Educause Security Discussion mailing list archives

Re: TOR and the Digital Freedom Conversation


From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Wed, 11 Dec 2013 12:41:11 -0600

The question is, what is a reasonable amount of privacy?  This will be
different for everyone and will also vary by situation.
If you want anonymity you have to go live in the wilderness without
utilities or communication.

The key to improving privacy is being able to choose as an individual how
much privacy you are giving up in order to interact.  I believe the
assertion on privacilla.org that "it is a desirable lack of privacy that
allows people to interact with one another socially and in business."
Anonymity only impedes social and business interactions.  If we want to
enable social and business interactions online we must come up with
mechanisms that allow individuals to manage how much privacy they are
willing to give up in order to interact.  This cannot be done with increased
anonymity.  It must be done by establishing an appropriate balance of
Identity, Trust, and Accountability.

Volkswagen has a great commercial that unintentionally illustrates how
anonymity adversely affects trust and accountability and hinders social and
business interactions:  http://www.youtube.com/watch?v=3fuijhUn0pk


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Doty
Sent: Wednesday, December 11, 2013 11:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation

On 12/11/2013 11:15 AM, Jones, Mark B wrote:
This goes to my main point, Identity, TRUST, Privacy, and Accountability are
all interrelated.  There must be some basis of trust in authentication
services.

You are absolutely right. And the work of NSA/NIST has gone some
distance to undermine trust.

I would never argue that they aren't interrelated, but to claim that
privacy can be maintained through authentication is simply not true. I
pointed out a trivial to understand case but maybe it wasn't trivial
enough?

As Joel pointed out, ubiquitous surveillance hurts privacy. And
anonymity will always be involved to some degree in maintaining any
meaningful privacy. They may make security work more difficult, but TIA
doesn't really make it any easier, either. TIA should really be TMI. In
the end there is a need for balance where normal citizens have a
reasonable amount of privacy.

Tim Doty



There is work being done in this area:

https://urldefense.proofpoint.com/v1/url?u=http://www.idmanagement.gov/approved-identity-providers&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=t3QZBJ4ZAsUqcbbljjZjf6s2ZV9XjVEgRJycuK%2BIi34%3D%0A&s=c4b81054593ad649679cba296a7b55e270bf1ae29bf569e2791af2ed5981c3d7


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
Sent: Wednesday, December 11, 2013 10:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation

I think the trouble with this suggestion of privacy through authentication
is that there are many authenticating entities we do not trust to be good
stewards of our information.  This is partly because they have been
threatened or bought by the NSA and similar corporate interests, and that
is why we turn towards anonymity as a possible alternative to provide
privacy.

Kevin


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Mark B
Sent: Wednesday, December 11, 2013 9:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation

I still believe that anonymity is the enemy of privacy online.  In my
opinion the only way to pull back from the current lack of privacy online
is to instate mechanisms that allow individuals and services to be held
accountable for inappropriate behavior online.  It is not possible to
interact online socially or in business while maintaining anonymity.

RE: case 1
If there is authentication there is no anonymity, and lack of anonymity
does not equal public disclosure.

RE: case 2
Anonymity in this case is an illusion.  During such a cash transaction you
show your face to people and increasingly video cameras.  (as was pointed
out by other posts).  It does however control which personal attributes are
shared during such transactions.

Online, you cannot separate Identity, Trust, Privacy, and Accountability.
They all interrelate.  When interacting online you must give up some number
of personal attributes.  This means you must know what entity is receiving
these attributes, you must trust that entity to be a good steward of your
information, and you must be able to hold that entity accountable if they
abuse your information.   To have privacy you must have some measure of
identity, trust, and accountability.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Doty
Sent: Wednesday, December 11, 2013 8:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation

On 12/10/2013 06:22 PM, Jones, Mark B wrote:
There is a difference between 'Privacy' and 'Secrecy'

You are correct that there is a difference, but they are not exclusive.
While the use of authentication and no anonymity may be an approach to
protecting published online information from those without access, it
does nothing to preserve privacy in the face of authorized but
unwanted access. Nor does it address the loss of privacy from complete
tracking -- in fact, a true lack of anonymity would destroy privacy.

Case 1: I want to store information in the cloud, but I want to retain
confidentiality of the data. This is a case where strong
authentication/no anonymity would be a viable approach, but there is
no reason to deny anonymity in a general sense. That is, strong
authentication can be used to establish an access control to a data
set without requiring that a person's identity be publicly disclosed.

Case 2: I desire to have some privacy in my actions. Some degree of
anonymity is *required* to accomplish this. For example, if I buy some
books on medieval mysticism it used to be that a simple cash
transaction kept it essentially private. There are some caveats (if
the seller knows me personally then they will know I bought them, but
for a random person off the street it would be essentially anonymous).

It is trivial to demonstrate a connection between privacy and anonymity.
Those promoting a police state are naturally against anonymity. Those
promoting privacy understand the utility of strong encryption and
anonymity.

Tim Doty

Tor seems like it may lean toward the latter.



I have found that the following site has a useful perspective on privacy
issues:

https://urldefense.proofpoint.com/v1/url?u=http://www.privacilla.org/&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=sj%2BUBsRFLKQEGdDFX3kSbUPcuAndalzDoyXZ5xLKmwk%3D%0A&s=619dce364444d80b0d6ae91bc98a8926a93353023015f61f7c1ffc8b2c57039e

Here are some key quotes:

"Importantly, privacy is a personal, subjective condition. One person
cannot decide for another what his or her sense of privacy should be."

"While privacy is held up as one of our highest values, people also
constantly share information about themselves by allowing others to
see their faces, learn their names, learn what they own, and learn
what they think. In fact, it is a desirable lack of privacy that
allows people to interact with one another socially and in business.
This does not mean that people should lose control over the information
they want to keep private. It means that generalizations about privacy
are almost always wrong."



https://urldefense.proofpoint.com/v1/url?u=http://www.privacilla.org/fundamentals/whatisprivacy.html&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=sj%2BUBsRFLKQEGdDFX3kSbUPcuAndalzDoyXZ5xLKmwk%3D%0A&s=7a230eb47255307ec9137ecaab20a005e92bc778428196abf67c6439b6c3b868



Also 'Privacy' is not the same as 'anonymity'.  It is my opinion that
strong authentication and the lack of anonymity are the keys to improved
privacy online.  Only with strong authentication can consumers and services
be held accountable for behavior online.



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeffrey Sabin
Sent: Tuesday, December 10, 2013 2:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] TOR and the Digital Freedom Conversation



All,



Given the wider US technology community discussions on online privacy and
monitoring - this seems to be very topical.  In case anyone was not aware,
this story is taking place at Iowa State University with Tor being a
relevant part of the discussion:






https://urldefense.proofpoint.com/v1/url?u=http://www.insidehighered.com/news/2013/12/10/digital-freedom-groups-road-recognition-sparks-legal-debate-iowa-state-u&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=hnGoebKdLtnE2yvxLiQ0OlhXMu%2FRMEVn0qZFzyM2pgE%3D%0A&s=5dcb52d50601a7d4ddc3b0479ff3aa4491e442f9a0d830ba2ff5db38ae6c9762



and





https://urldefense.proofpoint.com/v1/url?u=https://www.eff.org/deeplinks/2013/12/open-letter-urging-universities-encourage-conversation-about-online-privacy&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=hnGoebKdLtnE2yvxLiQ0OlhXMu%2FRMEVn0qZFzyM2pgE%3D%0A&s=75b3522379697ac135dd77ae55292b93024c9c4ab21538dc9f8faf9b4a1fd56e



Realizing that this isn't necessarily new, but given this recent story,
I am curious to know what others are doing or observing as it relates to
Tor and its discussion at your particular institution.



Many thanks,



Jeff



Jeffrey D. Sabin

DIRECTOR, COMMUNICATIONS AND NETWORK SERVICES



oit



Dial Center

2507 University Avenue    Des Moines, Iowa 50311-4505

Tel  515.271.2935

Fax 515.271.1938

1.800.44.DRAKE x2935

E-mail jeff.sabin () drake edu




