wg-pic - Re: [wg-pic] PIC/ALS and the social context
Subject: Presence and IntComm WG
- From: Jamey Hicks <>
- Subject: Re: [wg-pic] PIC/ALS and the social context
- Date: Thu, 19 Feb 2004 09:28:09 -0500
Candace Holman wrote:
We started this discussion to talk about the social controversy space in technology decisions that are being made for PIC/ALS, and collect some ideas for a paper. I'm new to this list, but expected more argument.
Jeremy said:
"...the centralized architecture favors the government in that it has
a single point to tap with an appropriate court order. The latter [edge architecture] presents a technical barrier to that law enforcement approach. Each stakeholder has a clearly defined interest and each of the architectures
tilts the field."
Let me become his devil's advocate, but anyone can answer these questions. What kind of privacy can you provide with an edge server that doesn't work on a central server of similar design? Tell me more about the technical barrier to law enforcement. What would prevent the government from asking the service provider to provide a point to tap on the edge server? What are the details? What if the hackers wanted to do the tapping, is each type of server secured by the same means?
I think you have a good point. There is no real technical reason why an edge server would provide you with more privacy than a centralized server. It does mean that law enforcement might have to do a little more investigation until they determine which edge server they need access to.
I think the real difference in this context between a centralized server and an edge server is administrative control: who sets and implements the policies. I think of an edge server as something that you or your organization sets the policies for and a centralized server as something that a service provider or government sets the policies for.
As an example of edge servers, consider DHCP servers. I've heard several stories about how law enforcement has requested logs from DHCP servers so that they could tie IP addresses to particular ethernet cards in the case of illegally downloading music files. The administrator of the DHCP server can set policies that enhance privacy by either being very stringent about what requests they will respond to or by flushing the logs after a short period of time. The latter seems to be a good strategy as far as that goes.
So, law enforcement can and does request to tap into edge servers.
If the edge server is maintained by a malicious organization, it will be more difficult for law enforcement to get cooperation to tap into that server, which leads us to the question of breaking into the system.
Again, there is not a technical difference in the security between a centralized server and an edge server. Busier servers often seem to present more interesting targets, so there are more attempts against them. But then busier servers often have bigger IT budgets and so have more care taken about their security.
If you don't want to address that issue, another social issue we can discuss has to do with anonymous subscription, protecting anonymity and preventing forged identity. The teams are privacy pundits (civil liberties organizations, people who don't want to be stalked, criminals who don't want to be found, etc.) vs. data miners (marketing organizations, the customer who requires a follow-me communication service level from her consultant, homeland security agents, etc.). I think at this point in time we have both bases covered, but does anyone see technology decisions being made where one "team" is being favored over the other?

Anonymous access and preventing forged identity are two separate issues, and both should be addressed. These two concerns are at odds with each other as well.
Anonymity:
I think that true anonymous access is a special case. It is difficult to implement given the end-to-end nature of the internet protocols. For two parties to communicate via IP, they need to know the address of the other party. To remain anonymous, there must be nothing to tie that IP address to the person wishing to remain anonymous. Using an IP address from a large DHCP pool or pools can achieve this purpose, assuming the maintainer of the DHCP server is not keeping logs of the DHCP requests and responses, which contain the user's MAC address.
To remain anonymous, one would be more successful by using anonymizer services. One of the technical requirements of anonymizer services is that they do not keep logs, so there is nothing with which to respond to a wiretap request. Such services are beneficial to people avoiding being stalked or being fired for whistleblowing. They are also useful to criminals.
Privacy Policies
A common problem with databases containing information about users is that if a data miner joins two or more such databases they can learn more than the users wanted to disclose. It is very difficult to prevent this technically. Well, OK, it is probably an undecidable problem and therefore impossible to prevent technically without preventing useful and valid information requests. In the medical research community, I think they manually review information requests to verify that the queries yield statistically useful data without reducing the anonymity of patients.
Preventing Forged Identity:
First we need one or more mechanisms to verify identity, then we need to get all the users to use it. Actually, there are many mechanisms available to authenticate users, but in practice it has been difficult to get people to use them. Practically, I think we need to get 2 or 3 mechanisms widely implemented. But even getting vendors to agree on a couple of choices is really hard. Vendors see huge value in the ownership of identity databases.
I think that it will come down to two types of mechanisms: federations (e.g. shibboleth) and chains-of-trust (e.g. pgp or gpg keychains). Social network software is another example of the chain of trust idea. I trust Joe who identifies Alice, so I'll believe the message is from Alice. Now that I think about it, federations are just chains of trust at the organizational level rather than the individual level.
-Jamey
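The join attack described under "Privacy Policies" above, worked through as an added example (this is editorial illustration, not code from the message or from the wg-pic group). A table released with names stripped is joined against a second, public table on the fields both share (ZIP code, birth date, sex). Every record, table row, name and diagnosis below is constructed; the k-anonymity check and the coarsening step go slightly beyond the message, which only says the problem is hard to prevent, to show the check a reviewer of such a release would actually run.

```python
"""Linkage (join) attack on a 'de-identified' release, plus a k-anonymity check.

Added example; not part of the original mailing-list message. All data is
constructed for illustration: names, ZIP codes, dates and diagnoses are made up.
"""
from collections import Counter

# Quasi-identifiers: fields that are not names, but in combination are often unique.
QUASI_IDS = ("zip", "birth_date", "sex")

# Constructed "anonymized" medical release: direct identifiers removed.
MEDICAL = [
    {"zip": "02139", "birth_date": "1971-03-14", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_date": "1964-07-02", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_date": "1964-07-02", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_date": "1975-11-30", "sex": "F", "diagnosis": "migraine"},
]

# Constructed public roll (think voter list) carrying the same fields plus names.
PUBLIC = [
    {"name": "Alice Example", "zip": "02139", "birth_date": "1971-03-14", "sex": "F"},
    {"name": "Bob Example", "zip": "02139", "birth_date": "1964-07-02", "sex": "M"},
    {"name": "Carl Example", "zip": "02139", "birth_date": "1964-07-02", "sex": "M"},
    {"name": "Dana Example", "zip": "02138", "birth_date": "1975-11-30", "sex": "F"},
]


def key(row, fields=QUASI_IDS):
    """The join key: the tuple of quasi-identifier values for one row."""
    return tuple(row[f] for f in fields)


def link_records(deidentified, public, fields=QUASI_IDS):
    """Join the two tables on the quasi-identifiers.

    Returns ({name: diagnosis}, [ambiguous keys]). A name is attached to a
    diagnosis only where the join is unambiguous: exactly one public row and
    exactly one released row share the key. Keys matched by several rows are
    reported separately so the caller sees what the join could not settle.
    """
    pub_by_key = {}
    for row in public:
        pub_by_key.setdefault(key(row, fields), []).append(row["name"])
    med_by_key = {}
    for row in deidentified:
        med_by_key.setdefault(key(row, fields), []).append(row["diagnosis"])

    reidentified, ambiguous = {}, []
    for k, diagnoses in med_by_key.items():
        names = pub_by_key.get(k, [])
        if len(names) == 1 and len(diagnoses) == 1:
            reidentified[names[0]] = diagnoses[0]
        elif names:
            ambiguous.append(k)
    return reidentified, ambiguous


def k_anonymity(rows, fields=QUASI_IDS):
    """Smallest number of rows sharing one quasi-identifier combination.

    k == 1 means some row is unique on the quasi-identifiers and is exposed to
    exactly the join above; a reviewer would reject such a release.
    """
    counts = Counter(key(r, fields) for r in rows)
    return min(counts.values())


def coarsen(rows):
    """Generalise quasi-identifiers: 3-digit ZIP prefix and birth decade.

    This is the usual mitigation: make the shared fields less specific so that
    several people fall into each combination. Works on either table.
    """
    return [dict(r, zip=r["zip"][:3], birth_date=r["birth_date"][:3]) for r in rows]


if __name__ == "__main__":
    found, unsettled = link_records(MEDICAL, PUBLIC)
    print("re-identified:", found)              # Alice and Dana are unique on the key
    print("ambiguous keys:", unsettled)         # Bob and Carl share one key
    print("k of release as published:", k_anonymity(MEDICAL))
    print("k after coarsening:", k_anonymity(coarsen(MEDICAL)))
    print("re-identified after coarsening:", link_records(coarsen(MEDICAL), coarsen(PUBLIC))[0])
```

Note that nothing in the released table is a name, and that each field on its own (a ZIP code, a birth date, a sex) is shared by many people; it is the combination, and the existence of a second table carrying the same combination, that does the damage. Coarsening raises k to 2 here, at the cost of the birth-date and ZIP precision a researcher might have wanted, which is the trade-off the manual review described above is weighing.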
- Re: [wg-pic] PIC/ALS and the social context, Candace Holman, 02/13/2004
- Re: [wg-pic] PIC/ALS and the social context, Jeremy George, 02/14/2004
- <Possible follow-up(s)>
- RE: [wg-pic] PIC/ALS and the social context, Barry Wray, 02/17/2004
- RE: [wg-pic] PIC/ALS and the social context, Candace Holman, 02/18/2004
- Re: [wg-pic] PIC/ALS and the social context, john p. streck, 02/19/2004
- Re: [wg-pic] PIC/ALS and the social context, Jamey Hicks, 02/19/2004
- RE: [wg-pic] PIC/ALS and the social context, Deke Kassabian, 02/23/2004
- RE: [wg-pic] PIC/ALS and the social context, Peter Deutsch, 02/19/2004