idnits 2.17.1

draft-hansen-privacy-terminology-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There is 1 instance of too long lines in the document, the longest one
     being 1 character in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (July 5, 2010) is 5043 days in the past. Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Unused Reference: 'RFC2119' is defined on line 2203, but no explicit
     reference was found in the text

  == Unused Reference: 'Mart99' is defined on line 2289, but no explicit
     reference was found in the text

     Summary: 3 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                  A. Pfitzmann, Ed.
Internet-Draft                                                TU Dresden
Intended status: Informational                            M. Hansen, Ed.
Expires: January 6, 2011                                        ULD Kiel
                                                           H. Tschofenig
                                                  Nokia Siemens Networks
                                                            July 5, 2010

 Terminology for Talking about Privacy by Data Minimization: Anonymity,
   Unlinkability, Undetectability, Unobservability, Pseudonymity, and
                          Identity Management
                draft-hansen-privacy-terminology-00.txt

Abstract

   This document is an attempt to consolidate terminology in the field
   of privacy by data minimization. It motivates and develops
   definitions for anonymity/identifiability, (un)linkability,
   (un)detectability, (un)observability, pseudonymity, identity, partial
   identity, digital identity and identity management. Starting the
   definitions from the anonymity and unlinkability perspective and not
   from a definition of identity (the latter is the obvious approach to
   some people) reveals some deeper structures in this field.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 6, 2011.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology and Requirements Notation
   3.  Setting
   4.  Anonymity
   5.  Unlinkability
   6.  Anonymity in Terms of Unlinkability
   7.  Undetectability and Unobservability
   8.  Relationships between Terms
   9.  Known Mechanisms for Anonymity, Undetectability, and
       Unobservability
   10. Pseudonymity
   11. Pseudonymity with respect to accountability and authorization
     11.1.  Digital pseudonyms to authenticate messages
     11.2.  Accountability for digital pseudonyms
     11.3.  Transferring authenticated attributes and authorizations
            between pseudonyms
   12. Pseudonymity with respect to linkability
     12.1.  Knowledge of the linking between the pseudonym and its
            holder
     12.2.  Linkability due to the use of a pseudonym across different
            contexts
   13. Known mechanisms and other properties of pseudonyms
   14. Identity management
     14.1.  Setting
     14.2.  Identity and identifiability
     14.3.  Identity-related terms
     14.4.  Identity management-related terms
   15. Overview of main definitions and their negations
   16. Acknowledgments
   17. References
     17.1.  Normative References
     17.2.  Informative References

1.  Introduction

   Early papers from the 1980s about privacy by data minimization
   already deal with anonymity, unlinkability, unobservability, and
   pseudonymity and introduce these terms within the respective context
   of proposed measures.

   Note:

      Data minimization means that first of all, the possibility to
      collect personal data about others should be minimized. Next,
      within the remaining possibilities, collecting personal data
      should be minimized. Finally, the length of time for which
      collected personal data is stored should be minimized.

      Data minimization is the only generic strategy to enable
      anonymity, since all correct personal data help to identify if we
      exclude providing misinformation (inaccurate or erroneous
      information, provided usually without conscious effort at
      misleading, deceiving, or persuading one way or another [Wils93])
      or disinformation (deliberately false or distorted information
      given out in order to mislead or deceive [Wils93]).

      Furthermore, data minimization is the only generic strategy to
      enable unlinkability, since all correct personal data provide some
      linkability if we exclude providing misinformation or
      disinformation.

   We show relationships between these terms and thereby develop a
   consistent terminology. Then, we contrast these definitions with
   newer approaches, e.g., from ISO IS 15408.
   Finally, we extend this
   terminology to identity (as a negation of anonymity and
   unlinkability) and identity management. Identity management is a
   much younger and much less well-defined field, so a really
   consolidated terminology for this field does not exist.

   The adoption of this terminology will help to achieve better progress
   in the field by sparing those working on standards and research from
   inventing their own language from scratch.

   This document is organized as follows: First, the setting used is
   described. Then, definitions of anonymity, unlinkability,
   linkability, undetectability, and unobservability are given and the
   relationships between the respective terms are outlined. Afterwards,
   known mechanisms to achieve anonymity, undetectability and
   unobservability are listed. The next sections deal with
   pseudonymity, i.e., pseudonyms, their properties, and the
   corresponding mechanisms. Thereafter, this is applied to
   privacy-enhancing identity management. To give an overview of the
   main terms defined and their negations, a corresponding table
   follows. Finally, concluding remarks are given. In appendices, we
   (A1) depict the relationships between some terms used and (A2 and A3)
   briefly discuss the relationship between our approach (to defining
   anonymity and identifiability) and other approaches. To make the
   document readable to as large an audience as possible, we have put
   information which can be skipped in a first reading or which is only
   useful to part of our readership, e.g., those knowing information
   theory, in footnotes.

2.  Terminology and Requirements Notation

   Privacy:  "Privacy is the claim of individuals, groups, or
      institutions to determine for themselves when, how, and to what
      extent information about them is communicated to others.
      Viewed
      in terms of the relation of the individual to social
      participation, privacy is the voluntary and temporary withdrawal
      of a person from the general society through physical or
      psychological means, either in a state of solitude or small-group
      intimacy or, when among larger groups, in a condition of anonymity
      or reserve.", see page 7 of [West67]

3.  Setting

   We develop this terminology in the usual setting that senders send
   messages to recipients using a communication network, i.e., stations
   send and receive messages using a wired and/or wireless communication
   medium.

   Note:

      To keep the setting as simple as possible, usually, we do not
      distinguish between human senders and the stations which are used
      to send messages. Putting it the other way round, usually, we
      assume that each station is controlled by exactly one human being,
      its owner. If a differentiation between human communication and
      computer communication is necessary or if the assumption that each
      station is controlled by exactly one human being is wrong, the
      setting has to be more complex. We then use sender and recipient
      for human beings and message for their communication. For
      computers and their communications, we use stations sending bit
      strings. If we have to look even deeper than bits which are
      "abstractions" of physical signals, we call the representation of
      bit strings signals.

   For other settings, e.g., users querying a database, customers
   shopping in an e-commerce shop, the same terminology can be derived
   by instantiating the terms "sender", "recipient", and "message". But
   for ease of explanation, we use the specific setting here, see
   Figure 1.
   Only if what we have to say is valid in a broader context
   without requiring further explanations, we speak more generally about
   acting entities called actors (such as senders) and entities acted
   upon called actees (such as recipients).

   Irrespective of whether we speak of senders and recipients or whether
   we generalize to actors and actees, we regard a subject as a possibly
   acting entity such as, e.g., a human being (i.e., a natural person),
   a legal person, or a computer. An organization not acting as a legal
   person we neither see as a single subject nor as a single entity, but
   as (possibly structured) sets of subjects or entities. Otherwise,
   the distinction between "subjects" and "sets of subjects" would
   completely blur.

   If we make our setting more concrete, we may call it a system. For
   our purposes, a system has the following relevant properties:

   1.  The system has a surrounding, i.e., parts of the world are
       "outside" the system. Together, the system and its surrounding
       form the universe.

   2.  The state of the system may change by actions within the system.

   [Diagram: senders on the left and recipients on the right, attached
   to a communication network that carries messages.]

                           Figure 1: Setting

   All statements are made from the perspective of an attacker, who may
   be interested in monitoring what communication is occurring, what
   patterns of communication exist, or even in manipulating the
   communication. The perspective describes the set of all possible
   observations.
   In the following, a property holds "from an attacker's
   perspective" iff it holds for all possible observations of that
   perspective. The attacker's perspective depends on the information
   the attacker has available. If we assume some limits on how much
   processing the attacker might be able to do, the information
   available to the attacker will not only depend on the attacker's
   perspective, but on the attacker's processing (abilities), too. The
   attacker may be an outsider tapping communication lines or an insider
   able to participate in normal communications and controlling at least
   some stations, cf. Figure 2. We assume that the attacker uses all
   information available to him to infer (probabilities of) his items of
   interest (IOIs), e.g., who sent or received which messages.
   Related to the IOIs are attributes (and their values) because they
   may be items of interest themselves or their observation may give
   information on IOIs: An attribute is a quality or characteristic of
   an entity or an action. Some attributes may take several values.
   Then it makes sense to make a distinction between more abstract
   attributes and more concrete attribute values. Mainly we are
   interested in attributes of subjects. Examples for attributes in
   this setting are "sending a message" or "receiving a message".

   [Diagram: the setting of Figure 1 with the senders Alice and Bob, the
   recipient Carol, and the messages "Message by Alice", "Bob's Message"
   and "Malice's Message" inside the communication network. Malice (the
   attacker) is among the senders and a "Complice of Malice" is among
   the recipients.]

      Figure 2: Example of an attacker's domain within the setting

   Throughout the subsequent sections we assume that the attacker is not
   able to get information on the sender or recipient from the message
   content. Of course, encryption of messages provides protection of
   the content against attackers observing the communication lines and
   end-to-end encryption even provides protection of the content against
   all stations passed, e.g., for the purpose of forwarding and/or
   routing. But message content can neither be hidden from the sender
   nor from the recipient(s) of the message. Therefore, we do not
   mention the message content in these sections. For most applications
   it is unreasonable to assume that the attacker forgets something.
   Thus, normally the knowledge of the attacker only increases.
   "Knowledge" can be described by probabilities of IOIs. More
   knowledge then means more accurate probabilities, i.e., the
   probabilities the attacker assumes to be true are closer to the
   "true" probabilities.

4.  Anonymity

   To enable anonymity of a subject, there always has to be an
   appropriate set of subjects with potentially the same attributes.
   Since sending and receiving of particular messages are special cases
   of "attributes" of senders and recipients, this is slightly more
   general than the setting in Section 3.
   This generality is very
   fortunate to stay close to the everyday meaning of "anonymity" which
   is not only used w.r.t. subjects active in a particular context,
   e.g., senders and recipients of messages, but w.r.t. subjects passive
   in a particular context as well, e.g., subjects the records within a
   database relate to. This leads to the following definition:

   Definition:  Anonymity of a subject means that the subject is not
      identifiable within a set of subjects, the anonymity set.

   Note:

      "not identifiable within the anonymity set" means that only using
      the information the attacker has at his discretion, the subject is
      "not uniquely characterized within the anonymity set". In more
      precise language, only using the information the attacker has at
      his discretion, the subject is "not distinguishable from the other
      subjects within the anonymity set".

      From [ISO99]: "Anonymity ensures that a user may use a resource or
      service without disclosing the user's identity. The requirements
      for anonymity provide protection of the user identity. Anonymity
      is not intended to protect the subject identity. [...] Anonymity
      requires that other users or subjects are unable to determine the
      identity of a user bound to a subject or operation." Compared
      with this explanation, our definition is more general as it is not
      restricted to identifying users, but any subjects.

   The anonymity set is the set of all possible subjects. The set of
   possible subjects depends on the knowledge of the attacker. Thus,
   anonymity is relative with respect to the attacker. With respect to
   actors, the anonymity set consists of the subjects who might cause an
   action. With respect to actees, the anonymity set consists of the
   subjects who might be acted upon.
   Therefore, a sender may be
   anonymous (sender anonymity) only within a set of potential senders,
   his/her sender anonymity set, which itself may be a subset of all
   subjects worldwide who may send a message from time to time. The
   same for the recipient means that a recipient may be anonymous
   (recipient anonymity) only within a set of potential recipients,
   his/her recipient anonymity set, cf. Figure 3. Both anonymity sets
   may be disjoint, be the same, or they may overlap. The anonymity
   sets may vary over time. Since we assume that the attacker does not
   forget anything he knows, the anonymity set cannot increase w.r.t. a
   particular IOI. In particular, subjects joining the system at a
   later stage do not belong to the anonymity set from the point of view
   of an attacker observing the system at an earlier stage. (Please
   note that if the attacker cannot decide whether the joining subjects
   were present earlier, the anonymity set does not increase either: It
   just stays the same.) Due to linkability, cf. below, the anonymity
   set normally can only decrease.

   Anonymity of a set of subjects within a (potentially larger)
   anonymity set means that all these individual subjects are not
   identifiable within this anonymity set. In this definition, "set of
   subjects" is just taken to describe that the anonymity property holds
   for all elements of the set. Another possible definition would be to
   consider the anonymity property for the set as a whole. Then a
   semantically quite different definition could read: Anonymity of a
   set S of subjects within a larger anonymity set A means that it is
   not distinguishable whether the subject whose anonymity is at stake
   (and which clearly is within A) is within S or not.

   [Diagram: the setting of Figure 1 with a box around the senders
   labelled "Sender Anonymity Set (1)" and a box around the recipients
   labelled "Recipient Anonymity Set (2)"; (1) and (2) together form the
   "Largest Possible Anonymity Set".]

              Figure 3: Anonymity sets within the setting

   The definition given above for anonymity basically defines anonymity
   as a binary property: Either a subject is anonymous or not. To
   reflect the possibility to quantify anonymity in our definition and
   to underline that all statements are made from the perspective of an
   attacker (cf. Figure 4), it is appropriate to work with a slightly
   more complicated definition in the following:

   Definition:  Anonymity of a subject from an attacker's perspective
      means that the attacker cannot sufficiently identify the subject
      within a set of subjects, the anonymity set.

   In this revised definition, "sufficiently" underlines both that there
   is a possibility to quantify anonymity and that for some
   applications, there might be a need to define a threshold where
   anonymity begins.

   If we do not focus on the anonymity of one individual subject, called
   individual anonymity, but on the anonymity provided by a system to
   all of its users together, called global anonymity, we can state: All
   other things being equal, global anonymity is the stronger, the
   larger the respective anonymity set is and the more evenly
   distributed the sending or receiving, respectively, of the subjects
   within that set is.

   Note:

      The entropy of a message source as defined by Claude E. Shannon
      [Shan48] might be an appropriate measure to quantify global
      anonymity: just take who is the sender/recipient as the "message"
      in Shannon's definition. For readers interested in formalizing
      what we informally say: "No change of probabilities" means "no
      change of knowledge" and vice versa. "No change of probabilities"
      (or what is equivalent: "no change of knowledge") implies "no
      change of entropy", whereas "no change of entropy" neither implies
      "no change of probabilities" nor "no change of knowledge". In an
      easy to remember notation: No change of probabilities = no change
      of knowledge => no change of entropy.

      The definition of anonymity is an analog to the definition of
      "perfect secrecy" by Claude E. Shannon [Shan49], whose definition
      takes into account that no security mechanism whatsoever can take
      away knowledge from the attacker which he already has.

   For a fixed anonymity set, global anonymity is maximal iff all
   subjects within the anonymity set are equally likely. Since subjects
   may behave quite differently from each other (and trying to persuade
   them to behave more equally may both fail and be incompatible with
   basic human rights), achieving maximal anonymity or even something
   close to it usually is impossible. Strong or even maximal global
   anonymity does not imply strong anonymity or even maximal anonymity
   of each particular subject.
   What maximal anonymity of one individual
   subject (maximal individual anonymity, for short) means is unclear.
   On the one hand, if her probability approaches zero, her Shannon
   entropy (as a measure for anonymity) gets larger and larger. On the
   other hand, if her probability gets zero, she is outside the
   anonymity set. Even if global anonymity is strong, one (or a few)
   individual subjects might be quite likely, so their anonymity is
   weak. W.r.t. these "likely suspects", nothing is changed if the
   anonymity set is made larger and sending and receiving of the other
   subjects are, e.g., distributed evenly. That way, arbitrarily strong
   global anonymity can be achieved without doing anything for the
   "likely suspects" [ClSc06]. So there is a need to define anonymity
   measures not only for the system as a whole, but for individual
   subjects (individual anonymity) or small sets of subjects.

   [Diagram: the anonymity sets of Figure 3 with one sender and one
   recipient marked "Attacker"; the sender anonymity set (1), the
   recipient anonymity set (2) and the largest possible anonymity set
   (1) & (2) w.r.t. the attacker exclude the stations the attacker
   controls.]

       Figure 4: Anonymity sets w.r.t. attacker within the setting

   From the above discussion follows that anonymity in general as well
   as the anonymity of each particular subject is a concept which is
   very much context dependent (on, e.g., subjects population,
   attributes, time frame, etc). In order to quantify anonymity within
   concrete situations, one would have to describe the system in
   sufficient detail, which is practically not (always) possible for
   large open systems (but maybe for some small data bases for
   instance). Besides the quantity of anonymity provided within a
   particular setting, there is another aspect of anonymity: its
   robustness. Robustness of anonymity characterizes how stable the
   quantity of anonymity is against changes in the particular setting,
   e.g., a stronger attacker or different probability distributions. We
   might use quality of anonymity as a term comprising both quantity and
   robustness of anonymity. To keep this text as simple as possible, we
   will mainly discuss the quantity of anonymity in the following, using
   the wording "strength of anonymity".

   The above definitions of anonymity and the mentioned measures of
   quantifying anonymity are fine to characterize the status of a
   subject in a world as is. If we want to describe changes to the
   anonymity of a subject if the world is changed somewhat, e.g., the
   subject uses the communication network differently or uses a modified
   communication network, we need another definition of anonymity
   capturing the delta. The simplest way to express this delta is by
   the observations of "the" attacker.

   Definition:  An anonymity delta (regarding a subject's anonymity)
      from an attacker's perspective specifies the difference between
      the subject's anonymity taking into account the attacker's
      observations (i.e., the attacker's a-posteriori knowledge) and the
      subject's anonymity given the attacker's a-priori knowledge only.
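
   The entropy measure for global anonymity, the "likely suspects"
   effect and the anonymity delta described above can be worked through
   numerically. The following Python code is an added example, not part
   of the draft. It assumes that the attacker's knowledge is a
   probability distribution over potential senders and that an
   observation rules subjects out; all function names and sample values
   are constructed for illustration.

```python
"""Entropy-based quantification of sender anonymity (added example).

Assumptions, not taken from the draft: the attacker's knowledge is a
probability distribution over potential senders, and an observation is
modelled as ruling some subjects out. All names and values are constructed.
"""
import math


def uniform(subjects):
    """Attacker considers every listed subject equally likely."""
    subjects = list(subjects)
    return {s: 1.0 / len(subjects) for s in subjects}


def with_crowd(suspect, p_suspect, crowd_size):
    """One 'likely suspect' plus crowd_size evenly distributed other senders."""
    share = (1.0 - p_suspect) / crowd_size
    dist = {suspect: p_suspect}
    dist.update({f"user{i}": share for i in range(crowd_size)})
    return dist


def entropy_bits(dist):
    """Shannon entropy in bits, used here as the quantity of global anonymity."""
    if not math.isclose(sum(dist.values()), 1.0, abs_tol=1e-9):
        raise ValueError("probabilities must sum to 1")
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def anonymity_set(dist):
    """Subjects the attacker still considers possible (probability > 0)."""
    return {s for s, p in dist.items() if p > 0}


def most_likely(dist):
    """Subject the attacker rates most likely, with that probability.

    Used as a simple per-subject view (an assumption of this example).
    """
    subject = max(dist, key=dist.get)
    return subject, dist[subject]


def rule_out(dist, excluded):
    """A-posteriori distribution after an observation excludes some subjects."""
    kept = {s: p for s, p in dist.items() if s not in excluded and p > 0}
    mass = sum(kept.values())
    if mass == 0:
        raise ValueError("observation excludes every possible sender")
    return {s: p / mass for s, p in kept.items()}


def anonymity_delta(prior, posterior):
    """quantity(anonymity_a-posteriori) - quantity(anonymity_a-priori)."""
    return entropy_bits(posterior) - entropy_bits(prior)


if __name__ == "__main__":
    # Maximal global anonymity for a fixed set: all 8 senders equally likely.
    prior = uniform(f"s{i}" for i in range(8))
    print("uniform, 8 senders:", entropy_bits(prior), "bits")

    # Likely suspect: enlarging the crowd raises the global measure, but the
    # attacker's probability for alice does not move.
    for crowd in (4, 32):
        dist = with_crowd("alice", 0.5, crowd)
        print(f"crowd={crowd}: {entropy_bits(dist)} bits,",
              "most likely:", most_likely(dist))

    # Anonymity delta: the observation shrinks the anonymity set from 8 to 4.
    posterior = rule_out(prior, {"s4", "s5", "s6", "s7"})
    print("anonymity set after observation:", sorted(anonymity_set(posterior)))
    print("anonymity delta:", anonymity_delta(prior, posterior), "bits")
```

   With a crowd of 4 and a crowd of 32 the global measure rises from 2.0
   to 3.5 bits while the suspect's probability stays at 0.5, which is
   the reason the text asks for measures of individual anonymity as
   well.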

   Note:

      In some publications, the a-priori knowledge of the attacker is
      called "background knowledge" and the a-posteriori knowledge of
      the attacker is called "new knowledge".

   As we can quantify anonymity in concrete situations, so we can
   quantify the anonymity delta. This can be done by just defining:

      quantity(anonymity delta) := quantity(anonymity_a-posteriori) -
                                   quantity(anonymity_a-priori)

   If anonymity_a-posteriori and anonymity_a-priori are the same, their
   quantification is the same and therefore the difference of these
   quantifications is 0. If anonymity can only decrease (which usually
   is quite a reasonable assumption), the maximum of quantity(anonymity
   delta) is 0.

   Since anonymity cannot increase, the anonymity delta can never be
   positive. Having an anonymity delta of zero means that anonymity
   stays the same. This means that if the attacker has no a-priori
   knowledge about the particular subject, having no anonymity delta
   implies anonymity. But if the attacker has a-priori knowledge
   covering all actions of the particular subject, having no anonymity
   delta does not imply any anonymity at all. If there is no anonymity
   from the very beginning, even preserving it completely does not yield
   any anonymity. To be able to express this conveniently, we use
   wordings like "perfect preservation of a subject's anonymity". It
   might be worthwhile to generalize "preservation of anonymity of
   single subjects" to "preservation of anonymity of sets of subjects",
   in the limiting case all subjects in an anonymity set. An important
   special case is that the "set of subjects" is the set of subjects
   having one or several attribute values A in common. Then the meaning
   of "preservation of anonymity of this set of subjects" is that
   knowing A does not decrease anonymity. Having a negative anonymity
   delta means that anonymity is decreased.

5.  Unlinkability

   Unlinkability only has a meaning after the system in which we want to
   describe anonymity properties has been defined and the entities
   interested in linking (the attacker) have been characterized. Then:

   Definition:  Unlinkability of two or more items of interest (IOIs,
      e.g., subjects, messages, actions, ...) from an attacker's
      perspective means that within the system (comprising these and
      possibly other items), the attacker cannot sufficiently
      distinguish whether these IOIs are related or not.

   Note:

      From [ISO99]: "Unlinkability ensures that a user may make multiple
      uses of resources or services without others being able to link
      these uses together. [...] Unlinkability requires that users
      and/or subjects are unable to determine whether the same user
      caused certain specific operations in the system." In contrast to
      this definition, the meaning of unlinkability in this text is less
      focused on the user, but deals with unlinkability of "items" and
      therefore takes a general approach.

      As the entropy of a message source might be an appropriate measure
      to quantify (global) anonymity (and thereafter "anonymity" might
      be used as a quantity), we may use definitions to quantify
      unlinkability (and thereafter "unlinkability" might be used as a
      quantity as well). Quantifications of unlinkability can be either
      probabilities or entropies, or whatever is useful in a particular
      context.

   Linkability is the negation of unlinkability:

   Definition:  Linkability of two or more items of interest (IOIs,
      e.g., subjects, messages, actions, ...) from an attacker's
      perspective means that within the system (comprising these and
      possibly other items), the attacker can sufficiently distinguish
      whether these IOIs are related or not.

   For example, in a scenario with at least two senders, two messages
   sent by subjects within the same anonymity set are unlinkable for an
   attacker if for him, the probability that these two messages are sent
   by the same sender is sufficiently close to 1/(number of senders).
   In case of unicast the same is true for recipients; in case of
   multicast it is slightly more complicated.

   Definition:  An unlinkability delta of two or more items of interest
      (IOIs, e.g., subjects, messages, actions, ...) from an attacker's
      perspective specifies the difference between the unlinkability of
      these IOIs taking into account the attacker's observations and the
      unlinkability of these IOIs given the attacker's a-priori
      knowledge only.

   Since we assume that the attacker does not forget anything,
   unlinkability cannot increase. Normally, the attacker's knowledge
   cannot decrease (analogously to Shannon's definition of "perfect
   secrecy", see above). An exception to this rule is the scenario
   where the use of misinformation (inaccurate or erroneous information,
   provided usually without conscious effort at misleading, deceiving,
   or persuading one way or another [Wils93]) or disinformation
   (deliberately false or distorted information given out in order to
   mislead or deceive [Wils93]) leads to a growing uncertainty of the
   attacker as to which information is correct. A related, but
   different aspect is that information may become wrong (i.e.,
   outdated) simply because the state of the world changes over time.
   Since privacy is not only about protecting the current state, but the
   past and history of a data subject as well, we will not make use of
   this different aspect in the rest of this document. Therefore, the
   unlinkability delta can never be positive.
   Having an unlinkability delta of zero means that the probability of
   those items being related from the attacker's perspective stays
   exactly the same before (a-priori knowledge) and after the attacker's
   observations (a-posteriori knowledge of the attacker). If the
   attacker has no a-priori knowledge about the particular IOIs, having
   an unlinkability delta of zero implies unlinkability. But if the
   attacker has a-priori knowledge covering the relationships of all
   IOIs, having an unlinkability delta of zero does not imply any
   unlinkability at all. If there is no unlinkability from the very
   beginning, even preserving it completely does not yield any
   unlinkability. To be able to express this conveniently, we use
   wordings like "perfect preservation of unlinkability w.r.t. specific
   items" to express that the unlinkability delta is zero. It might be
   worthwhile to generalize "preservation of unlinkability of two IOIs"
   to "preservation of unlinkability of sets of IOIs", in the limiting
   case all IOIs in the system.

   For example, the unlinkability delta of two messages is sufficiently
   small (zero) for an attacker if the probability describing his
   a-posteriori knowledge that these two messages are sent by the same
   sender and/or received by the same recipient is sufficiently
   (exactly) the same as the probability imposed by his a-priori
   knowledge. Please note that unlinkability of two (or more) messages
   of course may depend on whether their content is protected against
   the attacker considered. In particular, messages may be unlinkable
   if we assume that the attacker is not able to get information on the
   sender or recipient from the message content, cf. Section 3. Yet
   with access to their content even without deep semantical analysis
   the attacker can notice certain characteristics which link them
   together - e.g.
   similarities in structure, style, use of some words
   or phrases, consistent appearance of some grammatical errors, etc.
   In a sense, content of messages may play a role as "side channel" in
   a similar way as in cryptanalysis - i.e., content of messages may
   leak some information on their linkability.

   Roughly speaking, no unlinkability delta of items means that the
   ability of the attacker to relate these items does not increase by
   observing the system or by possibly interacting with it.

   The definitions of unlinkability, linkability and unlinkability delta
   do not mention any particular set of IOIs they are restricted to.
   Therefore, the definitions of unlinkability and unlinkability delta
   are very strong, since they cover the whole system. We could weaken
   the definitions by restricting them to part of the system:
   "Unlinkability of two or more IOIs from an attacker's perspective
   means that within an unlinkability set of IOIs (comprising these and
   possibly other items), the attacker cannot sufficiently distinguish
   whether these IOIs are related or not."

6.  Anonymity in Terms of Unlinkability

   To describe anonymity in terms of unlinkability, we have to augment
   the definitions of anonymity given in Section 4 by making explicit
   the attributes anonymity relates to. This is best explained by
   looking at an example in detail. In our setting, cf. Section 3, we
   choose the attribute "having sent a message" as the example. Then we
   have:

   A sender s is anonymous w.r.t. sending, iff s is anonymous within the
   set of potential senders, i.e., within the sender anonymity set.

   This mainly is a re-phrasing of the definition in Section 3. If we
   make the message under consideration explicit, the definition reads:

   A sender s sends a message m anonymously, iff s is anonymous within
   the set of potential senders of m, the sender anonymity set of m.

   This can be generalized to sets of messages easily:

   A sender s sends a set of messages M anonymously, iff s is anonymous
   within the set of potential senders of M, the sender anonymity set of
   M.

   If the attacker's focus is not on the sender, but on the message, we
   can define:

   A message m is sent anonymously, iff m can have been sent by each
   potential sender, i.e., by any subject within the sender anonymity
   set of m.

   Again, this can be generalized to sets of messages easily:

   A set of messages M is sent anonymously, iff M can have been sent by
   each set of potential senders, i.e., by any set of subjects within
   the cross product of the sender anonymity sets of each message m
   within M.

   Of course, all 5 definitions would work for receiving of messages
   accordingly. For more complicated settings with more operations than
   these two, appropriate sets of definitions can be developed.

   Now we are prepared to describe anonymity in terms of unlinkability.

   We do this by using our setting, cf. Section 3. So we consider
   sending and receiving of messages as attributes; the items of
   interest (IOIs) are "who has sent or received which message". Then,
   anonymity of a subject w.r.t. an attribute may be defined as
   unlinkability of this subject and this attribute. Unlinkability is a
   sufficient condition of anonymity, but it is not a necessary
   condition. Thus, failing unlinkability w.r.t. some attribute
   value(s) does not necessarily eliminate anonymity as defined in
   Section 4; in specific cases (i.e., depending on the attribute
   value(s)) even the strength of anonymity may not be affected.

   So we have: Sender anonymity of a subject means that to this
   potentially sending subject, each message is unlinkable.

   Note:

      The property unlinkability might be more "fine-grained" than
      anonymity, since there are many more relations where unlinkability
      might be an issue than just the relation "anonymity" between
      subjects and IOIs. Therefore, the attacker might get to know
      information on linkability while not necessarily reducing
      anonymity of the particular subject - depending on the defined
      measures. An example might be that the attacker, in spite of
      being able to link, e.g., by timing, all encrypted messages of a
      transaction, does not learn who is doing this transaction.

   Correspondingly, recipient anonymity of a subject means that to this
   potentially receiving subject, each message is unlinkable.

   Relationship anonymity of a pair of subjects, the potentially sending
   subject and the potentially receiving subject, means that to this
   potentially communicating pair of subjects, each message is
   unlinkable. In other words, sender and recipient (or each recipient
   in case of multicast) are unlinkable. As sender anonymity of a
   message cannot hold against the sender of this message himself nor
   can recipient anonymity hold against any of the recipients w.r.t.
   himself, relationship anonymity is considered w.r.t. outsiders only,
   i.e., attackers being neither the sender nor one of the recipients of
   the messages under consideration.

   Thus, relationship anonymity is a weaker property than each of sender
   anonymity and recipient anonymity: The attacker might know who sends
   which messages or he might know who receives which messages (and in
   some cases even who sends which messages and who receives which
   messages). But as long as for the attacker each message sent and
   each message received are unlinkable, he cannot link the respective
   senders to recipients and vice versa, i.e., relationship anonymity
   holds.
   The relationship anonymity set can be defined to be the cross
   product of two potentially distinct sets, the set of potential
   senders and the set of potential recipients or - if it is possible to
   exclude some of these pairs - a subset of this cross product. So the
   relationship anonymity set is the set of all possible
   sender-recipient(s)-pairs. In case of multicast, the set of potential
   recipients is the power set of all potential recipients. If we take
   the perspective of a subject sending (or receiving) a particular
   message, the relationship anonymity set becomes the set of all
   potential recipients (senders) of that particular message. So fixing
   one factor of the cross product gives a recipient anonymity set or a
   sender anonymity set.

   Note:

      The following is an explanation of the statement made in the
      previous paragraph regarding relationship anonymity: For all
      attackers it holds that sender anonymity implies relationship
      anonymity, and recipient anonymity implies relationship anonymity.
      This is true if anonymity is taken as a binary property: Either it
      holds or it does not hold. If we consider quantities of
      anonymity, the validity of the implication possibly depends on the
      particular definitions of how to quantify sender anonymity and
      recipient anonymity on the one hand, and how to quantify
      relationship anonymity on the other. There exists at least one
      attacker model where relationship anonymity implies neither
      sender anonymity nor recipient anonymity. Consider an attacker
      who neither controls any senders nor any recipients of messages,
      but all lines and - maybe - some other stations. If w.r.t. this
      attacker relationship anonymity holds, you can neither argue that
      against him sender anonymity holds nor that recipient anonymity
      holds. The classical MIX-net (cf.
      Section 9) without dummy
      traffic is one implementation with just this property: The
      attacker sees who sends messages when and who receives messages
      when, but cannot figure out who sends messages to whom.

7.  Undetectability and Unobservability

   In contrast to anonymity and unlinkability, where not the IOI, but
   only its relationship to subjects or other IOIs is protected, for
   undetectability, the IOIs are protected as such. Undetectability can
   be regarded as a possible and desirable property of steganographic
   systems (see Section 9). Therefore it matches the information hiding
   terminology [Pfit96], [ZFKP98]. In contrast, anonymity, dealing with
   the relationship of discernible IOIs to subjects, does not directly
   fit into that terminology, but independently represents a different
   dimension of properties.

   Definition:  Undetectability of an item of interest (IOI) from an
      attacker's perspective means that the attacker cannot sufficiently
      distinguish whether it exists or not.

   Note:

      From [ISO99]: "Unobservability ensures that a user may use a
      resource or service without others, especially third parties,
      being able to observe that the resource or service is being used.
      [...] Unobservability requires that users and/or subjects cannot
      determine whether an operation is being performed." As seen
      before, our approach is less user-focused and insofar more
      general. With the communication setting and the attacker model
      chosen in this text, our definition of unobservability shows the
      method how to achieve it: preventing distinguishability of IOIs.
      Thus, the ISO definition might be applied to a different setting
      where attackers are prevented from observation by other means,
      e.g., by encapsulating the area of interest against third parties.

      In some applications (e.g.
      steganography), it might be useful to
      quantify undetectability to have some measure how much uncertainty
      about an IOI remains after the attacker's observations. Again, we
      may use probabilities or entropy, or whatever is useful in a
      particular context.

   If we consider messages as IOIs, this means that messages are not
   sufficiently discernible from, e.g., "random noise". A slightly more
   precise formulation might be that messages are not discernible from
   no message. A quantification of this property might measure the
   number of indistinguishable IOIs and/or the probabilities of
   distinguishing these IOIs.

   Undetectability is maximal iff whether an IOI exists or not is
   completely indistinguishable. We call this perfect undetectability.

   Definition:  An undetectability delta of an item of interest (IOI)
      from an attacker's perspective specifies the difference between
      the undetectability of the IOI taking into account the attacker's
      observations and the undetectability of the IOI given the
      attacker's a-priori knowledge only.

   The undetectability delta is zero iff whether an IOI exists or not is
   indistinguishable to exactly the same degree whether the attacker
   takes his observations into account or not. We call this "perfect
   preservation of undetectability".

   Undetectability of an IOI clearly is only possible w.r.t. subjects
   being not involved in the IOI (i.e., neither being the sender nor one
   of the recipients of a message). Therefore, if we just speak about
   undetectability without spelling out a set of IOIs, it goes without
   saying that this is a statement comprising only those IOIs the
   attacker is not involved in.

   As the definition of undetectability stands, it has nothing to do
   with anonymity - it does not mention any relationship between IOIs
   and subjects. Even more, for subjects being involved in an IOI,
   undetectability of this IOI is clearly impossible.
   Therefore, early papers describing new mechanisms for
   undetectability designed the mechanisms in a way that if a subject
   necessarily could detect an IOI, the other subject(s) involved in
   that IOI enjoyed anonymity at least. The rationale for this is to
   strive for data minimization: No subject should get to know any
   (potentially personal) data - unless this is absolutely necessary.
   Given the setting described in Section 3, this means: 1. Subjects
   being not involved in the IOI get to know absolutely nothing.
   2. Subjects being involved in the IOI only get to know the IOI, but
   not the other subjects involved - the other subjects may stay
   anonymous. Since in the setting described in Section 3 the
   attributes "sending a message" or "receiving a message" are the only
   kinds of attributes considered, 1. and 2. together provide data
   minimization in this setting in an absolute sense. Undetectability
   by uninvolved subjects together with anonymity even if IOIs can
   necessarily be detected by the involved subjects has been called
   unobservability:

   Definition:  Unobservability of an item of interest (IOI) means

      *  undetectability of the IOI against all subjects uninvolved in
         it and

      *  anonymity of the subject(s) involved in the IOI even against
         the other subject(s) involved in that IOI.

   As we had anonymity sets of subjects with respect to anonymity, we
   have unobservability sets of subjects with respect to
   unobservability, see Figure 5. Mainly, unobservability deals with
   IOIs instead of subjects only. Though, like anonymity sets,
   unobservability sets consist of all subjects who might possibly cause
   these IOIs, i.e. send and/or receive messages.

   Sender unobservability then means that it is sufficiently
   undetectable whether any sender within the unobservability set sends.
   Sender unobservability is perfect iff it is completely undetectable
   whether any sender within the unobservability set sends.

   Recipient unobservability then means that it is sufficiently
   undetectable whether any recipient within the unobservability set
   receives. Recipient unobservability is perfect iff it is completely
   undetectable whether any recipient within the unobservability set
   receives.

   Relationship unobservability then means that it is sufficiently
   undetectable whether anything is sent out of a set of could-be
   senders to a set of could-be recipients. In other words, it is
   sufficiently undetectable whether within the relationship
   unobservability set of all possible sender-recipient(s)-pairs, a
   message is sent in any relationship. Relationship unobservability is
   perfect iff it is completely undetectable whether anything is sent
   out of a set of could-be senders to a set of could-be recipients.

   All other things being equal, unobservability is the stronger, the
   larger the respective unobservability set is, see Figure 6.

   [Diagram omitted. Labels: Communication Network; Sender
   Unobservability Set; Largest Possible Unobservability Set; Recipient
   Unobservability Set.]

         Figure 5: Unobservability sets within the setting

   [Diagram omitted. Labels: Communication Network; Attacker;
   Observable by attacker; Sender Unobservability Set; Largest Possible
   Unobservability Set w.r.t. attacker; Recipient Unobservability Set.]

    Figure 6: Unobservability sets w.r.t. attacker within the setting

   Definition:  An unobservability delta of an item of interest (IOI)
      means

      *  undetectability delta of the IOI against all subjects
         uninvolved in it and

      *  anonymity delta of the subject(s) involved in the IOI even
         against the other subject(s) involved in that IOI.

   Since we assume that the attacker does not forget anything,
   unobservability cannot increase. Therefore, the unobservability
   delta can never be positive. Having an unobservability delta of zero
   w.r.t. an IOI means an undetectability delta of zero of the IOI
   against all subjects uninvolved in the IOI and an anonymity delta of
   zero against those subjects involved in the IOI. To be able to
   express this conveniently, we use wordings like "perfect preservation
   of unobservability" to express that the unobservability delta is
   zero.

8.  Relationships between Terms

   With respect to the same attacker, unobservability reveals always
   only a subset of the information anonymity reveals. [ReRu98] propose
   a continuum for describing the strength of anonymity.
   They give
   names: "absolute privacy" (the attacker cannot perceive the presence
   of communication, i.e., unobservability) - "beyond suspicion" -
   "probable innocence" - "possible innocence" - "exposed" - "provably
   exposed" (the attacker can prove the sender, recipient, or their
   relationship to others). Although we think that the terms "privacy"
   and "innocence" are misleading, the spectrum is quite useful. We
   might use the shorthand notation

      unobservability => anonymity

   for that (=> reads "implies"). Using the same argument and notation,
   we have

      sender unobservability => sender anonymity

      recipient unobservability => recipient anonymity

      relationship unobservability => relationship anonymity

   As noted above, we have

      sender anonymity => relationship anonymity

      recipient anonymity => relationship anonymity

      sender unobservability => relationship unobservability

      recipient unobservability => relationship unobservability

   With respect to the same attacker, unobservability reveals always
   only a subset of the information undetectability reveals

      unobservability => undetectability

9.  Known Mechanisms for Anonymity, Undetectability, and Unobservability

   Before it makes sense to speak about any particular mechanisms for
   anonymity, undetectability, and unobservability in communications,
   let us first remark that all of them assume that stations of users do
   not emit signals the attacker considered is able to use for
   identification of stations or their behavior or even for
   identification of users or their behavior. So if you travel around
   taking with you a mobile phone sending more or less continuously
   signals to update its location information within a cellular radio
   network, don't be surprised if you are tracked using its signals.
   If
   you use a computer emitting lots of radiation due to a lack of
   shielding, don't be surprised if observers using high-tech equipment
   know quite a bit about what's happening within your machine. If you
   use a computer, PDA, or smartphone without sophisticated access
   control, don't be surprised if Trojan horses send your secrets to
   anybody interested whenever you are online - or via electromagnetic
   emanations even if you think you are completely offline.

   DC-net [Chau85], [Chau88], and MIX-net [Chau81] are mechanisms to
   achieve sender anonymity and relationship anonymity, respectively,
   both against strong attackers. If we add dummy traffic, both provide
   for the corresponding unobservability [PfPW91]. If dummy traffic is
   used to pad sending and/or receiving on the sender's and/or
   recipient's line to a constant rate traffic, MIX-nets can even
   provide sender and/or recipient anonymity and unobservability.

   Broadcast [Chau85], [PfWa86], [Waid90] and private information
   retrieval [CoBi95] are mechanisms to achieve recipient anonymity
   against strong attackers. If we add dummy traffic, both provide for
   recipient unobservability.

   This may be summarized: A mechanism to achieve some kind of anonymity
   appropriately combined with dummy traffic yields the corresponding
   kind of unobservability.

   Of course, dummy traffic alone can be used to make the number and/or
   length of sent messages undetectable by everybody except for the
   recipients; respectively, dummy traffic can be used to make the
   number and/or length of received messages undetectable by everybody
   except for the senders. (Note: Misinformation and disinformation may
   be regarded as semantic dummy traffic, i.e., communication from which
   an attacker cannot decide which are real requests with real data or
   which are fake ones.
   Assuming the authenticity of misinformation or
   disinformation may lead to privacy problems for (innocent)
   bystanders.)

   As a side remark, we mention steganography and spread spectrum as two
   other well-known undetectability mechanisms.

   The usual concept to achieve undetectability of IOIs at some layer,
   e.g., sending meaningful messages, is to achieve statistical
   independence of all discernible phenomena at some lower
   implementation layer. An example is sending dummy messages at some
   lower layer to achieve, e.g., a constant rate flow of messages
   looking - by means of encryption - random to all parties except
   the sender and the recipient(s).

10.  Pseudonymity

   Having anonymity of human beings, unlinkability, and maybe
   unobservability is superb w.r.t. data minimization, but would prevent
   any useful two-way communication. For many applications, we need
   appropriate kinds of identifiers:

   Definition:  A pseudonym is an identifier of a subject other than one
      of the subject's real names.

   Note:

      The term 'pseudonym' comes from the Greek word "pseudonumon" and
      means "falsely named" (pseudo: false; onuma: name). Thus, it
      means a name other than the 'real name'. To avoid the connotation
      of "pseudo" = false, some authors call pseudonyms as defined in
      this paper simply nyms. This is nice and short, but we stick with
      the usual wording, i.e., pseudonym, pseudonymity, etc. However
      the reader should not be surprised to read nym, nymity, etc. in
      other texts.

      An identifier is a name or another bit string. Identifiers, which
      are generated using random data only, i.e., fully independent of
      the subject and related attribute values, do not contain side
      information on the subject they are attached to, whereas
      non-random identifiers may do.
      E.g., nicknames chosen by a user may
      contain information on heroes he admires; a sequence number may
      contain information on the time the pseudonym was issued; an
      e-mail address or phone number contains information how to reach
      the user.

      In our setting 'subject' means sender or recipient.

      The term 'real name' is the antonym to "pseudonym". There may be
      multiple real names over lifetime, in particular the legal names,
      i.e., for a human being the names which appear on the birth
      certificate or on other official identity documents issued by the
      State; for a legal person the name under which it operates and
      which is registered in official registers (e.g., commercial
      register or register of associations). A human being's real name
      typically comprises their given name and a family name. In the
      realm of identifiers, it is tempting to define anonymity as "the
      attacker cannot sufficiently determine a real name of the
      subject". But despite the simplicity of this definition, it is
      severely restricted: It can only deal with subjects which have at
      least one real name. It presumes that it is clear who is
      authorized to attach real names to subjects. It fails to work if
      the relation to real names is irrelevant for the application at
      hand. Therefore, we stick to the definitions given in Section 4.
      Note that from a mere technological perspective it cannot always
      be determined whether an identifier of a subject is a pseudonym or
      a real name.

   We can generalize pseudonyms to be identifiers of sets of subjects -
   see below -, but we do not need this in our setting.

   Definition:  The subject which the pseudonym refers to is the holder
      of the pseudonym.

   Definition:  A subject is pseudonymous if a pseudonym is used as
      identifier instead of one of its real names.

      We prefer the term "holder" over "owner" of a pseudonym because it
      seems to make no sense to "own" identifiers, e.g., bit strings.
      Furthermore, the term "holder" sounds more neutral than the term
      "owner", which is associated with an assumed autonomy of the
      subject's will. The holder may be a natural person (in this case
      we have the usual meaning and all data protection regulations
      apply), a legal person, or even only a computer.

      Fundamentally, pseudonyms are nothing else than another kind of
      attribute values. But whereas in building an IT system, its
      designer can strongly support the holders of pseudonyms to keep
      the pseudonyms under their control, this is not equally possible
      w.r.t. attributes and attribute values in general. Therefore, it
      is useful to give this kind of attribute a distinct name:
      pseudonym.

      For pseudonyms chosen by the user (in contrast to pseudonyms
      assigned to the user by others), primarily, the holder of the
      pseudonym is using it. Secondarily, all others he communicated to
      using the pseudonym can utilize it for linking. Each of them can,
      of course, divulge the pseudonym and all data related to it to
      other entities. So finally, the attacker will utilize the
      pseudonym to link all data related to this pseudonym he gets to
      know being related.

   Defining the process of preparing for the use of pseudonyms, e.g., by
   establishing certain rules how and under which conditions to identify
   holders of pseudonyms by so-called identity brokers or how to prevent
   uncovered claims by so-called liability brokers (cf. Section 11),
   leads to the more general notion of pseudonymity, as defined below.

   Note:

      Identity brokers have for the pseudonyms they are the identity
      broker for the information who is their respective holder.
      Therefore, identity brokers can be implemented as a special kind
      of certification authorities for pseudonyms. Since anonymity can
      be described as a particular kind of unlinkability, cf. Section 6,
      the concept of identity broker can be generalized to linkability
      broker. A linkability broker is a (trusted) third party that,
      adhering to agreed rules, enables linking IOIs for those entities
      being entitled to get to know the linking.

      Concerning the natural use of the English language, one might use
      "pseudonymization" instead of "pseudonymity". But at least in
      Germany, the law makers gave "pseudonymization" the meaning that
      first personal data known by others comprise some identifiers for
      the civil identity and later these identifiers are replaced by
      pseudonyms. Therefore, we use a different term (coined by David
      Chaum: "pseudonymity") to describe that from the very beginning
      pseudonyms are used.

   Definition:  Pseudonymity is the use of pseudonyms as identifiers.

   Note:

      From [ISO99]: "Pseudonymity ensures that a user may use a resource
      or service without disclosing its user identity, but can still be
      accountable for that use. [...] Pseudonymity requires that a set
      of users and/or subjects are unable to determine the identity of a
      user bound to a subject or operation, but that this user is still
      accountable for its actions." This view on pseudonymity covers
      only the use of digital pseudonyms. Therefore, our definition of
      pseudonymity is much broader as it does not necessarily require
      disclosure of the user's identity and accountability.
      Pseudonymity alone - as it is used in the real world and in
      technological contexts - does not tell anything about the
      strengths of anonymity, authentication or accountability; these
      strengths depend on several properties, cf. below.

      Quantifying pseudonymity would primarily mean quantifying the
      state of using a pseudonym according to its different dimensions
      (cf. Section 11 and Section 12), i.e., quantifying the
      authentication and accountability gained and quantifying the
      anonymity left over (e.g., using entropy as the measure). Roughly
      speaking, well-employed pseudonymity could mean in e-commerce
      appropriately fine-grained authentication and accountability to
      counter identity theft or to prevent uncovered claims using, e.g.,
      the techniques described in [BuPf90], combined with much anonymity
      retained. Poorly employed pseudonymity would mean giving away
      anonymity without preventing uncovered claims.

   So sender pseudonymity is defined as the sender being pseudonymous,
   recipient pseudonymity is defined as the recipient being
   pseudonymous, see Figure 7. Providing sender pseudonymity and
   recipient pseudonymity is the basic interface communication networks
   have to provide to enhance privacy for two-way communications.

   [Diagram omitted. Labels: Senders; Recipients; Pseudonyms;
   Communication Network; Messages; holdership; Sender Pseudonymity;
   Recipient Pseudonymity.]

                          Figure 7: Pseudonymity

   In our usual setting, we assume that each pseudonym refers to exactly
   one specific holder, invariant over time.

Specific kinds of pseudonyms may extend this setting: A group pseudonym refers to a set of holders, i.e., it may refer to multiple holders; a transferable pseudonym can be transferred from one holder to another subject becoming its holder.

Such a group pseudonym may induce an anonymity set: Using the information provided by the pseudonym only, an attacker cannot decide whether an action was performed by a specific subject within the set. Please note that the mere fact that a pseudonym has several holders does not yield a group pseudonym: For instance, creating the same pseudonym may happen by chance and even without the holders being aware of this fact, particularly if they choose the pseudonyms and prefer pseudonyms which are easy to remember. But the context of each use of the pseudonym (e.g., used by which subject - usually denoted by another pseudonym - in which kind of transaction) then usually will denote a single holder of this pseudonym.

Transferable pseudonyms can, if the attacker cannot completely monitor all transfers of holdership, serve the same purpose, without decreasing accountability as seen by an authority monitoring all transfers of holdership.

An interesting combination might be transferable group pseudonyms - but this is left for further study.

11. Pseudonymity with respect to accountability and authorization

11.1. Digital pseudonyms to authenticate messages

A digital pseudonym is a bit string which, to be meaningful in a certain context, is

o unique as identifier (at least with very high probability) and

o suitable to be used to authenticate the holder's IOIs relatively to his/her digital pseudonym, e.g., to authenticate his/her messages sent.

Using digital pseudonyms, accountability can be realized with pseudonyms - or more precisely: with respect to pseudonyms.

11.2. Accountability for digital pseudonyms

To authenticate IOIs relative to pseudonyms usually is not enough to achieve accountability for IOIs.

Therefore, in many situations, it might make sense to either

o attach funds to digital pseudonyms to cover claims or to

o let identity brokers authenticate digital pseudonyms (i.e., check the civil identity of the holder of the pseudonym and then issue a digitally signed statement that this particular identity broker has proof of the identity of the holder of this digital pseudonym and is willing to divulge that proof under well-defined circumstances) or

o both.

Note:

If the holder of the pseudonym is a natural person or a legal person, civil identity has the usual meaning, i.e. the identity attributed to an individual person by a State (e.g., represented by the social security number or the combination of name, date of birth, and location of birth etc.). If the holder is, e.g., a computer, it remains to be defined what "civil identity" should mean. It could mean, for example, exact type and serial number of the computer (or essential components of it) or even include the natural person or legal person responsible for its operation.

If sufficient funds attached to a digital pseudonym are reserved and/or the digitally signed statement of a trusted identity broker is checked before entering into a transaction with the holder of that pseudonym, accountability can be realized in spite of anonymity.

11.3. Transferring authenticated attributes and authorizations between pseudonyms

To transfer attributes including their authentication by third parties (called "credentials" by David Chaum [Chau85]) - all kinds of authorizations are special cases - between digital pseudonyms of one and the same holder, it is always possible to prove that these pseudonyms have the same holder.

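
The following added example (not part of the draft) illustrates Section 11.1 and the same-holder proof just mentioned: a digital pseudonym is modelled as a verification key, a message is authenticated relative to it, and two pseudonyms are shown to have the same holder by signing one statement under both. It assumes Lamport one-time signatures over SHA-256 in place of the public-key signatures the draft has in mind, so that it runs with the standard library alone; all class and function names are hypothetical.

```python
"""Digital pseudonyms as signature-verification keys (added example).

Assumption: Lamport one-time signatures over SHA-256 replace the public-key
signatures (e.g. PGP keys) the draft refers to, so only the standard library
is needed. Each pseudonym can therefore sign exactly one message.
"""
import hashlib
import secrets

BITS = 256  # one pair of secrets per bit of the SHA-256 message digest


def _h(data):
    return hashlib.sha256(data).digest()


def _digest_bits(message):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def pseudonym_name(public):
    """The bit string used as identifier: a hash of the verification key."""
    return _h(b"".join(part for pair in public for part in pair)).hex()


class DigitalPseudonym:
    """Held by one subject; `public` is what communication partners see."""

    def __init__(self):
        self._secret = [(secrets.token_bytes(32), secrets.token_bytes(32))
                        for _ in range(BITS)]
        self.public = [(_h(zero), _h(one)) for zero, one in self._secret]
        self.name = pseudonym_name(self.public)
        self._used = False

    def sign(self, message):
        """Authenticate one message (an IOI) relative to this pseudonym."""
        if self._used:
            raise RuntimeError("one-time key already used; use a new pseudonym")
        self._used = True
        return [self._secret[i][bit] for i, bit in enumerate(_digest_bits(message))]


def verify(public, message, signature):
    """True if `signature` authenticates `message` relative to the pseudonym."""
    if len(signature) != BITS:
        return False
    return all(_h(signature[i]) == public[i][bit]
               for i, bit in enumerate(_digest_bits(message)))


def same_holder_statement(name_a, name_b):
    return f"{name_a} and {name_b} have the same holder.".encode()


def prove_same_holder(pseudonym_a, pseudonym_b):
    """Holder side: sign one statement with respect to both pseudonyms."""
    statement = same_holder_statement(pseudonym_a.name, pseudonym_b.name)
    return statement, pseudonym_a.sign(statement), pseudonym_b.sign(statement)


def check_same_holder(public_a, public_b, proof):
    """Verifier side: needs only the two public keys and the proof."""
    statement, sig_a, sig_b = proof
    expected = same_holder_statement(pseudonym_name(public_a),
                                     pseudonym_name(public_b))
    return (statement == expected
            and verify(public_a, statement, sig_a)
            and verify(public_b, statement, sig_b))


def demo():
    results = {}
    # One holder, two pseudonyms: the proof verifies.
    first, second = DigitalPseudonym(), DigitalPseudonym()
    results["same holder"] = check_same_holder(
        first.public, second.public, prove_same_holder(first, second))
    # A subject who holds only `own` cannot claim `victim` as well.
    victim, own, spare = DigitalPseudonym(), DigitalPseudonym(), DigitalPseudonym()
    statement = same_holder_statement(victim.name, own.name)
    forged = (statement, spare.sign(statement), own.sign(statement))
    results["forged claim"] = check_same_holder(victim.public, own.public, forged)
    # Two cooperating holders can each sign the statement: the check passes
    # although the holders differ, which is why the draft assumes that no
    # holders cooperate to provide wrong "proofs".
    holder_1, holder_2 = DigitalPseudonym(), DigitalPseudonym()
    statement = same_holder_statement(holder_1.name, holder_2.name)
    colluding = (statement, holder_1.sign(statement), holder_2.sign(statement))
    results["colluding holders"] = check_same_holder(
        holder_1.public, holder_2.public, colluding)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: accepted={accepted}")
```
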
But as David Chaum pointed out, it is much more anonymity-preserving to maintain the unlinkability of the digital pseudonyms involved as much as possible by transferring the credential from one pseudonym to the other without proving the sameness of the holder. How this can be done is described in [Chau90] [CaLy04].

We will come back to the just described property "convertibility" of digital pseudonyms in Section 13.

12. Pseudonymity with respect to linkability

Whereas anonymity and accountability are the extremes with respect to linkability to subjects, pseudonymity is the entire field between and including these extremes. Thus, pseudonymity comprises all degrees of linkability to a subject. Ongoing use of the same pseudonym allows the holder to establish or consolidate a reputation. Establishing and/or consolidating a reputation under a pseudonym is, of course, insecure if the pseudonym does not enable to authenticate messages, i.e., if the pseudonym is not a digital pseudonym, cf. Section 11.1. Then, at any moment, another subject might use this pseudonym possibly invalidating the reputation, both for the holder of the pseudonym and all others having to do with this pseudonym. Some kinds of pseudonyms enable dealing with claims in case of abuse of unlinkability to holders: Firstly, third parties (identity brokers, cf. ) may have the possibility to reveal the civil identity of the holder in order to provide means for investigation or prosecution. To improve the robustness of anonymity, chains of identity brokers may be used [Chau81]. Secondly, third parties may act as liability brokers of the holder to clear a debt or settle a claim. [BuPf90] presents the particular case of value brokers.

There are many properties of pseudonyms which may be of importance in specific application contexts.
In order to describe the properties of pseudonyms with respect to anonymity, we limit our view to two aspects and give some typical examples:

12.1. Knowledge of the linking between the pseudonym and its holder

The knowledge of the linking may not be a constant, but change over time for some or even all people. Normally, for non-transferable pseudonyms the knowledge of the linking cannot decrease (with the exception of misinformation or disinformation, which may blur the attacker's knowledge). Typical kinds of such pseudonyms are:

Public pseudonym: The linking between a public pseudonym and its holder may be publicly known even from the very beginning. E.g., the linking could be listed in public directories such as the entry of a phone number in combination with its owner.

Initially non-public pseudonym: The linking between an initially non-public pseudonym and its holder may be known by certain parties, but is not public at least initially. E.g., a bank account where the bank can look up the linking may serve as a non-public pseudonym. For some specific non-public pseudonyms, certification authorities acting as identity brokers could reveal the civil identity of the holder in case of abuse.

Initially unlinked pseudonym: The linking between an initially unlinked pseudonym and its holder is - at least initially - not known to anybody with the possible exception of the holder himself/herself. Examples for unlinked pseudonyms are (non-public) biometrics like DNA information unless stored in databases including the linking to the holders.

Public pseudonyms and initially unlinked pseudonyms can be seen as extremes of the described pseudonym aspect whereas initially non-public pseudonyms characterize the continuum in between.

Anonymity is the stronger, the less is known about the linking to a subject.
The strength of anonymity decreases with increasing knowledge of the pseudonym linking. In particular, under the assumption that no gained knowledge on the linking of a pseudonym will be forgotten and that the pseudonym cannot be transferred to other subjects, a public pseudonym never can become an unlinked pseudonym. In each specific case, the strength of anonymity depends on the knowledge of certain parties about the linking relative to the chosen attacker model.

If the pseudonym is transferable, the linking to its holder can change. Considering an unobserved transfer of a pseudonym to another subject, a formerly public pseudonym can become non-public again.

12.2. Linkability due to the use of a pseudonym across different contexts

With respect to the degree of linkability, various kinds of pseudonyms may be distinguished according to the kind of context for their usage:

Person pseudonym: A person pseudonym is a substitute for the holder's name which is regarded as representation for the holder's civil identity. It may be used in many different contexts, e.g., a number of an identity card, the social security number, DNA, a nickname, the pseudonym of an actor, or a mobile phone number.

Role pseudonym: The use of role pseudonyms is limited to specific roles, e.g., a customer pseudonym or an Internet account used for many instantiations of the same role "Internet user". See Section 14.3 for a more precise characterization of the term "role". The same role pseudonym may be used with different communication partners. Roles might be assigned by other parties, e.g., a company, but they might be chosen by the subject himself/herself as well.

Relationship pseudonym: For each communication partner, a different relationship pseudonym is used.
The same relationship pseudonym may be used in different roles for communicating with the same partner. Examples are distinct nicknames for each communication partner. In case of group communication, the relationship pseudonyms may be used between more than two partners.

Role-relationship pseudonym: For each role and for each communication partner, a different role-relationship pseudonym is used. This means that the communication partner does not necessarily know, whether two pseudonyms used in different roles belong to the same holder. On the other hand, two different communication partners who interact with a user in the same role, do not know from the pseudonym alone whether it is the same user. As with relationship pseudonyms, in case of group communication, the role-relationship pseudonyms may be used between more than two partners.

Transaction pseudonym: Apart from "transaction pseudonym" some employ the term "one-time-use pseudonym", taking the naming from "one-time pad". For each transaction, a transaction pseudonym unlinkable to any other transaction pseudonyms and at least initially unlinkable to any other IOI is used, e.g., randomly generated transaction numbers for online-banking. Therefore, transaction pseudonyms can be used to realize as strong anonymity as possible. In fact, the strongest anonymity is given when there is no identifying information at all, i.e., information that would allow linking of anonymous entities, thus transforming the anonymous transaction into a pseudonymous one. If the transaction pseudonym is used exactly once, we have the same strength of anonymity as if no pseudonym is used at all.
Another possibility to achieve strong anonymity is to prove the holdership of the pseudonym or specific attribute values (e.g., with zero-knowledge proofs) without revealing the information about the pseudonym or more detailed attribute values themselves. Then, no identifiable or linkable information is disclosed.

Linkability across different contexts due to the use of these pseudonyms can be represented as the lattice that is illustrated in the following diagram, see Figure 8. The arrows point in direction of increasing unlinkability, i.e., A -> B stands for "B enables stronger unlinkability than A". Note that "->" is not the same as "=>" of Section 8, which stands for the implication concerning anonymity and unobservability.

[Figure: lattice with "Person Pseudonym" at the top ("linkable"), arrows from it to "Role Pseudonym" and "Relationship Pseudonym", arrows from both of these to "Role-Relationship Pseudonym", and an arrow from there to "Transaction Pseudonym" at the bottom ("unlinkable"); a side arrow from top to bottom is labelled "decreasing linkability across contexts".]

Figure 8: Lattice of pseudonyms according to their use across different contexts

In general, unlinkability of both role pseudonyms and relationship pseudonyms is stronger than unlinkability of person pseudonyms. The strength of unlinkability increases with the application of role-relationship pseudonyms, the use of which is restricted to both the same role and the same relationship.
If a role-relationship pseudonym is used for roles comprising many kinds of activities, the danger arises that after a while, it becomes a person pseudonym in the sense of: "A person pseudonym is a substitute for the holder's name which is regarded as representation for the holder's civil identity." This is even more true both for role pseudonyms and relationship pseudonyms. Ultimate strength of unlinkability is obtained with transaction pseudonyms, provided that no other information, e.g., from the context or from the pseudonym itself, enabling linking is available.

Anonymity is the stronger, ...

o the less personal data of the pseudonym holder can be linked to the pseudonym;

o the less often and the less context-spanning pseudonyms are used and therefore the less data about the holder can be linked;

o the more often independently chosen, i.e., from an observer's perspective unlinkable, pseudonyms are used for new actions.

The amount of information of linked data can be reduced by different subjects using the same pseudonym (e.g., one after the other when pseudonyms are transferred or simultaneously with specifically created group pseudonyms) or by misinformation or disinformation. The group of pseudonym holders acts as an inner anonymity set within a, depending on context information, potentially even larger outer anonymity set.

13. Known mechanisms and other properties of pseudonyms

A digital pseudonym could be realized as a public key to test digital signatures where the holder of the pseudonym can prove holdership by forming a digital signature which is created using the corresponding private key [Chau81]. The most prominent example for digital pseudonyms are public keys generated by the user himself/herself, e.g., using PGP.
In using PGP, each user may create an unlimited number of key pairs by himself/herself (at this moment, such a key pair is an initially unlinked pseudonym), bind each of them to an e-mail address, self-certify each public key by using his/her digital signature or asking another introducer to do so, and circulate it.

A public key certificate bears a digital signature of a so-called certification authority and provides some assurance to the binding of a public key to another pseudonym, usually held by the same subject. In case that pseudonym is the civil identity (the real name) of a subject, such a certificate is called an identity certificate. An attribute certificate is a digital certificate which contains further information (attribute values) and clearly refers to a specific public key certificate. Independent of certificates, attributes may be used as identifiers of sets of subjects as well. Normally, attributes refer to sets of subjects (i.e., the anonymity set), not to one specific subject.

There are several other properties of pseudonyms related to their use which shall only be briefly mentioned, but not discussed in detail in this text. They comprise different degrees of, e.g.,

o limitation to a fixed number of pseudonyms per subject [Chau81], [Chau85], [Chau90]. For pseudonyms issued by an agency that guarantees the limitation of at most one pseudonym per individual person, the term "is-a-person pseudonym" is used.

o guaranteed uniqueness [Chau81] [StSy00], e.g., "globally unique pseudonyms".

o transferability to other subjects.

o authenticity of the linking between a pseudonym and its holder (possibilities of verification/falsification or indication/repudiation).

o provability that two or more pseudonyms have the same holder.
For digital pseudonyms having only one holder each and assuming that no holders cooperate to provide wrong "proofs", this can be proved trivially by signing, e.g., the statement " and have the same holder." digitally with respect to both these pseudonyms. Putting it the other way round: Proving that pseudonyms have the same holder is all but trivial.

o convertibility, i.e., transferability of attributes of one pseudonym to another [Chau85], [Chau90]. This is a property of convertible credentials.

o possibility and frequency of pseudonym changeover.

o re-usability and, possibly, a limitation in number of uses.

o validity (e.g., guaranteed durability and/or expiry date, restriction to a specific application).

o possibility of revocation or blocking.

o participation of users or other parties in forming the pseudonyms.

o information content about attributes in the pseudonym itself.

In addition, there may be some properties for specific applications (e.g., an addressable pseudonym serves as a communication address which enables to contact its holder) or due to the participation of third parties (e.g., in order to circulate the pseudonyms, to reveal civil identities in case of abuse, or to cover claims).

Some of the properties can easily be realized by extending a digital pseudonym by attributes of some kind, e.g., a communication address, and specifying the appropriate semantics. The binding of attributes to a pseudonym can be documented in an attribute certificate produced either by the holder himself/herself or by a certification authority. The non-transferability of the attribute certificate can be somewhat enforced, e.g., by biometrical means, by combining it with individual hardware (e.g., chipcards), or by confronting the holder with legal consequences.

14. Identity management

14.1. Setting

To adequately address privacy-enhancing identity management, we have to extend our setting:

o It is not realistic to assume that an attacker might not get information on the sender or recipient of messages from the message content and/or the sending or receiving context (time, location information, etc.) of the message. We have to consider that the attacker is able to use these attributes for linking messages and, correspondingly, the pseudonyms used with them.

o In addition, it is not just human beings, legal persons, or simply computers sending messages and using pseudonyms at their discretion as they like at the moment, but they use (computer-based) applications, which strongly influence the sending and receiving of messages and may even strongly determine the usage of pseudonyms.

14.2. Identity and identifiability

Identity can be explained as an exclusive perception of life, integration into a social group, and continuity, which is bound to a body and - at least to some degree - shaped by society. This concept of identity distinguishes between "I" and "Me" [Mead34]: "I" is the instance that is accessible only by the individual self, perceived as an instance of liberty and initiative. "Me" is supposed to stand for the social attributes, defining a human identity that is accessible by communications and that is an inner instance of control and consistency (see [ICPP03] for more information). In this terminology, we are interested in identity as communicated to others and seen by them. Therefore, we concentrate on the "Me".

Note:

Here (and in Section 14 throughout), we have human beings in mind, which is the main motivation for privacy. From a structural point of view, identity can be attached to any subject, be it a human being, a legal person, or even a computer.
This makes the terminology more general, but may lose some motivation at first sight. Therefore, we start in our explanation with identity of human beings, but implicitly generalize to subjects thereafter. This means: In a second reading of this paper, you may replace "individual person" by "individual subject" (introduced as "possibly acting entity" at the beginning of Section 3) throughout as it was used in the definitions of the Section 3 through Section 13. It may be discussed whether the definitions can be further generalized and apply for any "entity", regardless of subject or not.

According to Mireille Hildebrandt, the French philosopher Paul Ricoeur made a distinction between "idem and ipse. Idem (sameness) stands for the third person, objectified observer's perspective of identity as a set of attributes that allows comparison between different people, as well as unique identification, whereas ipse (self) stands for the first person perspective constituting a 'sense of self'.", see page 274 in [RaRD09]. So what George H. Mead called "I" is similar to what Paul Ricoeur called "ipse" (self). What George H. Mead called "Me" is similar to what Paul Ricoeur called "idem" (sameness).

Motivated by identity as an exclusive perception of life, i.e., a psychological perspective, but using terms defined from a computer science, i.e., a mathematical perspective (as we did in the sections before), identity can be explained and defined as a property of an entity in terms of the negation of anonymity and the negation of unlinkability. In a positive wording, identity enables both to be identifiable as well as to link IOIs because of some continuity of life. Here we have the negation of anonymity (identifiability) and the negation of unlinkability (linkability) as positive properties.
So the perspective changes: What is the aim of an attacker w.r.t. anonymity, now is the aim of the subject under consideration, so the attacker's perspective becomes the perspective of the subject. And again, another attacker (attacker2) might be considered working against identifiability and/or linkability. I.e., attacker2 might try to mask different attributes of subjects to provide for some kind of anonymity or attacker2 might spoof some messages to interfere with the continuity of the subject's life.

Corresponding to the anonymity set introduced in the beginning of this text, we can work with an "identifiability set" [Hild03], which is a set of possible subjects, to define "identifiability" and "identity". This definition is compatible with the definitions given in [HoWi03] and it is very close to that given by [Chi03]: "An identity is any subset of attributes of a person which uniquely characterizes this person within a community."

Definition: Identifiability of a subject from an attacker's perspective means that the attacker can sufficiently identify the subject within a set of subjects, the identifiability set.

Figure 9 contrasts anonymity set and identifiability set.

[Figure: two ovals side by side, "Anonymity within an anonymity set" and "Identifiability within an identifiability set".]

Figure 9: Anonymity set vs. identifiability set

All other things being equal, identifiability is the stronger, the larger the respective identifiability set is. Conversely, the remaining anonymity is the stronger, the smaller the respective identifiability set is.

Identity of an individual person should be defined independent of an attacker's perspective:

Definition: An identity is any subset of attribute values of an individual person which sufficiently identifies this individual person within any set of persons. So usually there is no such thing as "the identity", but several of them.

Note:

Whenever we speak about "attribute values" in this text, this shall comprise not only a measurement of the attribute value, but the attribute as well. E.g., if we talk about the attribute "color of one's hair" the attribute value "color of one's hair" is not just, e.g., "grey", but ("color of one's hair", "grey").

An equivalent, but slightly longer definition of identity would be: An identity is any subset of attribute values of an individual person which sufficiently distinguishes this individual person from all other persons within any set of persons.

Of course, attribute values or even attributes themselves may change over time. Therefore, if the attacker has no access to the change history of each particular attribute, the fact whether a particular subset of attribute values of an individual person is an identity or not may change over time as well. If the attacker has access to the change history of each particular attribute, any subset forming an identity will form an identity from his perspective irrespective how attribute values change.
Any reasonable attacker will not just try to figure out attribute values per se, but the point in time (or even the time frame) they are valid (in), since this change history helps a lot in linking and thus inferring further attribute values. Therefore, it may clarify one's mind to define each "attribute" in a way that its value cannot get invalid. So instead of the attribute "location" of a particular individual person, take the set of attributes "location at time x". Depending on the inferences you are interested in, refining that set as a list ordered concerning "location" or "time" may be helpful.

Identities may of course comprise particular attribute values like names, identifiers, digital pseudonyms, and addresses - but they don't have to.

14.3. Identity-related terms

Role: In sociology, a "role" or "social role" is a set of connected actions, as conceptualized by actors in a social situation (i.e., situation-dependent identity attributes). It is mostly defined as an expected behavior (i.e., sequences of actions) in a given individual social context. So roles provide for some linkability of actions.

Partial identity: An identity of an individual person may comprise many partial identities of which each represents the person in a specific context or role. (Note: As an identity has to do with integration into a social group, on the one hand, partial identities have to do with, e.g., relationships to particular group members (or to be more general: relationships to particular subsets of group members). On the other hand, partial identities might be associated with relationships to organizations.) A partial identity is a subset of attribute values of a complete identity, where a complete identity is the union of all attribute values of all identities of this person.
(Note: If attributes are defined such that their values do not get invalid, "union" can have the usual meaning within set theory. We have to admit that usually nobody, including the person concerned, will know "all" attribute values or "all" identities. Nevertheless we hope that the notion "complete identity" will ease the understanding of "identity" and "partial identity".) On a technical level, these attribute values are data. Of course, attribute values or even attributes themselves of a partial identity may change over time. As identities, partial identities may comprise particular attribute values like names, identifiers, digital pseudonyms, and addresses - but they don't have to, either. A pseudonym might be an identifier for a partial identity. If it is possible to transfer attribute values of one pseudonym to another (as convertibility of credentials provides for, cf. Section 13), this means transferring a partial identity to this other pseudonym. Re-use of the partial identity with its identifier(s), e.g., a pseudonym, supports continuity in the specific context or role by enabling linkability with, e.g., former or future messages or actions. If the pseudonym is a digital pseudonym, it provides the possibility to authenticate w.r.t. the partial identity which is important to prevent others to take over the partial identity (discussed as "identity theft"). Linkability of partial identities arises by non-changing identifiers of a partial identity as well as other attribute values of that partial identity that are (sufficiently) static or easily determinable over time (e.g., bodily biometrics, the size or age of a person).
All the data that can be used to link data sets such as partial identities belong to a category of "data providing linkability" (to which we must pay the same attention as to personal data w.r.t. privacy and data protection; "protection of individuals with regard to the processing of personal data" [DPD95]). Whereas we assume that an "identity" sufficiently identifies an individual person (without limitation to particular identifiability sets), a partial identity may not do, thereby enabling different quantities of anonymity. So we may have linkability by re-using a partial identity (which may be important to support continuity of life) without necessarily giving up anonymity (which may be important for privacy). But we may find for each partial identity appropriately small identifiability sets, where the partial identity sufficiently identifies an individual person, see Figure 10. For identifiability sets of cardinality 1, this is trivial, but it may hold for "interesting" identifiability sets of larger cardinality as well. The relation between anonymity set and identifiability set can be seen in two ways:

1. Within an a-priori anonymity set, we can consider a-posteriori identifiability sets as subsets of the anonymity set. Then the largest identifiability sets allowing identification characterize the a-posteriori anonymity, which is zero iff the largest identifiability set allowing identification equals the a-priori anonymity set.

2. Within an a-priori identifiability set, its subsets which are the a-posteriori anonymity sets characterize the a-posteriori anonymity. It is zero iff all a-posteriori anonymity sets have cardinality 1.

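
An added example (not part of the draft) of the set relations described above: it computes the anonymity set of a partial identity, checks in which identifiability sets that partial identity identifies a person, enumerates the minimal identities of one person, and forms a-posteriori anonymity sets. The population, the attribute names and the function names are constructed for illustration, and the entropy figure assumes the attacker considers all candidates equally likely.

```python
from itertools import combinations
from math import log2


def subject(community, hair, job, born):
    """Following the draft's Note, an attribute value is the pair
    (attribute, measurement); a subject is a set of such pairs."""
    return frozenset({("community", community), ("hair", hair),
                      ("job", job), ("born", born)})


# Constructed population of nine subjects in three communities.
POPULATION = {
    "s1": subject("A", "grey", "nurse", "1970"),
    "s2": subject("A", "grey", "clerk", "1970"),
    "s3": subject("A", "brown", "nurse", "1982"),
    "s4": subject("B", "grey", "nurse", "1982"),
    "s5": subject("B", "brown", "clerk", "1970"),
    "s6": subject("B", "brown", "nurse", "1991"),
    "s7": subject("C", "grey", "nurse", "1991"),
    "s8": subject("C", "grey", "clerk", "1982"),
    "s9": subject("C", "brown", "clerk", "1991"),
}


def anonymity_set(partial_identity, subjects):
    """Subjects that fit every attribute value of the partial identity."""
    wanted = frozenset(partial_identity)
    return {name for name, attrs in subjects.items() if wanted <= attrs}


def identifies(partial_identity, subjects):
    """True if the partial identity singles out exactly one subject."""
    return len(anonymity_set(partial_identity, subjects)) == 1


def restrict(subjects, attribute_value):
    """A smaller identifiability set: the subjects sharing one attribute value."""
    return {n: a for n, a in subjects.items() if attribute_value in a}


def entropy_bits(candidates):
    """Anonymity left over, assuming all candidates are equally likely."""
    return log2(len(candidates)) if candidates else 0.0


def minimal_identities(name, subjects):
    """All minimal subsets of a person's attribute values that identify the
    person within `subjects` (usually there are several)."""
    attrs = sorted(subjects[name])
    found = []
    for size in range(1, len(attrs) + 1):
        for combo in combinations(attrs, size):
            candidate = frozenset(combo)
            if any(smaller <= candidate for smaller in found):
                continue  # a subset already identifies: not minimal
            if identifies(candidate, subjects):
                found.append(candidate)
    return found


def a_posteriori_anonymity_sets(subjects, observed_attributes):
    """Partition the subjects by the values of the attributes the attacker
    has learned; anonymity is zero iff every class has cardinality 1."""
    classes = {}
    for name, attrs in subjects.items():
        key = frozenset(av for av in attrs if av[0] in observed_attributes)
        classes.setdefault(key, set()).add(name)
    return list(classes.values())


def demo():
    partial = {("hair", "grey"), ("job", "nurse")}
    overall = anonymity_set(partial, POPULATION)
    print("anonymity set:", sorted(overall),
          "entropy: %.3f bits" % entropy_bits(overall))
    for community in "ABC":
        inside = restrict(POPULATION, ("community", community))
        print("community", community, "identified:", identifies(partial, inside))
    for identity in minimal_identities("s1", POPULATION):
        print("identity of s1:", sorted(identity))
    sizes = sorted(len(c) for c in
                   a_posteriori_anonymity_sets(POPULATION, {"job", "born"}))
    print("a-posteriori anonymity set sizes:", sizes)
    return overall


if __name__ == "__main__":
    demo()
```
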

      As with identities, depending on whether the attacker has access
      to the change history of each particular attribute or not, the
      identifiability set of a partial identity may change over time if
      the values of its attributes change.

      [ASCII-art diagram not recoverable from the extracted text.]

      *: Anonymity set of a partial identity given
         that the set of all possible subjects
         (the a-priori anonymity set) can be partitioned
         into the three disjoint identifiability sets
         of the partial identity shown.

      Figure 10: Relation between anonymity set and identifiability set

   Digital identity
      Digital identity denotes attribution of attribute values to an
      individual person, which are immediately operationally accessible
      by technical means.  More to the point, the identifier of a
      digital partial identity can be a simple e-mail address in a news
      group or a mailing list.  A digital partial identity is the same
      as a partial digital identity.  In the following, we skip
      "partial" if the meaning is clear from the context.  Its owner
      will attain a certain reputation.
      More generally we might consider the whole identity as a
      combination of "I" and "Me" where the "Me" can be divided into an
      implicit and an explicit part: Digital identity is the digital
      part of the explicated "Me".  Digital identity should denote all
      those personal data that can be stored and automatically
      interlinked by a computer-based application.

   Virtual identity
      Virtual identity is sometimes used with the same meaning as
      digital identity or digital partial identity, but because of the
      connotation with "unreal, non-existent, seeming" the term is
      mainly applied to characters in a MUD (Multi User Dungeon), MMORPG
      (Massively Multiplayer Online Role Playing Game) or to avatars.
      For these reasons, we do not use the notions physical world vs.
      virtual world nor physical person vs. virtual person defined in
      [RaRD09] (pp. 80ff).  Additionally, we feel that taking the
      distinction between physical vs. digital (=virtual) world as a
      primary means to build up a terminology is not helpful.  First we
      have to define what a person, an entity, and an identity is.  The
      distinction between physical and digital is only of secondary
      importance and the structure of the terminology should reflect
      this fundamental fact.  In other disciplines, of course, it may be
      very relevant whether a person is a human being with a physical
      body.  Please remember Section 14.3, where the sociological
      definition of identity includes "is bound to a body", or law
      enforcement when a jail sentence has to be carried out.
      Generalizing from persons, laws should consider and spell out
      whether they are addressing physical entities, which cannot be
      duplicated easily, or digital entities, which can.

14.4.  Identity management-related terms

   Identity management
      Identity management means managing various partial identities
      (usually denoted by pseudonyms) of an individual person, i.e.,
      administration of identity attributes including the development
      and choice of the partial identity and pseudonym to be (re-)used
      in a specific context or role.  Establishment of reputation is
      possible when the individual person re-uses partial identities.
      A prerequisite to choose the appropriate partial identity is to
      recognize the situation the person is acting in.

   Privacy-enhancing identity management
      Given the restrictions of a set of applications, identity
      management is called privacy-enhancing if it sufficiently
      preserves unlinkability (as seen by an attacker) between the
      partial identities of an individual person required by the
      applications.  Note that due to our setting, this definition
      focuses on the main property of Privacy-Enhancing Technologies
      (PETs), namely data minimization: This property means to limit as
      much as possible the release of personal data and for those
      released, preserve as much unlinkability as possible.  We are
      aware of the limitation of this definition: In the real world it
      is not always desired to achieve utmost unlinkability.  We believe
      that the user as the data subject should be empowered to decide on
      the release of data and on the degree of linkage of his or her
      personal data within the boundaries of legal regulations, i.e., in
      an advanced setting the privacy-enhancing application design
      should also take into account the support of "user-controlled
      release" as well as "user-controlled linkage".  Identity
      management is called perfectly privacy-enhancing if it perfectly
      preserves unlinkability between the partial identities, i.e., by
      choosing the pseudonyms (and their authorizations, cf.
      Section 11.3) denoting the partial identities carefully, it
      maintains unlinkability between these partial identities towards
      an attacker to the same degree as giving the attacker the
      attribute values with all pseudonyms omitted.  (Note: Given the
      terminology defined in Section 3 to Section 6, privacy-enhancing
      identity management is unlinkability-preserving identity
      management.  So, maybe, the term "privacy-preserving identity
      management" would be more appropriate.  But to be compatible with
      the earlier papers in this field, we stick to privacy-enhancing
      identity management.)

   Privacy-enhancing identity management enabling application design
      An application is designed in a privacy-enhancing identity
      management enabling way if neither the pattern of
      sending/receiving messages nor the attribute values given to
      entities (i.e., human beings, organizations, computers) reduce
      unlinkability more than is strictly necessary to achieve the
      purposes of the application.

   Identity management system (IMS)
      An identity management system in its broadest sense refers to
      technology-based administration of identity attributes including
      the development and choice of the partial identity and pseudonym
      to be (re-)used in a specific context or role.  Note that some
      publications use the abbreviations IdMS or IDMS instead.  We can
      distinguish between identity management system and identity
      management application: The term "identity management system" is
      seen as an infrastructure, in which "identity management
      applications" as components, i.e., software installed on
      computers, are co-ordinated.

   Privacy-enhancing identity management system (PE-IMS)
      A Privacy-Enhancing IMS is an IMS that, given the restrictions of
      a set of applications, sufficiently preserves unlinkability (as
      seen by an attacker) between the partial identities and
      corresponding pseudonyms of an individual person.

   User-controlled identity management system
      A user-controlled identity management system is an IMS that makes
      the flow of this user's identity attribute values explicit to the
      user and gives its user a large degree of control [CPHH02].  The
      guiding principle is "notice and choice".

   Combining user-controlled IMS with PE-IMS means user-controlled
   linkability of personal data, i.e., achieving user-control based on
   thorough data minimization.  According to the respective situation
   and context, such a system supports the user in making an informed
   choice of pseudonyms, representing his or her partial identities.  A
   user-controlled PE-IMS supports the user in managing his or her
   partial identities, i.e., to use different pseudonyms with associated
   identity attribute values according to different contexts, different
   roles the user is acting in and according to different interaction
   partners.  It acts as a central gateway for all interactions between
   different applications, like browsing the web, buying in Internet
   shops, or carrying out administrative tasks with governmental
   authorities [HBCC04].

15.  Overview of main definitions and their negations

   +---------------------------------+---------------------------------+
   | Definition                      | Negation                        |
   +---------------------------------+---------------------------------+
   | Anonymity of a subject from an  | Identifiability of a subject    |
   | attacker's perspective means    | from an attacker's perspective  |
   | that the attacker cannot        | means that the attacker can     |
   | sufficiently identify the       | sufficiently identify the       |
   | subject within a set of         | subject within a set of         |
   | subjects, the anonymity set.    | subjects, the identifiability   |
   |                                 | set.                            |
   | ------------------------------- | ------------------------------- |
   | Unlinkability of two or more    | Linkability of two or more      |
   | items of interest (IOIs, e.g.,  | items of interest (IOIs, e.g.,  |
   | subjects, messages, actions,    | subjects, messages, actions,    |
   | ...) from an attacker's         | ...) from an attacker's         |
   | perspective means that within   | perspective means that within   |
   | the system (comprising these    | the system (comprising these    |
   | and possibly other items), the  | and possibly other items), the  |
   | attacker cannot sufficiently    | attacker can sufficiently       |
   | distinguish whether these IOIs  | distinguish whether these IOIs  |
   | are related or not.             | are related or not.             |
   | ------------------------------- | ------------------------------- |
   | Undetectability of an item of   | Detectability of an item of     |
   | interest (IOI) from an          | interest (IOI) from an          |
   | attacker's perspective means    | attacker's perspective means    |
   | that the attacker cannot        | that the attacker can           |
   | sufficiently distinguish        | sufficiently distinguish        |
   | whether it exists or not.       | whether it exists or not.       |
   | ------------------------------- | ------------------------------- |
   | Unobservability of an item of   | Observability of an item of     |
   | interest (IOI) means            | interest (IOI) means "many      |
   | undetectability of the IOI      | possibilities to define the     |
   | against all subjects uninvolved | semantics".                     |
   | in it and anonymity of the      |                                 |
   | subject(s) involved in the IOI  |                                 |
   | even against the other          |                                 |
   | subject(s) involved in that     |                                 |
   | IOI.                            |                                 |
   +---------------------------------+---------------------------------+

16.  Acknowledgments

   Before this document was submitted to the IETF it already had a long
   history starting in 2000 and a number of people helped to improve the
   quality of the document with their feedback.  The original authors,
   Marit Hansen and Andreas Pfitzmann, would therefore like to thank
   Adam Shostack, David-Olivier Jaquet-Chiffelle, Claudia Diaz, Giles
   Hogben, Thomas Kriegelstein, Wim Schreurs, Sandra Steinbrecher, Mike
   Bergmann, Katrin Borcea, Simone Fischer-Huebner, Stefan Koepsell,
   Martin Rost, Marc Wilikens, Adolf Flueli, Jozef Vyskoc, Thomas
   Kriegelstein, Jan Camenisch, Vashek Matyas, Daniel Cvrcek, Wassim
   Haddad, Alf Zugenmair, Katrin Borcea-Pfitzmann, Thomas Kriegelstein,
   Elke Franz, Sebastian Clauss, Neil Mitchison, Rolf Wendolsky, Stefan
   Schiffner, Maritta Heisel, Katja Liesebach, Stefanie Poetzsch, Thomas
   Santen, Maritta Heisel, Manuela Berg, and Katie Tietze for their
   input.

   The terminology has been translated to other languages and the result
   can be found here:

   http://dud.inf.tu-dresden.de/Anon_Terminology.shtml.

17.  References

17.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

17.2.  Informative References

   [BuPf90]   Buerk, H. and A. Pfitzmann, "Value Exchange Systems
              Enabling Security and Unobservability", Computers &
              Security, 9/8, 715-721, January 1990.

   [CPHH02]   Clauss, S., Pfitzmann, A., Hansen, M., and E. Herreweghen,
              "Privacy-Enhancing Identity Management", IEEE Symposium on
              Research in Security and Privacy, IPTS Report 67, 8-16,
              September 2002.

   [CaLy04]   Camenisch, J. and A. Lysyanskaya, "Signature Schemes and
              Anonymous Credentials from Bilinear Maps", Crypto, LNCS
              3152, Springer, Berlin 2004, 56-72, 2004.

   [Chau81]   Chaum, D., "Untraceable Electronic Mail, Return Addresses,
              and Digital Pseudonyms", Communications of the ACM, 24/2,
              84-88, 1981.

   [Chau85]   Chaum, D., "Security without Identification: Transaction
              Systems to make Big Brother Obsolete", Communications of
              the ACM, 28/10, 1030-1044, 1985.

   [Chau88]   Chaum, D., "The Dining Cryptographers Problem:
              Unconditional Sender and Recipient Untraceability",
              Journal of Cryptology, 1/1, 65-75, 1988.

   [Chau90]   Chaum, D., "Showing credentials without identification:
              Transferring signatures between unconditionally unlinkable
              pseudonyms", Auscrypt, LNCS 453, Springer, Berlin 1990,
              246-264, 1990.

   [Chi03]    Jaquet-Chiffelle, D., "Towards the Identity", Presentation
              at the Future of IDentity in the Information Society
              (FIDIS) workshop, http://www.calt.insead.edu/fidis/
              workshop/workshop-wp2-december2003/, December 2003.

   [ClSc06]   Clauss, S. and S. Schiffner, "Structuring Anonymity
              Metrics", in A. Goto (Ed.), DIM '06, Proceedings of the
              2006 ACM Workshop on Digital Identity Management, Fairfax,
              USA, Nov. 2006, 55-62, 2006.

   [CoBi95]   Cooper, D. and K. Birm, "Preserving Privacy in a Network
              of Mobile Computers", IEEE Symposium on Research in
              Security and Privacy, IEEE Computer Society Press, Los
              Alamitos 1995, 26-38, 1995.

   [DPD95]    European Commission, "Directive 95/46/EC of the European
              Parliament and of the Council of 24 October 1995 on the
              protection of individuals with regard to the processing of
              personal data and on the free movement of such data",
              Official Journal L 281, 23/11/1995 P. 0031 - 0050,
              November 2005.

   [HBCC04]   Hansen, M., Berlich, P., Camenisch, J., Clauss, S.,
              Pfitzmann, A., and M. Waidner, "Privacy-Enhancing Identity
              Management", Information Security Technical Report
              (ISTR), Volume 9, Issue 1, 67, 8-16, Elsevier, UK, 35-44,
              2004.

   [Hild03]   Hildebrandt, M., "Same selves? Identification of identity:
              a social perspective from a legal-philosophical point of
              view", Presentation at the Future of IDentity in the
              Information Society (FIDIS) workshop,
              http://www.calt.insead.edu/fidis/workshop/
              workshop-wp2-december2003/, December 2003.

   [HoWi03]   Hogben, G., Wilikens, M., and I. Vakalis, "On the Ontology
              of Digital Identification", in: Robert Meersman, Zahir
              Tari (Eds.): On the Move to Meaningful Internet Systems
              2003: OTM 2003 Workshops, LNCS 2889, Springer, Berlin
              2003, 579-593, 2003.

   [ICPP03]   Independent Centre for Privacy Protection & Studio
              Notarile Genghini, "Identity Management Systems (IMS):
              Identification and Comparison Study", Study commissioned
              by the Joint Research Centre Seville, Spain,
              http://www.datenschutzzentrum.de/projekte/idmanage/
              study.htm, September 2003.

   [ISO99]    ISO, "Common Criteria for Information Technology Security
              Evaluation", ISO/IEC 15408, 1999.

   [Mart99]   Martin, D., "Local Anonymity in the Internet", PhD
              dissertation, Boston University, Graduate School of Arts
              and Sciences, http://www.cs.uml.edu/~dm/pubs/thesis.pdf,
              December 2003.

   [Mead34]   Mead, G., "Mind, Self and Society", Chicago Press, 1934.

   [PfPW91]   Pfitzmann, A., Pfitzmann, B., and M. Waidner,
              "ISDN-MIXes -- Untraceable Communication with Very Small
              Bandwidth Overhead", 7th IFIP International Conference on
              Information Security (IFIP/Sec '91), Elsevier, Amsterdam
              1991, 245-258, 1991.

   [PfWa86]   Pfitzmann, A. and M. Waidner, "Networks without
              user observability -- design options", Eurocrypt '85,
              LNCS 219, Springer, Berlin 1986, 245-253; revised and
              extended version in: Computers & Security 6/2 (1987)
              158-166, 1986.

   [Pfit96]   Pfitzmann, B., "Information Hiding Terminology -- Results
              of an informal plenary meeting and additional proposals",
              Information Hiding, LNCS 1174, Springer, Berlin 1996,
              347-350, 1996.

   [RaRD09]   Rannenberg, K., Royer, D., and A. Deuker, "The Future of
              Identity in the Information Society - Challenges and
              Opportunities", Springer, Berlin 2009, 2009.

   [ReRu98]   Reiter, M. and A. Rubin, "Crowds: Anonymity for Web
              Transactions", ACM Transactions on Information and System
              Security, 1(1), 66-92, November 1998.

   [Shan48]   Shannon, C., "A Mathematical Theory of Communication", The
              Bell System Technical Journal, 27, 379-423, 623-656,
              1948.

   [Shan49]   Shannon, C., "Communication Theory of Secrecy Systems",
              The Bell System Technical Journal, 28/4, 656-715, 1949.

   [StSy00]   Stubblebine, S. and P. Syverson, "Authentic Attributes
              with Fine-Grained Anonymity Protection", Financial
              Cryptography, LNCS Series, Springer, Berlin 2000, 2000.

   [Waid90]   Waidner, M., "Unconditional Sender and Recipient
              Untraceability in spite of Active Attacks", Eurocrypt
              '89, LNCS 434, Springer, Berlin 1990, 302-319, 1990.

   [West67]   Westin, A., "Privacy and Freedom", Atheneum, New York,
              1967.

   [Wils93]   Wilson, K., "The Columbia Guide to Standard American
              English", Columbia University Press, New York, 1993.

   [ZFKP98]   Zoellner, J., Federrath, H., Klimant, H., Pfitzmann, A.,
              Piotraschke, R., Westfeld, A., Wicke, G., and G. Wolf,
              "Modeling the security of steganographic systems", 2nd
              Workshop on Information Hiding, LNCS 1525, Springer,
              Berlin 1998, 345-355, 1998.

Authors' Addresses

   Andreas Pfitzmann (editor)
   TU Dresden

   EMail: pfitza@inf.tu-dresden.de

   Marit Hansen (editor)
   ULD Kiel

   EMail: marit.hansen@datenschutzzentrum.de

   Hannes Tschofenig
   Nokia Siemens Networks
   Linnoitustie 6
   Espoo  02600
   Finland

   Phone: +358 (50) 4871445
   EMail: Hannes.Tschofenig@gmx.net
   URI:   http://www.tschofenig.priv.at