Re: On the european response to Snowden

From: David Singer <singer@apple.com>
Date: Tue, 27 Jan 2015 15:33:21 +0100
Cc: Danny Weitzner <djweitzner@csail.mit.edu>, Rigo Wenning <rigo@w3.org>, public-privacy@w3.org
Message-id: <6C906DF6-F70C-4B70-97E7-118CD9E2F922@apple.com>
To: Mike O'Neill <michael.oneill@baycloud.com>

Thanks Mike, comments inline

> 1) Signalling.
> 	We saw a bit of this in the DNT discussions. How to create a signal conveying a user's explicit agreement for something or their preferences for something to one or more entities that may exist across multiple origins, in a secure untamperable way. This may eventually be superseded by:

A challenging problem.  These signals and preferences tend to be small, and padding them and then signing them digitally would seem to be using a sledgehammer to crack a walnut.  But maybe the walnut is growing in importance.  Other ideas?

> 2) Anonymity.
> 	To ensure privacy we should be able to trawl the net anonymously, but with some identity available through defined transactional processes. For example we may allow a subset of our identity to be discovered by some parties we know about and have reached agreement with. This might just be a broad audience categorisation (male, geek, whatever) or it might be more specific (MEP, a particular child's parent, member of a club). Visible identity changes with circumstances, i.e. I could anonymously apply for a loan or agree to pay for a purchase but I would need to be accountable. My legal identity would have to be discoverable in certain agreed circumstances. We may also agree, through membership of a "rule of law" jurisdiction, that our identity is discoverable by law enforcement under agreed (by society) circumstances.
> 
> This may go beyond HTTP, i.e. IPv6 anon. auto configuration everywhere or a new internetworking layer, focus on stopping fingerprinting, and it is a big one. It will need heavy guns.

Online anonymity — secrecy — is hard, as you know. Tor is hardly an easy or universal solution. I recently did the thought experiment “what if every router was a NAT box?” — this would mean that IP addresses would be useless as proxies for identity — and the answer is that anonymity would improve but many other things (e.g. phone calls) would suffer. Again, ideas for this would be good.

> 3) Encryption.
> 
> There is talk about making end-to-end encryption illegal. While this may seem silly and is probably a shot across the bows, https everywhere stirs the hornet's nest. I think an answer involves some process whereby https is made more secure (via certificate pinning etc.), available to anyone but that law enforcement is given the means to determine identity through an internationally agreed process i.e. along the lines of 2).
> 
> I think any backdooring process will just end up helping the bad guys, so we have full ETO encryption available but if the net can properly ensure privacy and security only a minority will need it.

So you envisage encryption that is end-to-end and backdoor free, but nonetheless accessible to lawful intercept. Challenging in today’s environment, but maybe there is a solution.

David Singer
Manager, Software Standards, Apple Inc.
Received on Tuesday, 27 January 2015 14:34:20 UTC