Network Working Group T. Bray, Ed.
Internet-Draft Textuality Services
Intended status: Standards Track April 11, 2015
Expires: October 13, 2015
Privacy Choices for Internet Data Services
draft-bray-privacy-choices-01
Abstract
This document argues in favor of Internet service providers deploying
technologies which offer increased privacy to users of their
services. The discussion is independent of any particular privacy
technology. The approach is to consider common objections to the
deployment of such technologies, and show that these objections are
not well-founded.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 13, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Bray Expires October 13, 2015 [Page 1]
Internet-Draft Privacy Choices for Internet Data Services April 2015
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3
4.1. Asymmetric failure cost . . . . . . . . . . . . . . . . . 3
4.2. Privacy technology cost . . . . . . . . . . . . . . . . . 3
5. Common objections to privacy-technology deployment . . . . . 4
5.1. Free public data . . . . . . . . . . . . . . . . . . . . 4
5.2. Privacy at user option . . . . . . . . . . . . . . . . . 4
5.3. Failures of privacy technology . . . . . . . . . . . . . 4
5.4. Affordability of privacy technology . . . . . . . . . . . 5
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
Privacy issues are becoming increasingly important to users of
Internet services, and the providers of those services must choose
how much privacy it is appropriate to provide their users.
When discussing the deployment of privacy technology, certain
objections are encountered repeatedly: That privacy protection is
inappropriate for freely-public information and "brochure-ware", that
it is too flawed to be worthwhile, that privacy choices are best left
to end users, and that the cost of deploying privacy protection is
too high.
This document considers these arguments and shows that they are
flawed; the conclusion is that in almost every case, the best choice
for a service provider and its users is the one that maximizes
privacy.
2. Summary
This document attempts to establish the following:
1. Whether or not information is considered "public" is not a good
criterion for choosing whether or not to deploy privacy
technologies for its users.
2. Privacy choices are difficult and context-dependent, so it's
inappropriate to ask users to make them.
3. Privacy technologies offer benefits to users of data services even
when those technologies are imperfect.
4. Cost should not be a significant factor while considering the
deployment of privacy technologies.
3. Terminology
The term "data service" means any Internet-mediated offering that is
accessible to the general public. Examples would include Web sites,
HTTP APIs, streaming media, and various flavors of chat.
In this document, "privacy protection" means technology whose
deployment increases the cost and difficulty, for anyone but the user
and provider of a data service, of ascertaining who is accessing
which services and what messages are being exchanged between the user
and the service. Obvious examples are encryption and authentication
technologies.
4. Background
This section establishes two background facts that will serve to
support this document's central arguments.
4.1. Asymmetric failure cost
There are two classes of privacy-related failure in the operation of
data services. A positive failure occurs when privacy was provided
but was not necessary; a negative failure is when privacy was not
provided, but was necessary for prudent use of the data service.
The cost of these failure classes is not symmetric; negative failures
can endanger businesses, property, and lives, while positive failures
usually incur at most a little extra expense.
4.2. Privacy technology cost
A wide variety of privacy technologies are available to Internet data
service providers. They include public-key infrastructure,
transport-level encryption, server-side encryption-at-rest, and
token-based authentication/authorization technologies which reduce
the use of passwords.
In every case, the monetary and engineering cost of acquiring the
necessary resources and deploying the required software has been
falling steadily in recent years, both absolutely and as a proportion
of the total cost of service development and deployment.
5. Common objections to privacy-technology deployment
5.1. Free public data
It is reasonable to question whether, for freely-available public
data, such as the contents of an online reference work or a
promotional Web site, it makes sense to deploy privacy protection.
Unfortunately, it is very difficult to predict when a person
accessing online information might suffer negative consequences. For
example, some governments criminalize certain behaviors to the extent
that accessing free public reference documents concerning that
behavior could lead to arrest and prosecution.
Bearing this in mind, and given the asymmetric cost of privacy
failure modes, the conclusion is that the "public" or "free" status
of information is not a good argument against the deployment of
privacy technology.
There is another, subtler point: If one groups available data
services into those which are non-controversial and thus require no
privacy protection, and those which are controversial and do, some
will conclude that anything with privacy protection must be
controversial and thus subject to suspicion. This effect is better
avoided.
5.2. Privacy at user option
It is often argued that privacy choices are best left to the users of
data services, and thus that opt-in privacy is an appropriate
strategy.
However, the technical and social factors forming the context for
such choices are complex; even experts often disagree on privacy
requirements. Thus, the end-users of a data service are likely not
well-equipped to make good choices.
Bearing this in mind, and given the asymmetric cost of privacy
failure modes, it is usually best to remove the necessity for making
these choices, by always providing the maximum practical amount of
privacy protection.
5.3. Failures of privacy technology
Internet privacy technologies are known to be imperfect.
Cryptographic algorithms have been compromised and there is widespread
dissatisfaction with the PKI infrastructure.
Furthermore, it is widely agreed that an attacker who wishes to
attack a target's privacy has many means, ranging from social
engineering to hardware hacking to zero-day exploits, to bypass
privacy protection.
Therefore, it is reasonable to question the deployment of privacy
protection, which may create an unrealistic expectation of safety
when in fact that is not achievable.
However, this line of argument fails on economic grounds.
Deployments of privacy technology, however imperfect, generally have
the effect of increasing the cost to an attacker of invading end-
users' privacy. Every time that cost goes up, certain surveillance
activities, whether by government bodies or criminals, become
uneconomic and will be abandoned, with the effect of globally
increasing the security and privacy of Internet data services.
5.4. Affordability of privacy technology
Privacy technologies are not free; there are monetary costs for
accessing PKI infrastructure, and bandwidth/computation costs related
to encryption, authentication, and authorization.
Service providers may find it difficult to justify such expenses,
particularly those who have severe budget constraints.
However, the monotonic decline in privacy technology costs decreases
the force of this argument with every passing year. It is hard to
imagine a situation where an organization can afford to acquire
server resources, domain names, internet connectivity, and software
deployment expertise, but still cannot afford to offer privacy
protection.
There is a subtle related issue: Those who are operating on low
budgets are often providing data services to disadvantaged groups,
whose members may be in particular need of privacy protection.
Author's Address
Tim Bray (editor)
Textuality Services
Email: tbray@textuality.com
URI: https://www.tbray.org/