| Network Working Group | M. Hansen |
| Internet-Draft | ULD Kiel |
| Intended status: Informational | H. Tschofenig |
| Expires: July 28, 2012 | Nokia Siemens Networks |
| R. Smith | |
| JANET(UK) | |
| January 27, 2012 |
Privacy Terminology
draft-iab-privacy-terminology-00.txt
Privacy is a concept that has been debated and argued throughout the last few millennia by all manner of people. Its most striking feature is that nobody seems able to agree upon a precise definition of what it actually is. In order to discuss privacy in any meaningful way a tightly defined context needs to be elucidated. The specific context of privacy used within this document is that of "personal data", any information relating to a data subject; a data subject is an identified natural person or a natural person who can be identified, directly or indirectly. This context is highly relevant since a lot of work within the IETF involves defining protocols that can potentially transport (either explicitly or implicitly) personal data.
This document aims to establish a basic lexicon around privacy so that IETF contributors who wish to discuss privacy considerations within their work can do so using terminology consistent across the area.
Note: This document is discussed at https://www.ietf.org/mailman/listinfo/ietf-privacy
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 28, 2012.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Privacy is a concept that has been debated and argued throughout the last few millennia by all manner of people, including philosophers, psychologists, lawyers, and more recently, computer scientists. Its most striking feature is that nobody seems able to agree upon a precise definition of what it actually is. Every individual, every group, and every culture have their own different views and preconceptions about the concept - some mutually complimentary, some distinctly different. However, it is generally (but not unanimously!) agreed that the protection of privacy is "A Good Thing" and often, people only realize what it was when they feel that they have lost it.
In order to discuss privacy in any meaningful way a tightly defined context needs to be elucidated. The specific context of privacy used within this document is that of "personal data", any information relating to a data subject; a (data) subject is an identified natural person or a natural person who can be identified, directly or indirectly. We A lot of work within the IETF involves defining protocols that can potentially transport personal data and can therefore either, by dint of design decisions when creating them, enable either privacy protection or result in privacy breaches. While identifiers and data elements communicated in protocols often do not assume a specific association with a human using the software. However, a protocol may help or simplify the re-identification of a natural person by the choice of their identifiers and other state that is established and communicated, particularly when information from various sources is combined and analyzed together.
Work in this area of privacy and privacy protection over the last few decades has centered on the idea of data minimization; it uses terminologies such as anonymity, unlinkability, unobservability, and pseudonymity. These terms are often used in discussions about the privacy properties of systems.
The core principal of data minimization is that the ability for others to collect personal data should be removed or at least minimized when this is either not desirable or when it cannot be entirely prevented.
Data minimization is the only generic strategy to enhance individual privacy in cases where valid personal information is used since all valid personal data inherently provides some linkability. Other techniques have been proposed and implemented that aim to enhance privacy by providing misinformation (inaccurate or erroneous information, provided usually without conscious effort to mislead or deceive) or disinformation (deliberately false or distorted information provided in order to mislead or deceive). However, these techniques are out of scope for this document.
We use the term 'attacker' in this writeup to refer to an entity that violates the privacy expectations of a data subject. The attacker may not only be an entity that is external to the system but, in many cases, the attacker is actually one of the communication partners. When necessary we use the term initiator and responder to refer to the communication interaction of a protocol. This particular terminology is used to highlight that many protocols utilize bidirectional communication where both ends send and receive data. We assume that the attacker uses all information available to infer (probabilities of) his items of interest (IOIs). These IOIs may be attributes (and their values) of personal data, or may be actions such as who sent, or who received, which messages.
This document aims to establish a basic lexicon around privacy so that IETF contributors who wish to discuss privacy considerations within their work (see [I-D.iab-privacy-considerations]) can do so using terminology consistent across areas. Note that it does not attempt to define all aspects of privacy terminology, rather it just establishes terms to some of the most common ideas and concepts.
To enable anonymity of a subject, there always has to be an appropriate set of subjects with potentially the same attributes. The set of all possible subjects is known as the anonymity set, and membership of this set may vary over time.
The set of possible subjects depends on the knowledge of the attacker. Thus, anonymity is relative with respect to the attacker. Therefore, an initiator may be anonymous (initiator anonymity) only within a set of potential initiators - their initiator anonymity set - which itself may be a subset of all subjects who may send a message. Conversely a responder may be anonymous (responder anonymity) only within a set of potential responders - their responder anonymity set. Both anonymity sets may be disjoint, may overlap, or may be the same.
Unlinkability of two (or more) messages may of course depend on whether their content is protected against the attacker. In the cases where this is not true, messages may only be unlinkable if we assume that the attacker is not able to infer information about the initiator or responder from the message content itself. It is worth noting that even if the content itself does not betray linkable information explicitly, deep semantical analysis of a message sequence can often detect certain characteristics which link them together, e.g., similarities in structure, style, use of some words or phrases, consistent appearance of some grammatical errors, etc.
The unlinkability property can be considered as a more "fine-grained" version of anonymity since there are many more relations where unlinkability might be an issue than just the relation of "anonymity" between subjects and IOIs. As such, it may sometimes be necessary to explicitly state to which attributes anonymity refers to (beyond the subject to IOI relationship). An attacker might get to know information on linkability of various messages while not necessarily reducing anonymity of the particular subject. As an example an attacker, in spite of being able to link all encrypted messages in a set of transactions, does not learn the identify of the subject who is the source of the transactions.
There are several items of terminology heavily related to unlinkability:
In contrast to anonymity and unlinkability, where the IOI is protected indirectly through protection of the IOI's relationship to a subject or other IOI, undetectability is the direct protection of an IOI. For example, undetectability can be regarded as a possible and desirable property of steganographic systems.
If we consider messages as IOIs, then undetectability means that messages are not sufficiently discernible from, e.g., "random noise".
In the context of IETF protocols almost all identifiers are pseudonyms since there is typically no requirement to use real names in protocols. However, in certain scenario it is reasonable to assume that real names will be used and it will be worthwhile to point out this circumstance.
For Internet protocols it is important whether protocols allow identifiers to be recycled dynamically, what the lifetime of the pseudonyms are, to whom they get exposed, how subjects are able to control disclosure, and how often they can be changed over time (and what the consequences are when they are regularly changed). These aspects are described in [I-D.iab-privacy-considerations].
Achieving anonymity, unlinkability, and maybe undetectability may enable the ideal of data minimization. Unfortunately, it would also prevent a certain class of useful two-way communication scenarios. Therefore, for many applications, we need to accept a certain amount of linkability and detectability while attempting to retain unlinkability between the subject and their transactions. This is achieved through appropriate kinds of pseudonymous identifiers. These identifiers are then often used to refer to established state or are used for access control purposes, see [I-D.iab-identifier-comparison].
The term 'real name' is the antonym to "pseudonym". There may be multiple real names over a lifetime -- in particular legal names. For example, a human being may possess the names which appear on their birth certificate or on other official identity documents issued by the State; for a legal person the name under which it operates and which is registered in official registers (e.g., commercial register or register of associations). A human being's real name typically comprises their given name and a family name. Note that from a mere technological perspective it cannot always be determined whether an identifier of a subject is a pseudonym or a real name.
Additional useful terms are:
Sender pseudonymity is defined as the sender being pseudonymous, recipient pseudonymity is defined as the recipient being pseudonymous.
Anonymity through the use of pseudonyms is stronger where ...
Parts of this document utilizes content from [anon_terminology], which had a long history starting in 2000 and whose quality was improved due to the feedback from a number of people. The authors would like to thank Andreas Pfitzmann for his work on an earlier draft version of this document.
Within the IETF a number of persons had provided their feedback to this document. We would like to thank Scott Brim, Marc Linsner, Bryan McLaughlin, Nick Mathewson, Eric Rescorla, Alissa Cooper, Scott Bradner, Nat Sakimura, Bjoern Hoehrmann, David Singer, Dean Willis, Christine Runnegar, Lucy Lynch, Trend Adams, Mark Lizar, Martin Thomson, Josh Howlett, and Mischa Tuffield.
This document introduces terminology for talking about privacy within IETF specifications. Since privacy protection often relies on security mechanisms then this document is also related to security in its broader context.
This document does not require actions by IANA.
| [I-D.iab-privacy-considerations] | Cooper, A, Tschofenig, H, Aboba, B, Peterson, J and J Morris, "Privacy Considerations for Internet Protocols", Internet-Draft draft-iab-privacy-considerations-01, October 2011. |
| [id] | Identifier - Wikipeadia", Wikipedia , URL: http://en.wikipedia.org/wiki/Identifier, 2011. | , "