Re: [privacydir] Privacy Terminology: What are useful terms?

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 13 July 2011 09:40 UTC

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <CAKDKvuy80Rg4S8Pju2LqU7ew27oN2MNN_Z+FjWFVDiF=aGV7aA@mail.gmail.com>
Date: Wed, 13 Jul 2011 12:39:57 +0300
Message-Id: <E3350ABE-A2A1-42BB-B446-54A90A0A64BC@gmx.net>
References: <5821BF1F-0FEF-4C6C-89A5-3A33BDE4F843@gmx.net> <CAKDKvuy80Rg4S8Pju2LqU7ew27oN2MNN_Z+FjWFVDiF=aGV7aA@mail.gmail.com>
To: Nick Mathewson <nickm@torproject.org>
Cc: privacydir@ietf.org
Subject: Re: [privacydir] Privacy Terminology: What are useful terms?

Hi Nick, 

thank you for your feedback. I like the examples you provided. 
It may be useful to add examples to the draft as well to make the text more interesting to read. 

On Jul 8, 2011, at 9:40 PM, Nick Mathewson wrote:

> Hello, Hannes!
> 
> On Tue, Jul 5, 2011 at 6:48 AM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net> wrote:
> [...]
>> From your experience, what other terminology is useful to have?
> 
> I'm going to answer from the perspective of my own work on anonymity
> and privacy with Tor, recognizing that not everybody's needs are the
> same as our own.
> 
> We use "Linkability" and subject "Anonymity" in approximately the same
> ways that you do.  (We mostly use the "attacker cannot sufficiently
> distinguish" formulation, not the "Attacker cannot distinguish"
> formulation.  In practice, the attacker's inability to link X and Y
> with certainty is mostly useless if the attacker can nevertheless link
> X and Y with strong probability.  When we're being precise, we use
> these terms to mean the degree of the attacker's uncertainty.)
> 
> We also use "Anonymity" to refer to unlinkability between an IOI and its origin.
> 
> We use a stronger definition of "pseudonym": we only consider X to be
> a pseudonym when it is an identifier that is unlinkable to its subject
> by an attacker of interest.  (Thus, by our lights, "Batman" is a
> pseudonym since Batman's enemies do not know he is Bruce Wayne, but
> "Ad-Rock" is not a pseudonym since Beastie Boys fans worldwide know
> that he is really Adam Horovitz.)
> 

Ok. 

> We don't use "undetectability" or "unobservability".
> 
> 
I have seen the unobservability term being used in security protocols when the traffic characteristics shall be hidden (via padding). 
Aren't you doing something similar in Tor? If you do, what do you call that property? 

> Some additional terminology in common use that we use:
> 
>   * Instead of "sender" and "receiver" anonymity, we usually speak of
> "initiator" and "responder" anonymity.  (In systems that provide
> bidirectional communication, most everybody "sends" and "receives".)
> 
Such a change makes sense to me. We actually use these terms in various IETF protocols as well. 
IKEv2, for example, talks about initiator and responder for exactly the same reason. 


>   * We talk about one kind of or item being "distinguishable" from
> another.  (For example, a protocol is "indistinguishable" from HTTPS
> to the extent that an attacker can't tell instances of that protocol
> from regular HTTPS connections.)

Could be useful. 

> 
>  * We use "profiling" to mean learning information about an anonymous
> subject's activities without necessarily linking them to any specific
> transaction.  For example, if an attacker concludes that I play WoW,
> read reddit.com, and upload videos, then my activities have been
> profiled, even if the attacker is unable to identify which connections
> or accounts are mine.

Profiling may be a useful term to add. 
Btw, I searched through the Tor documents and couldn't really find a definition. 

> 
> Some additional terminology that I think might be idiosyncratic:
> 
>   * We use "linkable session" to refer to a set of actions by a
> subject that the system makes no effort to render unlinkable from one
> another.

Could you provide an example? 

> 
>   * We refer as a "linking identifier" to any parameter P that an
> attacker can observe about an IOI and use to link it to similar IOIs
> that have similar values for P.  For example, the window size header
> transmitted in a typical HTTP request is a linking identifier.
> 
I wasn't aware that the window size header has such a characteristic. 
Is there a paper you could recommend to learn more about this aspect? 

> 
> Many thanks for all your work here!
> 
Thanks for the review. 

Ciao
Hannes

> yrs,
> -- 
> Nick
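The "linking identifier" and "attacker cannot sufficiently distinguish" points in the thread, as an added example that is not part of the mail exchange or of Tor's own code: it measures, over constructed HTTP-request IOIs, how strongly an observable parameter P lets an observer link IOIs together and how much uncertainty remains. It goes beyond the single-parameter case in the mail by also scoring a combination of parameters; the parameter names, values and subjects are assumptions.

```python
"""Is an observable parameter P a 'linking identifier'? Assumption for this
added example: each IOI is an HTTP request with a few observable parameters;
'subject' is ground truth the attacker never sees. All IOIs are constructed."""
import math
from collections import Counter
from itertools import combinations

IOIS = [  # constructed: four subjects, two requests each
    {"subject": "alice", "lang": "en-US", "ua": "Browser/9.0", "window": "1366x768"},
    {"subject": "alice", "lang": "en-US", "ua": "Browser/9.0", "window": "1366x768"},
    {"subject": "bob",   "lang": "en-US", "ua": "Browser/9.0", "window": "1920x1080"},
    {"subject": "bob",   "lang": "en-US", "ua": "Browser/9.0", "window": "1920x1080"},
    {"subject": "carol", "lang": "de-DE", "ua": "Browser/9.0", "window": "1366x768"},
    {"subject": "carol", "lang": "de-DE", "ua": "Browser/9.0", "window": "1366x768"},
    {"subject": "dave",  "lang": "en-US", "ua": "Browser/8.1", "window": "1280x800"},
    {"subject": "dave",  "lang": "en-US", "ua": "Browser/8.1", "window": "1280x800"},
]

def observed(ioi, params):
    """The attacker's view of an IOI: its values for the chosen parameter(s)."""
    return tuple(ioi[p] for p in params)

def anonymity_set_sizes(iois, params):
    """How many IOIs share each observed value: the set an attacker who sees
    that value can link an IOI to. Small sets mean little attacker uncertainty."""
    return dict(Counter(observed(i, params) for i in iois))

def linkage_entropy(iois, params):
    """Bits the parameters reveal about which IOIs belong together: 0 links
    nothing, log2(len(iois)) would single out every IOI."""
    n = len(iois)
    return -sum(c / n * math.log2(c / n)
                for c in anonymity_set_sizes(iois, params).values())

def linking_precision(iois, params):
    """Of the IOI pairs an attacker would link (same observed values), the
    fraction that truly share a subject. A link made with strong probability
    is still useful to the attacker even though it is not certain."""
    linked = [(a, b) for a, b in combinations(iois, 2)
              if observed(a, params) == observed(b, params)]
    if not linked:
        return 0.0
    return sum(a["subject"] == b["subject"] for a, b in linked) / len(linked)

if __name__ == "__main__":
    for params in (("lang",), ("ua",), ("window",), ("lang", "ua", "window")):
        print(f"{'+'.join(params):15s} entropy={linkage_entropy(IOIS, params):.2f} bits"
              f"  precision={linking_precision(IOIS, params):.2f}")
```

On the constructed sample, "window" alone partitions the population more finely than "lang" or "ua", and the three combined link every pair correctly, which is the sense in which a parameter that is individually weak still contributes to a linking identifier.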