
Agenda Request - Aggregate Measurement Threat Model #50

Closed
eriktaubeneck opened this issue May 6, 2022 · 13 comments
Labels
agenda+ Request to add this issue to the agenda of our next telcon or F2F

Comments

@eriktaubeneck
Contributor

Agenda+: Aggregate Measurement Threat Model

In the last meeting, we discussed how opinionated this group should be with respect to technologies used to enable privacy. The answer seemed to be: yes, we will be opinionated, but that there isn't clear consensus (yet) among the community group as to what those opinions are.

The follow up from that previous agenda item was for the group to begin working on building consensus around a threat model for these use cases, which we could then evaluate technologies against.

I propose we use some time during the next meeting to discuss how we want to approach this threat model. It would be useful to review some of the existing examples of threat models from similar working groups, such as the Privacy Preserving Measurement threat model.

The goal for the session would be to have enough consensus on the basic principles and structure to begin a draft of a threat model, and to find a small number of volunteers to work on that draft.

@eriktaubeneck eriktaubeneck added the agenda+ Request to add this issue to the agenda of our next telcon or F2F label May 6, 2022
@csharrison
Collaborator

Can we clarify if we are talking about a security threat model here or a privacy threat model, or both?

@eriktaubeneck
Contributor Author

Good clarification @csharrison - I am thinking primarily security threat model here, however I think we should also do the same for the privacy threat model as well. I think these would be better as separate agenda items.

@michaelkleber

I'm not sure I agree with this issue's framing of the right next step.

My impression was that we agreed that this group should put work into evaluating the trade-offs in different types of solutions (MPC vs TEE), and that one of those trade-offs is some difference in the security threats that they protect against.

So I think that "Pick a threat model" is the wrong first step, and that rather we should clearly spell out the differences in threat model, so that we can evaluate them side-by-side with other pros/cons of the choice.

@eriktaubeneck
Contributor Author

To be clear, I don't think it's reasonable or possible to "pick a threat model" during the time in the upcoming meeting, but I do think that building consensus around a threat model should be the goal this should work towards.

I also agree that there are going to be certain (and important) points where there will be differing views from the group. However, in my experience, 90% of the threat model is defining the different actors involved, what sort of capabilities they may have, etc. Putting together a draft of such a document should result in the areas where there are important differences.

Finally, I did not get the same impression of the next step:

My impression was that we agreed that this group should put work into evaluating the trade-offs in different types of solutions (MPC vs TEE), and that one of those trade-offs is some difference in the security threats that they protect against.

My impression was that the group should try to build consensus around a threat model, and then evaluate the tradeoffs between different solutions relative to that threat model.

@chris-wood

One takeaway from the last(?) meeting I recall is we needed a better understanding of the features of each proposal on the table here. That is, to first identify the use cases and the requirements for solving them, and then to determine if MPC (or TEEs or whatever) can suitably solve them. For example, if we find that MPC is not feasible as a replacement for, say, PCM, then that narrows the question of what threat model we ought to consider here.

@ekr
Contributor

ekr commented May 9, 2022

+100.

We should spend at least one of the days of the next meeting on features and requirements and then trying to get an understanding of the capabilities of each design.

@csharrison
Collaborator

csharrison commented May 9, 2022

+1 to ekr, I think the next meeting we should have time dedicated to dive deeper into use-cases / requirements, but that's a bit orthogonal to this issue so I can file a separate agenda request.

Edit: filed #51

@seanturner
Contributor

It would be great if somebody could volunteer to lead us through this discussion.

@eriktaubeneck
Contributor Author

I'm happy to lead this discussion - though given some of the feedback here, it may make more sense to have this discussion after the item that @csharrison opened in #51. This could even wait until the next meeting.

@martinthomson
Contributor

I would prefer to have this out, but only if we can be effectively prepared. And use cases seem to be the sticking point. Then there is the interplay between what we might like to have happen and what is practical/affordable. I have to reluctantly concede that we might need to defer this discussion, even though I think that we desperately need to reach some sort of conclusion here.

Can I suggest we try to make some space for this, with an understanding that we might not get to it, or that we might not make much progress if we do?

@bedfordsean

FWIW, use cases have always been the sticking point, even in our very first f2f session of web-advertising ;-) I'm also open to this conversation but we should tightly scope/timebox it since it could use all of the time we have if we let it

@seanturner
Contributor

@eriktaubeneck Please link the slides here so I can upload them to the meeting repo. Thanks!

eriktaubeneck added a commit to eriktaubeneck/meetings that referenced this issue May 20, 2022
Aggregate Measurement Threat Model discussion slides from 22-5-19 meeting.
@eriktaubeneck
Contributor Author

@seanturner I opened #55 with the slides!

Thanks to @martinthomson, @csharrison, and @chris-wood for volunteering (along with myself) to begin working on a draft. We will coordinate offline, but please feel free to reach out to me (or reply here and tag me) if anyone else wants to join.
