Network Working Group | A. Cooper |
Internet-Draft | CDT |
Intended status: Informational | H. Tschofenig |
Expires: April 25, 2012 | Nokia Siemens Networks |
B. Aboba | |
Microsoft Corporation | |
J. Peterson | |
NeuStar, Inc. | |
J. Morris | |
October 23, 2011 |
Privacy Considerations for Internet Protocols
draft-iab-privacy-considerations-01.txt
This document offers guidance for developing privacy considerations for IETF documents and aims to make protocol designers aware of privacy-related design choices.
Discussion of this document is taking place on the IETF Privacy Discussion mailing list (see https://www.ietf.org/mailman/listinfo/ietf-privacy).
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 25, 2012.
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
All IETF specifications are required by [RFC2223] to contain a security considerations section. [RFC3552] provides detailed guidance to protocol designers about both how to consider security as part of protocol design and how to inform readers of IETF documents about security issues. This document intends to provide a similar set of guidance for considering privacy in protocol design. Whether any individual document will require a specific privacy considerations section will depend on the document's content. The guidance provided here can and should be used to assess the privacy considerations of protocol and architectural specifications regardless of whether those considerations are documented in a stand-alone section.
Privacy is a complicated concept with a rich history that spans many disciplines. Many sets of privacy principles and privacy design frameworks have been developed in different forums over the years. These include the Fair Information Practices (FIPs) [OECD], a baseline set of privacy protections pertaining to the collection and use of data about individuals, and the Privacy by Design framework [PbD], which provides high-level privacy guidance for systems design. The guidance provided in this document is inspired by this prior work, but it aims to be more concrete, pointing protocol designers to specific engineering choices that can impact the privacy of the individuals that make use of Internet protocols.
Privacy as a legal concept is understood differently in different jurisdictions. The guidance provided in this document is generic and can be used to inform the design of any protocol to be used anywhere in the world, without reference to specific legal frameworks.
The document is organized as follows: Section 2 describes the extent to which the guidance offered in this document is applicable within the IETF, Section 3 discusses a generic threat model to motivate the need for privacy considerations, Section 4 provides the guidelines for analyzing and documenting privacy considerations within IETF specifications, and Section 5 examines the privacy characteristics of an IETF protocol to demonstrate the use of the guidance framework.
The core function of IETF activity is building protocols. Internet protocols are often built flexibly, making them useful in a variety of architectures, contexts, and deployment scenarios without requiring significant interdependency between disparately designed components. Although some protocols assume particular architectures at design time, it is not uncommon for architectural frameworks to develop later, after implementations exist and have been deployed in combination with other protocols or components to form complete systems.
As a consequence, the extent to which protocol designers can foresee all of the privacy implications of a particular protocol at design time is significantly limited. An individual protocol may be relatively benign on its own, but when deployed within a larger system or used in a way not envisioned at design time, its use may create new privacy risks. The guidelines in Section 4 ask protocol designers to consider how their protocols are expected to interact with systems and information that exist outside the protocol bounds, but not to imagine every possible deployment scenario.
Furthermore, in many cases the privacy properties of a system are dependent upon API specifics, internal application functionality, database structure, local policy, and other details that are specific to particular instantiations and generally outside the scope of the work conducted in the IETF. The guidance provided here only reaches as far as protocol design can go.
As an example, consider HTTP [RFC2616], which was designed to allow the exchange of arbitrary data. A complete analysis of the privacy considerations for uses of HTTP might include what type of data is exchanged, how this data is stored, and how it is processed. Hence the analysis for an individual's static personal web page would be different than the use of HTTP for exchanging health records. A protocol designer working on HTTP extensions (such as WebDAV [RFC4918]) is not expected to describe the privacy risks derived from all possible usage scenarios, but rather the privacy properties specific to the extensions and any particular uses of the extensions that are expected and foreseen at design time.
To consider privacy in protocol design it is helpful to consider the overall communication architecture and different actors' roles within it. This analysis is similar to a threat analysis found in the security considerations sections of IETF documents. Figure 1 presents a communication model found in many of today's protocols where a sender wants to establish communication with some recipient and thereby uses some form of intermediary. In some cases this intermediary stays in the communication path for the entire duration of the communication and sometimes it is only used for communication establishment, for either inbound or outbound communication. In rare cases there may be a series of intermediaries that are traversed.
+-----------+ | | >| Recipient | / | | ,' +-----------+ +--------+ )--------------( ,' +-----------+ | | | | - | | | Sender |<------>|Intermediary |<------>| Recipient | | | | |`. | | +--------+ )--------------( \ +-----------+ ˆ `. +-----------+ : \ | | : `>| Recipient | .....................................>| | +-----------+ Legend: <....> End-to-End Communication <----> Hop-by-Hop Communication
This model is vulnerable to three types of adversaries:
Eavesdropping is often considered by IETF protocols in the context of a security analysis. Confidentiality protection is often employed to defend against attacks based on eavesdropping, and
[RFC3552] demands that confidentiality be incorporated as a security consideration. While IETF protocols offer guidance on how to secure communication against eavesdroppers, deployments sometimes choose not to enable such security.
This section provides guidance for document authors in the form of a questionnaire about a protocol being designed. The questionnaire may be useful at any point in the design process, particularly after document authors have developed a high-level protocol model as described in [RFC4101].
Note that the guidance does not recommend specific practices. The range of protocols developed in the IETF is too broad to make recommendations about particular uses of data or how privacy might be balanced against other design goals. However, by carefully considering the answers to each question, document authors should be able to produce a comprehensive analysis that can serve as the basis for discussion of whether the protocol adequately protects against privacy threats.
The framework is divided into four sections that address different aspects of privacy -- data minimization, user participation, security, and accountability -- plus a general section. Security is not elaborated since substantial guidance already exists in [RFC3552]. Privacy-specific terminology used in the framework is [will be] defined in [I-D.hansen-privacy-terminology].
[To be provided in a future version.]
This document describes privacy aspects that protocol designers should consider in addition to regular security analysis.
This document does not require actions by IANA.
We would like to thank the participants for the feedback they provided during the December 2010 Internet Privacy workshop co-organized by MIT, ISOC, W3C and the IAB.
[I-D.hansen-privacy-terminology] | Hansen, M, Tschofenig, H and R Smith, "Privacy Terminology", Internet-Draft draft-hansen-privacy-terminology-03, October 2011. |