An interesting presentation from the Internet Society described how the IETF is responding to increased public and developer concern with Internet privacy. Privacy is about individuals being able to control the dissemination and use of their information: secrecy is about preventing the use of such information. Privacy needs to consider information provided by the user or network operator (names, addresses, usernames, etc.), observable data (e.g. IP addresses) and software/hardware data (e.g. MAC addresses and browser profiles). Technology can have both intended and unintended consequences for privacy (for example it turns out that a particular configuration of a browser may well create a unique fingerprint identifying its user). Tools to manage privacy include terms and conditions, limitations on use and authorisation. These need to find a balance between the overlapping, and sometimes conflicting, demands of security, reliability and privacy. Ease of use is critical and provides a further set of challenges since differing social norms and economic models will affect users’ preferences for convenience, functionality and granularity. The technical issues that are the concern of the IETF and IAB therefore coexist with social and regulatory issues, both of which have become much more active in recent years.
The IAB held a privacy workshop a few months ago that identified key questions for the IETF, including:
- How to design technical systems that respect privacy?
- What guidance can be given to authors and implementers (for example on recognising, avoiding or mitigating known privacy traps)?
- What is the role of policy makers?
- What is the role (and limitations) of the IETF working in this area?
A number of working groups are already active and creating Internet drafts, including on privacy considerations for Internet protocols, privacy terminology (which may vary between technical, legal and real-world meanings), and handling geographic location.