fanf

Confidentiality vs privacy

11th Mar 2016 | 02:03

I have a question about a subtle distinction in meaning between words. I want to know if this distinction is helpful, or if it is just academic obfuscation. But first let me set the scene...

Last week I attempted to explain DNSSEC to a few undergraduates. One of the things I struggled with was justifying its approach to privacy.

(HINT: it doesn't have one!)

Actually, DNSSEC has a bit more reasoning for its lack of privacy than that, so here's a digression:

The bullshit reason why DNSSEC doesn't give you privacy

Typically when you query the DNS you are asking for the address of a server; the next thing you do is connect to that server. The result of the DNS query is necessarily revealed, in cleartext, in the headers of the TCP connection attempt.

So anyone who can see your TCP connection has a good chance of inferring your DNS queries. (Even if your TCP connection went to Cloudflare or some other IP address hosting millions of websites, a spy can still guess based on the size of the web page and other clues.)

Why this reasoning is bullshit

DNSSEC turns the DNS into a general-purpose public key infrastructure, which means that it makes sense to use the DNS for a lot more interesting things than just finding IP addresses.

For example, people might use DNSSEC to publish their PGP or S/MIME public keys. So your DNS query might be a prelude to sending encrypted email rather than just connecting to a server.

In this case the result of the query is not revealed in the TCP connection traffic - you are always talking to your mail server! The DNS query for the PGP key reveals who you are sending mail to - information that would be much more obscure if the DNS exchange were encrypted!
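The two cases above (a web visit whose DNS answer reappears as the destination of the TCP connection, and a key lookup that only the DNS exchange itself reveals) as an added Python model of what a passive on-path observer learns. This is example code written for this page, not code from the post. It assumes a constructed packet timeline, constructed addresses, and an observer that can resolve popular names for itself to build a reverse map; the OPENPGPKEY owner-name construction (SHA-256 of the local-part, truncated to 28 octets, in hex, under `_openpgpkey.<domain>`) follows RFC 7929, which the post does not cite.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed observer knowledge: addresses the observer has resolved itself,
# so it can name a destination even when it never saw the client's DNS query.
KNOWN_HOSTS = {
    "198.51.100.10": "www.example.com",   # a web server
    "203.0.113.25": "smtp.example.net",   # the client's own mail submission server
}


def openpgpkey_name(local_part: str, domain: str) -> str:
    """Owner name of an OPENPGPKEY record (RFC 7929): SHA-256 of the
    local-part, truncated to 28 octets, hex-encoded, under _openpgpkey.<domain>."""
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}"


@dataclass
class Event:
    kind: str                     # "dns" or "tcp"
    qname: Optional[str] = None   # dns: name queried; None if the observer cannot read it
    answer: Optional[str] = None  # dns: address in the reply, if the reply was an address
    dst: Optional[str] = None     # tcp: destination address carried in the SYN


def trace(encrypted_dns: bool) -> list:
    """Constructed timeline for one client session: a web visit, then sending
    PGP-encrypted mail to alice@example.org through the client's own mail server."""
    if encrypted_dns:
        # DNS over TLS/HTTPS: the observer sees only that a DNS exchange happened.
        web, key = Event("dns"), Event("dns")
    else:
        web = Event("dns", "www.example.com", "198.51.100.10")
        key = Event("dns", openpgpkey_name("alice", "example.org"))
    return [web, Event("tcp", dst="198.51.100.10"),
            key, Event("tcp", dst="203.0.113.25")]


def observer_view(events: list) -> dict:
    """What a passive on-path observer can infer: 'who' the client talked to
    and 'what' query names it read in the clear."""
    seen_answers = {}   # address -> name, learned from cleartext DNS replies
    who, what = set(), set()
    for ev in events:
        if ev.kind == "dns" and ev.qname is not None:
            what.add(ev.qname)
            if ev.answer:
                seen_answers[ev.answer] = ev.qname
            if "._openpgpkey." in ev.qname:
                # The key lookup itself names the correspondent's domain.
                who.add("someone at " + ev.qname.split("._openpgpkey.", 1)[1])
        elif ev.kind == "tcp":
            # The SYN carries the address in the clear whatever the DNS transport,
            # so the observer can name the web server either way.
            who.add(seen_answers.get(ev.dst) or KNOWN_HOSTS.get(ev.dst, ev.dst))
    return {"who": who, "what": what}


if __name__ == "__main__":
    for enc in (False, True):
        print("encrypted DNS:", enc, observer_view(trace(enc)))
```

With cleartext DNS the observer names the web server and the mail correspondent's domain; with encrypted DNS it still names the web server from the TCP destination, but the mail session shows only the client's own mail server. That asymmetry is the post's point: encrypting the DNS transport buys little for the first case and a lot for the second.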

That subtle distinction

What we have here is a distinction between

who you are talking to

and

what you are talking about

In the modern vernacular of political excuses for the police state, who you talk to is "metadata" and this is "valuable" information which "should" be collected. (For example, America uses metadata to decide who to kill.) Nobody wants to know what you are talking about, unless getting access to your data gives them a precedent in favour of more spying powers.

Hold on a sec! Let's drop the politics and get back to nerdery.

Actually it's more subtle than that

Frequently, "who you are talking to" might be obscure at a lower layer, but revealed at a higher layer.

For example, when you query for a correspondent's public key, that query might be encrypted from the point of view of a spy sniffing your network connection, so the spy can't tell whose key you asked for. But if the spy has cut a deal with the people who run the keyserver, they can find out which key you asked for and therefore who you are talking to.

Why DNS privacy is hard

There's a fundamental tradeoff here.

You can have privacy against an attacker who can observe your network traffic, by always talking to a few trusted servers who proxy your actions to the wider Internet. You get extra privacy bonus points if a diverse set of other people use the same trusted servers, and provide covering fire for your traffic.

Or you can have privacy against a government-regulated ISP who provides (and monitors) your default proxy servers, by talking directly to resources on the Internet and bypassing the monitored proxies. But that reveals a lot of information to network-level traffic analysis.

The question I was building up to

Having written all that preamble, I'm even less confident that this is a sensible question. But anyway,

What I want to get at is the distinction between metadata and content. Are there succinct words that capture the difference?

Do you think the following works? Does this make sense?

The weaker word is

"confidential"

If something is confidential, an adversary is likely to know who you are talking to, but they might not know what you talked about.

The stronger word is

"private"

If something is private, an adversary should not even know who you are dealing with.

For example, a salary is often "confidential": an adversary (a rival colleague or a prospective employer) will know who is paying it but not how big it is.

By contrast, an adulterous affair is "private": the adversary (your spouse) shouldn't even know you are spending a lot of time with someone else.

What I am trying to get at with this choice of words is the idea that even if your communication is "confidential" (i.e. encrypted so spies can't see the contents), it probably isn't "private" (i.e. it doesn't hide who you are talking to or suppress scurrilous implications).

SSL gives you confidentiality (it hides your credit card number) whereas TOR gives you privacy (it hides who you are buying drugs from).


Comments (4)

cozminsky

from: cozminsky
date: 11th Mar 2016 03:18 (UTC)

I would say they have almost the same meaning when used in this context, but that private is broader. That is, confidential implies that there is an authorized group and an unauthorised group to know the information, whereas private could also cover situations where there is no sharing of information at all (e.g. your private thoughts) and also has other related uses not pertinent to information (e.g. private property).

I'd definitely think of confidentiality/privacy as a scale and that it's just the difference in degree between an https connection or using an anonymizing service (although I guess using tor may provide less confidentiality if you're connecting to an http service than using the https version of a page).

Evan

from: mr_cellaneous
date: 11th Mar 2016 04:19 (UTC)

I don't think that terminology works; most people regard "private" and "confidential" as synonyms, at least on my side of the pond. You have private business with your attorney, who has a responsibility to maintain client confidentiality.

Instead of "private" you might consider "secret". Or "covert" or "clandestine" or "surreptitious" or "sub rosa" or something.

ewx

from: ewx
date: 11th Mar 2016 09:02 (UTC)

The research world already has a confidentiality/privacy distinction, e.g. "Privacy protects access to the person, whereas confidentiality protects access to the data" or here, the same idea but more verbose. Or in law, a similar idea of confidentiality and broader (vaguer) notion of privacy.

I think this is mostly orthogonal to what you're asking about though, and the notion of confidentiality in these fields covers traffic data (at least if anyone bothers to think about it) as well as payload. For instance in this EU law "confidentiality" applies to traffic data as well as payload.

...edit: on reflection this is actually closer to what you're on about than I'd initially thought, once I stop focusing entirely on traffic data.

Edited at 2016-03-11 09:04 am (UTC)

Gerald the cuddly duck

from: gerald_duck
date: 11th Mar 2016 16:04 (UTC)

Last year, I tried to draw a distinction between a right and an entitlement.

I think people generally recognised the two notions between which I was seeking to distinguish, but didn't agree that one corresponded to a "right" and the other to an "entitlement".

Similarly, I clearly see the distinction you're making, and agree it's important, but don't think it's the distinction between confidentiality and privacy.

To me, confidentiality is protection from secrets being divulged by people you've shared them with. A conversation with a lawyer, doctor or journalist might be confidential, for example. Things not confided to another person are not confidential. Privacy is the having of something such that others are denied access to it. Secrets can be private but so, too, is my front garden, in the sense that it's not a public park, rather than the sense of it not being visible on Google StreetView.