Internet Engineering Task Force Wassim Haddad Privacy Ericsson Research Internet Draft Erik Nordmark Expires March 2006 Sun Microsystems October 2005 Privacy Terminology Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This memo introduces the terminology for the main privacy aspects. The prime goal is to avoid situations where different interpretations of the same key privacy aspects result in different requirements when designing specific solutions, thus leading to an unnecessary confusion. Haddad, Nordmark Expires March 2006 [Page 1] INTERNET-DRAFT Privacy Terminology October 2005 Table of Contents 1. Introduction.................................................2 2. Conventions used in this document............................2 3. General Terminology..........................................3 4. Privacy......................................................3 5. Location Privacy.............................................4 6. Privacy Aspects..............................................4 6.1. Anonymity..................................................4 6.2. Unlinkability..............................................5 6.3. Unobservability............................................5 6.3. Relation between Anonymity and Unlinkability...............6 6.5. Pseudonymity...............................................6 7. Security Considerations......................................6 8. References...................................................7 9. Authors'Addresses............................................7 Intellectual Property Statement.................................8 Disclaimer of Validity..........................................8 Copyright Statement.............................................8 1. Introduction Privacy is becoming a key requirement to allow deployment of specific internet services. However, privacy has many aspects, which differ in scope, properties and limitations. To avoid any possible confusion with regard to the meanings of privacy in some particular scenarios and to differentiate between requirements related to each scenario, privacy aspects have to be well defined before designing any solution. It is the intention of this memo to introduce the terminology for the main aspects of privacy. 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [TERM]. Haddad, Nordmark Expires March 2006 [Page 2] INTERNET-DRAFT Privacy Terminology October 2005 3. General Terminology Item of Interest (IOI) An Item of Interest (IOI) represents what an attacker is trying to discover, learn, trace and possibly link to other IOI(s), in order to identify its target. Examples of IOI include a subject, event, action (e.g., send, receive, move, etc), specific type of messages,... Knowledge In the field of privacy, knowledge refers to the information available to an attacker about its target. In terms of IOI, knowledge can be described by the probability of one or more IOIs. We refer to any prior information available to an attacker about a specific target as background knowledge. 4. Privacy Privacy is a fundamental human right. The most common definition of privacy is the one by Alan Westin: "Pivacy is the claim of individuals, groups and institutions to determine for themesleves, when, how and to what extent information about them is communicated to others". Privacy is a general term that involves several different aspects. These aspects enable features like hiding the node's address(es) (e.g., MAC and/or IP), name(s) (e.g., DNS), and/or location(s), in addition to hiding specific IOIs. One or more of these features can be obtained during one particular session. In wireless telecommunications, privacy addresses especially the protection of the content as well as the context (e.g., time, location, type of service, ...) of a communication event. Consequently, neither the mobile node nor its system software shall support the creation of user-related usage profiles. Such profiles basically comprise of a correlation of time and location of the node's use, as well as the type and details of the transaction performed. The main privacy aspects are the anonymity, unlinkability, Haddad, Nordmark Expires March 2006 [Page 3] INTERNET-DRAFT Privacy Terminology October 2005 unobservability and pseudonymity. Note that privacy can even be achieved by disconnectivity, i.e., not being connected to a network. 5. Location Privacy Location privacy is the ability to prevent other parties from learning one's current and/or past location. In order to get such ability, the concerned (i.e., targeted :) node must conceal any relation between its location and the personal identifiable information. In our context, location privacy refers normally to the topological location and not the geographic one. The latter is provided by other means (e.g., GPS) than an IPv6 address. But it should be noted that it may be possible sometimes to deduce the geographical location from the topological one. 6. Privacy Aspects As mentioned above, privacy is a general term, which refers to many different aspects. In the following, we define the main privacy aspects and describe the different relations between them. 6.1. Anonymity Anonymity is the state of being not uniquely characterized, i.e., identifiable, within a set of subjects (e.g., node, user) called the anonymity set. The set of possible subjects depends on the knowledge of the attacker and may vary over time. Thus, anonymity is relative with respect to the attacker and is very much context dependent. In the security field, anonymity is a property of network security. An entity "A" in a set has anonymity if no other entity can identify "A", nor is there any link back to "A" that can be used, nor any way to verify that any two anonymous act are performed by "A". From a user perspective, anonymity ensures that a user may use Haddad, Nordmark Expires March 2006 [Page 4] INTERNET-DRAFT Privacy Terminology October 2005 a resource or service without disclosing the user's identity. In wireless networks, anonymity means that neither the mobile node nor its system shall by default expose any information, that allows any conclusions on the owner or current use of the node. Consequently, in scenarios where a device and/or network identifiers are used (e.g., MAC address, IP address), neither the communication partner nor any outside attacker should be able to disclose any possible link between the respective identifier and the user's identity. 6.2. Unlinkability Unlinkability of two or more IOIs means that from an attacker's perspective, these IOIs are no more and no less related after his observation than they are related concerning his background knowledge. For example, two messages (e.g., binding updates) are unlinkable for an attacker if the a-posteriori probability describing his background knowledge that these two messages are sent by the same sender and/or received by the same recipient is the same as the probability imposed by his a-priori knowledge. From a user perspective, unlinkability ensures that a user may make multiple uses of resources or services without other being able to link these uses together. 6.3. Unobservability Unobservability is the state of IOIs being indistinguishable from any IOI. This means that messages are not discernable from e.g., random noise. Consequently, unobservability deals with events instead of subjects. From a user perspective, unobservability ensures that a user may use a resource or service without others, especially third parties, being able to observe that the resource or service is being used. Haddad, Nordmark Expires March 2006 [Page 5] INTERNET-DRAFT Privacy Terminology October 2005 6.4. Relation between Anonymity and Unlinkability In terms of unlinkability, anonymity can be defined as the unlikability of an IOI and any identifier of a subject. Consequently, unlinkability is a sufficient condition of anonymity but is not a necessary condition. 6.5. Pseudonymity Pseudonymity is a weaker property related to anonymity. It means that one cannot identify an entity, but it may be possible to prove that two pseudonyms acts were performed by the same entity. From a user perspective, pseudonymity ensures that a user may use a resource or service without disclosing its user identity, but can still be accountable for that use. Consequently, a pseudonym is an identifier for a party to a transaction, which is not in the normal course of events, sufficient to associate the transaction with a particular user. Hence a transaction is pseudonymous in relation to a particular party if the transaction data contains no direct identifier for that party, and can only be related to them in the event that a very specific piece of additional data is associated with it. For more literature about the privacy terminology content, please refer to [ANON], [ISO99], [PRIVNG], [FREEDOM] and [ANON-PRIV]Ã. 7. Security Considerations This document presents only terminology. There are no security issues in this document. Haddad, Nordmark Expires March 2006 [Page 6] INTERNET-DRAFT Privacy Terminology October 2005 8. References [ANON] A. Pfitzmann et al. "Anonymity, Unobservability, Pseudonymity, and Identity Management - A Proposal for Terminology", Draft v0.23, Aout, 2005. [ANONPRIV] M. Schmidt, "Subscriptionless Mobile Networking: Anonymity and Privacy Aspects within Personal Area Networks", IEEE WCNC 2002. [Freedom] A.F. Westin, "Privacy and Freedom", Atheneum Press, New York, USA, 1967. [ISO99] ISO IS 15408, 1999, http://www.commoncriteria.org/ [LOPRIPEC] A. Beresfold, F. Stajano, "Location Privacy in Pervasive Computing", IEEE Pervasive Computing, 2(1):46-55, 2003 IEEE. [PRIV-NG] A. Escudero-Pascual, "Privacy in the Next Generation Internet", December 2002. 9. Authors' Addresses Wassim Haddad Ericsson Research 8400, Decarie Blvd Town of Mount Royal Quebec H4P 2N2 Canada Phone: +1 514 345 7900 E-Mail: Wassim.Haddad@ericsson.com Erik Nordmark Sun Microsystems, Inc 17 Network Circle Moutain View, CA USA Haddad, Nordmark Expires March 2006 [Page 7] INTERNET-DRAFT Privacy Terminology October 2005 Phone: +1 650 786 2921 Fax: +1 650 786 5896 E-Mail: Erik.Nordmark@sun.com Haddad, Nordmark Expires March 2006 [Page 8] INTERNET-DRAFT Privacy Terminology October 2005 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. The IETF has been notified of intellectual property rights claimed in regard to some or all of the specification contained in this document. For more information consult the online list of claimed rights. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Haddad, Nordmark Expires March 2006 [Page 9]