Re: [saag] Liking Linkability from Henry Story on 2012-10-21 (public-privacy@w3.org from October to December 2012)

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 22 Oct 2012 00:13:56 +0200
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Kingsley Idehen <kidehen@openlinksw.com>, Ben Laurie <ben@links.org>, Mouse <mouse@rodents-montreal.org>, "public-philoweb@w3.org" <public-philoweb@w3.org>, "public-identity@w3.org" <public-identity@w3.org>, "saag@ietf.org" <saag@ietf.org>, "public-privacy@w3.org" <public-privacy@w3.org>, Sam Hartman <hartmans-ietf@mit.edu>, "public-webid@w3.org" <public-webid@w3.org>
Message-Id: <FFFD96E7-2D45-4BA3-8EE1-6BB55D3CCCEE@bblfish.net>

It would be nice if we could remove the ad-hominem attacks here. These
issues can be worked out clearly and calmly by careful reasoning and
attending to some existing definitions. 

Below I show how I agree with  Dick Hard and Ben Laurie that public 
keys are identifiers. But the point of this thread entitled 
"Liking Linkability" is that this is not the problem to privacy that
it is thought to be. Indeed my point is that linkability is very important 
to increase privacy.... 

On 21 Oct 2012, at 23:17, Dick Hardt <dick.hardt@gmail.com> wrote:

> 
> On Oct 21, 2012, at 9:32 AM, Kingsley Idehen <kidehen@openlinksw.com> wrote:
> 
>> On 10/18/12 3:29 PM, Ben Laurie wrote:
>>> 
>>> I really feel like I am beating a dead horse at this point, but
>>> perhaps you'll eventually admit it. Your public key links you. Access
>>> control on the rest of the information is irrelevant. Indeed, access
>>> control on the public key is irrelevant, since you must reveal it when
>>> you use the client cert. Incidentally, to observers as well as the
>>> server you connect to.
>>> 
>> A public key links to a private key.
> 
> A public key or private key *is* an identifier. If there is a 1:1 mapping of public/private key pair to a user, and if the key pair is used at more than one place, then those places know it is the same user and the activities at each of those places is linked.

Note Dick, that I (Henry Story) agree with you and Ben Laurie here: A public key is 
an identifier. If you use the same public key to identify yourself at various sites
then those  sites can link you. This may be what you do intend to do though, and so 
this is not a priori a bad thing. Which is why the title of this post is "Liking Linkability".

In this thread my argument has consisted in a making two points:

 1. that showing someone an identifier - be it public key or other string with an 
 inverse functional relation to an agent - may not be a linkability problem
 ( because you may not consider the agent receiving the information as the enemy )

 2. Show how linkability is important for privacy

1. linkability
--------------

If we look at the definition given of linkability in 

  https://tools.ietf.org/html/draft-hansen-privacy-terminology-03

it says:

[[
      Definition:  Unlinkability of two or more Items Of Interest (e.g.,
      subjects, messages, actions, ...) from an attacker's perspective
      means that within a particular set of information, the attacker
      cannot distinguish whether these IOIs are related or not (with a
      high enough degree of probability to be useful).

]]

It is defining unlinkability in terms of  "two or more items of interest 
from an attacker's perspective".

So my point is simply: who is the attacker? If you make the site you are 
authenticating to with OpenID, BrowserId, or WebID  be considered 
the attacker then you should not use any of those technologies. If on the 
other hand you  consider that those sites are *not* the attacker - because say, 
you only give  them your identity when you are sure that you want to do so -
then the negative linkability claim cannot be made according to the above 
definition.

Or at the very least it is a very different problem at that point: if you 
exclude the site you are authenticating to as the enemy, then identifying yourself
with your public key is not a linkability problem according to the above definition.
It would be if some other agent listening in on the conversation could surmise
your public key. They would then be able to know that you talked to site B. (If they
also knew the content of the conversation then they would know even more, and your 
privacy problem would indeed be greater)

2. linkability's importance to privacy
--------------------------------------

I then argued that one cannot make a simple claim that linkability is a bad thing.
In fact there are good reasons to believe that certain types of linkability
are very important to create distributed social networks - which I call the social web.
A Social Web would clearly be a big improvement for privacy over how things are 
being done currently. I don't want to repeat this whole thread here since that was 
the argument I made in the initial post in this thread which is archived here:

 http://lists.w3.org/Archives/Public/public-privacy/2012OctDec/0003.html

> 
>> You are the one being utterly obstinate here.
> 
> Not true … and I don't think that was a productive comment.

I don't think that comment is fruitful either. This case can be
argued well without ad-hominem attacks. 

> 
>> I encourage you to make you point with clear examples so that others can juxtapose your views and ours.
> 
> Perhaps my explanation above makes the point clear to you.
> 
> -- Dick

Social Web Architect
http://bblfish.net/

Attachments

application/pkcs7-signature attachment: smime.p7s

Received on Sunday, 21 October 2012 22:14:37 UTC