From 9dd188d5db766c23f21b5b0371e64b0acabe47a1 Mon Sep 17 00:00:00 2001 From: mirjak Date: Tue, 12 Sep 2023 10:50:57 +0200 Subject: [PATCH 1/4] Update draft-iab-privacy-partitioning.md fixes #36 This proposal puts more attention on the problem with data sharing. However, this was also covered to some extend. --- draft-iab-privacy-partitioning.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/draft-iab-privacy-partitioning.md b/draft-iab-privacy-partitioning.md index 82fa1c2..dbb9748 100644 --- a/draft-iab-privacy-partitioning.md +++ b/draft-iab-privacy-partitioning.md @@ -623,15 +623,19 @@ If the Oblivious Relay and Gateway collude, they can link Client identity and da for each request and response transaction by simply observing requests in transit. It is not currently possible to guarantee with technical protocol measures that two -entities are not colluding. However, there are some mitigations that can be applied +entities are not colluding. Further even if entities do not collude directly, if information +is revealed to another party, there might be no control about further collusion of data. +However, there are some mitigations that can be applied to reduce the risk of collusion happening in practice: -- Policy and contractual agreements between entities involved in partitioning, to disallow -logging or sharing of data, or to require auditing. +- Policy and contractual agreements between entities involved in partitioning to disallow +logging or sharing of data, as well as careful data minimization or annoymization when auditing is required. - Protocol requirements to make collusion or data sharing more difficult. - Adding more partitions and contexts, to make it increasingly difficult to collude with enough parties to recover identities. + + ## Violations by Insufficient Partitioning It is possible to define contexts that contain more than one type of user-specific information, 
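Review bot: The new bullet "as well as careful data minimization or annoymization when auditing is required" has a typo ("anonymization") and, more importantly, it replaces "or to require auditing" so that auditing is no longer listed as a mitigation in its own right; auditing verifies that the no-logging/no-sharing policy is actually followed, while minimization and anonymization limit the harm of data that must be logged, and the two should be kept as separate points rather than folded into one clause. The added sentence "Further even if entities do not collude directly, if information is revealed to another party, there might be no control about further collusion of data" needs a comma after "Further" and says "collusion of data" where it means combination of data by a downstream party; a clearer form is "Further, even if entities do not collude directly, data revealed to a third party may be combined by that party without either entity's control." The two blank lines added before "## Violations by Insufficient Partitioning" are stray whitespace and should be dropped.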
From 06e9505074ac4e8a821936fab9b799758bc636e5 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Tue, 12 Sep 2023 09:05:22 -0700 Subject: [PATCH 2/4] Update draft-iab-privacy-partitioning.md --- draft-iab-privacy-partitioning.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/draft-iab-privacy-partitioning.md b/draft-iab-privacy-partitioning.md index dbb9748..3f8e92e 100644 --- a/draft-iab-privacy-partitioning.md +++ b/draft-iab-privacy-partitioning.md @@ -634,8 +634,6 @@ logging or sharing of data, as well as careful data minimization or annoymizatio - Adding more partitions and contexts, to make it increasingly difficult to collude with enough parties to recover identities. - - ## Violations by Insufficient Partitioning It is possible to define contexts that contain more than one type of user-specific information, From 5d1813edbe5fc5b088fa2b3ee66e8053cc2e43a6 Mon Sep 17 00:00:00 2001 From: mirjak Date: Tue, 12 Sep 2023 18:10:36 +0200 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: Tommy Pauly --- draft-iab-privacy-partitioning.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-iab-privacy-partitioning.md b/draft-iab-privacy-partitioning.md index 3f8e92e..3d91a08 100644 --- a/draft-iab-privacy-partitioning.md +++ b/draft-iab-privacy-partitioning.md 
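Review bot: This hunk only removes the two blank lines that PATCH 1/4 introduced before "## Violations by Insufficient Partitioning"; it would be cleaner to squash it into that commit so the series does not add and then delete whitespace.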
@@ -623,9 +623,9 @@ If the Oblivious Relay and Gateway collude, they can link Client identity and da for each request and response transaction by simply observing requests in transit. It is not currently possible to guarantee with technical protocol measures that two -entities are not colluding. Further even if entities do not collude directly, if information -is revealed to another party, there might be no control about further collusion of data. -However, there are some mitigations that can be applied +entities are not colluding. Even if two entities do not collude directly, if both entities reveal +information to other parties, it will not be possible to guarantee that the information won't +be combined. However, there are some mitigations that can be applied to reduce the risk of collusion happening in practice: - Policy and contractual agreements between entities involved in partitioning to disallow From 04a466ad6ee241b40e4aac74ea0b739638583947 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Tue, 12 Sep 2023 09:30:43 -0700 Subject: [PATCH 4/4] Update draft-iab-privacy-partitioning.md --- draft-iab-privacy-partitioning.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/draft-iab-privacy-partitioning.md b/draft-iab-privacy-partitioning.md index 3d91a08..f8d9dd4 100644 --- a/draft-iab-privacy-partitioning.md +++ b/draft-iab-privacy-partitioning.md 
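Review bot: The rewritten sentence "if both entities reveal information to other parties, it will not be possible to guarantee that the information won't be combined" is clearer than the earlier wording, but "won't" is a contraction, which the rest of this draft avoids; use "will not". It would also help to make explicit that the "other parties" may be a single party that receives both halves, or parties that themselves share onward, since that is the case in which Client identity and data from the surrounding context get linked; this ties the sentence to the "sharing of data" clause in the policy bullet that follows.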
@@ -629,7 +629,9 @@ be combined. However, there are some mitigations that can be applied to reduce the risk of collusion happening in practice: - Policy and contractual agreements between entities involved in partitioning to disallow -logging or sharing of data, as well as careful data minimization or annoymization when auditing is required. +logging or sharing of data, along with auditing to validate that the policies are being followed. +For cases where logging is required (such as for service operation), such logged data should +be minimized and anonymized to prevent it from being useful for collusion. - Protocol requirements to make collusion or data sharing more difficult. - Adding more partitions and contexts, to make it increasingly difficult to collude with enough parties to recover identities.
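Review bot: The added text "such logged data should be minimized and anonymized to prevent it from being useful for collusion" restores auditing as a separate mitigation, which addresses the concern with PATCH 1/4, but minimization deserves one more specific: the context above notes that linking is possible "by simply observing requests in transit", so even logs stripped of identifiers remain linkable through timestamps and request ordering, and minimization should therefore also cover coarsening timestamps and bounding retention. Two small wording points: "such logged data" can be just "the logged data", and "data ... prevent it" mixes plural and singular, so either "data ... them" or "the log ... it".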