Internet DRAFT - draft-bray-privacy-choices

draft-bray-privacy-choices







Network Working Group                                       T. Bray, Ed.
Internet-Draft                                       Textuality Services
Intended status: Standards Track                          April 11, 2015
Expires: October 13, 2015


               Privacy Choices for Internet Data Services
                     draft-bray-privacy-choices-01

Abstract

   This document argues in favor of Internet service providers deploying
   technologies which offer increased privacy to users of their
   services.  The discussion is independent of any particular privacy
   technology.  The approach is to consider common objections to the the
   deployment of such technologies, and show that these objections are
   not well-founded.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 13, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of




Bray                    Expires October 13, 2015                [Page 1]

Internet-Draft Privacy Choices for Internet Data Services     April 2015


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Summary . . . . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Background  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     4.1.  Asymmetric failure cost . . . . . . . . . . . . . . . . .   3
     4.2.  Privacy technology cost . . . . . . . . . . . . . . . . .   3
   5.  Common objections to privacy-technology deployment  . . . . .   4
     5.1.  Free public data  . . . . . . . . . . . . . . . . . . . .   4
     5.2.  Privacy at user option  . . . . . . . . . . . . . . . . .   4
     5.3.  Failures of privacy technology  . . . . . . . . . . . . .   4
     5.4.  Affordability of privacy technology . . . . . . . . . . .   5
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   Privacy issues are becoming increasingly important to users of
   Internet services, and the providers of those services must choose
   how much privacy it is appropriate to provide their users.

   When discussing the deployment of privacy technology, certain
   objections are encountered repeatedly: That privacy protection is
   inappropriate for freely-public information and "brochure-ware", that
   it is too flawed to be worthwhile, that privacy choices are best left
   to end users, and that the cost of deploying privacy protection is
   too high.

   This document considers these these arguments and shows that they are
   flawed; the conclusion is that in almost every case, the best choice
   for a service provider and its users is the one that maximmizes
   privacy.

2.  Summary

   This document attempts to establish the following:

   1.  Whether or not information is considered "public" is not a good
       criterion for choosing whether or not to deploy privacy
       technologies for its users.

   2.  Privacy choices are difficult and context-dependent, so it's
       inappropriate to ask users to make them.





Bray                    Expires October 13, 2015                [Page 2]

Internet-Draft Privacy Choices for Internet Data Services     April 2015


   3.  Privacy techologies offer benefits to users of data services even
       when those technologies are imperfect.

   4.  Cost should not be a significant factor while considering the
       deployment of privacy technologies.

3.  Terminology

   The term "data service" means any Internet-mediated offering that is
   accessible to the general public.  Examples would include Web sites,
   HTTP APIs, streaming media, and various flavors of chat.

   In this document, "privacy protection" means technology whose
   deployment increases the cost and difficulty, for anyone but the user
   and provider of a data service, of ascertaining who is accessing
   which services and what messages are being exchanged between the user
   and the service.  Obvious examples are encryption and authentication
   technologies.

4.  Background

   This section establishes two background facts that will serve to
   support this document's central arguments.

4.1.  Asymmetric failure cost

   There are two classes of privacy-related failure in the operation of
   data services.  A positive failure occurs when privacy was provided
   but was not necessary; a negative failure is when privacy was not
   provided, but was necessary for prudent use of the data service.

   The cost of these failure classes is not symmetric; negative failures
   can endanger businesses, property, and lives, while positive failures
   usually incur at most a little extra expense.

4.2.  Privacy technology cost

   A wide variety of privacy technologies are available to Internet data
   service providers.  They include public-key infrastructure,
   transport-level encryption, server-side encryption-at-rest, and
   token-based authentication/authorization technologies which reduce
   the use of passwords.

   In every case, the monetary and engineering cost of acquiring the
   necessary resources and deploying the required software has been
   falling steadily in recent years, both absolutely and as a proportion
   of the total cost of service development and deployment.




Bray                    Expires October 13, 2015                [Page 3]

Internet-Draft Privacy Choices for Internet Data Services     April 2015


5.  Common objections to privacy-technology deployment

5.1.  Free public data

   It is reasonable to question whether, for freely-available public
   data, such as the contents of an online reference work or a
   promotional Web site, it makes sense to deploy privacy protection.

   Unfortunately, it is very difficult to predict when a person
   accessing online information might suffer negative consequences.  For
   example, some governments criminalize certain behaviors to the extent
   that accessing free public reference documents concerning that
   behavior could lead to arrest and prosecution.

   Bearing this in mind, and given the asymmetric cost of privacy
   failure modes, the conclusion is that the "public" or "free" status
   of information is not a good argument against the deployment of
   privacy technology.

   There is another, subtler point: If one groups available data
   services into those which are non-controversial and thus require no
   privacy protection, and those which are controversial and do, some
   will conclude that anything with privacy protection must be
   controversial and thus subject to suspicion.  This effect is better
   avoided.

5.2.  Privacy at user option

   It is often argued that privacy choices are best left to the users of
   data services; and thus, that opt-in privacy is an appropriate
   strategy.

   However, the technical and social factors forming the context for
   such choices are complex; even experts often disagree on privacy
   requirements.  Thus, the end-users of a data service are likely not
   well-equipped to make good choices.

   Bearing this in mind, and given the asymmetric cost of privacy
   failure modes, it is usually best to remove the necessity for making
   these choices, by always providing the maximum practical amount of
   privacy protection.

5.3.  Failures of privacy technology

   Internet privacy technologies are known to be imperfect.
   Cryptography algorithms have been compromised and there is widespread
   dissatisfaction with the PKI infrastructure.




Bray                    Expires October 13, 2015                [Page 4]

Internet-Draft Privacy Choices for Internet Data Services     April 2015


   Furthermore, it is widely agreed that an attacker who wishes to
   attack a target's privacy has many means, ranging from social
   engineering to hardware hacking to zero-day exploits, to bypass
   privacy protection.

   Therefore, it is reasonable to question the deployment of privacy
   protection, which may create an unrealistic expectation of safety
   when in fact that is not achievable.

   However, this line of argument fails on economic grounds.
   Deployments of privacy technology, however imperfect, generally have
   the effect of increasing the cost to an attacker of invading end-
   users' privacy.  Every time that cost goes up, certain surveillance
   activities, whether by government bodies or criminals, become
   uneconomic and will be abandoned, with the effect of globally
   increasing the security and privacy of Internet data services.

5.4.  Affordability of privacy technology

   Privacy technologies are not free; there are monetary costs for
   accessing PKI infrastructure, and bandwidth/computation costs related
   to encryption, authentication, and authorization.

   Service providers may find it difficult to justify such expenses,
   particularly those who have severe budget constraints.

   However, the monotonic decline in privacy technology costs decreases
   the force of this argument with every passing year.  It is hard to
   imagine a situation where an organization can afford to acquire
   server resources, domain names, internet connectivity, and software
   deployment expertise, but still cannot afford to offer privacy
   protection.

   There is a subtle related issue: Those who are operating on low
   budgets are often providing data services to disadvantaged groups,
   whose members may be in particular need of privacy protection.

Author's Address

   Tim Bray (editor)
   Textuality Services

   Email: tbray@textuality.com
   URI:   https://www.tbray.org/







Bray                    Expires October 13, 2015                [Page 5]