{"id":811,"date":"2007-06-20T05:10:23","date_gmt":"2007-06-20T13:10:23","guid":{"rendered":"\/?p=811"},"modified":"2007-06-25T10:13:21","modified_gmt":"2007-06-25T18:13:21","slug":"collusion-takes-effort-how-much","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=811","title":{"rendered":"Collusion takes effort; how much?"},"content":{"rendered":"<p><a href=\"http:\/\/www.google.ca\/search?hl=en&amp;q=eric+norman+madison&amp;meta=\">Eric Norman<\/a>, from University of Wisconsin, has a new blog called <a href=\"http:\/\/ejnorman.blogspot.com\/\">Fun with Metaphors<\/a> and an independent spirit that is attractive and informed. He weighs in to our recent discussion with <a href=\"http:\/\/ejnorman.blogspot.com\/2007\/06\/collusion-takes-effort-how-much.html\">Collusion takes effort<\/a>:<\/p>\n<blockquote><p>Now don&#39;t get me wrong here. I&#39;m all for protection of privacy. In fact, I have been credited by some as raising consciousness about 8 years ago (pre-Shibboleth) in the Internet2 community to the effect that privacy concerns need to be dealt with in the beginning and at a fundamental level instead of being grafted on later as an afterthought.<\/p>\n<p>There have been recent discussions in the blogosphere about various parties colluding to invade someone&#39;s privacy. What I would like to see during such discussions is a more ecological and risk-assessing approach. I&#39;ll try to elaborate.<\/p>\n<p>The other day, <a href=\"\/?p=804\"><font color=\"#336699\">Kim Cameron analyzed<\/font><\/a> sundry combinations of colluding parties and identity systems to find out what collusion is possible and what isn&#39;t. That&#39;s all well and good and useful. It answers questions about what&#39;s possible in a techno- and crypto- sense. However, I think there&#39;s more to the story.<\/p>\n<p>The essence of the rest of the story is that collusion takes effort and motivation on the part of the conspirators. 
Such effort would act as a deterrent to the formation of such conspiracies and might even make them not worthwhile.<\/p>\n<p>Just the fact that privacy violations would take collusion might be enough to inhibit them in some cases. This is a lightweight version of separation of duty &#8212; the nuclear launch scenario; make sure the decision to take action can&#39;t be unilateral.<\/p>\n<p>In some of the cases, not much is said about how the parties that are involved in such a conspiracy would find each other. In the case of RPs colluding with each other, how would one of the RPs even know that there&#39;s another RP to conspire with and who the other RP is? That would involve a search and I don&#39;t think they could just consult Google. It would take effort.<\/p>\n<p>Just today, <a href=\"http:\/\/www.identitywoman.net\/?p=601\"><font color=\"#336699\">Kaliya reported<\/font><\/a> another example. A court has held that email is subject to protection under the Fourth Amendment and therefore a subpoena is required for collusion. That takes a lot of effort.<\/p>\n<p>Anyway, the message here is that it is indeed useful to focus on just the technical and cryptographic possibilities. However, all that gets you is a yes\/no answer about what&#39;s possible and what&#39;s not. 
Don&#39;t forget to also include the effort it would actually take to make such collusions happen.<\/p><\/blockquote>\n<p>First of all, I agree that the technical and crypto possibilities are not the whole story of linkability. But they are a part of the story we do need to understand a lot more objectively than is currently the case. Clearly this applies to technical people, but I think the same goes for policy makers. Let&#39;s get to the point where the characteristics of the systems can be discussed without emotion or the bias of any one technology.<\/p>\n<p>Now let&#39;s turn to one of Eric&#39;s main points: the effort required for conspirators to collude would act as a deterrent to the formation of such conspiracies.<\/p>\n<p>First, part of what becomes evident is that with browser-based technologies like Liberty, WS-Federation and OpenID, NO collusion is actually necessary for the identity provider to &#8220;see everything&#8221; &#8211; in the sense of <a href=\"\/?p=812\">all aspects of the identity exchange<\/a>. That in itself may limit use cases. It also underlines the level of trust the user MUST place in such an IP. At the very minimum, all the users of the system need to be made aware of how this works. I&#39;m not sure that has been happening&#8230;<\/p>\n<p>Secondly, even if you blind the IP as to the identity of the RP, you clearly can&#39;t prevent the inverse, since the RP needs to know who has made the claims! Even so, I agree that this blinding represents something akin to &#8220;separation of duty&#8221;, making collusion a lot harder to get away with on a large scale.<\/p>\n<p>So I really am trying to set up this continuum to allow for &#8220;risk assessment&#8221; and concrete understanding of different use cases and benefits.&nbsp; 
In this regard Eric and I are in total agreement.<\/p>\n<p>As a concrete example of such risk assessment, people responsible for privacy in government have pointed out to me that their systems are tightly connected, and are often run by entities who provide services across multiple departments. They worry that in this case, collusion is very easy. Put another way, the separation of duties is too fragile.<\/p>\n<p>Assemble the audit logs and you collude. No more to it than that. This is why they see it as prudent to put in place a system with properties that make routine creation of super-dossiers more difficult. And why we need to understand our continuum.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Eric Norman argues that the effort required for identity conspirators to collude would act as a deterrent to the formation of such conspiracies.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,17,38,40,11],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/811"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=811"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/811\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=811"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https
:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=811"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=811"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}