Re: draft-gont-6man-managing-privacy-extensions-00.txt

[Scott W Brim <scott.brim@gmail.com>]

On Fri, Mar 11, 2011 at 08:01, Mark Townsley <mark@townsley.net>
wrote:
>> On Mar 11, 2011, at 3:32 AM, Christian Huitema wrote:
>>
>> I'm saying the reasons people are tempted to disable RFC4941 are
>> misplaced.
>>
>> +1
>>
>> Consider that if I want privacy and you won't let me use RFC4941, I
>> might just make up a new MAC address each time I connect.
>>
>> Consider also the effect of unique identifiers on tracking. The MAC
>> address follows you when you roam. By embedding it in the IPv6
>> address, we are effectively offering a "super cookie" to all web
>> services. Is it really what we want? In addition to privacy issues,
>> displaying the MAC address allows third parties to track hardware
>> purchase, and enables other attacks by providing the data necessary
>> for MAC spoofing. In short, it looked like a great idea at the
>> time... but wasn't.
>
> One person's attack is another's targeted ad business case ;-)
>
> That aside, the considerations proposed in this document may be
> relevant to this discussion:
>
> http://tools.ietf.org/html/draft-brim-mobility-and-privacy-00 - Mark

Since you called it out :-) ... I think less in terms of privacy than
confidentiality scopes.  Privacy is the right to withhold information.
Confidentiality is an agreement that a second party will honor your
wish for privacy from others, i.e. that information you give them will
not be given to others.  We give others information all the time,
including hardware addresses.  Confidentiality issues are at least as
important as privacy.

Forcing people to reveal information to a larger scope than they wish,
i.e. forcing loss of privacy, is a significant issue that must be
taken into account by everyone doing protocol work.  If we design our
systems so that non-privacy addresses used locally must be also be
used globally, we are designing away the possibility of both privacy
and confidentiality.  Requiring an end user to use a MAC or any
persistent identifier for all communications with everything else on
the Internet is probably illegal in an increasing number of countries
around the world.  (On the other hand, in some countries it is
probably illegal to NOT require it.)
However, it's perfectly legitimate to require an identifier within an
enterprise -- there is a confidentiality agreement.

How can the enterprise get the information it needs without requiring
users to give away privacy for other communications?  An algorithmic
mapping from a hardware identifier to a different one at the
enterprise boundary does not solve the problem, because (1) all those
problems around non-globalness of addresses/locators/identifiers, and
(2) that mapped identifier is also persistent, and usage can be
tracked.

Blue sky: Could the SP allow privacy addresses, at least for global
use, and log its own mappings between privacy addressses and MACs or
other persistent identifiers?  Then it can always trace back to
determine who did what if necessary.

Scott