- From: Henry Story <henry.story@bblfish.net>
- Date: Sat, 6 Oct 2012 15:49:12 +0200
- To: "public-webid@w3.org" <public-webid@w3.org>, "public-identity@w3.org" <public-identity@w3.org>, public-privacy@w3.org
- Cc: "public-philoweb@w3.org" <public-philoweb@w3.org>
- Message-Id: <88F98DFD-EF7D-4444-A9C2-FB8E15F5DA89@bblfish.net>
Notions of unlinkability of identities have recently been deployed
in ways that I would like to argue, are often much too simplistic,
and in fact harmful to wider issues of privacy on the web.
I would like to show this in two stages:
1. That linkability of identity is essential to electronic privacy
on the web
2. Show an example of an argument by Harry Halpin relating to
linkability, and by pulling it apart show how careful one has
to be with taking such arguments at face value
Because privacy is the context in which the linkability or non linkability
of identities is important, I would like to start with a simple working
definition of what constitutes privacy with the following minimal
criterion [0] that I think everyone can agree on:
"A communication between two people is private if the only people
who are party to the conversation are the two people in question.
One can easily generalise to groups: a conversation between groups
of people is private (to the group) if the only people who can
participate/read the information are members of that group"
Note that this does not deal with issues of people who were privy to
the conversation later leaking information voluntarily. We cannot
technically legislate good behaviour, though we can make it possible
for people to express context. [1]
1. On the importance of linkability of identities to privacy
============================================================
A. Issues of Centralisation
---------------------------
We can put this with the following thought experiment which I put
to Ben Laurie recently [0].
First imagine that we all are on one big social network, where
all of our home pages are at the same URL. Nobody could link
to our profile page in any meaningful way. The bigger the network
the more different people that one URL could refer to. People
that were part of the network could log in, and once logged in
communicate with others in their unlinkable channels.
But this would not necessarily give users of the network privacy:
simply because the network owner would be party to the conversation
between any two people or any group of people. Conversations
that do not wish the network owner to be party to the conversation
cannot work within that framework.
At the level of our planet it is clear that there will always be a
huge number of agents that cannot for legal or other reasons allow one
global network owner to be party to all their conversations. We are
therefore socio-logically forced into the social web.
B. Linkability and the Social Web
---------------------------------
Secondly imagine that we now all have Freedom Boxes [4], where
each of us has full control over the box, its software, and the
data on it. (We take this extreme individualistic case to emphasise
the contrast, not because we don't acknowledge the importance of
many intermediate cases as useful) Now we want to create a
distributed social network - the social web - where each of us can
publish information and through access control rules limit who can
access each resource. We would like to limit access to groups such
as:
- friends
- friends of friends
- family
- business colleagues
- ...
Limit access means, that we need to determine when accessing a
resource who is accessing it. For this we need a global identifier
so that can check with the information available to us, if the
referent of that identifier is indeed a member of one of those
groups. We can't have a local identifier, for that would require
that the person we were dealing with had an account on our private
box - which will be extremely unlikely. We therefore need a way
to identify - pseudonymously if be - agents in a global space.
Take the following example. Imagine you come to the WebID TPAC
meeting [6] and I take a picture of everyone present. I would like
to first restrict access to the picture to only those members who
were present. Clearly if I only used local identifiers, I would have
to get each one of you to first create an account on my machine. But
how would I then know that the accounts created on the FBox correspond
to the people who were at the party? It is much easier if we could
create a party members group and publish it like this
http://www.w3.org/2005/Incubator/webid/team.n3
Then I could drag and drop this group on the access control panel
of my FBox admin console to restrict access to only those members.
This shows how through linkability I can restrict access and
increase privacy by making it possible to link identities in a distributed
web. It would be quite possible furthermore for the above team.n3
resource to be protected by access control.
2. Example of how Unlinkability can be used to spread FUD
=========================================================
So here I would like to show how fears about linkability can
then bring intelligent people like Harry Halpin to make some seemingly
plausible arguments. Here is an example [2] of Harry arguing against
W3C WebID CG's http://webid.info/spec/
[[
Please look up "unlinkability" (which is why I kept referencing the
aforementioned IETF doc [sic [3] below it is a draft] which I saw
referenced earlier but whose main point seemed missed). Then explain
how WebID provides unlinkability.
Looking at the spec - to me, WebID doesn't as it still requires
publishing your public key at a URI and then having the relying party go
to your identity provider (i.e. your personal homepage in most cases,
i.e. what it is that hosts your key) in order to verify your cert, which
must provide that URI in the SAN in the cert. Thus, WebID does not
provide unlinkability. There's some waving of hands about guards and
access control, but that would not mediate the above point, as the HTTP
GET to the URI for the key is enough to provide the "link".
In comparison, BrowserID provides better privacy in terms of
unlinkability by having the browser in between the identity provider and
the relying party, so the relying party doesn't have to ping the
identity provider for identity-related transactions. That definitely
helps provide unlinkability in terms of the identity provider not
needing to knowing every time the user goes to a relying party.
]]
If I can rephrase the point seems to be the following: A WebID verification
requires that the site your are authenticating to ( The Relying Party ) verify
your identity by dereferencing ( let me add: anonymously ) your profile
page, which might only contain as much as your public key publicly. The yellow
box in the picture here:
http://www.w3.org/2005/Incubator/webid/spec/#the-webid-protocol
The leakage of information then would not be towards the Relying Party - the
site you are logging into - because that site is the one you just wilfully
sent a proof of your identity to. The leakage of information is (drum roll)
towards your profile page server! That server might discover ( through IP address
sniffing presumably ) which sites you might be visiting.
One reasonable answer to this problem would be for the Relying Party to fetch
this information via Tor which would remove the ip address sniffing problem.
But let us develop the picture of who we are loosing (potentially)
information to. There are a number of profile server scenarios:
A. Profile on My Freedom Box [4]
The FreedomBox is a personal machine that I control, running
free software that I can inspect. Here the only person who has
access to the Freedom Box is me. So if I discover that I logged
in somewhere that should come as no surprise to me. I might even
be interested in this information as a way of gathering information
about where I logged in - and perhaps also if anything had been
logging in somewhere AS me. (Sadly it looks like it might be
difficult to get much good information there as things stand
currently with WebID.)
B. Profile on My Company/University Profile Server
As a member of a company, I am part of a larger agency, namely the
Company or University who is backing my identity as member of that
institution. A profile on a University web site can mean a lot more
than a profile on some social network, because it is in part backed
by that institution. Of course as a member of that institution we
are part of a larger agent hood. And so it is not clear that the institution
and me are in that context that different. This is also why it is
often legally required that one not use one's company identity for
private business.
C. A Social Network ( Google+, Facebook, ... )
It is a bit odd that people who are part of these networks, and who
are "liking" pretty much everything on the web in a way that is clearly
visible and is encouraged by those networks to be visible to the
network, would have an issue with those sites knowing-perhaps (if the
RP does not use Tor or a proxy) where they are logging into. It is certainly
not the way the OAuth, OpenID or other protocols that are in extremely
wide use now have been developed and are used by those sites.
If we look then at BrowserId [7] Now Mozilla Persona, the only difference
really with WebID ( apart from it not being decentralised until crypto in the
browser really works ) is that the certificate is updated at short notice
- once a day - and that relying parties verify the signature. Neither of course
can the relying party get much interesting attributes this way, and if it did
then the whole of the unlinkability argument would collapse immediately.
3. Conclusion
=============
Talking about privacy is like talking about security. It is a breeding ground
for paranoia, which tend to make it difficult to notice important
solutions to the problem we actually have. Linkability or unlinkability as defined in
draft-hansen-privacy-terminology-03 [3] come with complicated definitions,
and are I suppose meant to be applied carefully. But the choice of "unlinkable"
as a word tends to help create rhethorical short cuts that are apt to hide the
real problems of privacy. By trying too hard to make things unlinkable we are moving
inevitably towards a centralised world where all data is in big brother's hands.
I want to argue that we should all *Like* Linkability. We should
do it aware that we can protect ourselves with access control (and TOR)
and realise that we don't need to reveal anything more than anyone knew
before hand in our linkable profiles.
To create a Social Web we need a Linkable ( and likeable ) social web.
We may need other technologies for running Wikileaks type set ups, but
the clearly cannot be the basic for an architecture of privacy - even
if it is an important element in the political landscape.
Henry
[0] this is from a discussion with Ben Laurie
http://lists.w3.org/Archives/Public/public-webid/2012Oct/att-0022/privacy-def-1.pdf
[1] Oshani's Usage Restriction paper
http://dig.csail.mit.edu/2011/Papers/IEEE-Policy-httpa/paper.pdf
[2] http://lists.w3.org/Archives/Public/public-identity/2012Oct/0036.html
[3] https://tools.ietf.org/html/draft-hansen-privacy-terminology-03
[4] http://www.youtube.com/watch?v=SzW25QTVWsE
[6] http://www.w3.org/2012/10/TPAC/
[7] A Comparison between BrowserId and WebId
http://security.stackexchange.com/questions/5406/what-are-the-main-advantages-and-disadvantages-of-webid-compared-to-browserid
Social Web Architect
http://bblfish.net/
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Saturday, 6 October 2012 13:49:45 UTC