Re: TOR and the Digital Freedom Conversation

["Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>]

This goes to my main point, Identity, TRUST, Privacy, and Accountability are
all interrelated.  There must be some basis of trust in authentication
services.

There is work being done in this area:
http://www.idmanagement.gov/approved-identity-providers


> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
> Sent: Wednesday, December 11, 2013 10:35 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation
>
> I think the trouble with this suggestion of privacy through authentication
is
> that there are many authenticating entities we do not trust to be good
> stewards of our information.  This is partly because they have been
> threatened or bought by the NSA and similar corporate interests, and that
is
> why we turn towards anonymity as a possible alternative to provide
privacy.
> Kevin
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Mark B
> Sent: Wednesday, December 11, 2013 9:52 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation
>
> I still believe that anonymity is the enemy of privacy online.  In my
opinion
> the only way to pull back from the current lack of privacy online is to
instate
> mechanisms that allow individuals and services to be held accountable for
> inappropriate behavior online.  It is not possible to interact online
socially or
> in business while maintaining anonymity.
>
> RE: case 1
> If there is authentication there is no anonymity, and lack of anonymity
dose
> not equal public disclosure.
>
> RE: case 2
> Anonymity in this case is an illusion.  During such a cash transaction you
show
> your face to people and increasingly video cameras.  (as was pointed out
by
> other posts).  It does however control which personal attributes are
shared
> during such transactions.
>
> Online, you cannot separate Identity, Trust, Privacy, and Accountability.
> They all interrelate.  When interacting online you must give up some
number
> of personal attributes.  This means you must know what entity is receiving
> these attributes, you must trust that entity to be a good steward of your
> information, and you must be able to hold that entity accountable if they
> abuse your information.   To have privacy you must have some measure of
> identity, trust, and accountability.
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Doty
> > Sent: Wednesday, December 11, 2013 8:27 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation
> >
> > On 12/10/2013 06:22 PM, Jones, Mark B wrote:
> > > There is a difference between 'Privacy' and 'Secrecy'
> >
> > You are correct that there is a difference, but they are not exclusive.
> > While the use of authentication and no anonymity may be an approach to
> > protecting published online information from those without access, it
> > does nothing to preserve privacy in the face of authorized but
> > unwanted access. Nor does it address the loss of privacy from complete
> > tracking
> > -- in fact, a true lack of anonymity would destroy privacy.
> >
> > Case 1: I want to store information in the cloud, but I want to retain
> > confidentiality of the data. This is a case where strong
> > authentication/no anonymity would be a viable approach, but there is
> > no reason to deny anonymity in a general sense. That is, strong
> > authentication can be used to establish an access control to a data
> > set without requiring that a person's identity be publicly disclosed.
> >
> > Case 2: I desire to have some privacy in my actions. Some degree of
> > anonymity is *required* to accomplish this. For example, if I buy some
> > books on medieval mysticism it used to be that a simple cash
> > transaction kept it essentially private. There are some caveats (if
> > the seller knows my personally then they will know I bought them, but
> > for a random person off the street it would be essentially anonymous).
> >
> > It is trivial to demonstrate a connection between privacy and anonymity.
> > Those promoting a police state are naturally against anonymity. Those
> > promoting privacy understand the utility of strong encryption and
> anonymity.
> > Tim Doty
> >
> >   Tor seems like it
> > > may lean toward the latter.
> > >
> > >
> > >
> > > I have found that the following site has a useful perspective on
> > > privacy
> > > issues:
> > https://urldefense.proofpoint.com/v1/url?u=http://www.privacilla.org/&;
> > k=
> yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2km
> >
> izyPIIFTSGui%2BBSZ5A%3D%0A&m=sj%2BUBsRFLKQEGdDFX3kSbUPcuAndal
> >
> zDoyXZ5xLKmwk%3D%0A&s=619dce364444d80b0d6ae91bc98a8926a9335302
> > 3015f61f7c1ffc8b2c57039e
> > > Here are some key quotes:
> > >
> > > "Importantly, privacy is a personal, subjective condition. One
> > > person
> > cannot
> > > decide for another what his or her sense of privacy should be."
> > >
> > > "While privacy is held up as one of our highest values, people also
> > > constantly share information about themselves by allowing others to
> > > see their faces, learn their names, learn what they own, and learn
> > > what they think. In fact, it is a desirable lack of privacy that
> > > allows people to interact with one another socially and in business.
> > > This does not mean
> that
> > > people should lose control over the information they want to keep
> private.
> > > It means that generalizations about privacy are almost always wrong."
> > https://urldefense.proofpoint.com/v1/url?u=http://www.privacilla.org/f
> > und
> amentals/whatisprivacy.html&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&
> >
> r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=sj%2B
> >
> UBsRFLKQEGdDFX3kSbUPcuAndalzDoyXZ5xLKmwk%3D%0A&s=7a230eb4725
> > 5307ec9137ecaab20a005e92bc778428196abf67c6439b6c3b868
> > > Also 'Privacy' is not the same as 'anonymity'.  It is my opinion
> > > that
> strong
> > > authentication and the lack of anonymity are the keys to improved
> privacy
> > > online.  Only with strong authentication can consumers and services
> > > be
> > held
> > > accountable for behavior online.
> > >
> > >
> > >
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeffrey Sabin
> > > Sent: Tuesday, December 10, 2013 2:24 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: [SECURITY] TOR and the Digital Freedom Conversation
> > >
> > >
> > >
> > > All,
> > >
> > >
> > >
> > > Given the wider US technology community discussions on online
> > > privacy
> > and
> > > monitoring - this seems to be very topical.  In case anyone was not
> aware,
> > > this story is taking place at Iowa State University with Tor being a
> > > relevant part of the discussion:
> https://urldefense.proofpoint.com/v1/url?u=http://www.insidehighered.c
> > o
> > m/news/2013/12/10/digital-freedom-groups-road-
> re&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVF
> >
> w2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=sj%2BUBsRFLKQEGdDFX3kSbUPcu
> >
> AndalzDoyXZ5xLKmwk%3D%0A&s=4d2958cf3df5a67e238c2fc3da779dbf047b
> > 3313ae9f54847ccad80228185d98
> > > cognition-sparks-legal-debate-iowa-state-u
> <https://urldefense.proofpoint.com/v1/url?u=http://www.insidehighered.
> > c om/ne> ws/2013/12/10/digital-freedom-groups-road-recognition-sparks-
> > legal-debate-io
> > > wa-state-
> u&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVF
> > w2kmiz
> > >
> yPIIFTSGui%2BBSZ5A%3D%0A&m=hnGoebKdLtnE2yvxLiQ0OlhXMu%2FRME
> > Vn0qZFzyM2pgE%3D%
> > >
> 0A&s=5dcb52d50601a7d4ddc3b0479ff3aa4491e442f9a0d830ba2ff5db38ae6c9
> > 762>
> > > and
> > https://urldefense.proofpoint.com/v1/url?u=https://www.eff.org/deeplin
> > k
> > s/2013/12/open-letter-urging-universities-
> encour&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtgl
> >
> yNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=sj%2BUBsRFLKQEGdDFX3kSb
> >
> UPcuAndalzDoyXZ5xLKmwk%3D%0A&s=289e34098442eb4685fcedadf76a0a5
> > c704df88dc95c422c78bfd5cb1f07008c
> > > age-conversation-about-online-privacy
> > <https://urldefense.proofpoint.com/v1/url?u=https://www.eff.org/deepli
> > n ks/20> 13/12/open-letter-urging-universities-encourage-conversation-
> > about-online-pr
> > >
> ivacy&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtgly
> > NVFw2kmizyPIIF
> > >
> TSGui%2BBSZ5A%3D%0A&m=hnGoebKdLtnE2yvxLiQ0OlhXMu%2FRMEVn0q
> > ZFzyM2pgE%3D%0A&s=
> > >
> 75b3522379697ac135dd77ae55292b93024c9c4ab21538dc9f8faf9b4a1fd56e>
> > > Realizing that this isn't necessarily new, but given this recent
> > > story,
> I am
> > > curious to know what others are doing or observing as it relates to
> > > Tor
> and
> > > it's discussion at your particular institution.
> > >
> > >
> > >
> > > Many thanks,
> > >
> > >
> > >
> > > Jeff
> > >
> > >
> > >
> > > Jeffrey D. Sabin
> > >
> > > DIRECTOR, COMMUNICATIONS AND NETWORK SERVICES
> > >
> > >
> > >
> > > oit
> > >
> > >
> > >
> > > Dial Center
> > >
> > > 2507 University Avenue    Des Moines, Iowa 50311-4505
> > >
> > > Tel  515.271.2935
> > >
> > > Fax 515.271.1938
> > >
> > > 1.800.44.DRAKE x2935
> > >
> > > E-mail jeff.sabin () drake edu

Attachment: smime.p7s
Description: