Re: [privacydir] Privacy Terminology: What are useful terms?
Nick Mathewson <nickm@torproject.org> Fri, 08 July 2011 18:40 UTC
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: privacydir@ietf.org

Hello, Hannes!

On Tue, Jul 5, 2011 at 6:48 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
[...]
> From your experience, what other terminology is useful to have?

I'm going to answer from the perspective of my own work on anonymity and privacy with Tor, recognizing that not everybody's needs are the same as our own.

We use "Linkability" and subject "Anonymity" in approximately the same ways that you do. (We mostly use the "attacker cannot sufficiently distinguish" formulation, not the "Attacker cannot distinguish" formulation. In practice, the attacker's inability to link X and Y with certainty is mostly useless if the attacker can nevertheless link X and Y with strong probability. When we're being precise, we use these terms to mean the degree of the attacker's uncertainty.) We also use "Anonymity" to refer to unlinkability between an IOI and its origin.

We use a stronger definition of "pseudonym": we only consider X to be a pseudonym when it is an identifier that is unlinkable to its subject by an attacker of interest. (Thus, by our lights, "Batman" is a pseudonym since Batman's enemies do not know he is Bruce Wayne, but "Ad-Rock" is not a pseudonym since Beastie Boys fans worldwide know that he is really Adam Horovitz.)

We don't use "undetectability" or "unobservability".

Some additional terminology in common use that we use:

* Instead of "sender" and "receiver" anonymity, we usually speak of "initiator" and "responder" anonymity. (In systems that provide bidirectional communication, most everybody "sends" and "receives".)

* We talk about one kind of or item being "distinguishable" from another. (For example, a protocol is "indistinguishable" from HTTPS to the extent that an attacker can't tell instances of that protocol from regular HTTPS connections.)

* We use "profiling" to mean learning information about an anonymous subject's activities without necessarily linking them to any specific transaction. For example, if an attacker concludes that I play WoW, read reddit.com, and upload videos, then my activities have been profiled, even if the attacker is unable to identify which connections or accounts are mine.

Some additional terminology that I think might be idiosyncratic:

* We use "linkable session" to refer to a set of actions by a subject that the system makes no effort to render unlinkable from one another.

* We refer as a "linking identifier" to any parameter P that an attacker can observe about an IOI and use to link it to similar IOIs that have similar values for P. For example, the window size header transmitted in a typical HTTP request is a linking identifier.

Many thanks for all your work here!

yrs,
--
Nick
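
The "linking identifier" and "degree of the attacker's uncertainty" terms from the message above, as an added example that is not part of the original message or of Tor's code: it partitions observed IOIs by one parameter and measures how much uncertainty that parameter removes. Measuring uncertainty in Shannon-entropy bits over equally likely IOIs is an assumption of this example, as are the parameter names and the constructed sample values.

```python
import math
from collections import defaultdict

# Constructed observations: one dict per IOI (here, an HTTP request) holding
# parameters visible to an observer. All names and values are made up.
OBSERVED = [
    {"window_size": "1000x700", "language": "en-US"},
    {"window_size": "1000x700", "language": "en-US"},
    {"window_size": "1000x700", "language": "en-US"},
    {"window_size": "1000x700", "language": "en-US"},
    {"window_size": "1366x768", "language": "en-US"},
    {"window_size": "1366x768", "language": "en-US"},
    {"window_size": "1920x1080", "language": "en-US"},
    {"window_size": "1280x1024", "language": "en-US"},
]

def linkable_groups(iois, param):
    """Partition IOI indexes by their value of `param` (the linking identifier)."""
    groups = defaultdict(list)
    for i, ioi in enumerate(iois):
        groups[ioi[param]].append(i)
    return dict(groups)

def bits_revealed(iois, param):
    """Shannon entropy of `param`: bits an observer gains by seeing it."""
    n = len(iois)
    return sum(len(g) / n * math.log2(n / len(g))
               for g in linkable_groups(iois, param).values())

def bits_remaining(iois, param):
    """Expected log2 of the group an IOI still hides in once `param` is seen."""
    n = len(iois)
    return sum(len(g) / n * math.log2(len(g))
               for g in linkable_groups(iois, param).values())

def report(iois):
    """Map each parameter to (bits revealed, bits of uncertainty remaining)."""
    return {p: (round(bits_revealed(iois, p), 3), round(bits_remaining(iois, p), 3))
            for p in iois[0]}

if __name__ == "__main__":
    for param, (revealed, remaining) in report(OBSERVED).items():
        print(f"{param}: reveals {revealed} bits, leaves {remaining} bits")
```

A parameter that every IOI shares reveals 0 bits and links nothing; a rare value leaves its IOI in a group of one, which is linking with certainty rather than with probability.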