Individual Submission S. Moonesamy Internet-Draft August 10, 2012 Intended status: Informational Expires: February 11, 2013 Privacy and Identifiers draft-moonesamy-privacy-identifiers-00 Abstract The Internet provides the ability for information to be spread beyond geographical boundaries at the speed of light. Once information is available over the Internet it leaves the private realm. If the information can be used to identify a person it can affect the privacy of the individual. There are cases when it can increase the physical risk to the individual or where it can have a negative financial impact. Some types of information can be an embarassment to an individual and negatively affect the person's reputation. This document discusses about whether Internet Identifiers and Session Identifiers can be information about an individual and whether consent is necessary. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on February 11, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents Moonesamy Expires February 11, 2013 [Page 1] Internet-Draft Privacy and Identifiers August 2012 (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Note . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Personally Identifiable Information . . . . . . . . . . . . . . 4 3. Internet Identifiers . . . . . . . . . . . . . . . . . . . . . 4 3.1. IP address . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Email address . . . . . . . . . . . . . . . . . . . . . . . 5 4. Session Identifiers . . . . . . . . . . . . . . . . . . . . . . 5 5. The right amount of information . . . . . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 8. Informative References . . . . . . . . . . . . . . . . . . . . 6 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 7 Moonesamy Expires February 11, 2013 [Page 2] Internet-Draft Privacy and Identifiers August 2012 1. Background In 1881 French law about the freedom of the press [Leg1] offered protection for facts about an individual's private life by giving the individual the ability to seek redress by legal means if these facts were published by the press. In an article published in the Harvard Law Review in 1890 [Leg2] it was mentioned that recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right "to be let alone". The article cites the following text from E. L. Godkin about the rights of the citizen to his reputation: But as long as gossip was oral, it spread, as regards any one individual, over a very small area, and was confined to be immediate circle of his acquaintances. It did not reach, or but rarely reached, those who knew nothing of him. It did not make his name, or his walk, or his conversation familiar to strangers. In 1948 the United Declaration of Human Rights [Leg3] stated that "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks". Nowadays, privacy is sometimes equated with the "right to be left alone". 1.1. Introduction The Internet provides the ability for information to be spread beyond geographical boundaries at the speed of light. Once information is available over the Internet it leaves the private realm. Although there is the ability to seek redress by legal means if information about an individual's private life is being distributed publicly over the Internet, it can be an impossible task when multiple juridictions are involved. In essence, the information cannot be contained once it leaves the private realm. According to RFC 3365 [RFC3365] privacy refers to the right of an entity, normally a person, acting in its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share information about itself with others. If the information shared can be used to identify a person it can affect the privacy of the individual. There are cases when it can increase the physical risk to the individual or where it can have a negative financial impact. Some types of information can be an embarassment to an individual and negatively affect the person's Moonesamy Expires February 11, 2013 [Page 3] Internet-Draft Privacy and Identifiers August 2012 reputation. This document discusses about whether Internet Identifiers and Session Identifiers can be information about an individual and whether consent is necessary. 1.2. Note This Internet-Draft can be discussed on the ietf-privacy@ietf.org mailing list. [RFC-Editor: please remove this paragraph] 2. Personally Identifiable Information Personally Identifiable Information (PII) is a term generally used in discussions about privacy. The U.S. National Institute of Standards and Technology defines PII [NIST] as any information about an individual including: any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. The European Union Directive 95/46/EC [EUD] defines "personal data" as follows: Personal data shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity". 3. Internet Identifiers 3.1. IP address An Internet Identifier known as an IP address indicates where it is [RFC0791]. In 2008, the European Union's Article 29 Data Protection Working Party [ARTDP] noted that Internet service providers should "treat all Moonesamy Expires February 11, 2013 [Page 4] Internet-Draft Privacy and Identifiers August 2012 IP information as personal data" unless the Internet service providers can "distinguish with absolute certainty that the data correspond to users that cannot be identified". In 2009, a U.S. District Court judge [USDC] ruled that: In order for "personally identifiable information" to be personally identifiable, it must identify a person. But an IP address identifies a computer, and can do that only after matching the IP address to a list of a particular Internet service provider's subscribers. 3.2. Email address An email address is a character string that identifies a user to whom mail will be sent or a location into which mail will be deposited [RFC5321]. 4. Session Identifiers A Session Identifier uniquely identifies a communication session. For example, a cookie [RFC6265] is session identifier used by HTTP servers to store state. The HTTP server can send the user agent a cookie. The user agent returns that cookie in subsequent requests. There are two types of cookies, session cookies and persistent cookies. A session cookie is destroyed when the user agent is closed. A persistent cookie is preserved across multiple sessions and is only destroyed once it reaches its expiration date. 5. The right amount of information When a person explicitly addresses the remote end at the IP layer the person consents to the transmission of the IP address assigned to local end. The IP addresses of the two end-hosts are necessary for IP-layer communication to be possible. When a person sends an email the person consents to the transmission of an email address. The email address is necessary for the recipient of the email to be able to reply to it. As a short-lived mechanism to store state it can be argued that a session identifier such as a session cookie is necessary to provide the functionality for a communication session. There may be valid reasons for having a persistent cookie, for example, to store the preferences of the individual. A persistent cookie can also be used to track a person's usage of a service. If the intention of the person is not clear, he/she may have to be asked for consent. Moonesamy Expires February 11, 2013 [Page 5] Internet-Draft Privacy and Identifiers August 2012 In an all-or-nothing proposition a person is faced with the inevitable choice of sharing information to be able to communicate. The interests and motivation of the two ends (e.g. the entity providing a service at one end and the person using the service at the other end) are not aligned. It is difficult for the average person to take an informed decision about the amount of personally identifiable information that needs to be shared. There is an implicit assumption that the underlying protocols are transmitting the right amount of information needed for the protocols to work. There is a reasonable expectation that the person will be provided with a cautionary notice to which he/she must consent to if the information being disclosed may adversely affect the person. 6. Security Considerations It is a myth that people become anonymous when they are in a crowd. Naive users view the Internet as a place where they are anonymous and by extension, incorrectly assume they should not be concerned about their privacy. Privacy policies usually end up as disclaimers of liability instead of policies aimed at protecting privacy. 7. IANA Considerations This document does not request any action from IANA. [RFC-Editor: please remove this paragraph] 8. Informative References [ARTDP] "Opinion 2/2008 on the review of the Directive 2002/58/EC on privacy and electronic communications (ePrivacy Directive)", . [EUD] "Directive EU 95/46/EC of the European Parliament and the Council", . [Leg1] "Loi du 29 juillet 1881 sur la liberte de la presse", . Moonesamy Expires February 11, 2013 [Page 6] Internet-Draft Privacy and Identifiers August 2012 [Leg2] "The right to privacy", . [Leg3] "The universal declaration of human rights", . [NIST] "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)", . [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981. [RFC3365] Schiller, J., "Strong Security Requirements for Internet Engineering Task Force Standard Protocols", BCP 61, RFC 3365, August 2002. [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, October 2008. [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, April 2011. [USDC] "United States District Court Western District of Washington - Johnson et al. v. Microsoft, Case No. C06- 0900RAJ". Author's Address S. Moonesamy 76, Ylang Ylang Avenue Quatre Bornes Mauritius Email: sm+ietf@elandsys.com Moonesamy Expires February 11, 2013 [Page 7]