Hiya,

On 27/02/15 11:27, Stephane Bortzmeyer wrote:
> I assume you know draft-iab-privsec-confidentiality-threat, currently
> under review. In its -03 version, there are a lot of mentions of
> "inference", inference being defined as "information extracted from
> analysis of [raw information]". Isn't it sufficient, for
> draft-ietf-dprive-problem-statement, to mention the importance of
> inference and to add a reference to
> draft-iab-privsec-confidentiality-threat?

I'd argue that a specific mention here would be warranted, even if
that's partly redundant with the IAB document.

But hey it's fair for you to ask for text too, so I had a quick
look and found [1] which seems fairly on the money. (Via [2] which
may have even better refs.)

How's about adding something like:

"
2.6 Re-identification

Re-identification of a user via DNS queries is also a potential
threat. If the adversary knows a user's identity and can watch their
DNS queries for a period, then that same adversary may be able to
re-identify the user solely based on their pattern of DNS queries
later on regardless of the location from which the user makes those
queries. For example, one study [1] found that such re-identification
is possible so that "73.1% of all day-to-day links were correctly
established, i.e. user u was either re-identified unambiguously (1)
or the classifier correctly reported that u was not present on day
t+1 any more (2)" While that study related to web browsing behaviour,
equally characteristic patterns may be produced even in
machine-to-machine communications or without a user taking specific
actions, e.g. at reboot time if a characteristic set of services are
accessed by the device.

The IAB privacy and security programme also have a work in progress
[draft-iab-privsec-confidentiality-threat] that considers such
inference based attacks in a more general framework.
"

S.

[1] Herrmann, D., Gerber, C., Banse, C., & Federrath, H. (2012).
    Analyzing characteristic host access patterns for re-identification
    of web user sessions. In Information Security Technology for
    Applications (pp. 136-154). Springer Berlin Heidelberg.
    http://epub.uni-regensburg.de/21103/1/Paper_PUL_nordsec_published.pdf
