{"id":794,"date":"2007-06-03T22:08:49","date_gmt":"2007-06-04T06:08:49","guid":{"rendered":"\/?p=794"},"modified":"2007-07-17T17:11:32","modified_gmt":"2007-07-18T01:11:32","slug":"linkage-and-identification","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=794","title":{"rendered":"Linkage and identification"},"content":{"rendered":"<p>Inspired by some of <a href=\"http:\/\/www.links.org\/?p=233\">Ben Laurie&#39;s<\/a> recent <a href=\"http:\/\/www.links.org\/files\/selective-disclosure.pdf\">postings<\/a>,&nbsp;I&nbsp;want to continue&nbsp;exploring the issues of&nbsp;privacy and linkability (see related pieces <a href=\"\/?p=780\">here<\/a> and <a href=\"\/?p=778\">here<\/a>).&nbsp;<\/p>\n<p>I have explained that CardSpace is a way of selecting and transferring a relevant digital identity &#8211; not a crypto system; and that the privacy characteristics involved depend on the nature of the transaction and the identity provider being used within CardSpace &#8211; not on CardSpace itself.&nbsp;&nbsp; I ended my last piece this way:<\/p>\n<blockquote><p>The question now becomes that of how identity providers behave.&nbsp; Given&nbsp;that suddenly they&nbsp;have no visibility onto the relying party, is linkability still possible?<\/p><\/blockquote>\n<p>But before zeroing in on specific technologies,&nbsp;I want&nbsp;to&nbsp;drill into two issues.&nbsp; First is&nbsp;the meaning of &#8220;identification&#8221;;&nbsp;and second, the meaning of &#8220;linkability&#8221; and&nbsp;its related concept of &#8220;traceability&#8221;.&nbsp;&nbsp;<\/p>\n<p>Doing&nbsp;this will allow us to&nbsp;describe different types of linkage, and&nbsp;set up&nbsp;our look at&nbsp;how different cryptographic approaches and transactional architectures relate to them.<\/p>\n<p><strong>Identification<\/strong>&nbsp;<\/p>\n<p>There has been much discussion of identification (which, for those new to this world, is&nbsp;not at all the same as&nbsp;digital 
identity).&nbsp; I would like to take up the definitions used in the EU Data Protection Directive, which have been nicely summarized <a href=\"http:\/\/www.cbpweb.nl\/downloads_technologie\/PISA_handboek.pdf\" class=\"broken_link\">here<\/a>, but add a few clarifications.&nbsp; First, we need to broaden the definition of&nbsp;&#8220;indirect identification&#8221; by dropping the requirement for unique attributes &#8211;&nbsp;as long as you end up with unambiguous identification.&nbsp; Second, we need to distinguish between identification as a technical phenomenon and personal identification.<\/p>\n<p>This leads to the following taxonomy:<\/p>\n<ul>\n<li>Personal data:\n<ul>\n<li>any piece of information regarding an identified or identifiable natural person.<\/li>\n<\/ul>\n<\/li>\n<li>Direct Personal Identification:\n<ul>\n<li>establishing that an entity is a specific natural person through use of basic&nbsp;personal data&nbsp;(e.g., name, address, etc.), plus a personal number, a widely known pseudo-identity, a biometric characteristic such as a fingerprint, PD, etc.<\/li>\n<\/ul>\n<\/li>\n<li>Indirect Personal Identification:\n<ul>\n<li>establishing that an entity is a specific natural person through other characteristics or attributes or a combination of both &#8211; in other words, to assemble&nbsp;&#8220;sufficiently identifying&#8221; information<\/li>\n<\/ul>\n<\/li>\n<li>Personal Non-Identification:\n<ul>\n<li>assumed if the amount and the nature of the indirectly identifying data are such that identification of the individual as a natural person is only possible with the application of disproportionate effort, or&nbsp;through the&nbsp;assistance&nbsp;of a third party outside the power and authority of the person responsible&#8230;&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Translating to the vocabulary we often use in the software industry, direct personal identification&nbsp;is done through&nbsp;a unique personal identifier assigned to a natural 
person.&nbsp; Indirect personal identification&nbsp;occurs when enough&nbsp;claims are released &#8211; unique or not &#8211; that linkage to a natural person can be accomplished.&nbsp; If linkage to a natural person is not possible, you&nbsp;have personal non-identification.&nbsp;&nbsp;We have added the word &#8220;personal&#8221; to each of these definitions so we could withstand the paradox that when pseudonyms are used,&nbsp;unique identifiers may in fact lead to personal non-identification&#8230;&nbsp;<\/p>\n<p>The notion of &#8220;disproportionate effort&#8221; is an important one.&nbsp;&nbsp;The basic idea is useful, with the proviso that&nbsp;when one controls&nbsp;computerized systems&nbsp;end-to-end one may accomplish&nbsp;very complicated tasks, computations and correlations very easily &#8211; and this does not in itself constitute &#8220;disproportionate effort&#8221;.<\/p>\n<p><strong>Linkability<\/strong><\/p>\n<p>If you search for &#8220;linkability&#8221;, you will find that about&nbsp;half the&nbsp;hits refer to the characteristics that make people want to link to your web site.&nbsp; That&#39;s NOT what&#39;s being discussed here.<\/p>\n<p>Instead, we&#39;re talking about being able to link one transaction to another.<\/p>\n<p>The first time I heard the word used this way was in reference to the E-Cash systems of the eighties.&nbsp; With physical cash, you can walk into a store and buy something with one coin,&nbsp;later buy something else with another coin, and be assured there is no linkage between the two transactions that is caused by the coins themselves.&nbsp;<\/p>\n<p>This quality is hard to achieve with electronic payments.&nbsp; Think of how a credit card or debit card or bank account works.&nbsp; Use the same credit card for two transactions and you create an electronic trail that connects them together.<\/p>\n<p>E-Cash was proposed as a means of getting 
characteristics&nbsp;similar to&nbsp;those of the physical world when dealing with electronic transactions.&nbsp; Non-linkability was the concept introduced to describe this.&nbsp; Over time it has become a key concept of privacy research, which models all identity transactions as involving&nbsp;similar basic issues.<\/p>\n<p>Linkability is&nbsp;closely related to&nbsp;traceability.&nbsp; By traceability people are talking about being able to follow a transaction through all its phases by collecting transaction information and&nbsp;having some way of identifying the transaction payload&nbsp;as it moves through the system.<\/p>\n<p>Traceability is often explicitly sought.&nbsp; For example, with credit card purchases, there is a transaction identifier which ties the same event together across the computer systems of the&nbsp;participating banks, clearing house and&nbsp;merchant.&nbsp; This is certainly considered &#8220;a feature.&#8221;&nbsp; There are other,&nbsp;subtler, sometimes unintended,&nbsp;ways of achieving traceability (timestamps and the like).&nbsp;<\/p>\n<p>Once you can link two transactions, many different outcomes may result.&nbsp; Two transactions conveying direct personal identification might be linked.&nbsp; Or, a transaction initially characterized&nbsp;by personal non-identification may suddenly become subject to indirect personal identification.<\/p>\n<p>To further facilitate the discussion, I think we should distinguish various types of linking:<\/p>\n<ul>\n<li>Intra-transaction linking is&nbsp;the&nbsp;product of&nbsp;traceability, and&nbsp;provides visibility between&nbsp;the claims issuer, the user presenting the claims, and the relying party&nbsp; (for example, credit card transaction number).<\/li>\n<li>Single-site&nbsp;transaction linking&nbsp;associates&nbsp;a number of transactions at a single site with a data subject.&nbsp; The phrase &#8220;data subject&#8221; is used&nbsp;to&nbsp;clarify that&nbsp;no linking is implied&nbsp;between 
the transactions and any &#8220;natural person&#8221;.<\/li>\n<li>Multi-site transaction linking associates linked transactions at one site with those at another site.<\/li>\n<li>Natural person linking associates a data subject with a natural person.<\/li>\n<\/ul>\n<p>Next time&nbsp;I will use these ideas to help explain how specific crypto systems and protocol approaches impact privacy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The implications of being able to link one transaction to another&#8230;<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[37,6,17,47,11],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/794"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=794"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/794\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}