Educause Security Discussion mailing list archives
Re: TOR and the Digital Freedom Conversation
From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Wed, 11 Dec 2013 12:41:11 -0600
The question is, what is a reasonable amount of privacy? This will be different for everyone and will also vary by situation. If you want anonymity you have to go live in the wilderness without utilities or communication. The key to improving privacy is being able to choose as an individual how much privacy you are giving up in order to interact.

I believe the assertion on privacilla.org that "it is a desirable lack of privacy that allows people to interact with one another socially and in business." Anonymity only impedes social and business interactions. If we want to enable social and business interactions online we must come up with mechanisms that allow individuals to manage how much privacy they are willing to give up in order to interact. This cannot be done with increased anonymity. It must be done by establishing an appropriate balance of Identity, Trust, and Accountability.

Volkswagen has a great commercial that unintentionally illustrates how anonymity adversely affects trust and accountability and hinders social and business interactions: http://www.youtube.com/watch?v=3fuijhUn0pk
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Doty
Sent: Wednesday, December 11, 2013 11:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation

On 12/11/2013 11:15 AM, Jones, Mark B wrote:
> This goes to my main point, Identity, TRUST, Privacy, and Accountability are all interrelated. There must be some basis of trust in authentication services.

You are absolutely right. And the work of NSA/NIST has gone some distance to undermine trust.

I would never argue that they aren't interrelated, but to claim that privacy can be maintained through authentication is simply not true. I pointed out a trivial to understand case but maybe it wasn't trivial enough?

As Joel pointed out, ubiquitous surveillance hurts privacy. And anonymity will always be involved to some degree in maintaining any meaningful privacy. They may make security work more difficult, but TIA doesn't really make it any easier, either. TIA should really be TMI.

In the end there is a need for balance where normal citizens have a reasonable amount of privacy.

Tim Doty

> There is work being done in this area:
> http://www.idmanagement.gov/approved-identity-providers

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
Sent: Wednesday, December 11, 2013 10:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation

I think the trouble with this suggestion of privacy through authentication is that there are many authenticating entities we do not trust to be good stewards of our information. This is partly because they have been threatened or bought by the NSA and similar corporate interests, and that is why we turn towards anonymity as a possible alternative to provide privacy.

Kevin

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Mark B
Sent: Wednesday, December 11, 2013 9:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation

I still believe that anonymity is the enemy of privacy online. In my opinion the only way to pull back from the current lack of privacy online is to instate mechanisms that allow individuals and services to be held accountable for inappropriate behavior online. It is not possible to interact online socially or in business while maintaining anonymity.

RE: case 1
If there is authentication there is no anonymity, and lack of anonymity does not equal public disclosure.

RE: case 2
Anonymity in this case is an illusion. During such a cash transaction you show your face to people and increasingly video cameras (as was pointed out by other posts). It does however control which personal attributes are shared during such transactions.

Online, you cannot separate Identity, Trust, Privacy, and Accountability. They all interrelate. When interacting online you must give up some number of personal attributes. This means you must know what entity is receiving these attributes, you must trust that entity to be a good steward of your information, and you must be able to hold that entity accountable if they abuse your information. To have privacy you must have some measure of identity, trust, and accountability.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Doty
Sent: Wednesday, December 11, 2013 8:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation

On 12/10/2013 06:22 PM, Jones, Mark B wrote:
> There is a difference between 'Privacy' and 'Secrecy'.

You are correct that there is a difference, but they are not exclusive. While the use of authentication and no anonymity may be an approach to protecting published online information from those without access, it does nothing to preserve privacy in the face of authorized but unwanted access. Nor does it address the loss of privacy from complete tracking -- in fact, a true lack of anonymity would destroy privacy.

Case 1: I want to store information in the cloud, but I want to retain confidentiality of the data. This is a case where strong authentication/no anonymity would be a viable approach, but there is no reason to deny anonymity in a general sense. That is, strong authentication can be used to establish an access control to a data set without requiring that a person's identity be publicly disclosed.

Case 2: I desire to have some privacy in my actions. Some degree of anonymity is *required* to accomplish this. For example, if I buy some books on medieval mysticism it used to be that a simple cash transaction kept it essentially private. There are some caveats (if the seller knows me personally then they will know I bought them, but for a random person off the street it would be essentially anonymous).

It is trivial to demonstrate a connection between privacy and anonymity. Those promoting a police state are naturally against anonymity. Those promoting privacy understand the utility of strong encryption and anonymity.

Tim Doty

> Tor seems like it may lean toward the latter. I have found that the following site has a useful perspective on privacy issues:
> http://www.privacilla.org/
>
> Here are some key quotes:
>
> "Importantly, privacy is a personal, subjective condition. One person cannot decide for another what his or her sense of privacy should be."
>
> "While privacy is held up as one of our highest values, people also constantly share information about themselves by allowing others to see their faces, learn their names, learn what they own, and learn what they think. In fact, it is a desirable lack of privacy that allows people to interact with one another socially and in business. This does not mean that people should lose control over the information they want to keep private. It means that generalizations about privacy are almost always wrong."
> http://www.privacilla.org/fundamentals/whatisprivacy.html
>
> Also 'Privacy' is not the same as 'anonymity'. It is my opinion that strong authentication and the lack of anonymity are the keys to improved privacy online. Only with strong authentication can consumers and services be held accountable for behavior online.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeffrey Sabin
Sent: Tuesday, December 10, 2013 2:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] TOR and the Digital Freedom Conversation

All,

Given the wider US technology community discussions on online privacy and monitoring - this seems to be very topical. In case anyone was not aware, this story is taking place at Iowa State University with Tor being a relevant part of the discussion:

http://www.insidehighered.com/news/2013/12/10/digital-freedom-groups-road-recognition-sparks-legal-debate-iowa-state-u

and

https://www.eff.org/deeplinks/2013/12/open-letter-urging-universities-encourage-conversation-about-online-privacy

Realizing that this isn't necessarily new, but given this recent story, I am curious to know what others are doing or observing as it relates to Tor and its discussion at your particular institution.

Many thanks,
Jeff

Jeffrey D. Sabin
DIRECTOR, COMMUNICATIONS AND NETWORK SERVICES
oit
Dial Center
2507 University Avenue
Des Moines, Iowa 50311-4505
Tel 515.271.2935
Fax 515.271.1938
1.800.44.DRAKE x2935
E-mail jeff.sabin () drake edu