Minutes of the 2022-09-28 IAB Technical Discussion

1. Administrivia

1.1. Attendance

Present:

Deborah Brungard
Lars Eggert (IETF Chair)
Liz Flynn (IETF Secretariat)
Wes Hardaker
Cullen Jennings
Mirja Kühlewind (IAB Chair)
Warren Kumari (IESG Liaison)
Zhenbin Li
Cindy Morgan (IAB Executive Administrative Manager)
Karen O’Donoghue (ISOC Liaison)
Tommy Pauly
David Schinazi
Russ White
Greg Wood (IETF Director of Communications and Operations)
Qin Wu
Jiankang Yao

Regrets:

Jari Arkko
Mallory Knodel
Colin Perkins (IRTF Chair)

Observers:

Mark McFadden

1.2. Agenda bash and announcements

No new items were added to the agenda.

2. Technical Discussion: Data Privacy

Tommy Pauly and Mirja Kühlewind presented an early version of an Internet-Draft on “Partitioning as an Architecture for Privacy.” The draft describes the principle of privacy partitioning, which selectively spreads data and communication across multiple parties as a means to improve the privacy by separating user identity from user actions. This document describes emerging patterns in protocols to partition what data and metadata is revealed through protocol interactions, provides common terminology, and discusses how to analyze such models.

Tommy Pauly asked whether this is a useful topic for the IAB to comment on, and if there are other things that should be included in the document. Several IAB members agreed that this is a useful topic for the IAB cover.

Tommy Pauly asked whether the terminology “privacy partitioning” makes sense in this context. Russ White replied that it does.

David Schinazi said that he thinks it would be helpful to include something about times where attributing the data to an identity is useful (e.g. in anti-abuse cases), because there are no easy answers there.

Cullen Jennings suggested adding something about verified credentials.

Wes Hardaker noted that centralization is one of the driving factors. When companies merge, two companies that may have had discrete bits of information about a user are suddenly now one company with more information about the user than the user might have wanted. He added that TIGRESS and SATP are both doing work in this area.

Russ White observed that it is easy to think that data has been partitioned in a way that de-identifies things, but it is actually harder than people realize; if someone has the last four digits of a social security number and the associated date of birth, it is essentially the same as knowing the full social security number.

Tommy Pauly said that the current identity section of the document relies on previous IAB work in RFC 6973, “Privacy Considerations for Internet Protocols.” Partitioning is only as good as the pseudonym that is used.

Wes Hardaker said that the document could also talk about side effect failures, e.g. how many websites use the same security questions.

Cullen Jennings said that this comes back to needing a better identity service for the Internet.

Tommy Pauly said that while there may be a way to use protocols like Privacy Pass to make some future identity management system possible, he would prefer that this document remain more descriptive, rather than speculative.

Mirja Kühlewind asked the IAB to review the current draft in GitHub and open issues or add pull requests with any pointers to existing research on this topic.

Cullen Jennings noted that there is relevant work outside the IETF, like TOR. Tommy Pauly replied that this document might reference them, but won’t delve in too deeply so as not to broaden the scope too much.

Warren Kumari observed that there are several protocols, like FTP and SIP, that already do this partitioning for other reasons. Cullen Jennings said that he could provide a paragraph about SIP.

Mirja Kühlewind said that the goal was to get the document posted to the Datatracker before the I-D submission deadline, and to present it for feedback during the IAB Open Meeting at IETF 115.