<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
]>
<rfc ipr="trust200902" category="info" docName="draft-hansen-privacy-terminology-02.txt">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc rfcedstyle="yes" ?>
<?rfc subcompact="no"?>
<?rfc compact="yes"?>
<front>
<title abbrev="Privacy Terminology">Terminology for Talking about Privacy by Data Minimization:
Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity
Management</title>
<author initials="M." surname="Hansen" fullname="Marit Hansen" role="editor">
<organization>ULD Kiel</organization>
<address>
<email>marit.hansen@datenschutzzentrum.de</email>
</address>
</author>
<author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
<organization>Nokia Siemens Networks</organization>
<address>
<postal>
<street>Linnoitustie 6</street>
<city>Espoo</city>
<code>02600</code>
<country>Finland</country>
</postal>
<phone>+358 (50) 4871445</phone>
<email>Hannes.Tschofenig@gmx.net</email>
<uri>http://www.tschofenig.priv.at</uri>
</address>
</author>
<date year="2011"/>
<abstract>
<t>This document is an attempt to consolidate terminology in the field of privacy by data
minimization. It motivates and develops definitions for anonymity/identifiability,
(un)linkability, (un)detectability, (un)observability, pseudonymity, identity, partial
identity, digital identity and identity management. Starting the definitions from the
anonymity and unlinkability perspective reveals some deeper structures in this field.</t>
<t>Note: This document is discussed at https://www.ietf.org/mailman/listinfo/ietf-privacy </t>
</abstract>
</front>
<middle>
<!-- **************************************************************************************** -->
<section anchor="intro" title="Introduction">
<t>Early papers from the 1980s about privacy by data minimization already deal with
anonymity, unlinkability, unobservability, and pseudonymity. These terms are often used in
discussions about privacy properties of systems.</t>
<t>Data minimization means that, first of all, the ability of others to collect personal data
should be minimized. Often, however, the collection of personal data cannot be prevented
entirely. In such a case, the goal is to minimize the amount of personal data collected. The
time for which collected personal data is stored should be minimized as well.</t>
<t>Data minimization is the only generic strategy to enable anonymity, since all correct
personal data help to identify the subject if we exclude providing misinformation (inaccurate or
erroneous information, provided usually without conscious effort at misleading,
deceiving, or persuading one way or another) or disinformation
(deliberately false or distorted information given out in order to mislead or deceive).</t>
<t>Furthermore, data minimization is the only generic strategy to enable unlinkability,
since all correct personal data provide some linkability if we exclude providing
misinformation or disinformation.</t>
<t>This document does not aim to collect all terms used in the area of privacy.
Even the definition of the term 'privacy' itself is difficult due to its contextual nature; the understanding
of privacy has changed over time. For the purpose of this document we refer to one
fairly well established definition by Alan Westin from 1967 <xref target="West67"/>:
</t>
<t>
<list style="empty">
<t>"Privacy is the claim of individuals, groups, or institutions to
determine for themselves when, how, and to what extent information about them is
communicated to others. Viewed in terms of the relation of the individual to social
participation, privacy is the voluntary and temporary withdrawal of a person from the
general society through physical or psychological means, either in a state of solitude
or small-group intimacy or, when among larger groups, in a condition of anonymity or
reserve.", see page 7 of <xref target="West67"/>.
</t>
</list>
</t>
</section>
<!-- **************************************************************************************** -->
<section anchor="anonymity" title="Anonymity">
<t>To enable anonymity of a subject, there always has to be an appropriate set of subjects
with potentially the same attributes.</t>
<t>
<list style="hanging">
<t hangText="Definition:"> Anonymity of a subject means that the subject is not
identifiable within a set of subjects, the anonymity set. </t>
</list>
</t>
<t>Note:<list style="empty">
<t> "not identifiable within the anonymity set" means that only using the information the
attacker has at his discretion, the subject is not distinguishable from the other subjects within the
anonymity set. </t>
<t>To underline that for some applications anonymity can be quantified (instead of being
treated purely as a binary value), it is possible to use the following variation of the
previous definition: "Anonymity of a subject from an attacker's perspective means
that the attacker cannot sufficiently identify the subject within a set of subjects, the
anonymity set." </t>
</list>
</t>
<t> The anonymity set is the set of all possible subjects. The set of possible subjects
depends on the knowledge of the attacker. Thus, anonymity is relative with respect to the
attacker. With respect to actors, the anonymity set consists of the subjects who might cause
an action. With respect to actees, the anonymity set consists of the subjects who might be
acted upon. Therefore, a sender may be anonymous (sender anonymity) only within a set of
potential senders, his/her sender anonymity set, which itself may be a subset of all
subjects who may send a message. Correspondingly, a recipient may be anonymous (recipient
anonymity) only within a set of potential recipients, his/her recipient anonymity set. Both
anonymity sets
may be disjoint, be the same, or they may overlap. The anonymity sets may vary over time.
Since we assume that the attacker does not forget anything he knows, the anonymity set
cannot increase w.r.t. a particular item of interest (IOI; see <xref target="unlinkability"/>).
In particular, subjects joining the system in a later
stage do not belong to the anonymity set from the point of view of an attacker observing
the system in an earlier stage. (Please note that if the attacker cannot decide whether the
joining subjects were present earlier, the anonymity set does not increase either: It just
stays the same.) Due to linkability, cf. below, the anonymity set normally can only
decrease. </t>
<t>Anonymity of a set of subjects within an anonymity set means that all
these individual subjects are not identifiable within this anonymity set. In this
definition, "set of subjects" is just taken to describe that the anonymity property holds
for all elements of the set. Another possible definition would be to consider the anonymity
property for the set as a whole. Then a semantically quite different definition could read:
Anonymity of a set S of subjects within a larger anonymity set A means that it is not
distinguishable whether the subject s whose anonymity is at stake (and which clearly is within
A) is within S or not. </t>
<t>Anonymity in general as well as the anonymity of
each particular subject is a concept which is very much context dependent (on, e.g.,
subject population, attributes, time frame, etc.). In order to quantify anonymity within
concrete situations, one would have to describe the system in sufficient detail, which is
practically not always possible for large open systems. Besides the quantity of anonymity provided within a particular setting,
there is another aspect of anonymity: its robustness. Robustness of anonymity characterizes
how stable the quantity of anonymity is against changes in the particular setting, e.g., a
stronger attacker or different probability distributions. We might use quality of anonymity
as a term comprising both quantity and robustness of anonymity. To keep this text as simple
as possible, we will mainly discuss the quantity of anonymity in the following, using the
wording "strength of anonymity". </t>
<t> The above definitions of anonymity and the mentioned measures of quantifying anonymity are
fine to characterize the status of a subject in a world as it is. If we want to describe
changes to the anonymity of a subject if the world is changed somewhat, e.g., the subject
uses the communication network differently or uses a modified communication network, we need
another definition of anonymity capturing the delta. The simplest way to express this delta
is by the observations of "the" attacker. </t>
<t>
<list style="hanging">
<t hangText="Definition:"> An anonymity delta (regarding a subject's anonymity) from an
attacker's perspective specifies the difference between the subject's anonymity taking
into account the attacker's observations (i.e., the attacker's a-posteriori knowledge)
and the subject's anonymity given the attacker's a-priori knowledge only.</t>
</list>
</t>
<t>Note:<list style="empty">
<t> In some publications, the a-priori knowledge of the attacker is called "background
knowledge" and the a-posteriori knowledge of the attacker is called "new knowledge".
</t>
</list>
</t>
<t> As we can quantify anonymity in concrete situations, so we can quantify the anonymity
delta. This can be done by just defining: quantity(anonymity delta) :=
quantity(anonymity_a-posteriori) - quantity(anonymity_a-priori)</t>
<t>If anonymity_a-posteriori
and anonymity_a-priori are the same, their quantification is the same and therefore the
difference of these quantifications is 0. If anonymity can only decrease (which usually is
quite a reasonable assumption), the maximum of quantity(anonymity delta) is 0. </t>
<t> Since anonymity cannot increase, the anonymity delta can never be positive. Having an
anonymity delta of zero means that anonymity stays the same. This means that if the attacker
has no a-priori knowledge about the particular subject, having no anonymity delta implies
anonymity. But if the attacker has an a-priori knowledge covering all actions of the
particular subject, having no anonymity delta does not imply any anonymity at all. If there
is no anonymity from the very beginning, even preserving it completely does not yield any
anonymity. To be able to express this conveniently, we use wordings like "perfect
preservation of a subject's anonymity". It might be worthwhile to generalize "preservation
of anonymity of single subjects" to "preservation of anonymity of sets of subjects", in the
limiting case all subjects in an anonymity set. An important special case is that the "set
of subjects" is the set of subjects having one or several attribute values A in common. Then
the meaning of "preservation of anonymity of this set of subjects" is that knowing A does
not decrease anonymity. Having a negative anonymity delta means that anonymity is decreased. </t>
</section>
<!--
****************************************************************************************
-->
<section anchor="unlinkability" title="Unlinkability">
<t>
<list style="hanging">
<t hangText="Definition:"> Unlinkability of two or more items of interest (IOIs, e.g.,
subjects, messages, actions, ...) from an attacker's perspective means that within the
system (comprising these and possibly other items), the attacker cannot sufficiently
distinguish whether these IOIs are related or not.</t>
</list>
</t>
<t>Linkability is the negation of unlinkability: </t>
<t>
<list style="hanging">
<t hangText="Definition:"> Linkability of two or more items of interest (IOIs, e.g.,
subjects, messages, actions, ...) from an attacker's perspective means that within the
system (comprising these and possibly other items), the attacker can sufficiently
distinguish whether these IOIs are related or not.</t>
</list>
</t>
<t> For example, in a scenario with at least two senders, two messages sent by subjects within
the same anonymity set are unlinkable for an attacker if for him, the probability that these
two messages are sent by the same sender is sufficiently close to 1/(number of senders).</t>
<t>
<list style="hanging">
<t hangText="Definition:"> An unlinkability delta of two or more items of interest (IOIs,
e.g., subjects, messages, actions, ...) from an attacker's perspective specifies the
difference between the unlinkability of these IOIs taking into account the attacker's
observations and the unlinkability of these IOIs given the attacker's a-priori knowledge
only. </t>
</list>
</t>
<t> Since we assume that the attacker does not forget anything, unlinkability cannot increase.
Normally, the attacker's knowledge cannot decrease (analogously to Shannon's definition of
"perfect secrecy"). An exception to this rule is the scenario where the use of
misinformation (inaccurate or erroneous information, provided usually without conscious
effort at misleading, deceiving, or persuading one way or another <xref target="Wils93"/>)
or disinformation (deliberately false or distorted information given out in order to mislead
or deceive <xref target="Wils93"/>) leads to a growing uncertainty of the attacker which
information is correct. A related, but different aspect is that information may become wrong
(i.e., outdated) simply because the state of the world changes over time. Since privacy is
not only about protecting the current state, but also the past and history of a data subject,
we will not make use of this different aspect in the rest of this document. Therefore,
the unlinkability delta can never be positive. Having an unlinkability delta of zero means
that the probability of those items being related from the attacker's perspective stays
exactly the same before (a-priori knowledge) and after the attacker's observations
(a-posteriori knowledge of the attacker). If the attacker has no a-priori knowledge about
the particular IOIs, having an unlinkability delta of zero implies unlinkability. But if the
attacker has a-priori knowledge covering the relationships of all IOIs, having an
unlinkability delta of zero does not imply any unlinkability at all. If there is no
unlinkability from the very beginning, even preserving it completely does not yield any
unlinkability. To be able to express this conveniently, we use wordings like "perfect
preservation of unlinkability w.r.t. specific items" to express that the unlinkability delta
is zero. It might be worthwhile to generalize "preservation of unlinkability of two IOIs" to
"preservation of unlinkability of sets of IOIs", in the limiting case all IOIs in the
system. </t>
<t> For example, the unlinkability delta of two messages is sufficiently small (zero) for an
attacker if the probability describing his a-posteriori knowledge that these two messages
are sent by the same sender and/or received by the same recipient is sufficiently (exactly)
the same as the probability imposed by his a-priori knowledge. Please note that
unlinkability of two (or more) messages of course may depend on whether their content is
protected against the attacker considered. In particular, messages may be unlinkable if we
assume that the attacker is not able to get information on the sender or recipient from the
message content. Yet with access to their content, even without
deep semantic analysis, the attacker can notice certain characteristics which link them
together - e.g. similarities in structure, style, use of some words or phrases, consistent
appearance of some grammatical errors, etc. In a sense, content of messages may play a role
as "side channel" in a similar way as in cryptanalysis - i.e., content of messages may leak
some information on their linkability. </t>
<t>Roughly speaking, no unlinkability delta of items means that the ability of the attacker to
relate these items does not increase by observing the system or by possibly interacting with
it.</t>
<t> The definitions of unlinkability, linkability and unlinkability delta do not mention any
particular set of IOIs they are restricted to. Therefore, the definitions of unlinkability
and unlinkability delta are very strong, since they cover the whole system. We could weaken
the definitions by restricting them to part of the system: "Unlinkability of two or more
IOIs from an attacker's perspective means that within an unlinkability set of IOIs
(comprising these and possibly other items), the attacker cannot sufficiently distinguish
whether these IOIs are related or not." </t>
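<t>As an added example that is not part of this draft, the following Python sketch makes the quantities used in this and the previous section concrete: the attacker's knowledge about the sender of a message is modelled as a probability distribution over the subjects of the system (a modelling choice assumed here), the strength of anonymity is quantified as the entropy of that distribution, the anonymity delta is computed as quantity(a-posteriori) minus quantity(a-priori), and two messages are checked for unlinkability against the 1/(number of senders) criterion given above. All subject names and distributions are constructed.</t>
```python
"""Quantifying anonymity, the anonymity delta, and the linkability of two messages.

Added example, not part of the draft. The attacker's knowledge about who sent a
message is modelled as a probability distribution over the subjects of the
system; the subject names and distributions below are constructed.
"""
from math import log2


def anonymity_set(belief):
    """The anonymity set: every subject the attacker cannot rule out (probability > 0)."""
    return frozenset(subject for subject, p in belief.items() if p > 0)


def anonymity_quantity(belief):
    """One way to quantify the draft's "strength of anonymity": the Shannon
    entropy (in bits) of the attacker's belief. A uniform belief over n
    candidates gives log2(n); an attacker who is certain gets 0."""
    return -sum(p * log2(p) for p in belief.values() if p > 0)


def anonymity_delta(prior, posterior):
    """quantity(anonymity delta) := quantity(anonymity_a-posteriori) - quantity(anonymity_a-priori)."""
    return anonymity_quantity(posterior) - anonymity_quantity(prior)


def observe(prior, ruled_out):
    """A-posteriori belief after an observation that rules some subjects out.
    The attacker never forgets, so candidates are only ever removed and the
    remaining probability mass is renormalised; the anonymity set cannot grow."""
    kept = {subject: p for subject, p in prior.items() if subject not in ruled_out}
    total = sum(kept.values())
    if total == 0:
        raise ValueError("observation rules out every candidate")
    return {subject: p / total for subject, p in kept.items()}


def same_sender_probability(belief_m1, belief_m2):
    """The attacker's probability that two messages share a sender, treating his
    beliefs about the two messages as independent (an assumption of this model)."""
    return sum(p * belief_m2.get(subject, 0.0) for subject, p in belief_m1.items())


def unlinkable(belief_m1, belief_m2, n_senders, tolerance=1e-9):
    """The draft's example: two messages are unlinkable for the attacker if the
    probability that they were sent by the same sender is sufficiently close to
    1/(number of senders)."""
    gap = abs(same_sender_probability(belief_m1, belief_m2) - 1.0 / n_senders)
    return not gap > tolerance


def uniform(subjects):
    """A-priori belief of an attacker without any background knowledge."""
    return {subject: 1.0 / len(subjects) for subject in subjects}


if __name__ == "__main__":
    subjects = ["alice", "bob", "carol", "dave"]  # constructed
    prior = uniform(subjects)
    # Constructed observation: dave was provably offline while the message was sent.
    posterior = observe(prior, {"dave"})
    print("anonymity set before:", sorted(anonymity_set(prior)))
    print("anonymity set after: ", sorted(anonymity_set(posterior)))
    print("anonymity delta (bits):", round(anonymity_delta(prior, posterior), 3))
    m1, m2 = uniform(subjects), uniform(subjects)
    print("two messages unlinkable:", unlinkable(m1, m2, len(subjects)))
    known = {"alice": 1.0}
    print("two messages known to be alice's unlinkable:", unlinkable(known, known, len(subjects)))
```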
</section>
<!--
****************************************************************************************
-->
<section anchor="ano-unlink" title="Anonymity in Terms of Unlinkability">
<t>To describe anonymity in terms of unlinkability, we have to augment the definitions of
anonymity given in <xref target="anonymity"/> by making explicit the attributes anonymity
relates to. For example, if we choose the attribute "having sent a message" then we can define:
</t>
<t> A sender s sends a set of messages M anonymously, iff s is anonymous within the set of
potential senders of M, the sender anonymity set of M.</t>
<t>If the attacker's focus is not on the sender, but on the message, we can define:</t>
<t>A set of messages M is sent anonymously, iff M can have been sent by each set of potential
senders, i.e., by any set of subjects within the cross product of the sender anonymity sets
of each message m within M.</t>
<t>When considering sending and
receiving of messages as attributes, the items of interest (IOIs) are "who has sent or
received which message"; then anonymity of a subject w.r.t. an attribute may be defined as
unlinkability of this subject and this attribute. In the wording of the definition of unlinkability:
a subject s is related to the attribute value "has sent message m" if s has sent message m; s is not
related to that attribute value if s has not sent message m. The same holds for receiving. Unlinkability is a
sufficient condition for
anonymity, but it is not a necessary condition. Thus, failing unlinkability w.r.t. some
attribute value(s) does not necessarily eliminate anonymity as defined in <xref
target="anonymity"/>; in specific cases (i.e., depending on the attribute value(s)) even
the strength of anonymity may not be affected. </t>
<t><list style="hanging">
<t hangText="Definition:">
Sender anonymity of a subject means that to this potentially sending subject,
each message is unlinkable. </t>
</list>
</t>
<t>Note:<list style="empty">
<t> The property unlinkability might be more "fine-grained" than anonymity, since there
are many more relations where unlinkability might be an issue than just the relation
"anonymity" between subjects and IOIs. Therefore, the attacker might get to know
information on linkability while not necessarily reducing anonymity of the particular
subject - depending on the defined measures. An example might be that the attacker, in
spite of being able to link, e.g., by timing, all encrypted messages of a transaction,
does not learn who is doing this transaction. </t>
</list>
</t>
<t>Correspondingly, recipient anonymity of a subject means that to this potentially receiving
subject, each message is unlinkable.</t>
<t>Relationship anonymity of a pair of subjects, the potentially sending subject and the
potentially receiving subject, means that to this potentially communicating pair of
subjects, each message is unlinkable. In other words, sender and recipient (or each
recipient in case of multicast) are unlinkable. As sender anonymity of a message cannot hold
against the sender of this message himself nor can recipient anonymity hold against any of
the recipients w.r.t. himself, relationship anonymity is considered w.r.t. outsiders only,
i.e., attackers being neither the sender nor one of the recipients of the messages under
consideration.</t>
<t>Thus, relationship anonymity is a weaker property than each of sender anonymity and
recipient anonymity: The attacker might know who sends which messages or he might know who
receives which messages (and in some cases even who sends which messages and who receives
which messages). But as long as for the attacker each message sent and each message received
are unlinkable, he cannot link the respective senders to recipients and vice versa, i.e.,
relationship anonymity holds. The relationship anonymity set can be defined to be the cross
product of two potentially distinct sets, the set of potential senders and the set of
potential recipients or - if it is possible to exclude some of these pairs - a subset of
this cross product. So the relationship anonymity set is the set of all possible
sender-recipient(s)-pairs. In case of multicast, the set of potential recipients is the
power set of all potential recipients. If we take the perspective of a subject sending (or
receiving) a particular message, the relationship anonymity set becomes the set of all
potential recipients (senders) of that particular message. So fixing one factor of the cross
product gives a recipient anonymity set or a sender anonymity set.</t>
<t>Note:<list style="empty">
<t>The following is an explanation of the statement made in the previous paragraph
regarding relationship anonymity: For all attackers it holds that sender anonymity
implies relationship anonymity, and recipient anonymity implies relationship anonymity.
This is true if anonymity is taken as a binary property: Either it holds or it does not
hold. If we consider quantities of anonymity, the validity of the implication possibly
depends on the particular definitions of how to quantify sender anonymity and recipient
anonymity on the one hand, and how to quantify relationship anonymity on the other.
There exists at least one attacker model where relationship anonymity implies neither
sender anonymity nor recipient anonymity. Consider an attacker who neither
controls any senders nor any recipients of messages, but all lines and - maybe - some
other stations. If w.r.t. this attacker relationship anonymity holds, you can neither
argue that against him sender anonymity holds nor that recipient anonymity holds. The
classical MIX-net <xref target="Chau81"/> without dummy traffic is one
implementation with just this property: The attacker sees who sends messages when and
who receives messages when, but cannot figure out who sends messages to whom. </t>
</list>
</t>
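<t>As an added example that is not part of this draft, the following Python sketch models the relationship anonymity set of one mix batch under the attacker of the note above, who controls no sender and no recipient but observes all lines: it builds the cross product of the observed senders and recipients, removes the pairs excluded by the assumed rule that a message cannot be received before it was sent, shows that fixing one factor of the cross product yields a recipient or sender anonymity set, and contrasts this with the sender anonymity that such an attacker trivially defeats. All subjects and timestamps are constructed.</t>
```python
"""Relationship anonymity set of one mix batch, seen by a line-observing attacker.

Added example, not part of the draft. The attacker model is the one from the note
on the MIX-net: he controls no sender and no recipient but observes all lines, so
he learns who sent a message at which time and who received one at which time,
and nothing about message content (the mix re-encrypts and reorders). The only
exclusion rule modelled is the assumed one that a message cannot be received
before it was sent. All subjects and timestamps are constructed.
"""
from itertools import product

# Constructed observations: (subject, time) of each message entering the mix
# (one per sender) and of each message leaving it (one per recipient).
SENDS = [("alice", 1), ("bob", 2), ("carol", 4)]
RECEIVES = [("dave", 3), ("erin", 5), ("frank", 6)]


def relationship_anonymity_set(sends, receives):
    """The cross product of potential senders and potential recipients, minus the
    pairs the attacker can exclude: (s, r) is ruled out if r's receive time does
    not come after s's send time."""
    send_time = dict(sends)
    receive_time = dict(receives)
    return frozenset(
        (s, r)
        for s, r in product(send_time, receive_time)
        if receive_time[r] > send_time[s]
    )


def recipient_anonymity_set(pairs, sender):
    """Fixing the sender factor of the cross product gives that sender's
    recipient anonymity set for this batch."""
    return frozenset(r for s, r in pairs if s == sender)


def sender_anonymity_set(pairs, recipient):
    """Fixing the recipient factor gives that recipient's sender anonymity set."""
    return frozenset(s for s, r in pairs if r == recipient)


def relationship_anonymity_holds(pairs):
    """Relationship anonymity as a binary property: every sender still has more
    than one possible recipient and every recipient more than one possible
    sender, so the attacker can link no sender to a recipient."""
    senders = {s for s, _ in pairs}
    recipients = {r for _, r in pairs}
    return all(len(recipient_anonymity_set(pairs, s)) > 1 for s in senders) and all(
        len(sender_anonymity_set(pairs, r)) > 1 for r in recipients
    )


def message_sender_anonymity_sets(sends):
    """What the line observer knows per message: he saw it leave its sender's
    line, so each message's sender anonymity set is a singleton. Sender anonymity
    fails against him even where relationship anonymity holds."""
    return {index: frozenset({s}) for index, (s, _) in enumerate(sends)}


if __name__ == "__main__":
    pairs = relationship_anonymity_set(SENDS, RECEIVES)
    print("relationship anonymity set:", sorted(pairs))
    print("carol's recipient anonymity set:", sorted(recipient_anonymity_set(pairs, "carol")))
    print("relationship anonymity holds:", relationship_anonymity_holds(pairs))
    print("per-message sender anonymity sets:", message_sender_anonymity_sets(SENDS))
    # Timing as a side channel: if dave receives before bob and carol have sent,
    # only alice can be his sender and relationship anonymity breaks for that pair.
    late_sends = [("alice", 1), ("bob", 3), ("carol", 4)]
    early_receives = [("dave", 2), ("erin", 5), ("frank", 6)]
    leaky = relationship_anonymity_set(late_sends, early_receives)
    print("dave's sender anonymity set:", sorted(sender_anonymity_set(leaky, "dave")))
    print("relationship anonymity holds:", relationship_anonymity_holds(leaky))
```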
</section>
<!--
****************************************************************************************
-->
<section anchor="undect-unobs" title="Undetectability and Unobservability">
<t>In contrast to anonymity and unlinkability, where not the IOI, but only its relationship to
subjects or other IOIs is protected, for undetectability, the IOIs are protected as such.
Undetectability can be regarded as a possible and desirable property of steganographic
systems. Therefore it matches the information hiding
terminology (see <xref target="Pfit96"/>, <xref target="ZFKP98"/>). In contrast, anonymity,
dealing with the relationship of discernible IOIs to subjects, does not directly fit into
that terminology, but independently represents a different dimension of properties.</t>
<t>
<list style="hanging">
<t hangText="Definition:"> Undetectability of an item of interest (IOI) from an attacker's
perspective means that the attacker cannot sufficiently distinguish whether it exists or
not.</t>
</list>
</t>
<t>If we consider messages as IOIs, this means that messages are not sufficiently discernible
from, e.g., "random noise". A slightly more precise formulation might be that messages are
not discernible from no message. A quantification of this property might measure the number
of indistinguishable IOIs and/or the probabilities of distinguishing these IOIs.</t>
<t>Undetectability is maximal iff whether an IOI exists or not is completely
indistinguishable. We call this perfect undetectability.</t>
<t>
<list style="hanging">
<t hangText="Definition:"> An undetectability delta of an item of interest (IOI) from an
attacker's perspective specifies the difference between the undetectability of the IOI
taking into account the attacker's observations and the undetectability of the IOI given
the attacker's a-priori knowledge only. </t>
</list>
</t>
<t>The undetectability delta is zero iff whether an IOI exists or not is indistinguishable to
exactly the same degree whether the attacker takes his observations into account or not. We
call this "perfect preservation of undetectability".</t>
<t> Undetectability of an IOI clearly is only possible w.r.t. subjects being not involved in
the IOI (i.e., neither being the sender nor one of the recipients of a message). Therefore,
if we just speak about undetectability without spelling out a set of IOIs, it goes without
saying that this is a statement comprising only those IOIs the attacker is not involved in.</t>
<t> As the definition of undetectability stands, it has nothing to do with anonymity - it does
not mention any relationship between IOIs and subjects. Even more, for subjects being
involved in an IOI, undetectability of this IOI is clearly impossible. Therefore, early
papers describing new mechanisms for undetectability designed the mechanisms in a way that
if a subject necessarily could detect an IOI, the other subject(s) involved in that IOI
enjoyed anonymity at least. The rationale for this is to strive for data minimization: No
subject should get to know any (potentially personal) data - except this is absolutely
necessary. This means that
<list style="numbers">
<t>Subjects
being not involved in the IOI get to know absolutely nothing.</t>
<t>Subjects being involved in
the IOI only get to know the IOI, but not the other subjects involved - the other subjects
may stay anonymous.</t>
</list>
If the
attributes "sending a message" or "receiving a message" are the only kinds of attributes
considered, 1. and 2. together provide data minimization in this setting in an absolute
sense. Undetectability by uninvolved subjects together with anonymity even if IOIs can
necessarily be detected by the involved subjects has been called unobservability: </t>
<t>
<list style="hanging">
<t hangText="Definition:"> Unobservability of an item of interest (IOI) means <list
style="symbols">
<t>undetectability of the IOI against all subjects uninvolved in it and</t>
<t>anonymity of the subject(s) involved in the IOI even against the other subject(s)
involved in that IOI.</t>
</list>
</t>
</list>
</t>
<t> As we had anonymity sets of subjects with respect to anonymity, we have unobservability
sets of subjects with respect to unobservability. The main difference is that
unobservability deals with IOIs instead of subjects only. Nevertheless, like anonymity sets,
unobservability sets consist of all subjects who might possibly cause these IOIs, i.e., send
and/or receive messages.</t>
<t> Sender unobservability then means that it is sufficiently undetectable whether any sender
within the unobservability set sends. Sender unobservability is perfect iff it is completely
undetectable whether any sender within the unobservability set sends.</t>
<t> Recipient unobservability then means that it is sufficiently undetectable whether any
recipient within the unobservability set receives. Recipient unobservability is perfect iff
it is completely undetectable whether any recipient within the unobservability set receives. </t>
<t> Relationship unobservability then means that it is sufficiently undetectable whether
anything is sent out of a set of could-be senders to a set of could-be recipients. In other
words, it is sufficiently undetectable whether within the relationship unobservability set
of all possible sender-recipient(s)-pairs, a message is sent in any relationship.
Relationship unobservability is perfect iff it is completely undetectable whether anything
is sent out of a set of could-be senders to a set of could-be recipients. </t>
<t> All other things being equal, the larger the respective unobservability set is, the
stronger the unobservability.</t>
<t>
<list style="hanging">
<t hangText="Definition:">An unobservability delta of an item of interest (IOI) means
<list style="symbols">
<t>undetectability delta of the IOI against all subjects uninvolved in it and</t>
<t>anonymity delta of the subject(s) involved in the IOI even against the other
subject(s) involved in that IOI.</t>
</list>
</t>
</list>
</t>
<t>Since we assume that the attacker does not forget anything, unobservability cannot
increase. Therefore, the unobservability delta can never be positive. Having an
unobservability delta of zero w.r.t. an IOI means an undetectability delta of zero of the
IOI against all subjects uninvolved in the IOI and an anonymity delta of zero against those
subjects involved in the IOI. To be able to express this conveniently, we use wordings like
"perfect preservation of unobservability" to express that the unobservability delta is zero.</t>
</section>
<!--
****************************************************************************************
-->
<!--
<section anchor="known-mechs"
title="Known Mechanisms for Anonymity, Undetectability, and Unobservability">
<t>Before it makes sense to speak about any particular mechanisms for anonymity,
undetectability, and unobservability in communications, let us first remark that all of them
assume that stations of users do not emit signals the attacker considered is able to use for
identification of stations or their behavior or even for identification of users or their
behavior. So if you travel around taking with you a mobile phone sending more or less
continuously signals to update its location information within a cellular radio network,
don't be surprised if you are tracked using its signals. If you use a computer emitting lots
of radiation due to a lack of shielding, don't be surprised if observers using high-tech
equipment know quite a bit about what's happening within your machine. If you use a
computer, PDA, or smartphone without sophisticated access control, don't be surprised if
Trojan horses send your secrets to anybody interested whenever you are online - or via
electromagnetic emanations even if you think you are completely offline.</t>
<t>DC-net <xref target="Chau85"/>, <xref target="Chau88"/>, and MIX-net <xref target="Chau81"
/> are mechanisms to achieve sender anonymity and relationship anonymity, respectively, both
against strong attackers. If we add dummy traffic, both provide for the corresponding
unobservability <xref target="PfPW91"/>. If dummy traffic is used to pad sending and/or
receiving on the sender's and/or recipient's line to a constant rate traffic, MIX-nets can
even provide sender and/or recipient anonymity and unobservability. </t>
<t>Broadcast <xref target="Chau85"/>, <xref target="PfWa86"/>, <xref target="Waid90"/> and
private information retrieval <xref target="CoBi95"/> are mechanisms to achieve recipient
anonymity against strong attackers. If we add dummy traffic, both provide for recipient
unobservability.</t>
<t> This may be summarized: A mechanism to achieve some kind of anonymity appropriately
combined with dummy traffic yields the corresponding kind of unobservability.</t>
<t> Of course, dummy traffic alone can be used to make the number and/or length of sent
messages undetectable by everybody except for the recipients; respectively, dummy traffic
can be used to make the number and/or length of received messages undetectable by everybody
except for the senders. (Note: Misinformation and disinformation may be regarded as semantic
dummy traffic, i.e., communication from which an attacker cannot decide which are real
requests with real data or which are fake ones. Assuming the authenticity of misinformation
or disinformation may lead to privacy problems for (innocent) bystanders.) </t>
<t>As a side remark, we mention steganography and spread spectrum as two other well-known
undetectability mechanisms.</t>
<t> The usual concept to achieve undetectability of IOIs at some layer, e.g., sending
meaningful messages, is to achieve statistical independence of all discernible phenomena at
some lower implementation layer. An example is sending dummy messages at some lower layer to
achieve, e.g., a constant rate flow of messages looking - by means of encryption - randomly
for all parties except the sender and the recipient(s). </t>
</section>
-->
<!--
****************************************************************************************
-->
<section anchor="pseudonymity" title="Pseudonymity">
<t>Having anonymity of human beings, unlinkability, and maybe unobservability is superb w.r.t.
data minimization, but would prevent any useful two-way communication. For many
applications, we need appropriate kinds of identifiers: </t>
<t>
<list style="hanging">
<t hangText="Definition:">A pseudonym is an identifier of a subject other than one of the
subject's real names.</t>
</list>
</t>
<t>Note:<list style="empty">
<t>An identifier is defined in <xref target="id"/> as "a lexical token that names entities".</t>
<t>In our setting 'subject' means sender or recipient.</t>
<t>The term 'real name' is the antonym to "pseudonym". There may be multiple real names
over lifetime, in particular the legal names, i.e., for a human being the names which
appear on the birth certificate or on other official identity documents issued by the
State; for a legal person the name under which it operates and which is registered in
official registers (e.g., commercial register or register of associations). A human
being's real name typically comprises their given name and a family name. In the realm
of identifiers, it is tempting to define anonymity as "the attacker cannot sufficiently
determine a real name of the subject". But despite the simplicity of this definition, it
is severely restricted: It can only deal with subjects which have at least one real
name. It presumes that it is clear who is authorized to attach real names to subjects.
It fails to work if the relation to real names is irrelevant for the application at
hand. Therefore, we stick to the definitions given in <xref target="anonymity"/>.
<!-- A slightly broader discussion of this topic is given in Appendix A3. --> Note that
from a mere technological perspective it cannot always be determined whether an
identifier of a subject is a pseudonym or a real name.</t>
</list>
</t>
<t>Additional useful terms are:</t>
<t>
<list style="hanging">
<t hangText="Definition:"> The subject which the pseudonym refers to is the holder of the
pseudonym.<vspace blankLines="1"/></t>
<t hangText="Definition:">A subject is pseudonymous if a pseudonym is used as identifier
instead of one of its real names.</t>
</list>
</t>
<t>
<list style="hanging">
<t hangText="Definition:">Pseudonymity is the use of pseudonyms as identifiers.</t>
</list>
</t>
<t>So sender pseudonymity is defined as the sender being pseudonymous, recipient pseudonymity
is defined as the recipient being pseudonymous.</t>
<t>In the context of Internet communication we use the term digital pseudonym for a
pseudonym that can be used to authenticate the holder's IOIs, i.e., the holder, and only
the holder, can authenticate messages relative to the pseudonym.</t>
<t>Preparing for the use of pseudonyms, e.g., by establishing rules how and under which
conditions the civil identities of holders of pseudonyms will be disclosed by so-called
identity brokers, or how uncovered claims are prevented by so-called liability brokers, is
part of pseudonymity in the broad sense of the definition above. </t>
<t>Note:<list style="empty">
<t>For each pseudonym it serves, an identity broker knows who the respective holder is.
Therefore, identity brokers can be implemented as a special kind of certification
authority for pseudonyms. Since anonymity can be described as a particular kind of
unlinkability, cf. <xref target="ano-unlink"/>, the concept of identity broker can be
generalized to linkability broker. A linkability broker is a (trusted) third party that,
adhering to agreed rules, enables linking IOIs for those entities entitled to get to know
the linking.</t>
</list>
</t>
<t>Authenticating IOIs relative to a pseudonym is usually not enough to achieve
accountability for these IOIs. </t>
<t>Therefore, in many situations it makes sense to let identity brokers authenticate
digital pseudonyms (i.e., check the civil identity of the holder of the pseudonym and then
issue a digitally signed statement that this particular identity broker has proof of the
identity of the holder of this digital pseudonym and is willing to divulge that proof under
well-defined circumstances), to let liability brokers vouch for the holder's ability to
clear a debt or settle a claim, or both.</t>
<t>Note:<list style="empty">
<t>If the holder of the pseudonym is a natural person or a legal person, civil identity
has the usual meaning, i.e. the identity attributed to that person by a State
(e.g., a natural person being represented by the social security number or the combination of name, date of
birth, and location of birth etc.). If the holder is, e.g., a computer, it remains to
be defined what "civil identity" should mean. It could mean, for example, exact type
and serial number of the computer (or essential components of it) or even include the
natural person or legal person responsible for its operation.</t>
</list>
</t>
<t>If the digitally
signed statement of a trusted identity broker is checked before entering into a
transaction with the holder of that pseudonym, accountability can be realized in spite of
anonymity.</t>
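<t>The arrangement just described can be made concrete in code. The following Go program is
an added example for this edit, not code from the original text or from any system it
cites: the digital pseudonym is an Ed25519 public key, the identity broker signs a statement
binding that key to a disclosure rule and keeps the linking in escrow, and the relying party
verifies both the broker's statement and the holder's signature on an IOI before entering
into the transaction. The message format of the statement, the broker's escrow table, the
sample civil identity and IOI, and the boolean stand-ins for "identity checked out of band"
and "disclosure rules met" are assumptions of the example.</t>
<t>
<figure>
<artwork><![CDATA[
```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS CSPRNG is unavailable
	}
	return pub, priv
}

// Pseudonym is a digital pseudonym: an identifier (hex of an Ed25519 public key)
// whose holder, and nobody else, can authenticate IOIs by signing them.
type Pseudonym struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPseudonym() *Pseudonym {
	pub, priv := genKey()
	return &Pseudonym{pub: pub, priv: priv}
}

func (p *Pseudonym) ID() string              { return hex.EncodeToString(p.pub) }
func (p *Pseudonym) Sign(ioi []byte) []byte { return ed25519.Sign(p.priv, ioi) }

// Statement is the broker's signed assertion that it has proof of the civil
// identity behind Pseudonym and will divulge it under Rules. No identity inside.
type Statement struct {
	Pseudonym string
	Rules     string
	Signature []byte
}

func (s Statement) signedBytes() []byte { return []byte(s.Pseudonym + "\n" + s.Rules) }

// IdentityBroker: a certification authority for pseudonyms with an escrow table.
type IdentityBroker struct {
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	escrow map[string]string // pseudonym ID -> civil identity (assumed layout)
}

func NewIdentityBroker() *IdentityBroker {
	pub, priv := genKey()
	return &IdentityBroker{Pub: pub, priv: priv, escrow: map[string]string{}}
}

// Certify issues the statement. identityVerified models the broker's out-of-band
// check of the civil identity; without it the broker must refuse to vouch.
func (b *IdentityBroker) Certify(pseudonymID, civilIdentity, rules string, identityVerified bool) (Statement, error) {
	if !identityVerified {
		return Statement{}, errors.New("civil identity not verified, refusing to certify")
	}
	st := Statement{Pseudonym: pseudonymID, Rules: rules}
	st.Signature = ed25519.Sign(b.priv, st.signedBytes())
	b.escrow[pseudonymID] = civilIdentity
	return st, nil
}

// Reveal discloses the linking only when the agreed rules are met (e.g. a court order).
func (b *IdentityBroker) Reveal(pseudonymID string, rulesMet bool) (string, error) {
	id, ok := b.escrow[pseudonymID]
	if !ok || !rulesMet {
		return "", errors.New("unknown pseudonym or disclosure conditions not met")
	}
	return id, nil
}

// VerifyAccountableIOI is the relying party's check before a transaction: the
// trusted broker vouched for this pseudonym and the holder signed the IOI. Both
// hold, and the transaction is accountable without revealing the civil identity.
func VerifyAccountableIOI(brokerPub ed25519.PublicKey, st Statement, ioi, sig []byte) error {
	if !ed25519.Verify(brokerPub, st.signedBytes(), st.Signature) {
		return errors.New("broker statement signature invalid")
	}
	holderPub, err := hex.DecodeString(st.Pseudonym)
	if err != nil || len(holderPub) != ed25519.PublicKeySize {
		return errors.New("malformed pseudonym")
	}
	if !ed25519.Verify(ed25519.PublicKey(holderPub), ioi, sig) {
		return errors.New("IOI not signed by the pseudonym's holder")
	}
	return nil
}

func main() {
	holder, broker := NewPseudonym(), NewIdentityBroker()
	st, _ := broker.Certify(holder.ID(), "Alice Example (constructed)", "disclose on court order", true)
	ioi := []byte("order 42: three items") // constructed IOI
	fmt.Println("accountable:", VerifyAccountableIOI(broker.Pub, st, ioi, holder.Sign(ioi)) == nil)
}
```
]]></artwork>
</figure>
</t>
<t>VerifyAccountableIOI fails if the statement was altered, if the IOI was signed under a
different pseudonym, or if the broker's signature does not check out; Certify refuses to
vouch unless the identity check succeeded, and Reveal refuses unless the agreed rules are
met. A chain of identity brokers, as mentioned below, would spread the escrow over several
parties so that revealing the holder needs the cooperation of all of them.</t>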
<t>Whereas anonymity and accountability are the extremes with respect to linkability to
subjects, pseudonymity is the entire field between and including these extremes. Thus,
pseudonymity comprises all degrees of linkability to a subject. Ongoing use of the same
pseudonym allows the holder to establish or consolidate a reputation. Establishing and/or
consolidating a reputation under a pseudonym is, of course, insecure if the pseudonym does
not enable the authentication of messages, i.e., if the pseudonym is not a digital
pseudonym: then, at any moment, another subject might use this pseudonym, possibly
invalidating the reputation, both for the holder of the pseudonym and for all others
dealing with this pseudonym. Some kinds of pseudonyms enable dealing with claims in case
the unlinkability to the holder is abused: Firstly, third parties (identity brokers) may
have the possibility to reveal the civil identity of the holder in order to provide means
for investigation or prosecution. To improve the robustness of anonymity, chains of
identity brokers may be used <xref target="Chau81"/>, so that revealing the holder
requires the cooperation of every broker in the chain. Secondly, third parties may act as
liability brokers of the holder to clear a debt or settle a claim. <xref target="BuPf90"/>
presents the particular case of value brokers.</t>
<t>There are many properties of pseudonyms which may be of importance in specific application
contexts. In order to describe the properties of pseudonyms with respect to anonymity, we
limit our view to two aspects, the knowledge of the linking between a pseudonym and its
holder, and the context in which a pseudonym is used, and give some typical examples:</t>
<t>The knowledge of the linking is not a constant, but may change over time for some or even
all people. Normally, for non-transferable pseudonyms the knowledge of the linking cannot
decrease (with the exception of misinformation or disinformation, which may blur the
attacker's knowledge). Typical kinds of such pseudonyms are:</t>
<t>
<list style="hanging">
<t hangText="Public Pseudonym:"> The linking between a public pseudonym and its holder
may be publicly known even from the very beginning. E.g., the linking could be listed
in public directories such as the entry of a phone number in combination with its
owner. </t>
<t hangText="Initially non-Public Pseudonym:"> The linking between an initially
non-public pseudonym and its holder may be known by certain parties, but is not public
at least initially. E.g., a bank account where the bank can look up the linking may
serve as a non-public pseudonym. For some specific non-public pseudonyms,
certification authorities acting as identity brokers could reveal the civil identity
of the holder in case of abuse.</t>
<t hangText="Initially Unlinked Pseudonym:"> The linking between an initially unlinked
pseudonym and its holder is - at least initially - not known to anybody with the
possible exception of the holder himself/herself. Examples for unlinked pseudonyms are
(non-public) biometrics like DNA information unless stored in databases including the
linking to the holders.</t>
</list>
</t>
<t>Public pseudonyms and initially unlinked pseudonyms can be seen as extremes of the
described pseudonym aspect whereas initially non-public pseudonyms characterize the
continuum in between.</t>
<t>Anonymity is the stronger, the less is known about the linking to a subject. The strength
of anonymity decreases with increasing knowledge of the pseudonym linking. In particular,
under the assumption that no gained knowledge on the linking of a pseudonym will be
forgotten and that the pseudonym cannot be transferred to other subjects, a public
pseudonym never can become an unlinked pseudonym. In each specific case, the strength of
anonymity depends on the knowledge of certain parties about the linking relative to the
chosen attacker model.</t>
<t>If the pseudonym is transferable, the linking to its holder can change. Considering an
unobserved transfer of a pseudonym to another subject, a formerly public pseudonym can
become non-public again.</t>
<t>With respect to the degree of linkability across contexts, various kinds of pseudonyms may
be distinguished according to the kind of context in which they are used:</t>
<t>
<list style="hanging">
<t hangText="Person pseudonym:"> A person pseudonym is a substitute for the holder's
name which is regarded as representation for the holder's civil identity. It may be
used in many different contexts, e.g., a number of an identity card, the social
security number, DNA, a nickname, the pseudonym of an actor, or a mobile phone number.</t>
<t hangText="Role pseudonym:"> The use of role pseudonyms is limited to specific roles,
e.g., a customer pseudonym or an Internet account used for many instantiations of the
same role "Internet user". The same role pseudonym may be used with
different communication partners. Roles might be assigned by other parties, e.g., a
company, but they might be chosen by the subject himself/herself as well.</t>
<t hangText="Relationship pseudonym:"> For each communication partner, a different
relationship pseudonym is used. The same relationship pseudonym may be used in
different roles for communicating with the same partner. Examples are distinct
nicknames for each communication partner. In case of group communication, the
relationship pseudonyms may be used between more than two partners. </t>
<t hangText="Role-relationship pseudonym:"> For each role and for each communication
partner, a different role-relationship pseudonym is used. This means that the
communication partner does not necessarily know, whether two pseudonyms used in
different roles belong to the same holder. On the other hand, two different
communication partners who interact with a user in the same role, do not know from the
pseudonym alone whether it is the same user. As with relationship pseudonyms, in case
of group communication, the role-relationship pseudonyms may be used between more than
two partners.</t>
<t hangText="Transaction pseudonym:"> Apart from "transaction pseudonym" some employ the
term "one-time-use pseudonym", taking the naming from "one-time pad". For each
transaction, a transaction pseudonym unlinkable to any other transaction pseudonyms
and at least initially unlinkable to any other IOI is used, e.g., randomly generated
transaction numbers for online-banking. Therefore, transaction pseudonyms can be used
to realize as strong anonymity as possible. In fact, the strongest anonymity is given
when there is no identifying information at all, i.e., information that would allow
linking of anonymous entities, thus transforming the anonymous transaction into a
pseudonymous one. If the transaction pseudonym is used exactly once, we have the same
strength of anonymity as if no pseudonym is used at all. Another possibility to
achieve strong anonymity is to prove the holdership of the pseudonym or specific
attribute values (e.g., with zero-knowledge proofs) without revealing the information
about the pseudonym or more detailed attribute values themselves. Then, no
identifiable or linkable information is disclosed. </t>
</list>
</t>
<t>Linkability across different contexts due to the use of these pseudonyms can be represented
as the lattice that is illustrated in the following diagram, see <xref target="fig8"/>. The
arrows point in direction of increasing unlinkability, i.e., A -> B stands for "B enables
stronger unlinkability than A". Note that "->" is not the same as "=>" of <xref
target="relationship"/>, which stands for the implication concerning anonymity and
unobservability. </t>
<t>
<figure anchor="fig8"
title="Lattice of pseudonyms according to their use across different contexts">
<artwork><![CDATA[
                                                      linkable
            Person                   +---------------+   *
           Pseudonym                 |               |   *
          /         \                |  decreasing   |   *
         /           \               |  linkability  |   *
        /             \              |    across     |   *
       v               v             |   contexts    |   *
     Role         Relationship       |               |   *
   Pseudonym        Pseudonym        |               |   *
        \             /              |               |   *
         \           /               |               |   *
          v         v                |               |   *
       Role-Relationship             |               |   *
           Pseudonym                 |               |   *
              |                      |               |   *
              |                      |               |   *
              v                      |               |   *
          Transaction                +---------------+   *
           Pseudonym                                     v
                                                    unlinkable
]]>
</artwork>
</figure>
</t>
<t>In general, unlinkability of both role pseudonyms and relationship pseudonyms is stronger
than unlinkability of person pseudonyms. The strength of unlinkability increases with the
application of role-relationship pseudonyms, the use of which is restricted to both the same
role and the same relationship. If a role-relationship pseudonym is used for roles
comprising many kinds of activities, the danger arises that after a while, it becomes a
person pseudonym in the sense of: "A person pseudonym is a substitute for the holder's name
which is regarded as representation for the holder's civil identity." This is even more true
both for role pseudonyms and relationship pseudonyms. Ultimate strength of unlinkability is
obtained with transaction pseudonyms, provided that no other information, e.g., from the
context or from the pseudonym itself, enabling linking is available.</t>
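<t>The kinds of pseudonyms and the lattice above can be made concrete in code. The following
Go program is an added example for this edit, not code from the original text or from any
system it cites. How a holder generates its pseudonyms is not prescribed by the text, so the
construction used here (an HMAC over the context under a per-holder master secret for every
kind except the transaction pseudonym, which is fresh randomness) is an assumption of the
example, as are the sample actions, roles and partner names. For one holder's constructed
set of actions it shows how many linkable groups an observer can form from the identifiers
alone under each kind of pseudonym.</t>
<t>
<figure>
<artwork><![CDATA[
```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Kind is one of the pseudonym types distinguished by their usage context.
type Kind int

const (
	Person Kind = iota
	Role
	Relationship
	RoleRelationship
	Transaction
)

// IdentityManager derives the pseudonyms of one holder from a single master
// secret (an assumed construction, not one prescribed by the text). Every kind
// except Transaction is deterministic in the part of the context it is scoped
// to: the same context yields the same pseudonym, so reputation can accumulate,
// while an observer without the secret cannot link pseudonyms of different
// contexts from the identifiers alone.
type IdentityManager struct {
	secret []byte
}

func NewIdentityManager() (*IdentityManager, error) {
	s := make([]byte, 32)
	if _, err := rand.Read(s); err != nil {
		return nil, err
	}
	return &IdentityManager{secret: s}, nil
}

// derive is a PRF over the scope. The NUL separators in the scope string keep
// two different (role, partner) pairs from producing the same PRF input.
func (m *IdentityManager) derive(scope string) string {
	mac := hmac.New(sha256.New, m.secret)
	mac.Write([]byte(scope))
	return hex.EncodeToString(mac.Sum(nil)[:8]) // truncated for readability
}

// Pseudonym returns the identifier the holder uses for an action in the given
// role towards the given communication partner.
func (m *IdentityManager) Pseudonym(k Kind, role, partner string) (string, error) {
	switch k {
	case Person:
		return m.derive("person"), nil
	case Role:
		return m.derive("role\x00" + role), nil
	case Relationship:
		return m.derive("rel\x00" + partner), nil
	case RoleRelationship:
		return m.derive("role-rel\x00" + role + "\x00" + partner), nil
	case Transaction:
		b := make([]byte, 8) // fresh randomness: unlinkable even to its own past
		if _, err := rand.Read(b); err != nil {
			return "", err
		}
		return hex.EncodeToString(b), nil
	}
	return "", fmt.Errorf("unknown pseudonym kind %d", k)
}

// Action is one IOI of the holder: in which role, towards which partner, what.
type Action struct{ Role, Partner, What string }

// ObserverView groups the holder's actions by the identifier an observer of all
// of them sees. Actions in one group are linkable from the identifier alone,
// actions in different groups are not; the number of groups grows as one moves
// down the lattice from person to transaction pseudonyms.
func ObserverView(m *IdentityManager, k Kind, actions []Action) (map[string][]string, error) {
	view := map[string][]string{}
	for _, a := range actions {
		p, err := m.Pseudonym(k, a.Role, a.Partner)
		if err != nil {
			return nil, err
		}
		view[p] = append(view[p], a.What)
	}
	return view, nil
}

func main() {
	m, err := NewIdentityManager()
	if err != nil {
		panic(err)
	}
	actions := []Action{ // constructed sample of one holder's activity
		{"buyer", "shopA", "buy book"}, {"buyer", "shopB", "buy lamp"},
		{"seller", "shopA", "sell chair"}, {"buyer", "shopA", "buy pen"},
	}
	for k, name := range []string{"person", "role", "relationship", "role-relationship", "transaction"} {
		view, _ := ObserverView(m, Kind(k), actions)
		fmt.Printf("%-18s observer can form %d linkable group(s)\n", name, len(view))
	}
}
```
]]></artwork>
</figure>
</t>
<t>For the four sample actions the observer can form one group under the person pseudonym,
two under role and under relationship pseudonyms, three under role-relationship pseudonyms
and four under transaction pseudonyms, i.e., the order of the lattice. The grouping counts
only what the identifiers reveal: as stated above, context information may still allow
linking across groups, and a role-relationship pseudonym reused for many kinds of activities
collects enough linked data to turn into a person pseudonym in practice.</t>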
<t>Anonymity is the stronger, ... <list style="symbols">
<t> the less personal data of the pseudonym holder can be linked to the pseudonym;</t>
<t> the less often and the less context-spanning pseudonyms are used and therefore the
less data about the holder can be linked;</t>
<t> the more often independently chosen, i.e., from an observer's perspective unlinkable,
pseudonyms are used for new actions.</t>
</list>
</t>
<t>The amount of information of linked data can be reduced by different subjects using the
same pseudonym (e.g., one after the other when pseudonyms are transferred or simultaneously
with specifically created group pseudonyms) or by misinformation or disinformation. The
group of pseudonym holders acts as an inner anonymity set within a, depending on context
information, potentially even larger outer anonymity set.</t>
</section>
<!--
****************************************************************************************
-->
<!--
<section anchor="known-other" title="Known mechanisms and other properties of pseudonyms">
<t>A digital pseudonym could be realized as a public key to test digital signatures where the
holder of the pseudonym can prove holdership by forming a digital signature which is created
using the corresponding private key <xref target="Chau81"/>. The most prominent example for
digital pseudonyms are public keys generated by the user himself/herself, e.g., using PGP.
In using PGP, each user may create an unlimited number of key pairs by himself/herself (at
this moment, such a key pair is an initially unlinked pseudonym), bind each of them to an
e-mail address, self-certify each public key by using his/her digital signature or asking
another introducer to do so, and circulate it.</t>
<t>A public key certificate bears a digital signature of a so-called certification authority
and provides some assurance to the binding of a public key to another pseudonym, usually
held by the same subject. In case that pseudonym is the civil identity (the real name) of a
subject, such a certificate is called an identity certificate. An attribute certificate is a
digital certificate which contains further information (attribute values) and clearly refers
to a specific public key certificate. Independent of certificates, attributes may be used as
identifiers of sets of subjects as well. Normally, attributes refer to sets of subjects
(i.e., the anonymity set), not to one specific subject.</t>
<t>There are several other properties of pseudonyms related to their use, such as revocation,
lifetime of the pseudonym, non-transferability, frequency of pseudonym changeover, the
ability to reveal civil identities in case of abuse, etc. Some of the properties may require
extension of the digital pseudonym by attributes of some kind. The binding of attributes to
a pseudonym can be documented in an attribute certificate produced either by the holder
himself/herself or by a certification authority.
</t>
</section>
-->
<!--
****************************************************************************************
-->
<section anchor="idm" title="Identity Management">
<t> Identity can be explained as an exclusive perception of life, integration into a social
group, and continuity, which is bound to a body and - at least to some degree - shaped by
society. This concept of identity distinguishes between "I" and "Me" <xref target="Mead34"
/> : "I" is the instance that is accessible only by the individual self, perceived as an
instance of liberty and initiative. "Me" is supposed to stand for the social attributes,
defining a human identity that is accessible by communications and that is an inner
instance of control and consistency (see <xref target="ICPP03"/> for more information). In
this terminology, we are interested in identity as communicated to others and seen by
them. Therefore, we concentrate on the "Me".</t>
<t> Motivated by identity as an exclusive perception of life, i.e., a psychological
perspective, but using terms defined from a computer science, i.e., a mathematical,
perspective (as we did in the sections before), identity can be explained and defined as a
property of an entity in terms of the opposite of anonymity and the opposite of
unlinkability. In a positive wording, identity enables both to be identifiable as well as
to link IOIs because of some continuity of life. Here we have the opposite of anonymity
(identifiability) and the opposite of unlinkability (linkability) as positive properties.
So the perspective changes: What is the aim of an attacker w.r.t. anonymity is now the
aim of the subject under consideration, so the attacker's perspective becomes the
perspective of the subject. And again, another attacker (attacker2) might be considered
working against identifiability and/or linkability, i.e., attacker2 might try to mask
different attributes of subjects to provide for some kind of anonymity, or attacker2 might
spoof some messages to interfere with the continuity of the subject's life.</t>
<!-- <t> Corresponding to the anonymity set introduced in the beginning of this text, we can work
with an "identifiability set" <xref target="Hild03"/>, which is the set is a set of
possible subjects, to define "identifiability" and "identity". This definition is
compatible with the definitions given in <xref target="HoWi03"/> and it is very close to
that given by <xref target="Chi03"/>: "An identity is any subset of attributes of a person
which uniquely characterizes this person within a community." </t>
<t>
<list style="hanging">
<t hangText="Definition:">Identifiability of a subject from an attacker's perspective
means that the attacker can sufficiently identify the subject within a set of
subjects, the identifiability set.</t>
</list>
</t>
--> <t>
<list style="hanging">
<t hangText="Definition:">An identity is any subset of attribute values of an individual
person which sufficiently identifies this individual person within any set of persons.
So usually there is no such thing as "the identity", but several of them.</t>
<t hangText="Definition:"> Identity management means managing various
identities (usually denoted by pseudonyms) of an individual person, i.e.,
administration of identity attributes including the development and choice of the
partial identity and pseudonym to be (re-)used in a specific context or role.
Establishment of reputation is possible when the individual person re-uses partial
identities. A prerequisite to choose the appropriate partial identity is to recognize
the situation the person is acting in. </t>
</list>
</t>
<t> Of course, attribute values or even attributes themselves may change over time.
Therefore, if the attacker has no access to the change history of each particular
attribute, whether a particular subset of attribute values of an individual person is an
identity or not may change over time as well. If the attacker has access to the change
history of each particular attribute, any subset forming an identity will remain an
identity from his perspective irrespective of how attribute values change. Any reasonable
attacker will not just try to figure out attribute values per se, but also the point in
time (or even the time frame) in which they are valid, since this change history helps a
lot in linking and thus in inferring further attribute values. Therefore, it may be
clarifying to define each "attribute" in a way that its value cannot become invalid. So
instead of the attribute "location" of a particular individual person, take the set of
attributes "location at time x". Depending on the inferences you are interested in,
refining that set as a list ordered by "location" or by "time" may be helpful. </t>
<t> Identities may of course comprise particular attribute values like names, identifiers,
digital pseudonyms, and addresses - but they don't have to. </t>
</section>
<!--
****************************************************************************************
-->
<section anchor="contributor" title="Contributors">
<t>The authors would like to thank Andreas Pfitzmann for all his work on this document.</t>
</section>
<!--
****************************************************************************************
-->
<section anchor="acks" title="Acknowledgments">
<t>Before this document was submitted to the IETF it already had a long history starting in
2000, and a number of people helped to improve the quality of the document with their
feedback. A number of persons contributed to the original writeup and they are acknowledged at
http://dud.inf.tu-dresden.de/Anon_Terminology.shtml.
</t>
</section>
<!--
****************************************************************************************
-->
<section anchor="security" title="Security Considerations">
<t>This document introduces terminology for talking about privacy by data minimization. Since
privacy protection relies on security mechanisms this document is also related to security
in a broader context.</t>
</section>
<!--
****************************************************************************************
-->
<section anchor="iana" title="IANA Considerations">
<t>This document does not require actions by IANA.</t>
</section>
<!--
****************************************************************************************
-->
</middle>
<back>
<references title="Normative References"> </references>
<references title="Informative References">
<reference anchor="BuPf90">
<front>
<title>Value Exchange Systems Enabling Security and Unobservability</title>
<author fullname="Holger Buerk" initials="H." surname="Buerk"> </author>
<author fullname="Andreas Pfitzmann" initials="A." surname="Pfitzmann"> </author>
<date month="January" year="1990"/>
</front>
<seriesInfo name="Computers &amp; Security" value=", 9/8, 715-721"/>
</reference>
<!-- <reference anchor="CaLy04">
<front>
<title>Signature Schemes and Anonymous Credentials from Bilinear Maps</title>
<author fullname="Jan Camenisch" initials="J." surname="Camenisch"> </author>
<author fullname="Anna Lysyanskaya" initials="A." surname="Lysyanskaya"> </author>
<date year="2004"/>
</front>
<seriesInfo name="Crypto" value=", LNCS 3152, Springer, Berlin 2004, 56-72"/>
</reference>
-->
<reference anchor="Chau81">
<front>
<title>Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms</title>
<author fullname="David Chaum" initials="D." surname="Chaum"> </author>
<date year="1981"/>
</front>
<seriesInfo name="Communications of the ACM" value=", 24/2, 84-88"/>
</reference>
<!--
<reference anchor="Chau85">
<front>
<title>Security without Identification: Transaction Systems to make Big Brother Obsolete</title>
<author fullname="David Chaum" initials="D." surname="Chaum"> </author>
<date year="1985"/>
</front>
<seriesInfo name="Communications of the ACM" value=", 28/10, 1030-1044"/>
</reference>
<reference anchor="Chau88">
<front>
<title>The Dining Cryptographers Problem: Unconditional Sender and Recipient
Untraceability</title>
<author fullname="David Chaum" initials="D." surname="Chaum"> </author>
<date year="1988"/>
</front>
<seriesInfo name="Journal of Cryptology" value=", 1/1, 65-75"/>
</reference>
<reference anchor="Chau90">
<front>
<title>Showing credentials without identification: Transferring signatures between
unconditionally unlinkable pseudonyms</title>
<author fullname="David Chaum" initials="D." surname="Chaum"> </author>
<date year="1990"/>
</front>
<seriesInfo name="Auscrypt" value=", LNCS 453, Springer, Berlin 1990, 246-264"/>
</reference>
<reference anchor="ClSc06">
<front>
<title>Structuring Anonymity Metrics</title>
<author fullname="Sebastian Clauss" initials="S." surname="Clauss"> </author>
<author fullname="Stefan Schiffner" initials="S." surname="Schiffner"> </author>
<date year="2006"/>
</front>
<seriesInfo name=""
value="in A. Goto (Ed.), DIM '06, Proceedings of the 2006 ACM Workshop on Digital Identity Management, Fairfax, USA, Nov. 2006, 55-62"
/>
</reference>
<reference anchor="CoBi95">
<front>
<title>Preserving Privacy in a Network of Mobile Computers</title>
<author fullname="David A. Cooper" initials="D." surname="Cooper"> </author>
<author fullname="Kenneth P. Birm" initials="K." surname="Birm"> </author>
<date year="1995"/>
</front>
<seriesInfo name="IEEE Symposium on Research in Security and Privacy"
value=", IEEE Computer Society Press, Los Alamitos 1995, 26-38"/>
</reference>
<reference anchor="CPHH02">
<front>
<title>Privacy-Enhancing Identity Management</title>
<author fullname="Sebastian Clauss" initials="S." surname="Clauss"> </author>
<author fullname="Andreas Pfitzmann" initials="A." surname="Pfitzmann"> </author>
<author fullname="Marit Hansen" initials="M." surname="Hansen"> </author>
<author fullname="Els Van Herreweghen" initials="E." surname="Herreweghen"> </author>
<date month="September" year="2002"/>
</front>
<seriesInfo name="IEEE Symposium on Research in Security and Privacy"
value=", IPTS Report 67, 8-16"/>
</reference>
<reference anchor="DPD95">
<front>
<title>Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995
on the protection of individuals with regard to the processing of personal data and on
the free movement of such data</title>
<author>
<organization>European Commission</organization>
</author>
<date month="November" year="2005"/>
</front>
<seriesInfo name="Official Journal L 281" value=", 23/11/1995 P. 0031 - 0050"/>
<format type="HTML"
target="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML"/>
</reference>
<reference anchor="HBCC04">
<front>
<title>Privacy-Enhancing Identity Management</title>
<author fullname="Marit Hansen" initials="M." surname="Hansen"> </author>
<author fullname="Peter Berlich" initials="P." surname="Berlich"> </author>
<author fullname="Jan Camenisch" initials="J." surname="Camenisch"> </author>
<author fullname="Sebastian Clauss" initials="S." surname="Clauss"> </author>
<author fullname="Andreas Pfitzmann" initials="A." surname="Pfitzmann"> </author>
<author fullname="Michael Waidner" initials="M." surname="Waidner"> </author>
<date year="2004"/>
</front>
<seriesInfo name="Information Security Technical Report (ISTR)"
value=", Volume 9, Issue 1, 67, 8-16, Elsevier, UK, 35-44"/>
<format type="HTML" target="http://dx.doi.org/10.1016/S1363-4127(04)00014-7"/>
</reference>
<reference anchor="Hild03">
<front>
<title>Same selves? Identification of identity: a social perspective from a
legal-philosophical point of view</title>
<author fullname="Mireille Hildebrandt" initials="M." surname="Hildebrandt"> </author>
<date month="December" year="2003"/>
</front>
<seriesInfo
name="Presentation at the the Future of IDentity in the Information Society (FIDIS) workshop"
value=", http://www.calt.insead.edu/fidis/workshop/workshop-wp2-december2003/"/>
<format type="PPT"
target="http://www.calt.insead.edu/fidis/workshop/workshop-wp2-december2003/presentation/VUB/VUB_fidis_wp2_workshop_dec2003.ppt"
/>
</reference>
-->
<reference anchor="ICPP03">
<front>
<title>Identity Management Systems (IMS): Identification and Comparison Study</title>
<author>
<organization>Independent Centre for Privacy Protection &amp; Studio Notarile
Genghini</organization>
</author>
<date month="September" year="2003"/>
</front>
<seriesInfo name="Study commissioned by the Joint Research Centre Seville, Spain"
value=", http://www.datenschutzzentrum.de/projekte/idmanage/study.htm"/>
<format type="HTML" target="http://www.datenschutzzentrum.de/projekte/idmanage/study.htm"/>
</reference>
<!--
<reference anchor="ISO99">
<front>
<title>Common Criteria for Information Technology Security Evaluation</title>
<author>
<organization>ISO</organization>
</author>
<date year="1999"/>
</front>
<seriesInfo name="ISO/IEC 15408" value=""/>
</reference>
<reference anchor="Mart99">
<front>
<title> Local Anonymity in the Internet</title>
<author fullname="David Michael Martin" initials="D." surname="Martin"> </author>
<date month="December" year="2003"/>
</front>
<seriesInfo name="PhD dissertation"
value=", Boston University, Graduate School of Arts and Sciences, http://www.cs.uml.edu/~dm/pubs/thesis.pdf"/>
<format type="PDF" target="http://www.cs.uml.edu/~dm/pubs/thesis.pdf"/>
</reference>
-->
<reference anchor="Mead34">
<front>
<title>Mind, Self and Society</title>
<author fullname="George H. Mead" initials="G." surname="Mead"> </author>
<date year="1934"/>
</front>
<seriesInfo name="University of Chicago Press" value=""/>
</reference>
<reference anchor="Pfit96">
<front>
<title>Information Hiding Terminology -- Results of an informal plenary meeting and
additional proposals</title>
<author fullname="Birgit Pfitzmann" initials="B." surname="Pfitzmann"> </author>
<date year="1996"/>
</front>
<seriesInfo name="Information Hiding" value=", LNCS 1174, Springer, Berlin 1996, 347-350"/>
</reference>
<!--
<reference anchor="PfPW91">
<front>
<title>ISDN-MIXes -- Untraceable Communication with Very Small Bandwidth Overhead</title>
<author fullname="Andreas Pfitzmann" initials="A." surname="Pfitzmann"> </author>
<author fullname="Birgit Pfitzmann" initials="B." surname="Pfitzmann"> </author>
<author fullname="Michael Waidner" initials="M." surname="Michael Waidner"> </author>
<date year="1991"/>
</front>
<seriesInfo name="7th IFIP International Conference on Information Security (IFIP/Sec '91)"
value=", Elsevier, Amsterdam 1991, 245-258"/>
</reference>
<reference anchor="PfWa86">
<front>
<title>Networks without user observability -- design options</title>
<author fullname="Andreas Pfitzmann" initials="A." surname="Pfitzmann"> </author>
<author fullname="Michael Waidner" initials="M." surname="Waidner"> </author>
<date year="1986"/>
</front>
<seriesInfo name="Eurocrypt '85"
value=", LNCS 219, Springer, Berlin 1986, 245-253; revised and extended version in: Computers & Security 6/2 (1987) 158-166"
/>
</reference>
<reference anchor="RaRD09">
<front>
<title>The Future of Identity in the Information Society - Challenges and Opportunities</title>
<author fullname="Kai Rannenberg" initials="K." surname="Rannenberg"> </author>
<author fullname="Denis Royer" initials="D." surname="Royer"> </author>
<author fullname="Andre Deuker" initials="A." surname="Deuker"> </author>
<date year="2009"/>
</front>
<seriesInfo name="Springer, Berlin 2009." value=""/>
</reference>
-->
<reference anchor="ReRu98">
<front>
<title>Crowds: Anonymity for Web Transactions</title>
<author fullname="Michael K. Reiter" initials="M." surname="Reiter"> </author>
<author fullname="Aviel D. Rubin" initials="A." surname="Rubin"> </author>
<date month="November" year="1998"/>
</front>
<seriesInfo name="ACM Transactions on Information and System Security" value=", 1(1), 66-92"
/>
</reference>
<!--
<reference anchor="Shan48">
<front>
<title>A Mathematical Theory of Communication</title>
<author fullname="Claude E. Shannon" initials="C." surname="Shannon"> </author>
<date year="1948"/>
</front>
<seriesInfo name="The Bell System Technical Journal" value=", 27, 379-423, 623-656"/>
</reference>
<reference anchor="Shan49">
<front>
<title>Communication Theory of Secrecy Systems</title>
<author fullname="Claude E. Shannon" initials="C." surname="Shannon"> </author>
<date year="1949"/>
</front>
<seriesInfo name="The Bell System Technical Journal" value=", 28/4, 656-715"/>
</reference>
<reference anchor="StSy00">
<front>
<title>Authentic Attributes with Fine-Grained Anonymity Protection</title>
<author fullname="Stuart Stubblebine" initials="S." surname="Stubblebine"> </author>
<author fullname="Paul Syverson" initials="P." surname="Syverson"> </author>
<date year="2000"/>
</front>
<seriesInfo name="Financial Cryptography" value=", LNCS Series, Springer, Berlin 2000"/>
</reference>
<reference anchor="Waid90">
<front>
<title>Unconditional Sender and Recipient Untraceability in spite of Active Attacks</title>
<author fullname="Michael Waidner" initials="M." surname="Waidner"> </author>
<date year="1990"/>
</front>
<seriesInfo name="Eurocrypt '89" value=", LNCS 434, Springer, Berlin 1990, 302-319"/>
</reference>
-->
<reference anchor="West67">
<front>
<title>Privacy and Freedom</title>
<author fullname="Alan F. Westin" initials="A." surname="Westin"> </author>
<date year="1967"/>
</front>
<seriesInfo name="Atheneum, New York" value=""/>
</reference>
<reference anchor="id">
<front>
<title>Identifier - Wikipedia</title>
<author/>
<date year="2011"/>
</front>
<seriesInfo name="Wikipedia" value=""/>
<format type="HTML" target="http://en.wikipedia.org/wiki/Identifier"/>
</reference>
<reference anchor="Wils93">
<front>
<title>The Columbia Guide to Standard American English</title>
<author fullname="Kenneth G. Wilson" initials="K." surname="Wilson"> </author>
<date year="1993"/>
</front>
<seriesInfo name="Columbia University Press, New York" value=""/>
</reference>
<reference anchor="ZFKP98">
<front>
<title>Modeling the security of steganographic systems</title>
<author fullname="Jan Zoellner" initials="J." surname="Zoellner"> </author>
<author fullname="Hannes Federrath" initials="H." surname="Federrath"> </author>
<author fullname="Herbert Klimant" initials="H." surname="Klimant"> </author>
<author fullname="Andreas Pfitzmann" initials="A." surname="Pfitzmann"> </author>
<author fullname="Rudi Piotraschke" initials="R." surname="Piotraschke"> </author>
<author fullname="Andreas Westfeld" initials="A." surname="Westfeld"> </author>
<author fullname="Guntram Wicke" initials="G." surname="Wicke"> </author>
<author fullname="Gritta Wolf" initials="G." surname="Wolf"> </author>
<date year="1998"/>
</front>
<seriesInfo name="2nd Workshop on Information Hiding"
value=", LNCS 1525, Springer, Berlin 1998, 345-355"/>
</reference>
<!-- <reference anchor="HoWi03">
<front>
<title>On the Ontology of Digital Identification</title>
<author fullname="Giles Hogben" initials="G." surname="Hogben"> </author>
<author fullname="Marc Wilikens" initials="M." surname="Wilikens"> </author>
<author fullname="Ioannis Vakalis" initials="I." surname="Vakalis"> </author>
<date year="2003"/>
</front>
<seriesInfo name=""
value=", in: Robert Meersman, Zahir Tari (Eds.): On the Move to Meaningful
Internet Systems 2003: OTM 2003 Workshops, LNCS 2889, Springer, Berlin 2003, 579-593"
/>
</reference>
<reference anchor="Chi03">
<front>
<title>Towards the Identity</title>
<author fullname="David-Olivier Jaquet-Chiffelle" initials="D." surname="Jaquet-Chiffelle"> </author>
<date month="December" year="2003"/>
</front>
<seriesInfo
name="Presentation at the Future of IDentity in the Information Society (FIDIS) workshop"
value=", http://www.calt.insead.edu/fidis/workshop/workshop-wp2-december2003/"/>
<format type="HTML"
target="http://www.calt.insead.edu/fidis/workshop/workshop-wp2-december2003/presentation/VIP/vip_id_def2_files/frame.htm"
/>
</reference>
-->
</references>
<section anchor="overview" title="Overview of Main Definitions and their Opposites">
<texttable>
<ttcol>Definition</ttcol>
<ttcol>Negation</ttcol>
<c>Anonymity of a subject from an attacker's perspective means that the attacker cannot
sufficiently identify the subject within a set of subjects, the anonymity set.</c>
<c>Identifiability of a subject from an attacker's perspective means that the attacker can
sufficiently identify the subject within a set of subjects, the identifiability set.</c>
<c> ------------------------------- </c>
<c> ------------------------------- </c>
<c>Unlinkability of two or more items of interest (IOIs, e.g., subjects, messages,
actions, ...) from an attacker's perspective means that within the system (comprising
these and possibly other items), the attacker cannot sufficiently distinguish whether
these IOIs are related or not.</c>
<c>Linkability of two or more items of interest (IOIs, e.g., subjects, messages, actions,
...) from an attacker's perspective means that within the system (comprising these and
possibly other items), the attacker can sufficiently distinguish whether these IOIs are
related or not.</c>
<c> ------------------------------- </c>
<c> ------------------------------- </c>
<c>Undetectability of an item of interest (IOI) from an attacker's perspective means that
the attacker cannot sufficiently distinguish whether it exists or not.</c>
<c>Detectability of an item of interest (IOI) from an attacker's perspective means that
the attacker can sufficiently distinguish whether it exists or not.</c>
<c> ------------------------------- </c>
<c> ------------------------------- </c>
<c>Unobservability of an item of interest (IOI) means (a) undetectability of the IOI
against all subjects uninvolved in it and (b) anonymity of the subject(s) involved in the
IOI even against the other subject(s) involved in that IOI.</c>
<c>Observability of an item of interest (IOI) means "many possibilities to define the
semantics".</c>
</texttable>
</section>
<!--
****************************************************************************************
-->
<section anchor="relationship" title="Relationships between Terms">
<t>With respect to the same attacker, unobservability always reveals only a subset of the
information anonymity reveals. <xref target="ReRu98"/> propose a continuum for describing
the strength of anonymity and name its points: "absolute privacy" (the attacker cannot
perceive the presence of communication, i.e., unobservability) - "beyond suspicion" -
"probable innocence" - "possible innocence" - "exposed" - "provably exposed" (the attacker
can prove the sender, recipient, or their relationship to others). Although we think that
the terms "privacy" and "innocence" are misleading, the spectrum is quite useful. We might
use the shorthand notation </t>
<t>
<list style="empty">
<t>unobservability => anonymity</t>
</list>
</t>
<t> for that (=> reads "implies"). Using the same argument and notation, we have </t>
<t>
<list style="empty">
<t>sender unobservability => sender anonymity</t>
<t>recipient unobservability => recipient anonymity</t>
<t>relationship unobservability => relationship anonymity</t>
</list>
</t>
<t> As noted above, we have </t>
<t>
<list style="empty">
<t>sender anonymity => relationship anonymity</t>
<t>recipient anonymity => relationship anonymity</t>
<t>sender unobservability => relationship unobservability</t>
<t>recipient unobservability => relationship unobservability</t>
</list>
</t>
<t> With respect to the same attacker, unobservability always reveals only a subset of the
information undetectability reveals: </t>
<t>
<list style="empty">
<t> unobservability => undetectability</t>
</list>
</t>
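<t>The following is an added example, not text or code from this draft or from
<xref target="ReRu98"/>: a Python model of the Crowds setting in which the continuum above
was coined. It computes the attacker's posterior probability that the honest member it
observes (the predecessor of the first collaborating member on a forwarding path) is the
actual sender, places that number on the continuum, and checks the closed form by
simulation. The anonymity set of the overview table is here the set of honest crowd
members. The thresholds used to name the degrees (1/|anonymity set|, 1/2 and 1) are our
reading of the informal definitions in the Crowds paper and are an assumption of the
example, as is the simplified forwarding model (uniform choice of the next member, itself
included; forwarding with probability p_f).</t>
<figure>
<artwork>
```python
"""Attacker's posterior on the initiator in a Crowds-style forwarding path.

Added example; the closed form is the one derived in the Crowds paper for c
collaborating members out of n, forwarding probability p_f.  Comparisons are
written with '>' only so the block stays valid text inside the XML source.
"""
import math
import random


def predecessor_is_initiator(n, c, p_f):
    """P(observed predecessor == initiator | a collaborator is on the path).

    n crowd size, c collaborators controlled by the attacker, p_f forwarding
    probability.  Closed form: 1 - ((n - c - 1) / n) * p_f.  The anonymity set
    the attacker reasons over is the n - c honest members.
    """
    if c >= n:
        raise ValueError("need at least one honest member")
    if p_f > 1 or 0 > p_f:
        raise ValueError("p_f must be a probability")
    return 1 - ((n - c - 1) / n) * p_f


def min_crowd_size(c, p_f):
    """Smallest n giving probable innocence (posterior at most 1/2) against c
    collaborators: n >= p_f * (c + 1) / (p_f - 1/2), which needs p_f > 1/2."""
    if 0.5 >= p_f:
        raise ValueError("probable innocence needs p_f > 1/2")
    return math.ceil(p_f * (c + 1) / (p_f - 0.5))


def degree_of_anonymity(posterior, anonymity_set_size):
    """Map the attacker's posterior to the Reiter/Rubin degrees (assumed thresholds):
    beyond suspicion   - no more likely than any other set member (1/|set|),
    probable innocence - no more likely the sender than not (1/2),
    possible innocence - a non-trivial chance that someone else sent it,
    exposed            - posterior is 1.
    """
    if 1 / anonymity_set_size >= posterior:
        return "beyond suspicion"
    if 0.5 >= posterior:
        return "probable innocence"
    if 1 > posterior:
        return "possible innocence"
    return "exposed"


def simulate(n, c, p_f, trials, seed=1):
    """Monte Carlo check of the closed form (constructed random paths).

    Members 0..c-1 are collaborators, c..n-1 are honest.  An honest initiator
    always forwards once; each honest member that receives the request forwards
    it to a uniformly random member (itself included) with probability p_f and
    otherwise delivers it.  The attacker sees the predecessor of the first
    collaborator on the path; paths that never touch a collaborator are
    invisible to it and are not counted.
    """
    rng = random.Random(seed)
    seen = hits = 0
    for _ in range(trials):
        initiator = rng.choice(range(c, n))
        current = initiator
        while True:
            nxt = rng.randrange(n)
            if c > nxt:                  # hop lands on a collaborator
                seen += 1
                if current == initiator:
                    hits += 1
                break
            current = nxt
            if rng.random() >= p_f:      # honest member delivers instead of forwarding
                break
    return hits / seen if seen else float("nan")


def report(n, c, p_f):
    """Posterior, its degree on the continuum, and the minimum n for probable innocence."""
    post = predecessor_is_initiator(n, c, p_f)
    return post, degree_of_anonymity(post, n - c), min_crowd_size(c, p_f)


if __name__ == "__main__":
    for n in (5, 6, 10):
        print(n, report(n, 1, 0.75))
    print("simulated posterior, n=10:", simulate(10, 1, 0.75, 40000))
```
</artwork>
</figure>
<t>With c = 1 and p_f = 0.75 the posterior is 0.55 for n = 5 (possible innocence), 0.5 for
n = 6 (the boundary of probable innocence, which is also what min_crowd_size returns) and
0.4 for n = 10; the Monte Carlo estimate for n = 10 agrees with the closed form to within
sampling error. Note what the number does not capture: "absolute privacy" requires that the
attacker cannot even detect the communication (undetectability), and "provably exposed"
requires proof towards third parties, so neither end of the continuum is a posterior over
the anonymity set.</t>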
</section>
</back>
</rfc>