For the last few years I have worked off and on on the issues around identity on the internet. Browser redirects, browser cookies, web bugs embedded in the page, plus the occasional bit of JavaScript to orchestrate browser behavior, loom large in the toolkit used to design these systems. The systems that invade people's privacy, like DoubleClick, use these same tools.
I'm kind of proud of my gossip model for thinking about these problems: that what really bothers people about privacy invasion is the sense that people are talking about them, passing along gossip, slander, and which articles in the paper they read this morning. That gossip is passed across back-channels you're unaware of. That gossip is aggregated by brokers who provide gossip-knowledge-pools for their customers. The gossip brokers don't necessarily have any relationship with the folks, you and me, about whom they are accumulating data.
The architectures for internet identity that strive to be respectful of end-user privacy are complex because they draw the end-user into the negotiation about what information may be passed between two parties that have relationships with that user. So if your mortgage company wants to work with your bank in a manner that respects your privacy, they need to bring you into the loop and get your permission. The internet identity solutions use the same tools (redirects, cookies, etc.) to orchestrate that negotiation through your browser.
Of course parties that don't respect your privacy can use the same tools to pass data back and forth, in effect using your web browser to help them establish the back channel they need to gossip about you. If a few customers of a gossip broker, like DoubleClick, all drop a web bug on their pages, then every page view sends your browser to the broker carrying the broker's own cookie (the same one on every site) and the address of the page you were reading, and the broker can act as a clearing house for information about your behavior at each of their sites.
So, I enjoyed this paper on "New Covert Channels in HTTP: Adding Unwitting Web Browsers to Anonymity Sets" because it outlines a delightful point in the spectrum of such systems. It sort of turns everything on its head.
In this case, instead of a group of gossip-broker customers coordinating the web pages they present to users so they can pool their knowledge of how those users behave, we have a group of sites that are looking for a way to pass messages around anonymously. In particular they want to be sure that no outside observer can tell who is exchanging messages with whom.
For example, I have a few friends who practice good privacy hygiene, and with them I encrypt almost all my email. This way observers listening in on the wire can't see what we are talking about. That's good, but what's bad is that these observers can still see who my friends are, and they can tell when I'm communicating with them. Which, frankly, is none of their business.
To solve that problem you need a special black box. I poke my message into the box and sometime later it pops out at my correspondent's end. You can't trust anybody to run this box, so you have to figure out a way to run it without a central authority. The traditional means to that end is to run a swarm of mail servers, called mixes or anonymous remailers. You poke your message at one of them and it jumbles up its parts and timing and scatters it out to the swarm. Slowly but surely the scattered bits rattle around the swarm until they pop out on the other side.
The paper reframes that idea with one key additional trick. The nodes in the swarm are web servers. These web servers never connect to another member of the swarm. Instead, when an unwitting browser lands on one of them, like a bee on a flower, the node uses the bag of tricks used for gossip passing (redirects, cookies, web bug URLs, etc.) to have that browser carry its message fragments on to other nodes in the swarm. An observer on the wire sees only ordinary browsers talking to ordinary web sites, and every browser that passes through becomes a possible carrier.
I love it. For example, notice how this is a peer to peer network with two classes of actors: the unwitting browsers, and the servers of those who wish to remain anonymous.