Network Working Group T. Bray, Ed. Internet-Draft Textuality Services Intended status: Standards Track September 10, 2014 Expires: March 14, 2015 Privacy Choices for Internet Data Services draft-bray-privacy-choices-00 Abstract This document considers the factors Internet data service providers should consider when making choices concerning privacy options, and presents arguments in favor of choices resulting in more privacy for their services' users. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 14, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Bray Expires March 14, 2015 [Page 1] Internet-Draft Privacy Choices for Internet Data Services September 2014 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 3. Privacy-technology arguments . . . . . . . . . . . . . . . . 2 3.1. Positive and negative failures . . . . . . . . . . . . . 2 3.2. Free public data . . . . . . . . . . . . . . . . . . . . 3 3.3. Making privacy choices . . . . . . . . . . . . . . . . . 3 3.4. Failures of privacy technology . . . . . . . . . . . . . 3 3.5. Cost of privacy technology . . . . . . . . . . . . . . . 4 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction Privacy issues are becoming increasingly visible, and service providers must choose how much privacy is appropriate in the context of their services. There are arguments that privacy protection is inappropriate for freely-public information and "brochure-ware", that it is too flawed to be worthwhile, that privacy choices are best left to end users, and that the cost of deploying privacy protection is too high. This document argues that these arguments are flawed and that in almost every case, the best choice for a service provider and its users is the one that maximmizes privacy. 2. Terminology The term "data service" means any Internet-mediated offering that is accessible to the general public. Examples would include Web sites, HTTP APIs, streaming media, and various flavors of chat. In this document, "privacy protection" means technology whose deployment increases the cost and difficulty, for anyone but the user and provider of a data service, of ascertaining who is accessing which services and what messages are being exchanged between the user and the service. Obvious examples are encryption and authentication technologies. 3. Privacy-technology arguments 3.1. Positive and negative failures There are two classes of privacy-related failure in the operation of data services. A positive failure occurs when privacy was provided but was not necessary; a negative failure is when privacy was not Bray Expires March 14, 2015 [Page 2] Internet-Draft Privacy Choices for Internet Data Services September 2014 provided, but was necessary for safe or prudent use of the data service. The cost of these failure classes is not symmetric; negative failures can endanger businesses, property, and lives, while positive failures usually incur at most a little extra expense. 3.2. Free public data It is reasonable to question whether, for freely-available public data, such as the contents of an online reference work or a promotional Web site, it makes sense to deploy privacy protection. Here are some reasons to answer that question in the affirmative: 1. It is very difficult to predict when accessing information might lead to negative consequences. For example, some governments criminalize certain behaviors to the extent that accessing free public reference documents concerning that behavior could lead to arrest and prosecution. 2. If one groups available data services into those which are non- controversial and thus require no privacy protection, and those which are controversial and do, some will conclude that anything with privacy protection must be controversial and thus subject to suspicion. This effect is better avoided. 3.3. Making privacy choices Service providers may argue that privacy choices are best left to the users of their services; and thus, that opt-in privacy is an appropriate strategy. However, the technical and social factors forming the context for such choices are very complex; even experts often disagree on privacy requirements. Thus, the end-users of a data service are likely not well-equipped to make good choices. Because of this, and because of the asymmetric costs of positive and negative privacy failures, it is usually best to remove the necessity for making these difficult choices, by always providing the maximum achievable amount of privacy protection. 3.4. Failures of privacy technology Internet privacy technologies are known to be imperfect. Algorithms have been compromised and there is widespread dissatisfaction with the PKI infrastructure. Bray Expires March 14, 2015 [Page 3] Internet-Draft Privacy Choices for Internet Data Services September 2014 Furthermore, it is widely agreed that an attacker who wishes to compromise a target's privacy has many means, ranging from social engineering to hardware hacking to zero-day exploits, to bypass privacy protection. Therefore, it is reasonable to question the deployment of privacy protection, which may create an unrealistic expectation of complete safety when in fact that is not achievable. However, this line of argument fails on economic grounds. Deployments of privacy technology, however imperfect, generally have the effect of increasing the cost to an attacker of invading end- users' privacy. Every time that cost goes up, certain surveillance activities, whether by government bodies or criminals, become uneconomic and will be abandoned, with the effect of globally increasing the security and privacy of Internet data services. 3.5. Cost of privacy technology Privacy technologies are not free; there are monetary costs for accessing the PKI infrastructure and bandwidth/computation costs related to encryption and authentication. Service providers may find it difficult to justify such expenses, particularly those who have severe budget constraints. However, the cost of PKI access, computation, and bandwidth have historically been declining monotonically, decreasing the force of this argument with every passing year. It should also be noted that those who are operating on low budgets are often providing data services to disadvantaged groups, who may be in particular need of privacy protection. Author's Address Tim Bray (editor) Textuality Services Email: tbray@textuality.com URI: https://www.tbray.org/ Bray Expires March 14, 2015 [Page 4]