Re: [Privacy-pass] The harms of popular bits

Watson Ladd <> Thu, 21 March 2024 19:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E444FC14F6F0 for <>; Thu, 21 Mar 2024 12:34:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 94qHYculG6EM for <>; Thu, 21 Mar 2024 12:34:29 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id 1B5CAC14F6E9 for <>; Thu, 21 Mar 2024 12:34:29 -0700 (PDT)
Received: by with SMTP id 5b1f17b1804b1-4146feb33e1so10486285e9.2 for <>; Thu, 21 Mar 2024 12:34:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20230601; t=1711049667; x=1711654467;; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6eSjE99EyjzrQSXVRJ0JeyXWUBcBCbUp47LStZFmxcg=; b=blzI0yxtM1+3RyGyIHhOQWunHvC8K+ZNW6ywCVl3Bhx4B+iZu0DbOdQoFhTrETp51S G0wQ8bIKe3sGklsMYlCM1Ptqrqkr+2Q55Cz/8SnpNyyBRRHcW6feIeWeuvA8zzmpqXUb 1Fqi0bWm+dO1dSjpgsj8T/Cv8hQTnwWJZ72vhOENIgbloV0w0/J4lK2u757mLkWkHvV9 i6MnjZfMfNRfVv+0JY9Ml1VV0gXLXkz0B4mE1T9q0oE+Pk8IYNmPiPjfbi19wON1fB/M AJlV9zF7EPWmM2qiscvTiZrjmXJ4boNTz2bX35HYbWMzxk905B9YXkUHaDO9X6tk9Rpe 9QXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20230601; t=1711049667; x=1711654467; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6eSjE99EyjzrQSXVRJ0JeyXWUBcBCbUp47LStZFmxcg=; b=NshHfzRqm/lqGOe6g1yCwrMsjVvBLp/YS0QnTvk/wKZ+YPC/MMpj626zVBw5RldmGP 905XYeVVtXyogJ6daGjsEzyG+gd5jJUwgHR3Q5hjexpU0Jbc5lhUQNCMmy8hfo6KDggu tTZNiezjLRcd14XP+mynbsdLtqo20RUdE1/uXiprarbfpbldNRKDwko9KZZKFYGh+lj2 OkiBUtVp8ug/gDAb5hY88TgauKZanQ71QcG8etdOatfLWBw8MEZslygOC5M0WhjQp3co Sq6MZThcbpTmfj6zUZ604v7iK7zBGBAVeKEMXB+oHaMupxMatkIfdhJy+hhvL5/CwMJ6 xJCA==
X-Forwarded-Encrypted: i=1; AJvYcCXpeUbwFqU43Jazl+9E4HTEYRG8ifKsA4AOpdo6qpRgftgtGF+JFed0Fq2DZ19CnKSsYYTl7jyM7ofjlL5kOeNayMztTGo=
X-Gm-Message-State: AOJu0Yx66XuntN4y3WSk8aDKxhopljvw//nkMRBk4T2eFuN05gzwXHQ2 iLmHiivuJu5mLnxkKsL883vsreIADcAMIaP/ud4w1GbG1yzd4ncUt6P001dGu/ZH1+a9L7Zf/+u ZOAwnLZX47YPkT+3L5bHfIFSUqoI=
X-Google-Smtp-Source: AGHT+IHi+4uqsmNkmHoQIap0kWuXETigx0KfpBel/NxIYv6nlVP868PQe8h6sOSCVp3C0vvqTlT55m4vb6KvMCcUIaA=
X-Received: by 2002:a5d:6da7:0:b0:33e:c0eb:f227 with SMTP id u7-20020a5d6da7000000b0033ec0ebf227mr103653wrs.45.1711049666946; Thu, 21 Mar 2024 12:34:26 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Watson Ladd <>
Date: Thu, 21 Mar 2024 15:34:16 -0400
Message-ID: <>
To: Steven Valdez <>
Cc: Tommy Pauly <>,
Content-Type: multipart/alternative; boundary="000000000000977817061430cbca"
Archived-At: <>
Subject: Re: [Privacy-pass] The harms of popular bits
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Pass Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Mar 2024 19:34:33 -0000

On Wed, Mar 20, 2024, 9:31 PM Steven Valdez <> wrote:

> I'm not sure that the unified vs split model makes a meaningful difference
> for this particular problem? In both cases, it's a question of whether the
> client trusts the attester on what it is using to make its attestation.
> Whether the issuer is the same server or split doesn't change what the
> issuer can see without collusion with the attester. The bigger difference
> is whether you do have a set of trusted attesters versus a wider set of
> less trustworthy attesters and then how you measure the impact of those
> differences.

So the beautiful subtly of this is it doesn't matter what the attester does
if the having of the attestation from that attester conveys more info that
just the info the attester used.  It's not an anonymity set problem: lots
of sensitive groups have many people in them.

> On Thu, Mar 21, 2024 at 9:37 AM Tommy Pauly <tpauly=
>> wrote:
>> I do think that the model (unified attester+issuer vs split
>> attester/issuer) does make a difference here. If the client (*via trust*)
>> has a better awareness of (a) what it discloses to the attester and (b)
>> what the common properties and size of of the anonymity set through that
>> attester are, then there is far less ability to have the bit be linked to
>> unwanted characteristics. I.e., if I’m using an attester that is used by an
>> Apple device, I know that the bit that I’m expressing from the Attester to
>> the Issuer (if I trust it not to leak more) is that I’m on a particular
>> device type, and then that the bit to the origins is the combination of
>> that bit with the bits of all other Attesters the Issuer trusts.
>> Tommy
>> On Mar 20, 2024, at 11:26 PM, Watson Ladd <> wrote:
>> Dear privacy pass WG,
>> I think the discussion of harms in the web context missed the issue,
>> which I'll admit was rather subtly presented. Issuers might not be issuing
>> tokens based on attributes like bot or not but rather characteristics such
>> as race or religion we'd prefer not to. This even happens innocently.
>> Using private state tokens as an example social networks and dating sites
>> have a lot of information about user interaction and humanity as a result.
>> But I don't think we want sites to hunt for tokens from dating sites that
>> may be oriented to particular demographics.
>> This can even happen unintentionally. If you have some sort of model
>> looking at how users interact based on the bits you have and then selecting
>> offers to show based on it this can end up discriminating even though the
>> bit officially means human. It's just who issued it reveals more than that,
>> even if they issue often.
>> I hope this clarifies the remarks I made at the mic.
>> Sincerely,
>> Watson
>> --
>> Privacy-pass mailing list
>> --
>> Privacy-pass mailing list
> --
>  Steven Valdez |  Chrome Privacy Sandbox | |  Cambridge,
> MA