Re: [ietf-privacy] [Tzdist] [saag] Fwd: WGLC for draft-ietf-tzdist-service-05

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 30 January 2015 21:20 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: ietf-privacy@ietfa.amsl.com
Delivered-To: ietf-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E1431A9132; Fri, 30 Jan 2015 13:20:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AA2x73-avNsm; Fri, 30 Jan 2015 13:20:53 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id C89061A872D; Fri, 30 Jan 2015 13:20:52 -0800 (PST)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 5C21FF984; Fri, 30 Jan 2015 16:20:49 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 473CF201D1; Fri, 30 Jan 2015 16:20:48 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Lester Caine <lester@lsces.co.uk>, saag@ietf.org, ietf-privacy@ietf.org, Eliot Lear <lear@cisco.com>
In-Reply-To: <54CBC609.4010309@lsces.co.uk>
References: <CADZyTkkLu6qQ9LCqDkTHA9o+-YVvQuaUp33kqkAt=PRaQS-Jew@mail.gmail.com> <CADZyTkkCrvTam_ba7Tq6A-cHAVZn+ktKqwWsr_PNQaz2jyTkUQ@mail.gmail.com> <874mr9aucv.fsf@alice.fifthhorseman.net> <54CBC609.4010309@lsces.co.uk>
User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Fri, 30 Jan 2015 16:20:48 -0500
Message-ID: <87egqcq827.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf-privacy/ynmE9iNoJb5VERSt3NaQiXXtu-8>
Cc: Time Zone Data Distribution Service <tzdist@ietf.org>
Subject: Re: [ietf-privacy] [Tzdist] [saag] Fwd: WGLC for draft-ietf-tzdist-service-05
X-BeenThere: ietf-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Internet Privacy Discussion List <ietf-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-privacy/>
List-Post: <mailto:ietf-privacy@ietf.org>
List-Help: <mailto:ietf-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jan 2015 21:20:59 -0000

On Fri 2015-01-30 12:57:29 -0500, Lester Caine wrote:
> On 30/01/15 02:13, Daniel Kahn Gillmor wrote:
>> Clients requesting multiple unusual TZs together are more easily
>> identifiable to servers, than clients who request only one.  Should
>> clients request all their interested TZs at once, or spread out their
>> polling updates over time?  HTTP pipelining is clearly more efficient;
>> but what are the privacy implications if you have a system service that
>> does this?
>
> I've cherry picked here since the one thing that seems to have been
> missed is that the main target for tzdist is to provide a mirror of the
> TZ data. This is a complete set of tz information, and if my own
> distribution method is followed many of the  'security and tracking'
> risks being listed can never arise?

The specification i read seemed to encourage clients to pick up specific
zones of interest, not the full set of data.  And the draft certainly
makes allowances for fetching specific sections (by time, by space) of
the TZ info.  So i'm not sure if what you call "my own distribution
method" is intended to be the normal use case.  If it is, maybe that
needs to be highlighted specifically in the draft?

Is there some set of client profiles (or use cases, if you prefer) that
are clearly distinct, with different implications?  Can we identify
them?

> The clients computer has a local copy of TZ, and any local processing is
> done against that copy. On a regular basis they ask tzdist if there has
> been an update to the version of TZ they are using. If yes then all of
> the are pulled down. A monitoring tap has no idea where the client is?
> The only know that someone has updated from v to v+1 of the TZ data?

Yep, this is a useful approach for keeping inside a broader anonymity
set (but hm, timing issues might still be a concern).

However, systems using this approach are really solving the general
problem of "how to i get the latest version/updates of $X" where $X is
anything digital: software updates already fulfil this role on modern
operating systems.  A deployed system on the Internet today that doesn't
have a software update mechanism is probably bound for trouble -- if it
*does* have a software update mechanism, why not suggest using that for
the TZ info?  Debian systems just pull in a new version of the tzdata
package during system updates, for example.  I haven't checked, but i
would assume that Microsoft Update and Apple's Software Update would
treat TZ data the same way that they treat other system updates.  Is
that not the case?

Given that the all-tzdata-as-a-software-update mechanism is already
available, I sort of assumed that this draft was intended for systems
that don't already have such a mechanism.

> Client using subsets of the data such as embedded devices will be asking
> for a specific timezone, but that traffic will be within a local
> network. We know already where they are so we don't need any cleaver
> processing to hide the fact that we are in that physical location? I've
> just posted about local servers providing a specific subset of data -
> within the building it's serving - o you already have an even better
> idea of location than timezone :)

Are embedded devices guaranteed to be as stationary as you're making
them out to be?  Some embedded devices are embedded in cars or mobile
telephones.  Their motion within and between timezones seems like
something that would have serious privacy implications, if their queries
are linkable over time.

> As with just about any system, accessing the data can be abused exposing
> other information. We do need to identify what are 'secure' ways of
> accessing the data and what ars insecure, but not exposing anything that
> could not be deduced by other means anyway.

To kickstart a privacy considerations section, it might help to work
from a concrete example (though clearly that won't be an exhaustive
review).  How about:

Consider an internet-connected bedside alarm clock (i think this counts
an embedded device) that i take with me when i travel.  It updates
itself (using NTP?) to keep it on-time, and it uses this proposed
mechanism to make sure it's got the TZ up-to-date.  

What should this device do as a client of this service?  What are the
privacy implications of these choices?  How do the privacy
considerations change for the client with respect to a passive or active
network observer, as compared to the Provider itself?

        --dkg