OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Anonymity: The real note

Dear SAML'ers

This is the "real" write up on anonymity.
Please however read the "pre-note" first.


Here's the outline of this note:

   Definitions that Relate to Anonymity
   Pseudonymity & Anonymity
   Behavior & Anonymity
   Upshot for SAML (aka Executive Summary)

Definitions that Relate to Anonymity/

   I found no definition of anonymity which I consider to be
satisfying for all cases.  Many definitions deal with the simple case
case of a sender and a message, and discuss "anonymity"
in terms of not being able to link a given sender to
a sent message, or a message back to a sender. [1]
  And while that "works" for the "one off" case,
it ignores the aggregation of information that is possible
over time based on *behavior* rather than an identifier.
(More about this later in the note).

  That said, I found two "notions" which I believe are generally
useful,and that relate to each other.

  The first notion is to think about anonymity as being "within a set".
Here's a quote (again from [1]):

"To enable anonymity of a subject, there always has to be
an appropriate set of subjects with potentially the same attributes....
... Anonymity is the stronger, the larger the respective
anonymity set is and the more evenly distributed the sending or
receiving,respectively, of the subjects within that set is".

And I'll add, "the more uniformly distributed the behavior of
the users within the set"!

  This is relevant to SAML because of our use of "authorities".
Even if a Subject is "anonymous", that subject is
still identifiable as a member of the set of Subjects within the domain
of the relevant authority.
  In the case where aggregating attributes of the user are provided,
the "set" can become much smaller.  For example,  let's say the
user is "anonymous" but has the attribute of
"student in Course 6@mit.edu". Certainly, the number of Course 6
students is less than the number of MIT-affiliated persons which is
less  than the number of users "everywhere".

  Why does this matter?   Because of the second notion (from
[2]). This idea is that non-anonymity leads to the ability
of an adversary to harm.  Here's a quote:

  "Both anonymity and pseudonymity protect the privacy of the user's
location and true name. Location refers to the actual physical connection
to the system. The term ``true name'' was introduced by Vinge and
popularized by May to refer to the legal identity of an individual.
Knowing someone's true name or location allows you to hurt him or her."

  And in a nice unification of the notion of anonymity within a set and
ability to harm, we have (also from [2]), the following:
  "We might say that a system is partially anonymous if an adversary can
only narrow down a search for a user to one of a ``set of suspects.'' If
the set is large enough, then it is impractical for an adversary to act
as  if any single suspect were guilty. On the other hand, when the set
of suspects is small, mere suspicion may cause an adversary to take
action against all of them."

  In SAML,the best we can ever do is "partial anonymity" because of
our use of authorities.  And we can do a lot worse depending on
how identifiers are employed.  And users can screw themselves despite
our best efforts.
  This next section discusses pseudonymity and how it relates to
anonymity. The following section discusses behavior and how unusual
behavior can serve to defeat anonymity.

Pseudonymity & Anonymity/

  Apart from "legal identity",any identifier for a Subject
can be considered a pseudonym.  And even notions like
"holder of key" can be considered as serving as the moral
equivalent of a pseudonym (MEOP) in linking an action (or set
of actions) to a Subject. Finally, even a description such
as "the user that just requested access to object XYZ at time 23:34"
can serve as MEOP.
   My point is, that with respect to "ability to harm"
it makes no difference whether the user is described with
an identifier or described by behavior (i.e. use of a key,
or performance of an action).
   What does make a difference is how often the MEOP
is used.
   [2] gives a taxonomy of pseudonyms starting from
personal pseudonyms (like nicknames) that are used all
the time, through various types of role pseudonyms (e.g.
Secretary of Defense), on to "one time use" pseudonyms.
   Only one time use pseudonyms can give you anonymity (within
SAML, consider this as "anonymity within a set").
The more often you use a given pseudonym, the more you reduce
your anonymity and the more likely it is that you can be harmed.
(When I say pseudonym here I mean MEOP as well).

    This leads onto the discussion of behavior.

Behavior and Anonymity/

   As Joe Klein can attest, anonymity isn't all it is cracked up to
   Klein is the "Anonymous" who authored Primary Colors.  Despite
his denials he was unmasked as the author by Don Foster, a Vassar
professor who did a forensic analysis of the text of Primary Colors.
Foster compared that text with texts from a list of suspects that he
devised based on their knowledge bases and writing proclivities.
   It was Klein's idiosyncratic usages that did him in (though apparently
all authors have them).
   The relevant point for SAML is that an "anonymous" user (even one that
is never named) can be identified enough to be harmed by repeated
unusual behavior.  Here are some examples:
   A user who each Tuesday at 21:00 access a database that correlates
finger lengths and life span starts to be non-anonymous.  Depending on
that user's other behavior, she or he may become "traceable" [3] in
that other "identifying" information may be able to be collected.
   A user who routinely buys an usual set of products from a
networked vending machine, certainly opens themselves to harm (by
virtue of booby-trapping the products).

Upshots For SAML aka Execute Summary/

   Origin site authorities (i.e. Authentication Authorities and
Attribute Authorities) can provide a degree of "partial anonymity"
by employing one-time-use identifiers or keys (for the "holder of
key" case).
   This anonymity is "partial" at best because the Subject is
necessarily confined to the set of Subjects in a relationship
with the Authority.
   This set may be further reduced (thus further reducing anonymity)
when aggregating attributes are used that further subset the user
community at the origin site.

   Users who truly care about anonymity must take care to
disguise or avoid unusual patterns of behavior that could
serve to "de-anonymize" them over time.

1.  Anonymity, Unobservability, and Pseudonymity --
A Proposal for Terminology
Andreas Pfitzmann
Marit Köhntopp

2.The Free Haven Project:
Distributed Anonymous Storage Service
Roger Dingledine & Michael J. Freedman & David Molnar

3. Pooling Intellectual Capital:
Thoughts on Anonymity, Pseudonymity, and Limited Liability in Cyberspace
David G. Post


That is it.

Questions and comments are welcomed.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC