Neither of us really had the time to clearly articulate things last time, so I am glad you brought it up. My perspective is primarily from an architectural one, and it boils down to this: Platform security shouldn't choose favorites. I don't want there to be any second class data citizens, as the determination of who is a "first class" citizen and who isn't seems arbitrary and unfair, especially if you happen to be second class. The technology should be egalitarian and should be capable of treating all data the same. If a user wants data to be secure, or an application wants it's execution to be secure, they should be able to ask for and get the highest level of security that the platform can offer. You point out that legal and societal policy likes to lump some kinds of data together and then protect those lumps of data in certain ways from certain things. Policy may also leave the same data open for some kinds of usage and or exploitation in some circumstances. This is a fine and wonderful thing from a policy perspective. This kind of rich policy is only possible in a PC if that machine is capable of exerting the highest degrees of security to every object seeking it. You can't water the security up; you can only water it down. I don't think that the platform security functions should have to decide that some data looks like copyrighted information and so it must be treated in one way, while other data looks like national secrets and so should be treated differently. The platform shouldn't be able to make that choice on it's own. The platform needs someone else (eg the user) to tell it what policies to enforce. (Of course the policy engine required to automatically enforce policy judgement on arbitrary data would be impossible to manage. It would vary from country to country, and most importantly (from my architectural perspective) it's impossible to implement becuase the only SW with access to all data must be explicitly non-judgemental about what good or bad policy is.) More in-line: ----- Original Message ----- From: "Seth David Schoen" <schoen@loyalty.org> To: <cypherpunks@lne.com>; <cryptography@wasabisystems.com>; <mail2news@anon.lcs.mit.edu> Sent: Tuesday, August 06, 2002 12:11 PM Subject: Re: Privacy-enhancing uses for TCPA
AARG!Anonymous writes:
I could go on and on, but the basic idea is always the same, and hopefully once people see the pattern they will come up with their own ideas. Being able to write software that trusts other computers allows for an entirely new approach to security software design. TCPA can enhance freedom and privacy by closing off possibilities for surveillance and interference. The same technology that protects Sony's music content in a DRM application can protect the data exchanged by a P2P system. As Seth Schoen of the EFF paraphrases Microsoft, "So the protection of privacy was the same technical problem as the protection of copyright, because in each case bits owned by one party were being entrusted to another party and there was an attempt to enforce a policy." (http://vitanuova.loyalty.org/2002-07-05.html, 3rd bullet point)
I would just like to point out that the view that "the protection of privacy [is] the same technical problem as the protection of copyright" is Microsoft's and not mine. I don't agree that these problems are the same.
You say above that you don't agree the the problems are the same, but you don't specify in what domain - policy, technical, legal, all of the above, something else? The examples you give below are not technical examples - I think that they are policy examples. What about from the technical perspective?
An old WinHEC presentation by Microsoft's Peter Biddle says that computer security, copyright enforcement, and privacy are the same problem. I've argued with Peter about that claim before, and I'm going to keep arguing about it.
The term I use is "a blob is a blob"...
For one thing, facts are not copyrightable -- copyright law in the U.S. has an "idea/expression dichotomy", which, while it might be ultimately incoherent, suggests that copyright is not violated when factual information is reproduced or retransmitted without permission. So, for example, giving a detailed summary of the plot of a novel or a movie -- even revealing what happens in the ending! -- is not an infringement of copyright. It's also not something a DRM system can control.
Isn't copyright a legal protection, and not a technical one? The efficacy of copyright has certainly benefited greatly from the limitations of the mediums it generally protects (eg books are hard and expensive to copy; ideas, quotes, reviews and satires are allowed and also (not coincidentally) don't suffer from the physical limitations imposed by the medium) and so those limitations can look like technical protections, but really they aren't. I agree that copyrighted material is subject to different policy from other kinds of information. What I disagree on is that the TOR should arbitrarily enforce a different policy for it becuase it thinks that it is copyrighted. The platform should enforce policy based on an external (user, application, service, whatever) policy assertion around a given piece of data. Note that data can enter into Pd completely encrypted and unable to be viewed by anything but a user-written app and the TOR. At that point the policy is that the app, and thus the user, decides what can be done with the data. The TOR simply enforces the protections. No one but the app and the TOR can see the data to attempt to exert policy.
But privacy is frequently violated when "mere" facts are redistributed.
I swear that *I* was arguing this very point last time, and you were saying something else! Hmmm. Maybe we agree or something.
It often doesn't matter that no bits, bytes, words, or sentences were copied verbatim. In some cases (sexual orientation, medical history, criminal history, religious or political belief, substance abuse), the actual informational content of a "privacy-sensitive" assertion is extremely tiny, and would probably not be enough to be "copyrightable subject matter". Sentences like "X is gay", "Y has had an abortion", "Z has AIDS", etc., are not even copyrightable, but their dissemination in certain contexts will have tremendous privacy implications.
The platform should treat this kind of data with the highest degree of security and integrity available, and the level of security available should support local policy like "no SW can have access to this data without my explicit consent". The fact that the data is small makes it particularly sensitive as it is so highly portable, so there must be law to allow the legal assertion of policy independently from the technical exertion of policy, and there has to be some rationalization between the two approaches. While bandwidth limits the re-distribution of many kinds of content, it doesn't with this kind of info. (And of course bandwidth limitations aren't really technical protections and are subject to the vagaries of increased bandwidth. Not a good security model.) Not only should the platform be able to exert the highest degrees of control over this information on behalf of a user, it should also allow the user to make smart choices about who gets the info and what the policy is around the usage of this info remotely. This must be in a context where lying is both extremely difficult and onerous. Common sense dictates that the unlawful usage of some kinds of data is far more damaging (to society, individuals, groups, companies) than other kinds of data, and that some kinds of unlawful uses are worse than others, but common sense is not something that can be exercised by a computer program. This will need to be figured out by society and then the policy can be exerted accordingly.
"Technical enforcement of policies for the use of a file within a computer system" is a pretty poor proxy for privacy.
This is not to say that trusted computing systems don't have interesting advantages (and disadvantages) for privacy.
I am not sure I understand the dichotomy; technical enforcement of user defined policies around access to, and usage of, their local data would seem to be the right place to start in securing privacy. (Some annoying cliche about cleaning your own room first is nipping at the dark recesses of my brain ; I can't seem to place it.) When you have control over privacy sensitive information on your own machine you should be able to use similiar mechanisms to achieve similiar protections on other machines which are capable of exerting the same policy. You should also have an infrastructure which makes that policy portable and renewable. This is, of course, another technical / architectural argument. The actual policy around data like "X is gay" must come from society, but controls on the information itself originates with the user X, and thus the control on the data that represents this information must start in user X's platform. The platform should be capable of exerting the entire spectrum of possible controls. Peter ++++
-- Seth David Schoen <schoen@loyalty.org> | Reading is a right, not a feature! http://www.loyalty.org/~schoen/ | -- Kathryn Myronuk http://vitanuova.loyalty.org/ |
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com