Re: [v6ops] Google Alert - IPv6

[Tom Herbert <tom@herbertland.com>]

On Thu, Nov 2, 2017 at 10:12 AM, Dave O'Reilly <rfc@daveor.com> wrote:
> Tom, I have a question.
>
> You say:
>
>>>
>> Mark,
>>
>> I think the point is that for privacy we _don't_ want IP addresses to
>> identify individuals, but it is work to ensure that they don't. The
>> fact that a device can be shared makes the coupling weaker, but
>> probably not weak enough to be considered good privacy unless the
>> population sharing the device is large enough to avoid statistical
>> inference.
>>
>
> I never understood this to be a design consideration of IPv4 (I don’t know about IPv6 but perhaps others could enlighten me?). In either case, is it the case that “we don’t want IP addresses to identify individuals”? Is it not more the case that the evolution of technologies on the Internet has, as a side effect, meant that IP addresses don’t identify individuals?

Dave,

It wasn't and isn't a design consideration of IPv4. However, it seems
to be an accidental side effect of NAT. With a large population of NAT
users behind a NAT address there is a strong decoupling between an
address and the device or individual associated with the device as
viewed externally.

That can be contrasted with some of the addressing concepts of IPv6
which entailed used stable identifiers based on a permanent MAC
address. In the absence of any mechanisms like NAT that obfuscate
addresses, addresses with stable identifiers allow unrelated flows to
be correlated to have come from the same source device. When the
device is a personal device, then the address can then be correlated
to an individual with some degree of accuracy that they are the user.
This issue is addressed in RFC4941 which randomizes interface
identifiers. RFC4941 allows an IPv6 address to be changed with some
frequency, but isn't really intended to give a different source
address per flow like NAT effectively does.

>
>
>
>>> There really needs to be something else that supports or proves use of a
>>> device other than an assumption that an IP address is tightly coupled to a
>>> device's owner, and therefore all actions associated with an IP address are
>>> thoe se of the device's owner.
>>
>> I believe there is. It is common for apps, like email, social
>> networking, etc. to login to a service with username and password.
>> When login is done, the service now has a mapping of an individual to
>> an IP address. That mapping could then be exploited to identify the
>> same individual in completely unrelated communications, hence breaking
>> privacy. This could be done external to the device and the network
>> provider and across different jurisdictions. The problem is
>> exacerbated if the app is always connected so that whenever the
>> devices gets a new IP address to user mapping maintained by some third
>> party is kept up to date. Also, in this case, randomizing addresses at
>> some frequency may no provide much benefit to privacy unless every
>> connection gets a different source address (which is effectively is
>> what CGNAT gives).
>>
>
> You don’t even need to log in to anything - isn’t this exactly how doubleclick et-al work? They drop a cookie on your browser and then follow you around the Internet on all sites with double-click banners?
>
IIRC (I spent some time working in ads), cookies aren't used that way
any more since it's an obvious violation of privacy. There is need for
remarketing and cross device advertising, but the correlations can be
made within double-click system and not exposed to just any
advertiser. Companies such as Google obviously collect a lot of PII,
and it's clear that they have obligation and got to great pains to
protect it (grant it Equifax and others seem to be glaring failures in
protecting PII).

> Same problem for any application layer identifying information - but also a bit beyond the scope of the CGNAT discussion...
>
Right, but similar to security, if we want to build a system that has
good privacy characteristics then privacy at every layer, even
networking layer, should be considered.

Tom