charter.
</ALEX>

Thanks,
Tom
