IETF Logo Mail Archive

Re: [ietf-privacy] Privacy and Identifiers - draft-moonesamy-privacy-identifiers-01

S Moonesamy <sm+ietf@elandsys.com> Tue, 17 September 2013 17:43 UTC

Return-Path: <sm@elandsys.com>
X-Original-To: ietf-privacy@ietfa.amsl.com
Delivered-To: ietf-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4CFA11E853D for <ietf-privacy@ietfa.amsl.com>; Tue, 17 Sep 2013 10:43:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.555
X-Spam-Level:
X-Spam-Status: No, score=-102.555 tagged_above=-999 required=5 tests=[AWL=0.044, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gMstSNed58M7 for <ietf-privacy@ietfa.amsl.com>; Tue, 17 Sep 2013 10:43:37 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id AC27111E82B7 for <ietf-privacy@ietf.org>; Tue, 17 Sep 2013 10:43:34 -0700 (PDT)
Received: from SUBMAN.elandsys.com ([197.224.158.202]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r8HHhImc009280 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 17 Sep 2013 10:43:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1379439812; bh=DzO3c2XE1BWAUjnXM2rGJUqfbc3Zdj7MwUXwwPZ0LnY=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=QoGtZ0dQ9zm2rPDShexCjdJ1Lo0hfwwFOc8R4fn439FXvZ+q0vFSNQfp1wG5rDgB+ 39F3dQhisg0alhy06j0tUOQY5GT8g8RwQxv/JeJRCz2ftTXIAL0e4qW3QEJgE2+lhN fNActxmOTn25JrQGSZurHR1tEFAx04L1Ok/P1mOQ=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=elandsys.com; s=mail; t=1379439812; i=@elandsys.com; bh=DzO3c2XE1BWAUjnXM2rGJUqfbc3Zdj7MwUXwwPZ0LnY=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=VPwI6jDIxxp62MU6ME4ESfUhSyac5Yp26paZtPbIitGnDsZ65kmP9nJZO6N3lHSF9 1vDYEUK3CQUzSM2mFq+LMZYMg6AbzXD71Lj3Z2uCe+phw4mn6lWBczomoabZRv8sUK Hq6FQWCwEC08/S/8Ui5gc48w18oZ++udH+fQmmjQ=
Message-Id: <6.2.5.6.2.20130917084141.0e3918e8@elandnews.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Tue, 17 Sep 2013 10:42:23 -0700
To: mohamed.boucadair@orange.com
From: S Moonesamy <sm+ietf@elandsys.com>
In-Reply-To: <94C682931C08B048B7A8645303FDC9F36EF1241331@PUEXCB1B.nanter re.francetelecom.fr>
References: <6.2.5.6.2.20130914080154.0bbdf140@elandnews.com> <94C682931C08B048B7A8645303FDC9F36EF1241331@PUEXCB1B.nanterre.francetelecom.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: ietf-privacy@ietf.org
Subject: Re: [ietf-privacy] Privacy and Identifiers - draft-moonesamy-privacy-identifiers-01
X-BeenThere: ietf-privacy@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Internet Privacy Discussion List <ietf-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-privacy>
List-Post: <mailto:ietf-privacy@ietf.org>
List-Help: <mailto:ietf-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Sep 2013 17:43:39 -0000

Hi Med,
At 04:56 17-09-2013, mohamed.boucadair@orange.com wrote:
>One comment I have when reading this reco from your draft:
>
>       It is recommended that an identifier be used at the layer at which
>       its functionality is necessary for communication to be
>       established.
>
>is, from a privacy perspective, there is no justification for it. If 
>the information is present in the packet, does it really matter if 
>it is used in other layers? Why reusing that info will impact the 
>privacy? Take the example of TCP that use the IP address for the 
>pseudo header checksum, SIP, SDP, etc. If you have in mind 
>particular identifiers, it would be valuable to explicit them rather 
>than having a generic statement.

The problem is secondary use (see RFC 6973 Section 5.2.3) and consent 
[1].  The draft argues that consent is implicit if the information is 
necessary for communication.  If it is necessary to send out the IP 
address in the TCP session, that does not mean that the protocol at a 
higher layer can take it and put it in a header field.  As an 
example, please see Section 8.2 and 8.2 of 
draft-ietf-appsawg-http-forwarded-10.

 From a privacy perspective I can find out your approximate location 
the source IP address used for your SIP call.  There are times when 
that can be embarrassing, e.g. you told your manager that you are 
calling from work while the source IP address points to another 
location.  Let's say that we have to document the privacy 
implications in our document.  The reuse cases will be more work for 
us as we have to think of more possibilities.  The way to avoid that 
is apply some form of layering when we tackle privacy.

The examples in Section 4 (of the draft) were chosen as the related 
specifications explain what these identifiers are above.  There isn't 
any explanation in plain English for identifiers used in other 
specifications.  I could take the RFC 6973 approach and write a long 
document.  My guess is that people won't read it. :-)  The approach I 
adopted was to keep it simple.  A generic statement can be argued 
both ways.  For example, you can argue that the identifier is 
necessary at the higher layer without having to ask the user for 
consent.  I used "recommendation" instead of "requirement" so as not 
to impose constraints.

>If we take the example of an IP address as an identifier, even if it 
>is revealed in various layers, this does not mean that one single 
>individual/user is associated with that identifier. Take the example 
>of multiple machines behind the same CPE, or multiple subscribers 
>behind the same CGN, etc. Nevertheless:
>* the configuration of a browser may be used easily to track user 
>(e.g., https://panopticlick.eff.org/)
>* some application headers (e.g., referer) may contribute to ease 
>the correlation between many pieces of information (e.g., a web 
>email account and a social networking account for instance)
>
>Discussing issues related to correlating information leaked by 
>applications would be useful to record in this document.

I commented about a draft recently (see 
http://www.ietf.org/mail-archive/web/homenet/current/msg03100.html 
).  In a NAT scenario we cannot say that there is only one person 
behind the CPE.  The same applies to CGN.  In an IPv6 scenario we can 
narrow down (or might assume) that it is one person or device using 
the IPv6 address.  When the legislator writes the law the questions 
that he or she will ask is:

   (a) Does the IP address identify one person?

   (b) Does the IP address identify the location from which the call was made?

Note that there is some ambiguity in the questions.  The legislator 
would like to have easy answers.  This is where someone explains that 
the IP address can be used to identify the person.  For (b) the 
explanation might be that the IP address can be used to identify the 
location.  It can be lead to events such as 
http://www.tmz.com/2013/04/05/selena-gomez-swatted/

The browser sends a lot of information (re. the link you 
provided).  There are already some good questions in RFC 6973.  I 
chose not to discuss it in the draft to keep the discussion 
simple.  What I would like to see, for example, is what you did.  You 
mentioned that correlation can be a problem and you thought about 
some other problems.  I don't have the answers.  However, it is a 
step forward if you and I can talk about privacy and try and 
understand how the identifiers can be used.

Regards,
S. Moonesamy

1. 
http://www.cnil.fr/les-themes/internet-telephonie/fiche-pratique/article/ce-que-le-paquet-telecom-change-pour-les-cookies/

v2.23.0 | Report a Bug | By Email