Re: [privacydir] Privacy Terminology: What are useful terms?

Nick Mathewson <nickm@torproject.org> Fri, 08 July 2011 18:40 UTC

Return-Path: <nick.a.mathewson@gmail.com>
X-Original-To: privacydir@ietfa.amsl.com
Delivered-To: privacydir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 821DA21F8B9D for <privacydir@ietfa.amsl.com>; Fri, 8 Jul 2011 11:40:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EIJ4s4qLgR9n for <privacydir@ietfa.amsl.com>; Fri, 8 Jul 2011 11:40:04 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id 8282F21F8B98 for <privacydir@ietf.org>; Fri, 8 Jul 2011 11:40:01 -0700 (PDT)
Received: by wyj26 with SMTP id 26so1738693wyj.31 for <privacydir@ietf.org>; Fri, 08 Jul 2011 11:40:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=xhy6jaFJdY1fAMvxa/6oB5CyqAKiZLMKTNC9twnDoFk=; b=Uf/zC91bmbDif6DfvEYXrYFR3n+eKULnViSUqGOQwlwFihf/PPnjjDJ7EJL830q13d Klf799NiPsOSFl0knNdXmRv0o7q1/ojkLB5dP+OW7gr3fu50tgYXkDmy7yBWRN0RLKUD 6FwsNmLs1Hp12xKHRvzfSu+BjXAvkDkzhGiHM=
MIME-Version: 1.0
Received: by 10.216.122.10 with SMTP id s10mr936017weh.34.1310150400586; Fri, 08 Jul 2011 11:40:00 -0700 (PDT)
Sender: nick.a.mathewson@gmail.com
Received: by 10.216.156.1 with HTTP; Fri, 8 Jul 2011 11:40:00 -0700 (PDT)
In-Reply-To: <5821BF1F-0FEF-4C6C-89A5-3A33BDE4F843@gmx.net>
References: <5821BF1F-0FEF-4C6C-89A5-3A33BDE4F843@gmx.net>
Date: Fri, 8 Jul 2011 14:40:00 -0400
X-Google-Sender-Auth: fDar2qr19ZoWF_p2k5t4oteJeiU
Message-ID: <CAKDKvuy80Rg4S8Pju2LqU7ew27oN2MNN_Z+FjWFVDiF=aGV7aA@mail.gmail.com>
From: Nick Mathewson <nickm@torproject.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset=ISO-8859-1
Cc: privacydir@ietf.org
Subject: Re: [privacydir] Privacy Terminology: What are useful terms?
X-BeenThere: privacydir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Privacy Directorate to develop the concept of privacy considerations for IETF specifications and to review internet-drafts for privacy considerations." <privacydir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacydir>, <mailto:privacydir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/privacydir>
List-Post: <mailto:privacydir@ietf.org>
List-Help: <mailto:privacydir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacydir>, <mailto:privacydir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 18:44:19 -0000

Hello, Hannes!

On Tue, Jul 5, 2011 at 6:48 AM, Hannes Tschofenig
<hannes.tschofenig@gmx.net> wrote:
 [...]
> From your experience, what other terminology is useful to have?

I'm going to answer from the perspective of my own work on anonymity
and privacy with Tor, recognizing that not everybody's needs are the
same as our own.

We use "Linkability" and subject "Anonymity" in approximately the same
ways that you do.  (We mostly use the "attacker cannot sufficiently
distinguish" formulation, not the "Attacker cannot distinguish"
formulation.  In practice, the attacker's inability to link X and Y
with certainty is mostly useless if the attacker can nevertheless link
X and Y with strong probability.  When we're being precise, we use
these terms to mean the degree of the attacker's uncertainty.)

We also use "Anonymity" to refer to unlinkability between an IOI and its origin.

We use a stronger definition of "pseudonym": we only consider X to be
a pseudonym when it is an identifier that is unlinkable to its subject
by an attacker of interest.  (Thus, by our lights, "Batman" is a
pseudonym since Batman's enemies do not know he is Bruce Wayne, but
"Ad-Rock" is not a pseudonym since Beastie Boys fans worldwide know
that he is really Adam Horovitz.)

We don't use "undetectability" or "unobservability".

Some additional terminology in common use that we use:

   * Instead of "sender" and "receiver" anonymity, we usually speak of
"initiator" and "responder" anonymity.  (In systems that provide
bidirectional communication, most everybody "sends" and "receives".)

   * We talk about one kind of or item being "distinguishable" from
another.  (For example, a protocol is "indistinguishable" from HTTPS
to the extent that an attacker can't tell instances of that protocol
from regular HTTPS connections.)

  * We use "profiling" to mean learning information about an anonymous
subject's activities without necessarily linking them to any specific
transaction.  For example, if an attacker concludes that I play WoW,
read reddit.com, and upload videos, then my activities have been
profiled, even if the attacker is unable to identity which connections
or accounts are mine.

Some additional terminology that I think might be idiosyncratic:

   * We use "linkable session" to refer to a set of actions by a
subject that the system makes no effort to render unlinkable from one
another.

   * We refer as a "linking identifier" to any parameter P that an
attacker can observe about an IOI and use to link it to similar IOIs
that have similar values for P.  For example, the window size header
transmitted in a typical HTTP request is a linking identifier.


Many thanks for all your work here!

yrs,
-- 
Nick