Re: [xcbf] [Fwd: [xcbf-comment] XCBF 1.0 Has Confused Security WithPrivacy]

["Phillip H. Griffin" <phil.griffin@asn-1.com>]

I do not believe that XCBF, X9.84, X.509 or any technical standard on data
security should attempt to specify, or reasonably hope to control the 
behavior
or intentions of human beings.

No data security standard can possibly specify "how the information will
be used" or whether "authorized parties will use information" for good 
or ill.

The use or abuse of information or the intentions or actions of individuals
can not be dictated by XCBF to any greater degree than we can control
whether water will be used to nourish or to drown.

And I do not agree with the assertion made by EPIC that "XCBF 1.0 does not
respect privacy". No evidence is given in the comment and no words appear in
XCBF that would support such a claim.

I read the EPIC note carefully again this morning. Then I went through 
the XCBF
document to see what we had actually written about "privacy". Not much. 
Lines
81-85 state:

"This standard defines cryptographic messages represented in XML markup for
the secure collection, distribution, and processing, of biometric 
information. These
messages provide the means of achieving data integrity, authentication 
of origin,
and privacy of biometric data in XML based systems and applications. 
Mechanisms
and techniques are described for the secure transmission, storage, and 
integrity and
privacy protection of biometric data."

We claim only that these messages are capable of protecting the privacy 
of biometric
data. And I really think that this is about all we are capable of doing 
in the XCBF TC.
And these words indicate that the XCBF work has not "Confused Security With
Privacy". XCBF only provides the means of achieving privacy, not a 
guarantee.

We could make statements such as the UK comments below that express our 
concerns
for protecting individuals from wrong doers. But such statements would 
not change the
scope or any technical aspect of our work. I am opposed to changing the 
scope in ways
that attempt to define what we do NOT cover - there would be no end to 
this and I think
no useful purpose served.

I also disagree that the EPIC statement that the XCBF TC is the 
appropriate forum for
"further research into implementing privacy safeguards within the 
protocol". These are
matters that concern the use or abuse of the protocol and not the schema 
definitions or
cryptographic processing defined in the XCBF standard. The 
implementation of privacy
safeguards (say in WSS using XCBF) is a topic of  interest to me, but it 
is out of scope
of our OASIS charter.

I do share the concerns voiced in the EPIC comment for the protection of 
civil liberties,
the privacy rights of individuals, and the responsibilities of those 
authorized to collect and
use biometric information. But these are matters largely of national and 
international law,
public policy, ethics and perhaps even theology. I believe the public 
interest would be
better served if  these concerns were addressed in a forum that had 
members with
expertise in one or more of those areas, rather than exclusively in a 
data security
technical committee with the limited scope, focus and membership of the 
XCBF TC.

Phil


John Larmouth wrote:

> YOu may be interested in a comment that the UK is making on the CBEFF CD:
>
> >>>>>
>
> 3.3.2    The UK is concerned that appropriate privacy controls be in 
> place to prevent the distribution of biometric data without the 
> consent of the person identified by such data.  It is recognised that 
> this is not part of the remit of the Special Group concerned with this 
> CD, but the UK hopes that these concerns will be addressed in other 
> Groups within SC37.
>
> 3.3.3    It may be appropriate to add a sentence to the Scope saying 
> "Protection of the privacy of individuals from inappropriate 
> dissemination and use of biometric data is not in the Scope of this 
> International Standard, but may be subject to national regulation."
>
> <<<<<<
>
> You may want to consider a similar sentence in the Scope for XCBF.
>
> John L
>
>
> Phillip H. Griffin wrote:
>
>>   This message from a member of EPIC was sent to the XCBF public
>> comment list. I wanted to make sure that all of the XCBF members
>> had seen this comment.
>>
>> Phil
>>
>>
>>
>> -------- Original Message --------
>> Subject: [xcbf-comment] XCBF 1.0 Has Confused Security With Privacy
>> Date: Fri, 28 Feb 2003 18:19:39 -0500
>> From: Ruchika Agrawal <agrawal@epic.org>
>> To: xcbf-comment@lists.oasis-open.org
>>
>>
>>
>> The Electronic Information Privacy Center (EPIC)*, a public interest 
>> research center that has extensive expertise in privacy, submits the 
>> following comments on the OASIS XML Common Biometric Format (XCBF) 
>> 1.0 Committee Specification.
>> In submitting our comments, EPIC understands that biometrics entail 
>> automated methods of recognizing persons based on physiological or 
>> behavioral characteristics; that biometrics are used to recognize the 
>> identity of an individual or to verify a claimed identity; that XCBF 
>> offers a standard XML schema for biometrics, which describes 
>> information that verifies identity based on human characteristics 
>> including fingerprints, iris scans, hand geometry, and DNA; and that 
>> these XML encodings are based on the ASN.1 schema defined in ANSI 
>> X9.84:2003 Biometric Information Management and Security (and 
>> therefore respect the X9.96 XML Cryptographic Message Syntax security 
>> requirements).
>>
>> The XCBF 1.0 specification -- while it may respect security standards 
>> -- cannot be fairly or accurately described as respecting or 
>> achieving privacy.  Technologies or protocols that respect privacy 
>> assist in minimizing or eliminating the collection of personally 
>> identifiable information.  For example, anonymous remailers allow 
>> users to anonymously send emails and post to newsgroups, by not log 
>> incoming and outgoing traffic information and stripping email headers 
>> of personally identifiable information.  As another example, digital 
>> tickets authorize the ticket-holder to perform some action without 
>> collecting or transferring personally identifiable information of the 
>> ticket-holder. By contrast, techniques that enable the collection of 
>> personally identifiable information in the absence of enforceable 
>> legal rights or technical safeguards necessarily create a new risk 
>> that personal information will be misused.
>>
>> Security is not tantamount to privacy.  Technologies that respect 
>> security may prevent unauthorized parties from gaining access to 
>> protected data -- and XCBF 1.0 seems to achieve this goal -- but such 
>> standards say nothing about the how the information will be used or 
>> whether authorized parties will use information in a way that is 
>> detrimental to the interests of the data subject.
>>
>> Because standardization of biometric data in machine-readable format 
>> makes massive and efficient automated data aggregation techniques 
>> much simpler, more careful consideration and actual deliberation of 
>> privacy safeguards is crucial. None of this is reflected in the 
>> current proposal.
>>
>>         We recommend that the specification be changed to acknowledge 
>> that XCBF 1.0 does not respect privacy, and recommend further 
>> research into implementing privacy safeguards within the protocol.
>>
>> Sincerely,
>> Marc Rotenberg, Executive Director
>> Ruchika Agrawal, IPIOP Science Policy Fellow
>> EPIC
>>
>> *EPIC is a public interest research center in Washington, D.C. that 
>> has extensive expertise in privacy.  It was established in 1994 to 
>> focus public attention on emerging civil liberties issues and to 
>> protect privacy, the First Amendment, and constitutional values.  
>> Since its founding, EPIC has participated in extensive agency 
>> comment, litigation, and public education to promote privacy and 
>> civil liberties.
>>
>>
>> For more in depth discussions on technologies or protocols that 
>> respect privacy, see:
>>
>> Anonymizer.com; http://www.anonymizer.com/ (visited on October 22, 
>> 2002).
>>
>> Stefan Brands; "A Technical Overview of Digital Credentials"; 
>> February 20, 2002; http://citeseer.nj.nec.com/brands02technical.html.
>>
>> Stefan A.Brands; ?Untraceable Off-line Cash in Wallets with 
>> Observers?; Advances in Cryptography-CRYPTO ?93; Springer-Verlag; 
>> 1994; p.302-318.
>>
>> Herbert Burkert; ?Privacy-Enhancing Technologies:  Typology, 
>> Critique, Vision?; Technology and Privacy:  The New Landscape edited 
>> by Philip Agre and Marc Rotenberg; The MIT Press (Cambridge, 1997).
>>
>> David Chaum; ?Achieving Electronic Privacy?;  Scientific American, 
>> August 1992; p. 96-101; 
>> http://ntrg.cs.tcd.ie/mepeirce/Project/Chaum/sciam.html.
>>
>> David Chaum; "Prepaid Smart Card Techniques: A Brief Introduction and 
>> Comparison"; Digicash; 1994; 
>> http://ntrg.cs.tcd.ie/mepeirce/Project/Chaum/cardcom.html.
>>
>> Roger Clarke; ?Roger Clarke's PITs and PETs Resources Site?; 
>> http://www.anu.edu.au/people/Roger.Clarke/DV/PITsPETsRes.html#Orig 
>> (visited on October 21, 2002).
>>
>> Whitfield Diffie and Martin E. Hellman; ?New Directions in 
>> Cryptography?; IEEE Transactioins on Information Theory;  IT-22(6); 
>> November  1976.
>>
>> Roger Dingledine, Michael J. Freedman, David Molnar; "The Free Haven 
>> Project: Distributed Anonymous Storage Service"; December 17, 2000; 
>> http://citeseer.nj.nec.com/543510.html.
>>
>> Simson Garfinkel; PGP:  Pretty Good Privacy; O?Reilly & Associates, 
>> Inc. (Sebastopol, 1995).
>>
>> Simson Garfinkel with Gene Spafford; Web Security, Privacy & 
>> Commerce; O?Reilly & Associates, Inc. (Beijing, 2002); Second 
>> Edition; p. 262-283.
>>
>> Simson L. Garfinkel and Abhi Shelat; ?Remembrance of Data Passed:  A 
>> Study of Disk Sanitization Practices?; IEEE Security & Privacy; 
>> January/February 2003.
>>
>> "Privacy-Enhancing Technologies: The Path to Anonymity"; Volume 1; 
>> Joint report by the Dutch Data Protection Authority (RGK) and the 
>> Information and Privacy Commissioner for the Province of Ontario, 
>> Canada (IPC); August 1995.
>>
>> Marc Rotenberg, Director of Electronic Privacy Information Center; 
>> Hearing on S. 809, The Online Privacy Protection Act of 1999, Before 
>> the Subcommittee on Communications Committee on Commerce, Science and 
>> Transportation, U.S. Senate; July 27, 1999; 
>> www.epic.org/privacy/internet/EPIC_testimony_799.pdf 
>> <http://www.epic.org/privacy/internet/EPIC_testimony_799.pdf>.
>>
>> Marc Rotenberg, Director of Electronic Privacy Information Center; 
>> ?Privacy in the Commercial World?; Before the Committee on Energy and 
>> Commerce, U.S. House of Representatives, March 1, 2001; 
>> http://energycommerce.house.gov/107/hearings/03012001Hearing43/Rotenberg68.htm. 
>>
>>
>> Marc Rotenberg; ?A Way Forward for Data Protection:  Privacy 
>> Enhancing Technology?; the PARLIAMENT Magazine; September 30, 2002.
>>
>> Marc Rotenberg, Privacy Law Sourcebook: United States Law, 
>> International Law, and Recent Developments (EPIC 2002).
>>
>> Bruce Schneier; Applied Cryptography; John Wiley & Sons, Inc. (New 
>> York, 1996); p. 126-127, p. 220-222, and generally.
>>
>> Daniel J. Solove and Marc Rotenber; Information Privacy Law; Aspen 
>> Publishers (New York, 2003; p. 27-33 and generally.
>>
>> Peter Wayner; Translucent Databases; Flyzone Press (Baltimore, 2002); 
>> p.13, p.  129-131, and generally.
>
>