You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: draft-iab-privacy-partitioning.md
+30-5Lines changed: 30 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -513,29 +513,54 @@ about individual client data.
513
513
514
514
Applying privacy partitioning to an existing or new system or protocol requires the following steps:
515
515
516
-
1. Identify the types of information used or exposed in a system or protocol, some of which can be used to identify a user or correlate to other contexts.
517
-
1. Partition data to minimize the amount of user-identifying or correlatable information in any given context to only include what is necessary for that context, and prevent sharing of data across contexts wherever possible.
516
+
1. Identify the types of information used or exposed in a system or protocol, some
517
+
of which can be used to identify a user or correlate to other contexts.
518
+
1. Partition data to minimize the amount of user-identifying or correlatable
519
+
information in any given context to only include what is necessary for that
520
+
context, and prevent sharing of data across contexts wherever possible.
518
521
519
-
The most impactful types of information to partition are (a) user identity or identities (such as an account name or IP address) that can be linked and (b) user data (such as the content a user is accessing), which can be often sensitive when combined with user identity. Note that user data can itself be user-identifying, in which case it should be treated as an identifier.
522
+
The most impactful types of information to partition are (a) user-identifying information,
523
+
such as user identity or identities (including account names or IP addresses) that can be
524
+
linked and (b) non-user-identifying information (including content a user
525
+
generates or accesses), which can be often sensitive when combined with user identity.
526
+
527
+
In this section, we discuss considerations for partitioning these types of information.
528
+
529
+
## User-Identifying Information
530
+
531
+
User data can itself be user-identifying, in which case it should be treated as an identifier.
520
532
For example, Oblivious DoH and Oblivious HTTP partition the client IP address and client request data into
521
533
separate contexts, thereby ensuring that no entity beyond the client can observe both. Collusion across contexts
522
534
could reverse this partitioning, but can also promote non-user-identifying information to user-identifying.
523
535
For example, in CONNECT proxy systems that use QUIC, the QUIC connection ID is inherently non-user-identifying
524
536
since it is generated randomly ({{?QUIC=RFC9000, Section 5.1}}). However, if combined with another context that has user-identifying
525
537
information such as the client IP address, the QUIC connection ID can become user-identifying information.
526
538
527
-
This partitioning process can be applied incorrectly or incompletely. Contexts may contain
539
+
Some information is innate to client user-agents, including details of implementation of
540
+
protocols in hardware and software, and network location. This information can be used to construct
541
+
user-identifying information, which is a process sometimes referred to as fingerprinting.
542
+
Depending on the application and system constraints, users may not be able to prevent fingerprinting
543
+
in privacy contexts. As a result, fingerprinting information, when combined with non-user-identifying
544
+
user data, could promote user data to user-identifying information.
545
+
546
+
## Incorrect or Incomplete Partitioning
547
+
548
+
Privacy partitioning can be applied incorrectly or incompletely. Contexts may contain
528
549
more user-identifying information than desired, or some information in a context may be more user-identifying
529
-
than intended. Moreover, splitting user-identifying information over multiple contexts has to be done with care, as creating more contexts can increase the number of entities that need to be trusted to not collude.
550
+
than intended. Moreover, splitting user-identifying information over multiple contexts has to be done
551
+
with care, as creating more contexts can increase the number of entities that need to be trusted to not collude.
530
552
Nevertheless, partitions can help improve the client's privacy posture when applied carefully.
531
553
554
+
532
555
Evaluating and qualifying the resulting privacy of a system or protocol that applies privacy partitioning depends
533
556
on the contexts that exist and types of user-identifying information in each context. Such evaluation is
534
557
helpful for identifying ways in which systems or protocols can improve their privacy posture. For example,
535
558
consider DNS-over-HTTPS {{?DOH=RFC8484}}, which produces a single context which contains both the client IP
536
559
address and client query. One application of privacy partitioning results in ODoH, which produces two contexts,
537
560
one with the client IP address and the other with the client query.
538
561
562
+
## Identifying Information for Partitioning
563
+
539
564
Recognizing potential appliations of privacy partitoning requires identifying the contexts in use, the information
540
565
exposed in a context, and the intent of information exposed in a context. Unfortunately, determing what
541
566
information to include in a given context is a nontrivial task. In principle, the information contained
0 commit comments