Merge pull request #56 from intarchboard/mirjak-patch-7

collusion through third parties

Author: tfpauly

draft-iab-privacy-partitioning.md

@@ -625,11 +625,15 @@ If the Oblivious Relay and Gateway collude, they can link Client identity and da
 for each request and response transaction by simply observing requests in transit.
 
 It is not currently possible to guarantee with technical protocol measures that two
-entities are not colluding. However, there are some mitigations that can be applied
+entities are not colluding. Even if two entities do not collude directly, if both entities reveal
+information to other parties, it will not be possible to guarantee that the information won't
+be combined. However, there are some mitigations that can be applied
 to reduce the risk of collusion happening in practice:
 
-- Policy and contractual agreements between entities involved in partitioning, to disallow
-logging or sharing of data, or to require auditing.
+- Policy and contractual agreements between entities involved in partitioning to disallow
+logging or sharing of data, along with auditing to validate that the policies are being followed.
+For cases where logging is required (such as for service operation), such logged data should
+be minimized and anonymized to prevent it from being useful for collusion.
 - Protocol requirements to make collusion or data sharing more difficult.
 - Adding more partitions and contexts, to make it increasingly difficult to collude with
 enough parties to recover identities.