Eric Norman, from the University of Wisconsin, has a new blog called Fun with Metaphors and an independent spirit that is attractive and informed. He weighs in on our recent discussion with Collusion takes effort:
Now don't get me wrong here. I'm all for protection of privacy. In fact, I have been credited by some as raising consciousness about 8 years ago (pre-Shibboleth) in the Internet2 community to the effect that privacy concerns need to be dealt with in the beginning and at a fundamental level instead of being grafted on later as an afterthought.
There have been recent discussions in the blogosphere about various parties colluding to invade someone's privacy. What I would like to see during such discussions is a more ecological and risk-assessing approach. I'll try to elaborate.
The other day, Kim Cameron analyzed sundry combinations of colluding parties and identity systems to find out what collusion is possible and what isn't. That's all well and good and useful. It answers questions about what's possible in a techno- and crypto- sense. However, I think there's more to the story.
The essence of the rest of the story is that collusion takes effort and motivation on the part of the conspirators. Such effort would act as a deterrent to the formation of such conspiracies and might even make them not worthwhile.
Just the fact that privacy violations would take collusion might be enough to inhibit them in some cases. This is a lightweight version of separation of duty — the nuclear launch scenario; make sure the decision to take action can't be unilateral.
In some of the cases, not much is said about how the parties that are involved in such a conspiracy would find each other. In the case of RPs colluding with each other, how would one of the RPs even know that there's another RP to conspire with and who the other RP is? That would involve a search and I don't think they could just consult Google. It would take effort.
Just today, Kaliya reported another example. A court has held that email is subject to protection under the Fourth Amendment and therefore a subpoena is required for collusion. That takes a lot of effort.
Anyway, the message here is that it is indeed useful to focus on just the technical and cryptographic possibilities. However, all that gets you is a yes/no answer about what's possible and what's not. Don't forget to also include the effort it would actually take to make such collusions happen.
First of all, I agree that the technical and crypto possibilities are not the whole story of linkability. But they are a part of the story we do need to understand a lot more objectively than is currently the case. Clearly this applies to technical people, but I think the same goes for policy makers. Let's get to the point where the characteristics of the systems can be discussed without emotion or the bias of any one technology.
Now let's turn to one of Eric's main points: the effort required for conspirators to collude would act as a deterrent to the formation of such conspiracies.
First, part of what becomes evident is that with browser-based technologies like Liberty, WS-Federation and OpenID, NO collusion is actually necessary for the identity provider to “see everything” – in the sense of all aspects of the identity exchange. That in itself may limit use cases. It also underlines the level of trust the user MUST place in such an IP. At the very minimum, all the users of the system need to be made aware of how this works. I'm not sure that has been happening…
Secondly, even if you blind the IP as to the identity of the RP, you clearly can't prevent the inverse, since the RP needs to know who has made the claims! Even so, I agree that this blinding represents something akin to “separation of duty”, making collusion a lot harder to get away with on a large scale.
So I really am trying to set up this continuum to allow for “risk assessment” and concrete understanding of different use cases and benefits. In this regard Eric and I are in total agreement.
As a concrete example of such risk assessment, people responsible for privacy in government have pointed out to me that their systems are tightly connected, and are often run by entities who provide services across multiple departments. They worry that in this case, collusion is very easy. Put another way, the separation of duties is too fragile.
Assemble the audit logs and you collude. No more to it than that. This is why they see it as prudent to put in place a system with properties that make routine creation of super-dossiers more difficult. And why we need to understand our continuum.
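To make the "assemble the audit logs and you collude" point concrete, here is an added toy simulation (my illustration, not code from this post, from Eric, or from any of the federation systems named above). It constructs a few login records for an identity provider (IP) and two hypothetical relying parties (rp-bank, rp-health), then shows what each combination of colluders can reconstruct by joining the logs on the identifier that was exchanged. Two design knobs are assumed for the sake of the example: whether the IP hands out one global identifier or a per-RP pairwise pseudonym (derived here with an HMAC under a hypothetical IP key), and whether the IP is blinded to which RP the user is visiting. The user names, RP names, secret and log layout are all constructed.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample data for the example (not taken from the post).
RPS = ["rp-bank", "rp-health"]
IP_SECRET = b"hypothetical-idp-pairwise-key"  # assumed per-IP secret
VISITS = [("alice", "rp-bank"), ("alice", "rp-health"),
          ("bob", "rp-bank"), ("carol", "rp-health")]


def pseudonym(user, rp, scheme):
    """Identifier the RP ends up with. 'global' reuses one id at every RP;
    'pairwise' derives a per-RP id that RPs cannot relate to each other."""
    if scheme == "global":
        return user
    mac = hmac.new(IP_SECRET, f"{user}|{rp}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def run_session(user, rp, scheme, blind_ip):
    """One browser-based login; returns (ip_log_entry, rp_log_entry).
    Assumption for this toy: when the IP is blinded it still records the
    pseudonym it issued claims under, but never learns the RP's name."""
    pid = pseudonym(user, rp, scheme)
    ip_entry = {"user": user, "rp": None if blind_ip else rp, "pid": pid}
    rp_entry = {"rp": rp, "pid": pid}
    return ip_entry, rp_entry


def generate_logs(scheme, blind_ip):
    """Build the IP's audit log and one audit log per RP for VISITS."""
    ip_log, rp_logs = [], defaultdict(list)
    for user, rp in VISITS:
        ip_e, rp_e = run_session(user, rp, scheme, blind_ip)
        ip_log.append(ip_e)
        rp_logs[rp].append(rp_e)
    return ip_log, dict(rp_logs)


def rps_collude(rp_logs):
    """RPs pool their logs and join on the identifier: returns the
    identifiers that appear at more than one RP (i.e. linkable users)."""
    seen = defaultdict(set)
    for rp, entries in rp_logs.items():
        for e in entries:
            seen[e["pid"]].add(rp)
    return {pid for pid, rps in seen.items() if len(rps) > 1}


def ip_alone(ip_log):
    """What the IP learns by itself: which RPs each user visited.
    With the IP blinded to the RP, this view is empty."""
    view = defaultdict(set)
    for e in ip_log:
        if e["rp"] is not None:
            view[e["user"]].add(e["rp"])
    return dict(view)


def ip_and_rps_collude(ip_log, rp_logs):
    """IP plus RPs: the IP resolves every pseudonym back to a user, so the
    full dossier is assembled whatever the identifier scheme or blinding."""
    mapping = {e["pid"]: e["user"] for e in ip_log}
    dossier = defaultdict(set)
    for rp, entries in rp_logs.items():
        for e in entries:
            dossier[mapping[e["pid"]]].add(rp)
    return dict(dossier)


if __name__ == "__main__":
    for scheme, blind in [("global", False), ("pairwise", False), ("pairwise", True)]:
        ip_log, rp_logs = generate_logs(scheme, blind)
        print(f"scheme={scheme} blind_ip={blind}")
        print("  RPs alone link:   ", rps_collude(rp_logs))
        print("  IP alone sees:    ", ip_alone(ip_log))
        print("  IP + RPs assemble:", ip_and_rps_collude(ip_log, rp_logs))
```

Running it shows the continuum the post is after: with a global identifier two RPs link alice by a simple join and need no help from the IP; with pairwise pseudonyms the RP-only join yields nothing, but the IP alone still sees every user's full list of RPs; blinding the IP empties its own view, yet the moment the IP and an RP pool logs the dossier is complete again. The join itself is a handful of dictionary lookups, which is exactly why tightly connected systems run by one operator make this kind of separation of duty fragile.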