IETF Logo Mail Archive

Re: [lmap] Stephen Farrell's No Objection on draft-ietf-lmap-framework-12: (with COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 15 April 2015 15:29 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: lmap@ietfa.amsl.com
Delivered-To: lmap@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3F161B35CF; Wed, 15 Apr 2015 08:29:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ti-o-ibj0ORY; Wed, 15 Apr 2015 08:29:24 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDD701B35EF; Wed, 15 Apr 2015 08:29:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 1D586BEE9; Wed, 15 Apr 2015 16:29:22 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T0wy2MLgxMW3; Wed, 15 Apr 2015 16:29:20 +0100 (IST)
Received: from [192.168.1.140] (unknown [31.216.237.100]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 1B330BECF; Wed, 15 Apr 2015 16:29:20 +0100 (IST)
Message-ID: <552E83CF.3030008@cs.tcd.ie>
Date: Wed, 15 Apr 2015 16:29:19 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: "MORTON, ALFRED C (AL)" <acmorton@att.com>, The IESG <iesg@ietf.org>
References: <20150409135845.13211.89354.idtracker@ietfa.amsl.com> <4AF73AA205019A4C8A1DDD32C034631D01608849F7@NJFPSRVEXG0.research.att.com> <552B0978.2060404@cs.tcd.ie> <4AF73AA205019A4C8A1DDD32C034631D020F888560@NJFPSRVEXG0.research.att.com>
In-Reply-To: <4AF73AA205019A4C8A1DDD32C034631D020F888560@NJFPSRVEXG0.research.att.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/lmap/yyJHWapIAEX8VoeSevq-4F0Md2g>
Cc: "dromasca@avaya.com" <dromasca@avaya.com>, "lmap-chairs@ietf.org" <lmap-chairs@ietf.org>, "lmap@ietf.org" <lmap@ietf.org>
Subject: Re: [lmap] Stephen Farrell's No Objection on draft-ietf-lmap-framework-12: (with COMMENT)
X-BeenThere: lmap@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Large Scale Measurement of Access network Performance <lmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lmap>, <mailto:lmap-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lmap/>
List-Post: <mailto:lmap@ietf.org>
List-Help: <mailto:lmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lmap>, <mailto:lmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2015 15:29:26 -0000

Hi Al,

I'm fine with all below and with the separate mail about
re-identification.

S.

On 15/04/15 15:45, MORTON, ALFRED C (AL) wrote:
> Hi Stephen, 
> Thanks for your reply late Sunday,
> I'm following up on just a few points, so I've
> deleted the agreements in previous mail.
> 
> Al
> 
>> -----Original Message-----
>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>> Sent: Sunday, April 12, 2015 8:11 PM
> ...
>>>
>>>>
>>>> - One way in which it might be possible to provide evidence that a
>>>> system respects user privacy would be to have some kind of auditor
>>>> entity as part of the framework. For example, an MA could be setup to
>>>> send some selection of reports/instructions to (or encrypted for) the
>>>> auditor as well as to the normal destination. Did the WG consider
>>>> such an entity?
>>>> (This is not a DISCUSS as I can see pros and cons in the auditor-
>>>> approach, so I'm not sure if it'd be a good idea in the end.)
>>>
>>> An independent auditor is an interesting possibility, but it didn't
>>> come-up in discussions.  That's likely due to the scope of initial
>>> LMAP work, which limits us to design for LMAP systems under the
>>> control of a single organization. I'm assuming the auditor needs to be
>>> somehow independent to be effective.
>>
>> Well, while I think the idea has pros and cons, I don't think ruling it
>> out on the single-domain ground is really compelling.
>> Enterprises inherently qualify as single-domain but yet all (are
>> required to) do some kind of audit. And in some senses, a comms.
>> regulator could be considered as having audit of ISPs as part of it's
>> remit I guess, esp. where an ISP has (near) local monopoly.
>> So no, I don't think that gets us off the hook, in terms of whether or
>> not we ought consider an audit function.
>>
>> Maybe that's one to raise with the WG and see what folks think?
>> From my POV, it's fine to leave out of this document though, but I think
>> would be good to consider more fully as the work proceeds.
>>
>> (To be clear: I think an audit approach to privacy isn't an ultra-clear
>> winner at all. In some cases, it'd help, but I can imagine circumstances
>> where an audit function could be abused in highly privacy unfriendly
>> ways.)
>>
> 
> I'm not ruling it out, but saying that the initial phase of LMAP work
> simplifies all relationships by assuming a single system operator.
> There are many aspects to consider when multiple organizations 
> join the system. An auditor is one example where the trust boundary
> has to be extended to include an independent entity, if that's how 
> the audit is arranged.
> 
> I think it would be fair to add a recommendation for each entity in 8.1,
> (individuals, ISPs, Regulators, others) to assess the risks of LMAP 
> data collection by conducting audits of data protection methods 
> (at end of 8.6.4).
> 
> This would be an essential topic in any further phase of LMAP.
> 
> (one of my favorite quotes applies here:
> 	"However beautiful the strategy, 
>       you should occasionally look at the results.  Sir Winston Churchill  )
> 
>>>>
> ...
>>>>
>>>> - section 8: I'm not that keen on considering the privacy of
>>>> organisations at the same level as that of people. I can see why you
>>>> might do it but that is also often done as a way to minimise the
>>>> privacy of people.
>>>
>>> In this case, the specific organization is an ISP, who has
>>> responsibilities to protect the sensitive customer info they possess
>>> and to protect the private information about their network which they
>> are entitled to conceal.
>>
>> Yes, that is something one hears argued. I just think it dilutes the
>> concept of privacy if we extend that to organisations as well as people.
>> And even moreso when the last decade or so tells us that the very
>> organisations to whom this document is granting privacy "rights" are
>> ones who have in ways not honoured the privacy expectations of humans.
>>
>> I'd really encourage you to re-cast discussion of network structure in
>> terms of security and confidentiality for the organisation, but not in
>> terms of privacy.
> 
> I sometimes have trouble distinguishing between these terms, especially
> when they often result in taking the same measures to ensure their preservation.
> 
> In the US, certified accountants are often trusted more than others.
> The American Institute of CPAs website says:  
> "Privacy / Data Protection: Privacy encompasses the rights and obligations 
> of individuals and organizations with respect to the collection, use, 
> retention, disclosure, and disposal of personal information."
> 
> Here's what we said in section 8.1:
>    Although privacy is a protection extended to individuals, we include
>    discussion of ISPs and other LMAP system operators in this section.
>    These organisations have sensitive information involved in the LMAP
>    system, and many of the same dangers and mitigations are applicable.
>    Further, the ISPs store information on their Subscribers beyond that
>    used in the LMAP system (for instance billing information), and there
>    should be a benefit in considering all the needs and potential
>    solutions coherently.
> 
> We could say:
>    Although privacy is a protection extended to individuals, we discuss 
>    data protection by ISPs and other LMAP system operators in this section.
>    ...
> 
> My own view is that sensitive information is so often shared among sets 
> of individuals - in partnerships, marriages, families - that the privacy
> boundary needs to be re-drawn for each piece of info considered and/or shared. 
> 
>>
>>>
>>>>
>>>> - section 8: I didn't spot considerations related to
>>>> re-identification, which can be significant.  E.g. if I can see other
>>>> traffic that identifies a person and the re-identify that person
>>>> based on LMAP trafic later on (or elsewhere). Did the WG consider
>> that?
>>>
>>> The short answer is that if RFC 6973 had considered re-identification,
>> we would have.
>>> The closest topic we covered is Correlation, combining various
>>> separate pieces of info to obtain identity. The point is that an LMAP
>>> system could unwittingly complete an information chain if it exposes
>> any sensitive info, so don't.
>>>
>>> If a user's access with another system already gave away sensitive
>>> info, correlation is clearly easier and can result in
>>> re-identification, even when an LMAP conserves sensitive information
>> to great extent.
>>> We could add this point in 8.5.3.
>>
>> That'd be great. I think we've loads to learn about re-identification so
>> just adding an acknowledgement of the issue is probably about right for
>> now.
>>
> 
> Phil made a comment on re-identification, and I'll reply to
> it separately on that thread.
> 
> ...
> 
> Al
>

v2.23.0 | Report a Bug | By Email