Re: [Pearg] Adoption call for "Randomized Response Mechanisms in RRT Measurements for HTTP/3"
Amelia Andersdotter <amelia.ietf@andersdotter.cc> Sun, 08 November 2020 23:58 UTC
Return-Path: <amelia.ietf@andersdotter.cc>
X-Original-To: pearg@ietfa.amsl.com
Delivered-To: pearg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F86E3A0FF3 for <pearg@ietfa.amsl.com>; Sun, 8 Nov 2020 15:58:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dtZ_OpSjRtwn for <pearg@ietfa.amsl.com>; Sun, 8 Nov 2020 15:58:10 -0800 (PST)
Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D025A3A0FF9 for <pearg@irtf.org>; Sun, 8 Nov 2020 15:58:09 -0800 (PST)
X-Originating-IP: 212.76.239.56
Received: from [192.168.0.233] (unknown [212.76.239.56]) (Authenticated sender: amelia@andersdotter.cc) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 899E840006; Sun, 8 Nov 2020 23:58:06 +0000 (UTC)
To: Mirja Kuehlewind <mirja.kuehlewind=40ericsson.com@dmarc.ietf.org>, Christopher Wood <caw@heapingbits.net>, "pearg@irtf.org" <pearg@irtf.org>
References: <33ba4995-ea2d-45d8-9b01-05ea9b8ddbce@www.fastmail.com> <F27FD790-74CA-44CC-98FB-ED3B24E17B6D@ericsson.com> <D76F769D-C147-4EE9-8639-0881DD82F135@ericsson.com>
Reply-To: amelia.ietf@andersdotter.cc
From: Amelia Andersdotter <amelia.ietf@andersdotter.cc>
Message-ID: <bf7cade8-116b-77bc-efce-4b332ec785cc@andersdotter.cc>
Date: Mon, 09 Nov 2020 00:54:52 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <D76F769D-C147-4EE9-8639-0881DD82F135@ericsson.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/4N-kM4iu3hAhKQXzrGxHUI6HN90>
Subject: Re: [Pearg] Adoption call for "Randomized Response Mechanisms in RRT Measurements for HTTP/3"
X-BeenThere: pearg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <pearg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/pearg>, <mailto:pearg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pearg/>
List-Post: <mailto:pearg@irtf.org>
List-Help: <mailto:pearg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/pearg>, <mailto:pearg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Nov 2020 23:58:14 -0000
Hi Mirja, Correct - the over-all conclusion is that RRM is not ultimately very useful. Throughout last year and this spring we were also on the hunt for other potential areas of application, but we run into similar a situation: a feature which can be made more private by RRM obfuscation can be made even more private by simply being disabled. We put it still in a draft since not all research leads down beneficial paths (combating positive outcome bias!). A third potential area for RRM is for padding bits (randomizing padding bits rather than padding with only 0s). best regards, Amelia On 2020-11-02 14:18, Mirja Kuehlewind wrote: > Hi again, > > I just realized (as I had two windows open) that I'm citing below text from an old version of the predecessor draft (which had quic in the name). This text was removed/changed in the current draft, however, I think those point still remain valid. The current draft only says: > > "It is not clear that RRM would ultimately bring any particular > privacy benefit beyond what is already guaranteed in the present > specification of the spin bit in Section 17.3.1 [I-D-QUIC]." > > My conclusion to this point is that there is no additional benefit and the obfuscation proposed in this document will in many cases render the signal completely unusable and will likely not reach the goal to preserve any utility as many transmissions are short and there is already a lot of noise in the network. Therefore it is really preferred (and much easier) to disable spinbit support if privacy is seen at risk (e.g. in cases where VPNs are used as it was already discussed and agreed in the QUIC wg). > > Mirja > > > On 02.11.20, 13:35, "Pearg on behalf of Mirja Kuehlewind" <pearg-bounces@irtf.org on behalf of mirja.kuehlewind=40ericsson.com@dmarc.ietf.org> wrote: > > Hi Chris, hi all, > > sorry for my late reply. I finally found some time to review this draft. > > First of all one quick question: why was the name changed from QUIC to HTTP/3 given the draft discusses a function of the QUIC...? > > Then I'm not really in support for the adoption of this draft for two main technical reasons: > > 1) As stated in the draft, there are already proposed mechanisms QUIC specification to address the need to disable the spinbit: > "it is unclear whether RRM > has advantages larger than already existing privacy mechanisms > included in the QUIC draft (such as making the spin bit optional, or > requiring that 1/8 of all streams are not measurable)" > > 2) Further the document says: > " But the whole point of differential > privacy mechanisms, including RRM, is using statistical methods to > ensure that data can be made more privacy-preserving while also > preserving the data utility. In the case of the spin bit, it is the > utility of the data that allegedly violates privacy, which means > differential privacy is an intuitively bad tool to address privacy > concerns." > For this reason there is the option in QUIC to disable the spinbit entirely. Trying to add further fuzziness to the spinbit (when decided by the endpoint to enable) will in most cases simply make the signal unusable. This is because to measure the RTT you already need a certain amount of packets, also because there might network interfere that already make the signal noisy, and many transmission are short. > > Further the draft actually does not discuss the privacy risk of this information. There was an extensive analysis in the QUIC working group that concluded that "[t]he geolocation threat appears negligible and no other threats were identified" (see https://www.ietf.org/proceedings/100/slides/slides-100-quic-sessa-spin-bit-evaluation-design-team-report-00) I don't think this group should adopt an document that is based on assumption which has been neglected by the working group that is actually specifying the protocol. > > Mirja > > > On 16.10.20, 15:22, "Pearg on behalf of Christopher Wood" <pearg-bounces@irtf.org on behalf of caw@heapingbits.net> wrote: > > This message starts a two week adoption call for "Randomized Response Mechanisms in RRT Measurements for HTTP/3," located here: > > https://tools.ietf.org/html/draft-andersdotter-rrm-for-rrt-in-http3-00 > > Please review the draft and indicate whether or not you would like to see this draft adopted by PEARG. > > This call for adoption ends on October 30, 2020. > > Best, > Chris, for the chairs > > -- > Pearg mailing list > Pearg@irtf.org > https://protect2.fireeye.com/v1/url?k=250a60b8-7baace75-250a2023-866132fe445e-bbbcd97773754954&q=1&e=53be6d3f-ae58-498c-beca-e2dba355cbfd&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fpearg > > -- > Pearg mailing list > Pearg@irtf.org > https://protect2.fireeye.com/v1/url?k=b161e66f-eefadc2a-b161a6f4-867b36d1634c-6b4135653ff1b0b3&q=1&e=2e7581ce-31bf-495b-a51a-9cc1f39e00c6&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fpearg > -- ^\...~...~...~...~...~.../^ Amelia Andersdotter IETF SHMOO WG Co-Chair https://datatracker.ietf.org/group/shmoo/about/ Director of Strategic Initiatives, CENTR www.centr.org ^\...~...~...~...~...~.../^
- [Pearg] Adoption call for "Randomized Response Me… Christopher Wood
- Re: [Pearg] Adoption call for "Randomized Respons… Christopher Wood
- Re: [Pearg] Adoption call for "Randomized Respons… Mirja Kuehlewind
- Re: [Pearg] Adoption call for "Randomized Respons… Mirja Kuehlewind
- Re: [Pearg] Adoption call for "Randomized Respons… Amelia Andersdotter
- Re: [Pearg] Adoption call for "Randomized Respons… Christian Huitema
- Re: [Pearg] Adoption call for "Randomized Respons… Stephen Farrell