Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: TOR and the Digital Freedom Conversation
From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Wed, 11 Dec 2013 09:51:32 -0600

I still believe that anonymity is the enemy of privacy online.  In my
opinion the only way to pull back from the current lack of privacy online is
to instate mechanisms that allow individuals and services to be held
accountable for inappropriate behavior online.  It is not possible to
interact online socially or in business while maintaining anonymity.

RE: case 1
If there is authentication there is no anonymity, and lack of anonymity dose
not equal public disclosure.

RE: case 2
Anonymity in this case is an illusion.  During such a cash transaction you
show your face to people and increasingly video cameras.  (as was pointed
out by other posts).  It does however control which personal attributes are
shared during such transactions.

Online, you cannot separate Identity, Trust, Privacy, and Accountability.
They all interrelate.  When interacting online you must give up some number
of personal attributes.  This means you must know what entity is receiving
these attributes, you must trust that entity to be a good steward of your
information, and you must be able to hold that entity accountable if they
abuse your information.   To have privacy you must have some measure of
identity, trust, and accountability.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Doty
Sent: Wednesday, December 11, 2013 8:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation

On 12/10/2013 06:22 PM, Jones, Mark B wrote:
There is a difference between 'Privacy' and 'Secrecy'

You are correct that there is a difference, but they are not exclusive.
While the use of authentication and no anonymity may be an approach to
protecting published online information from those without access, it
does nothing to preserve privacy in the face of authorized but unwanted
access. Nor does it address the loss of privacy from complete tracking
-- in fact, a true lack of anonymity would destroy privacy.

Case 1: I want to store information in the cloud, but I want to retain
confidentiality of the data. This is a case where strong
authentication/no anonymity would be a viable approach, but there is no
reason to deny anonymity in a general sense. That is, strong
authentication can be used to establish an access control to a data set
without requiring that a person's identity be publicly disclosed.

Case 2: I desire to have some privacy in my actions. Some degree of
anonymity is *required* to accomplish this. For example, if I buy some
books on medieval mysticism it used to be that a simple cash transaction
kept it essentially private. There are some caveats (if the seller knows
my personally then they will know I bought them, but for a random person
off the street it would be essentially anonymous).

It is trivial to demonstrate a connection between privacy and anonymity.
Those promoting a police state are naturally against anonymity. Those
promoting privacy understand the utility of strong encryption and
anonymity.

Tim Doty

  Tor seems like it
may lean toward the latter.



I have found that the following site has a useful perspective on privacy
issues:
https://urldefense.proofpoint.com/v1/url?u=http://www.privacilla.org/&k=
yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2km
izyPIIFTSGui%2BBSZ5A%3D%0A&m=sj%2BUBsRFLKQEGdDFX3kSbUPcuAndal
zDoyXZ5xLKmwk%3D%0A&s=619dce364444d80b0d6ae91bc98a8926a9335302
3015f61f7c1ffc8b2c57039e

Here are some key quotes:

"Importantly, privacy is a personal, subjective condition. One person
cannot
decide for another what his or her sense of privacy should be."

"While privacy is held up as one of our highest values, people also
constantly share information about themselves by allowing others to see
their faces, learn their names, learn what they own, and learn what they
think. In fact, it is a desirable lack of privacy that allows people to
interact with one another socially and in business. This does not mean
that
people should lose control over the information they want to keep
private.
It means that generalizations about privacy are almost always wrong."


https://urldefense.proofpoint.com/v1/url?u=http://www.privacilla.org/fund
amentals/whatisprivacy.html&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&
r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=sj%2B
UBsRFLKQEGdDFX3kSbUPcuAndalzDoyXZ5xLKmwk%3D%0A&s=7a230eb4725
5307ec9137ecaab20a005e92bc778428196abf67c6439b6c3b868



Also 'Privacy' is not the same as 'anonymity'.  It is my opinion that
strong
authentication and the lack of anonymity are the keys to improved
privacy
online.  Only with strong authentication can consumers and services be
held
accountable for behavior online.



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeffrey Sabin
Sent: Tuesday, December 10, 2013 2:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] TOR and the Digital Freedom Conversation



All,



Given the wider US technology community discussions on online privacy
and
monitoring - this seems to be very topical.  In case anyone was not
aware,
this story is taking place at Iowa State University with Tor being a
relevant part of the discussion:




https://urldefense.proofpoint.com/v1/url?u=http://www.insidehighered.co
m/news/2013/12/10/digital-freedom-groups-road-
re&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVF
w2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=sj%2BUBsRFLKQEGdDFX3kSbUPcu
AndalzDoyXZ5xLKmwk%3D%0A&s=4d2958cf3df5a67e238c2fc3da779dbf047b
3313ae9f54847ccad80228185d98
cognition-sparks-legal-debate-iowa-state-u

<https://urldefense.proofpoint.com/v1/url?u=http://www.insidehighered.c
om/ne> ws/2013/12/10/digital-freedom-groups-road-recognition-sparks-
legal-debate-io
wa-state-
u&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVF
w2kmiz

yPIIFTSGui%2BBSZ5A%3D%0A&m=hnGoebKdLtnE2yvxLiQ0OlhXMu%2FRME
Vn0qZFzyM2pgE%3D%

0A&s=5dcb52d50601a7d4ddc3b0479ff3aa4491e442f9a0d830ba2ff5db38ae6c9
762>



and




https://urldefense.proofpoint.com/v1/url?u=https://www.eff.org/deeplink
s/2013/12/open-letter-urging-universities-
encour&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtgl
yNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=sj%2BUBsRFLKQEGdDFX3kSb
UPcuAndalzDoyXZ5xLKmwk%3D%0A&s=289e34098442eb4685fcedadf76a0a5
c704df88dc95c422c78bfd5cb1f07008c
age-conversation-about-online-privacy

<https://urldefense.proofpoint.com/v1/url?u=https://www.eff.org/deeplin
ks/20> 13/12/open-letter-urging-universities-encourage-conversation-
about-online-pr

ivacy&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtgly
NVFw2kmizyPIIF

TSGui%2BBSZ5A%3D%0A&m=hnGoebKdLtnE2yvxLiQ0OlhXMu%2FRMEVn0q
ZFzyM2pgE%3D%0A&s=
75b3522379697ac135dd77ae55292b93024c9c4ab21538dc9f8faf9b4a1fd56e>



Realizing that this isn't necessarily new, but given this recent story,
I am
curious to know what others are doing or observing as it relates to Tor
and
it's discussion at your particular institution.



Many thanks,



Jeff



Jeffrey D. Sabin

DIRECTOR, COMMUNICATIONS AND NETWORK SERVICES



oit



Dial Center

2507 University Avenue    Des Moines, Iowa 50311-4505

Tel  515.271.2935

Fax 515.271.1938

1.800.44.DRAKE x2935

E-mail jeff.sabin () drake edu




Attachment: smime.p7s
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]