Internet Architecture Board (IAB) A. Cooper Request for Comments: 6462 January 2012 Category: Informational ISSN: 2070-1721
Internet Architecture Board (IAB) A. Cooper Request for Comments: 6462 January 2012 Category: Informational ISSN: 2070-1721
Report from the Internet Privacy Workshop
互联网隐私研讨会报告
Abstract
摘要
On December 8-9, 2010, the IAB co-hosted an Internet privacy workshop with the World Wide Web Consortium (W3C), the Internet Society (ISOC), and MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL). The workshop revealed some of the fundamental challenges in designing, deploying, and analyzing privacy-protective Internet protocols and systems. Although workshop participants and the community as a whole are still far from understanding how best to systematically address privacy within Internet standards development, workshop participants identified a number of potential next steps. For the IETF, these included the creation of a privacy directorate to review Internet-Drafts, further work on documenting privacy considerations for protocol developers, and a number of exploratory efforts concerning fingerprinting and anonymized routing. Potential action items for the W3C included investigating the formation of a privacy interest group and formulating guidance about fingerprinting, referrer headers, data minimization in APIs, usability, and general considerations for non-browser-based protocols.
2010年12月8日至9日,IAB与万维网联盟(W3C)、互联网协会(ISOC)和麻省理工学院计算机科学和人工智能实验室(CSAIL)共同举办了一次互联网隐私研讨会。研讨会揭示了在设计、部署和分析隐私保护互联网协议和系统方面的一些基本挑战。尽管研讨会参与者和整个社区还远未了解如何在互联网标准开发中系统地解决隐私问题,但研讨会参与者确定了一些潜在的后续步骤。对于IETF来说,这些措施包括成立一个隐私委员会来审查互联网草案,进一步记录协议开发人员的隐私注意事项,以及一些关于指纹识别和匿名路由的探索性工作。W3C的潜在行动项目包括调查隐私利益小组的组成,制定关于指纹识别、参考头、API中的数据最小化、可用性和非基于浏览器协议的一般注意事项的指南。
Note that this document is a report on the proceedings of the workshop. The views and positions documented in this report are those of the workshop participants and do not necessarily reflect the views of the IAB, W3C, ISOC, or MIT CSAIL.
请注意,本文件是研讨会会议记录的报告。本报告中记录的观点和立场是研讨会参与者的观点和立场,不一定反映IAB、W3C、ISOC或MIT CSAIL的观点。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Architecture Board (IAB) and represents information that the IAB has deemed valuable to provide for permanent record. Documents approved for publication by the IAB are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网体系结构委员会(IAB)的产品,代表IAB认为有价值提供永久记录的信息。IAB批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6462.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6462.
Copyright Notice
版权公告
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2012 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。
Table of Contents
目录
1. Introduction ....................................................3 2. Workshop Overview ...............................................3 2.1. Technical Discussion .......................................4 2.2. SDO Discussion .............................................5 3. Design Challenges ...............................................6 3.1. Ease of Fingerprinting .....................................6 3.2. Information Leakage ........................................7 3.3. Differentiating between First and Third Parties ............8 3.4. Lack of Transparency and User Awareness ....................9 4. Deployment and Analysis Challenges ..............................9 4.1. Generative Protocols vs. Contextual Threats ................9 4.2. Tension between Privacy Protection and Usability ..........11 4.3. Interaction between Business, Legal, and Technical Incentives ................................................12 4.3.1. Role of Regulation .................................12 4.3.2. P3P: A Case Study of the Importance of Incentives ..13 5. Conclusions and Next Steps .....................................14 5.1. IETF Outlook ..............................................14 5.2. W3C Outlook ...............................................15 5.3. Other Future Work .........................................15 6. Acknowledgements ...............................................15 7. Security Considerations ........................................15 8. Informative References .........................................16 Appendix A. Workshop Materials ....................................19 Appendix B. Workshop Participants .................................19 Appendix C. Accepted Position Papers ..............................21
1. Introduction ....................................................3 2. Workshop Overview ...............................................3 2.1. Technical Discussion .......................................4 2.2. SDO Discussion .............................................5 3. Design Challenges ...............................................6 3.1. Ease of Fingerprinting .....................................6 3.2. Information Leakage ........................................7 3.3. Differentiating between First and Third Parties ............8 3.4. Lack of Transparency and User Awareness ....................9 4. Deployment and Analysis Challenges ..............................9 4.1. Generative Protocols vs. Contextual Threats ................9 4.2. Tension between Privacy Protection and Usability ..........11 4.3. Interaction between Business, Legal, and Technical Incentives ................................................12 4.3.1. Role of Regulation .................................12 4.3.2. P3P: A Case Study of the Importance of Incentives ..13 5. Conclusions and Next Steps .....................................14 5.1. IETF Outlook ..............................................14 5.2. W3C Outlook ...............................................15 5.3. Other Future Work .........................................15 6. Acknowledgements ...............................................15 7. Security Considerations ........................................15 8. Informative References .........................................16 Appendix A. Workshop Materials ....................................19 Appendix B. Workshop Participants .................................19 Appendix C. Accepted Position Papers ..............................21
On December 8-9, 2010, the IAB co-hosted a workshop with the W3C, ISOC, and MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) about Internet privacy [Workshop]. The workshop was organized to help the Internet community gain some understanding of what it means for Internet-based systems to respect privacy, how such systems have been or could be designed, how the relationship between the web and the broader Internet impacts privacy, and what specific work the IETF and/or the W3C might pursue to address Internet privacy. An overview of topics discussed at the workshop is provided in Section 2.
2010年12月8日至9日,IAB与W3C、ISOC和麻省理工学院计算机科学和人工智能实验室(CSAIL)共同举办了一个关于互联网隐私的研讨会[研讨会]。举办研讨会的目的是帮助互联网社区了解基于互联网的系统尊重隐私意味着什么,这些系统是如何设计的,或者可以如何设计,网络和更广泛的互联网之间的关系如何影响隐私,以及IETF和/或W3C为解决互联网隐私问题可能开展的具体工作。第2节概述了研讨会上讨论的主题。
The workshop discussions revealed the complexity and broad-based nature of privacy on the Internet. Across numerous different applications, a number of fundamental design challenges appear again and again: the increasing ease of user/device/application fingerprinting, unforeseen information leakage, difficulties in distinguishing first parties from third parties, complications arising from system dependencies, and the lack of transparency and user awareness of privacy risks and tradeoffs (see Section 3). Workshop participants also identified a number of barriers to successful deployment and analysis of privacy-minded protocols and systems, including the difficulty of using generic protocols and tools to defend against context-specific threats; the tension between privacy protection and usability; and the difficulty of navigating between business, legal, and individual incentives (see Section 4).
研讨会的讨论揭示了互联网隐私的复杂性和广泛性。在众多不同的应用程序中,一系列基本的设计挑战一再出现:用户/设备/应用程序指纹识别越来越容易,不可预见的信息泄漏,难以区分第一方和第三方,系统依赖性引起的复杂性,以及缺乏透明度和用户对隐私风险和权衡的意识(见第3节)。研讨会参与者还确定了成功部署和分析具有隐私意识的协议和系统的一些障碍,包括难以使用通用协议和工具抵御特定环境的威胁;隐私保护和可用性之间的紧张关系;以及在商业、法律和个人激励之间导航的困难(见第4节)。
Privacy challenges far outnumber solutions, but the workshop identified a number of concrete preliminary steps that standards organizations can take to help ensure respect for user privacy in the design of future standards and systems. For the IETF, these included the creation of a privacy directorate to review Internet-Drafts, further work on documenting privacy considerations for protocol developers, and initiating a number of exploratory efforts concerning fingerprinting and anonymized routing. Potential action items for the W3C included investigating the formation of a privacy interest group and formulating guidance about fingerprinting, referrer headers, data minimization in APIs, usability, and general considerations for non-browser-based protocols. These next steps and workshop outcomes are discussed in Section 5.
隐私挑战远多于解决方案,但研讨会确定了一些具体的初步步骤,标准组织可以采取这些步骤来帮助确保在未来标准和系统的设计中尊重用户隐私。对于IETF,这些措施包括成立一个隐私委员会来审查互联网草案,进一步记录协议开发人员的隐私注意事项,以及启动一系列关于指纹识别和匿名路由的探索性工作。W3C的潜在行动项目包括调查隐私利益小组的组成,制定关于指纹识别、参考头、API中的数据最小化、可用性和非基于浏览器协议的一般注意事项的指南。第5节讨论了这些后续步骤和研讨会成果。
The workshop explored both current technical challenges to protecting privacy and the ways in which standards organizations can help to address those challenges. Links to workshop materials are listed in Appendix A.
研讨会探讨了保护隐私的当前技术挑战以及标准组织可以帮助解决这些挑战的方式。附录A中列出了车间材料的链接。
The workshop explored privacy challenges in three different technical domains: at the network level, at the browser level, and with respect to cross-site data exchanges. Example technologies were highlighted in each area to motivate the discussion.
研讨会探讨了三个不同技术领域的隐私挑战:网络层面、浏览器层面和跨站点数据交换方面。每个领域都突出了示例技术,以推动讨论。
At the network level, participants discussed IP address hiding in mobility protocols, privacy extensions for IPv6 addressing [RFC4941], and onion routing. Discussion about the Tor project [Tor] was particularly insightful. Tor is a circuit-based, low-latency communication service designed to anonymize protocols that run over TCP. End hosts participating in a Tor exchange choose a path through the network and build a circuit in which each "onion router" in the path knows its predecessor and successor, but no other nodes in the circuit. Each onion router in the path unwraps and decrypts received information before relaying it downstream.
在网络层面,参与者讨论了移动协议中隐藏的IP地址、IPv6寻址的隐私扩展[RFC4941]和洋葱路由。关于Tor项目[Tor]的讨论特别有见地。Tor是一种基于电路的低延迟通信服务,旨在匿名化通过TCP运行的协议。参与Tor交换的终端主机通过网络选择一条路径,并构建一个电路,其中路径中的每个“洋葱路由器”都知道它的前一个和后一个,但电路中没有其他节点。路径中的每个洋葱路由器在将接收到的信息转发到下游之前都会对其进行展开和解密。
For Tor to provide anonymity guarantees, Tor nodes need to be able to strip out information elements that can be used to re-identify users over time. For example, web technologies such as cookies, large portions of JavaScript, and almost all browser plug-ins (including Flash) need to be disabled in order to maintain Tor's privacy properties during web use, significantly hampering usability.
为了使Tor能够提供匿名性保证,Tor节点需要能够去除可用于随时间重新识别用户的信息元素。例如,需要禁用Cookie、大部分JavaScript和几乎所有浏览器插件(包括Flash)等web技术,以便在web使用过程中维护Tor的隐私属性,从而严重影响可用性。
At the browser level, the discussion focused first on experiences with "private browsing" modes. Private browsing puts a browser into a temporary session where no information about the user's browsing session is stored locally after the session ends. The goal is to protect the user's browsing behavior from others who may make use of the same browser on the same machine. Private browsing is not designed to protect the user from being tracked by malware (e.g., keyloggers), remote servers, employers, or governments, but there is some evidence that users fail to understand the distinction between protection from snooping among users who share a device and these other forms of tracking. The specific protections offered by private browsing modes also vary from browser to browser, creating privacy loopholes in some cases.
在浏览器层面,讨论首先集中在“私人浏览”模式的体验上。私人浏览将浏览器置于临时会话中,会话结束后,不会在本地存储有关用户浏览会话的任何信息。其目的是保护用户的浏览行为不受可能在同一台机器上使用同一浏览器的其他人的影响。私人浏览的目的不是为了保护用户不被恶意软件(如键盘记录者)、远程服务器、雇主或政府跟踪,但有证据表明,用户无法理解在共享设备的用户之间防止窥探与这些其他跟踪形式之间的区别。私人浏览模式提供的具体保护也因浏览器而异,在某些情况下会造成隐私漏洞。
The browser discussion also addressed proposals for "Do Not Track" (DNT) technologies to be built into browsers to provide users with a simple way to opt out of web tracking. At the time of the workshop, various different technical proposals had been designed to offer users the ability to indicate their preference to opt out or to block communication to certain web sites altogether. The discussions at the workshop illustrated a lack of agreement about what type of
浏览器讨论还讨论了在浏览器中内置“请勿跟踪”(DNT)技术的建议,以便为用户提供一种选择退出web跟踪的简单方法。在举办讲习班时,设计了各种不同的技术提案,以便用户能够表明他们选择退出或完全阻止与某些网站的通信。研讨会上的讨论表明,对什么类型的培训缺乏共识
tracking is acceptable, which technical mechanisms would be best suited for different scenarios, and how the mechanisms would interact with other aspects of privacy protection (such as notices to users).
跟踪是可以接受的,哪些技术机制最适合于不同的场景,以及这些机制如何与隐私保护的其他方面(如给用户的通知)交互。
The cross-site data-sharing discussion focused on current uses of Open Authorization (OAuth) (with Facebook Connect, for example). While improvements have been made in obtaining user consent to sharing data between sites, challenges remain with regard to data minimization, ease of use, hidden sharing of data, and centralization of identity information.
跨站点数据共享讨论的重点是开放授权(OAuth)的当前使用(例如,Facebook Connect)。虽然在获得用户同意在站点之间共享数据方面有所改进,但在数据最小化、易用性、数据隐藏共享和身份信息集中方面仍然存在挑战。
Participants discussed past experiences in approaching privacy within the IETF and the W3C. Individual protocol efforts within the IETF have sought to address certain privacy threats over the years. Protocol designers have taken steps to reduce the potential for identifiability associated with protocol usage, such as in the IPv6 privacy extensions case [RFC4941]. Protocols architected to rely on intermediaries have sought to minimize the user data exposed in transit, most notably in SIP [RFC3323]. Protocol architectures used in interpersonal exchange have sought to give users granular control over their information, including presence [RFC2778] and geolocation information [RFC3693]. Efforts to square privacy with usability are ongoing; the ALTO working group [ALTO], for example, is working out how to balance the needs of users and network operators to share data with each other about content preferences and network topologies against legitimate concerns about revealing too much of either kind of information.
与会者讨论了过去在IETF和W3C中处理隐私问题的经验。IETF内的个别协议努力多年来一直试图解决某些隐私威胁。协议设计者已采取措施降低与协议使用相关的可识别性,例如IPv6隐私扩展案例[RFC4941]。设计为依赖中间层的协议寻求最小化传输过程中暴露的用户数据,尤其是在SIP[RFC3323]中。人际交换中使用的协议体系结构试图为用户提供对其信息的精确控制,包括状态[RFC2778]和地理位置信息[RFC3693]。将隐私与可用性结合起来的努力正在进行中;例如,ALTO工作组(ALTO)正在研究如何平衡用户和网络运营商之间共享关于内容偏好和网络拓扑的数据的需求,以及对披露过多这两种信息的合理担忧。
The IETF also has experience to draw on in building a culture of security awareness. Beginning with [RFC1543], RFCs were required to contain a Security Considerations section. But that simple mandate did not immediately translate into the extensive security consciousness that permeates the IETF today. Over many years and with much effort invested, a more systematic approach to security has evolved that makes use of a variety of tools and resources: the security area itself, guidelines to RFC authors about security considerations [RFC3552], the security directorate, security advisors assigned to individual working groups, security tutorials at IETF meetings, and so on.
IETF在建立安全意识文化方面也有可借鉴的经验。从[RFC1543]开始,RFC需要包含一个安全注意事项部分。但这一简单的授权并没有立即转化为广泛的安全意识,这种意识渗透到今天的IETF中。经过多年的努力,一种更加系统化的安全方法已经形成,它利用了各种工具和资源:安全领域本身、RFC作者关于安全考虑的指南[RFC3552]、安全理事会、分配给各个工作组的安全顾问、,IETF会议上的安全教程,等等。
The W3C likewise has a number of past efforts to draw on. One of the earliest large-scale standards efforts aimed at improving web privacy was the Platform for Privacy Preferences [P3P]. The idea behind P3P was to have web sites provide machine-readable privacy policies that browsers could vet and possibly override according to the user's preference. The P3P policy expression language was robust enough to
W3C同样也有许多过去的努力可以借鉴。旨在改善网络隐私的最早大规模标准之一是隐私偏好平台[P3P]。P3P背后的想法是让网站提供机器可读的隐私政策,浏览器可以根据用户的偏好审查并可能覆盖这些政策。P3P策略表达式语言足够健壮,可以
allow sites to make complex assertions about how they intended to make use of data related to users, but market developments have created a number of challenges with deployed policies.
允许站点对其打算如何利用与用户相关的数据做出复杂的断言,但市场发展已经对部署的策略造成了许多挑战。
More recent work at the W3C centered around the appropriateness of various privacy features to be included in the Geolocation API [Geolocation], which gives web sites a way to access the user's precise location. The API requires that implementations obtain user consent before accessing location information and allow users to revoke that consent, but decisions about retention, secondary use, and data minimization are left up to individual web sites and applications. The geolocation effort and the P3P experience both raise questions about how to navigate usability, regulation, business incentives, and other aspects that normally lie outside the scope of standards development organization (SDO) work.
W3C最近的工作围绕着地理定位API[Geolocation]中包含的各种隐私功能的适当性展开,该API为网站提供了访问用户精确位置的方法。API要求实现在访问位置信息之前获得用户同意,并允许用户撤销该同意,但有关保留、二次使用和数据最小化的决定将留给各个网站和应用程序。地理定位工作和P3P经验都提出了关于如何导航可用性、法规、业务激励以及通常不在标准开发组织(SDO)工作范围内的其他方面的问题。
Workshop discussions surfaced a number of key issues that can make designing privacy-sensitive protocols and systems difficult: the increasing ease of user/device/application fingerprinting, unforeseen information leakage, difficulties in distinguishing first parties from third parties, complications arising from system dependencies, and the lack of transparency and user awareness of privacy risks and tradeoffs.
研讨会讨论提出了一些可能使设计隐私敏感协议和系统变得困难的关键问题:用户/设备/应用程序指纹识别越来越容易,无法预见的信息泄漏,难以区分第一方和第三方,系统依赖性引起的复杂性,以及缺乏透明度和用户对隐私风险和权衡的意识。
Internet applications and protocols now share so many unique identifiers and other bits of information as part of their ordinary operation that it is becoming increasingly easy for remote nodes to create unique device or application fingerprints and re-identify the same devices or applications over time [Panopticlick]. Hardware identifiers, IP addresses, transport protocol parameters, cookies, other forms of web storage, and a vast array of browser-based information may be routinely shared as users browse the web. The ease of fingerprinting presents a significant challenge for any application that seeks to guarantee anonymity or unlinkability (such as [Tor], which uses onion routing to strip out data that identifies communications endpoints).
互联网应用程序和协议现在共享如此多的唯一标识符和其他信息位,作为其日常操作的一部分,远程节点越来越容易创建唯一的设备或应用程序指纹,并随着时间的推移重新识别相同的设备或应用程序[Panoptick]。硬件标识符、IP地址、传输协议参数、cookie、其他形式的web存储以及大量基于浏览器的信息可能会在用户浏览web时定期共享。指纹识别的易用性对于任何试图保证匿名性或不可链接性的应用程序(例如[Tor],它使用洋葱路由来剥离识别通信端点的数据)来说都是一个重大挑战。
In many cases, the information that can be used to fingerprint a device was not originally shared for that purpose; identifiers and other information are provided to support some other functionality (like IP addresses being shared in order to route packets), and may incidentally be used to fingerprint. This complicates the task of preventing fingerprinting, because each application or protocol likely needs its own identifiers and information to function.
在许多情况下,可用于对设备进行指纹识别的信息最初不是为此目的共享的;提供标识符和其他信息以支持一些其他功能(例如为了路由分组而共享的IP地址),并且可以顺便用于指纹识别。这使防止指纹识别的任务复杂化,因为每个应用程序或协议可能需要自己的标识符和信息才能正常工作。
Furthermore, some services are increasingly coming to rely on fingerprinting in order to detect fraud or provide customized content, for example. Finding privacy-friendly substitutes for fingerprinting will only become more difficult as these services become more entrenched (see Section 4.3).
此外,例如,一些服务越来越依赖指纹识别来检测欺诈或提供定制内容。随着这些服务越来越根深蒂固,寻找隐私友好的指纹替代品只会变得越来越困难(见第4.3节)。
The space of fingerprinting mitigations requires further exploration. For example, workshop participants discussed the use of JavaScript queries to obtain a browser's (often highly unique) font list, and the tradeoffs associated with browsers instead (or additionally) supporting some small subset of fonts in order to reduce browser identifiability. As with many other privacy features, such a restriction presents a tradeoff between privacy and usability, and in the case of fingerprinting writ large, it may be difficult to find consensus about which mitigations appropriately balance both values. As a first step, the IETF may consider documenting the fingerprinting implications for widely used IETF protocols (TCP, HTTP, SIP, etc.).
指纹缓解的空间需要进一步探索。例如,研讨会参与者讨论了如何使用JavaScript查询来获取浏览器(通常是高度唯一的)字体列表,以及与浏览器相关联的折衷方案,即(或另外)支持一些小字体子集以降低浏览器的可识别性。与许多其他隐私功能一样,这样的限制在隐私和可用性之间进行了权衡,并且在大指纹的情况下,可能很难就哪种缓解措施可以适当地平衡这两个值达成共识。作为第一步,IETF可以考虑记录对广泛使用的IETF协议(TCP、HTTP、SIP等)的指纹影响。
Internet protocols and services tend to leak information in ways that were not foreseen at design time, as explored during the IETF 77 technical plenary [IETF77] and in recent research [PrivLoss] [PrivDiffus]. For example, the HTTP referrer header [RFC2616] (misspelled in the original specification as "Referer") provides a way for a web site to obtain the URI of the resource that referred the user to the site. Referrer headers provide valuable insights to web sites about where their users come from, but they can also leak sensitive information (search terms or user IDs, for example), because URI strings on the web often contain this information. The infrastructure of an individual web site is often designed solely with a view to making the site itself function properly, and embedding search terms or other user-specific information in URIs may serve that goal, but when those URIs leak out to other sites via a referrer header, it creates the potential for third parties to use and abuse the data contained therein.
正如IETF 77技术全体会议[IETF77]和最近的研究[PrivLoss][PrivDiffus]所探讨的那样,互联网协议和服务往往以设计时无法预见的方式泄漏信息。例如,HTTP Referer头[RFC2616](在原始规范中拼写错误为“Referer”)为网站提供了一种获取将用户引用到该网站的资源的URI的方法。参考者标题为网站提供了关于用户来源的有价值的见解,但它们也可能泄漏敏感信息(例如搜索词或用户ID),因为web上的URI字符串通常包含这些信息。单个网站的基础设施通常仅为使网站本身正常运行而设计,在URI中嵌入搜索词或其他特定于用户的信息可能有助于实现这一目标,但当这些URI通过引用标头泄漏到其他网站时,它可能会导致第三方使用和滥用其中包含的数据。
The use of URIs for authentication of identity or capabilities can be susceptible to the same kinds of problems. Relying on a "possession model" where any user in possession of an authentication or capability URI can gain access to a resource is only suitable in situations with some means of control over URI distribution, and can lead to wide leakage when used on the open web.
使用URI对身份或功能进行身份验证可能会遇到同样的问题。依赖“拥有模型”,即拥有身份验证或功能URI的任何用户都可以访问资源,这只适用于通过某种方式控制URI分布的情况,并且在开放web上使用时可能导致大量泄漏。
Distinguishing between "first-party" interactions and "third-party" interactions is important for understanding the implications of data collection, sharing, and use that take place during the normal course of web use. Unfortunately, the traditional meanings of these concepts do not always clearly match up with user expectations or evolving web technologies. Traditionally, the term "first party" has been used to refer to the domain of a web site to which a user agent directs an explicit request on behalf of a user. The term "third party" has been used to refer to the domain of a web resource that a user agent requests as a result of a first-party request, with the third-party resource hosted at a different domain from the first-party domain.
区分“第一方”交互和“第三方”交互对于理解正常web使用过程中发生的数据收集、共享和使用的含义非常重要。不幸的是,这些概念的传统含义并不总是与用户期望或不断发展的web技术相匹配。传统上,术语“第一方”用于指代用户代理代表用户向其发出明确请求的网站域。术语“第三方”用于指用户代理根据第一方请求请求的web资源的域,第三方资源托管在与第一方域不同的域中。
This distinction between first-party and third-party domains is in part a result of long-standing user agent practices for handling HTTP cookies. Typically, HTTP cookies are returned only to the origin server that set them [RFC6265]. Cookies set from first-party domains may not be read by third-party domains and vice versa. In some cases, cookies set from first-party domains that contain subdomains are accessible by all subdomains of the first-party domain. The distinction between first-party domains and third-party domains is reflected in browser-based cookie controls: major web browsers all offer distinct first-party cookie settings and third-party cookie settings.
第一方域和第三方域之间的这种区别部分是由于处理HTTP cookie的长期用户代理实践造成的。通常,HTTP cookie仅返回给设置它们的源服务器[RFC6265]。来自第一方域的Cookie集可能不会被第三方域读取,反之亦然。在某些情况下,第一方域的所有子域都可以访问包含子域的第一方域中设置的cookie。第一方域和第三方域之间的区别反映在基于浏览器的cookie控件中:主要的web浏览器都提供不同的第一方cookie设置和第三方cookie设置。
However, a user's perception or expectation of the difference between a "first party" and a "third party" may not fall neatly within these distinctions. Users may expect that content hosted on a first-party subdomain, but provided or used by a third party, would be treated as third-party content, but browsers often treat it as first-party content. Conversely, when third-party content appears from a source with which the user has an established relationship -- such as the Facebook "Like" button or other social widgets -- users may consider their interaction with that content to be a desirable first-party interaction, even though the content is hosted on a third-party domain.
然而,用户对“第一方”和“第三方”之间差异的感知或期望可能并不完全属于这些区别。用户可能希望托管在第一方子域上但由第三方提供或使用的内容将被视为第三方内容,但浏览器通常将其视为第一方内容。相反,当第三方内容从用户具有已建立关系的源(例如脸谱网“类””按钮或其他社交小部件出现时,用户可以考虑将其与该内容的交互成为理想的第一方交互,即使内容被托管在第三方域上。
Handling these expectations programmatically is difficult, since the same identifier structures (domains, subdomains) can correlate to different user expectations in different contexts. On the other hand, prompting users to express a preference about what kinds of data collection and use should be allowable by each party encountered on the web is not practical. Web and browser developers are actively seeking novel ways to address this challenge, but there are few clear-cut solutions.
以编程的方式处理这些期望是困难的,因为相同的标识符结构(域、子域)可以在不同的上下文中与不同的用户期望相关联。另一方面,提示用户对网络上遇到的各方应允许的数据收集和使用类型表示偏好是不现实的。Web和浏览器开发人员正在积极寻求新的方法来应对这一挑战,但鲜有明确的解决方案。
There is no question that users lack a full understanding of how their information is being used and what the tradeoffs are between having their data collected and accessing services at little or no cost. Much of the tracking that takes place on the web is passive and invisible to users. Most companies disclose their data usage practices in written privacy policies, but these policies are rarely read, difficult to understand, and often fail to disclose salient details (such as data retention lifetimes). Even when web tracking is associated with some visual indication -- a highly targeted Gmail ad or the Facebook "Like" button, for example -- users often do not realize that it is occurring.
毫无疑问,用户不完全了解他们的信息是如何被使用的,以及在收集数据和以很少或没有成本访问服务之间的权衡。在网络上进行的大部分跟踪都是被动的,用户看不见。大多数公司在书面隐私政策中披露其数据使用做法,但这些政策很少被阅读,难以理解,而且往往无法披露重要细节(如数据保留期限)。即使网络跟踪与一些视觉指示相关联——例如,目标明确的Gmail广告或Facebook的“喜欢”按钮——用户通常也没有意识到它正在发生。
Efforts abound to attempt to present information about data collection and usage in a more digestible way. P3P was one early effort, but because it sought to support the expression of the vast expanse of potential policies that companies may have, it developed more complexity than the average user (or user interface) could sustain. More recent efforts have focused on using a limited set of icons to represent policies or provide an indication that tracking is taking place.
大量的努力试图以更易于理解的方式呈现有关数据收集和使用的信息。P3P是早期的一项努力,但由于它试图支持公司可能拥有的大量潜在政策的表达,因此它的复杂性超过了普通用户(或用户界面)所能承受的程度。最近的努力集中在使用一组有限的图标来表示策略或提供正在进行跟踪的指示。
Workshop participants identified a number of barriers to both deployment of privacy-protecting technologies and the analysis of the privacy properties of technological systems. These included the difficulty of using generic protocols and tools to defend against context-specific threats; the tension between privacy protection and usability; and the difficulty of navigating between business, legal, and individual incentives.
研讨会参与者确定了在部署隐私保护技术和分析技术系统的隐私属性方面存在的一些障碍。其中包括难以使用通用协议和工具抵御特定环境的威胁;隐私保护和可用性之间的紧张关系;以及在商业、法律和个人激励之间导航的困难。
Privacy is not a binary state. Rather than operating either entirely in private or entirely in public, individuals experience privacy contextually, resulting in differing requirements for privacy protection, depending on the circumstance and the individual. On the Internet, the contextual nature of privacy means that threats against it can vary, depending on the deployment scenario, the usage scenario, the capabilities of different attackers, and the level of concern that different kinds of attackers generate among different users.
隐私不是二进制状态。个人不是完全在私下或完全在公共场所操作,而是在不同的环境和个人中体验隐私,从而导致对隐私保护的不同要求。在互联网上,隐私的上下文性质意味着针对隐私的威胁可能会有所不同,这取决于部署场景、使用场景、不同攻击者的能力以及不同类型的攻击者在不同用户之间产生的关注程度。
Addressing the full waterfront of privacy threats within generic protocols and tools is largely intractable. As a result, existing privacy features developed at the network and application layers have taken more targeted approaches. For example, privacy extensions for stateless address autoconfiguration in IPv6 [RFC4941] support addresses constructed dynamically rather than generating addresses based on interface Media Access Control (MAC) addresses, which for most users are persistent and unchangeable unique identifiers that could be used for long-term tracking. While IPv6 privacy extensions provide important protection against tracking and re-identification by remote endpoints, they do not prevent -- and were not meant to prevent -- all parties from being able to associate an IP address with a particular user. ISPs and governments still have means to make such associations, and remote endpoints have many other mechanisms at their disposal to attempt to identify users persistently, albeit without using IPv6 addresses.
在通用协议和工具中解决全面的隐私威胁在很大程度上是难以解决的。因此,在网络和应用层开发的现有隐私功能采用了更有针对性的方法。例如,IPv6[RFC4941]中无状态地址自动配置的隐私扩展支持动态构造的地址,而不是基于接口媒体访问控制(MAC)地址生成地址,对于大多数用户来说,MAC地址是持久的、不可更改的唯一标识符,可用于长期跟踪。虽然IPv6隐私扩展提供了重要的保护,防止远程端点跟踪和重新识别,但它们并不阻止(也不是为了阻止)所有各方能够将IP地址与特定用户关联。ISP和政府仍然有办法进行这种关联,远程端点有许多其他机制可供使用,以尝试持续识别用户,尽管不使用IPv6地址。
This kind of experience with developing privacy tools shows that designing privacy features into systems and protocols requires a clear understanding of the scope of the threats they are designed to address. This scope is currently being debated in discussion about developing "Do Not Track" (DNT) mechanisms for the web and other online contexts. A number of different approaches have been proposed, including browser functionality to retain opt-out cookies, an HTTP header that expresses the user's preference not to be tracked, and a browser-based block list mechanism that prevents the browser from communicating with tracking sites (for an overview, see [OptOuts]). Regardless of the approach, these mechanisms function based on some understanding of which "tracking" users should be able to control, which in turn is based on some notion of the threats presented by different kinds of tracking conducted by different kinds of entities on the web. Should DNT mechanisms apply to sites with which the user already has an established relationship? Or sites that use only aggregate, non-individualized data? Does tracking for fraud prevention or customization present different threats than tracking for advertising or marketing purposes? The answers to these questions will dictate DNT design choices.
这种开发隐私工具的经验表明,将隐私功能设计到系统和协议中需要清楚地了解它们设计用来解决的威胁的范围。这一范围目前正在讨论为网络和其他在线环境开发“请勿跟踪”(DNT)机制。已经提出了许多不同的方法,包括保留退出cookie的浏览器功能、表示用户不被跟踪偏好的HTTP头,以及防止浏览器与跟踪站点通信的基于浏览器的阻止列表机制(有关概述,请参阅[OptOuts])。无论采用哪种方法,这些机制都是基于对“跟踪”用户应该能够控制的某种理解而起作用的,而这种理解又是基于对网络上不同实体进行的不同类型跟踪所带来的威胁的某种概念。DNT机制是否应适用于用户已建立关系的站点?还是只使用聚合、非个性化数据的网站?针对欺诈预防或定制的跟踪是否与针对广告或营销目的的跟踪存在不同的威胁?这些问题的答案将决定DNT的设计选择。
The space of privacy threats on the Internet may appear particularly broad from a protocol design perspective, because many of the protocols in widest use are designed generically to support a variety of applications and functionality. HTTP, for example, is used for a wider variety of purposes than its original designers likely anticipated; it is unsurprising that some of these purposes include obtaining and using data about web users in ways that may be privacy-infringing. It is unreasonable to ask protocol designers to mitigate the potential privacy risks of every possible deployment that may result from a particular protocol design; the key questions are about
从协议设计的角度来看,互联网上的隐私威胁空间可能显得特别广阔,因为许多最广泛使用的协议都是为支持各种应用和功能而设计的。例如,HTTP被用于比其原始设计者可能预期的更广泛的用途;毫不奇怪,其中一些目的包括以可能侵犯隐私的方式获取和使用有关网络用户的数据。要求协议设计者减轻特定协议设计可能导致的每个可能部署的潜在隐私风险是不合理的;关键问题是关于
how the responsibility for protecting against privacy intrusion should be split between protocols, APIs, applications, and services, and which kinds of privacy features can best be implemented in each place.
如何在协议、API、应用程序和服务之间划分防止隐私入侵的责任,以及在每个地方可以最好地实现哪些类型的隐私功能。
The workshop discussions highlighted the tension between providing privacy protections and maintaining usability. Tor [Tor] provides some salient examples of this tradeoff. Tor seeks to provide protection against network surveillance, but by lengthening the routing path, it may significantly increase round-trip time. Tor obscures endpoint IP addresses; thus, it also interferes with IP-based geolocation. Web browsing using Tor is particularly challenging, as most browser plug-ins, much of JavaScript, and a number of other browser-based features need to be blocked or overridden in order to meet Tor's anonymity requirements. With Tor, privacy clearly comes at a price.
研讨会讨论强调了提供隐私保护和保持可用性之间的紧张关系。Tor[Tor]提供了这种权衡的一些突出例子。Tor试图针对网络监视提供保护,但通过延长路由路径,它可能会显著增加往返时间。Tor掩盖了端点IP地址;因此,它也会干扰基于IP的地理定位。使用Tor进行Web浏览尤其具有挑战性,因为大多数浏览器插件、大部分JavaScript以及许多其他基于浏览器的功能都需要被阻止或覆盖,以满足Tor的匿名性要求。有了Tor,隐私显然是要付出代价的。
Even less aggressive privacy features may come with usability tradeoffs. One example is the blocking of HTTP referrer headers for privacy protection reasons. Some sites provide a customized experience to users based on the referring page, which means that disabling referrer headers, as some browsers allow users to do, may sacrifice user experience features on certain sites. Part of the challenge is the level of nuance involved in making decisions about privacy -- how can users be made to understand the privacy tradeoffs of blocking HTTP referrer headers, for example, when the effects of doing so will vary from site to site, or when there is limited UI space to communicate the tradeoffs? Even seemingly simple privacy controls like private browsing are not well understood.
更不具攻击性的隐私功能可能会带来可用性权衡。一个例子是出于隐私保护的原因而阻止HTTP引用头。一些网站基于引用页面为用户提供定制体验,这意味着禁用引用者标题(某些浏览器允许用户这么做)可能会牺牲某些网站的用户体验功能。挑战的一部分是在做出隐私决策时所涉及的细微差别——例如,当阻止HTTP引用头的效果因站点而异时,或者当交流这些权衡的UI空间有限时,如何让用户理解这种隐私权衡?即使像私人浏览这样看似简单的隐私控制也没有得到很好的理解。
The feature set that implementors choose to make available is often reflective of the tension between usability and privacy. For example, SIP [RFC3261] supports Secure/Multipurpose Internet Mail Extensions (S/MIME) to secure SIP request bodies, but given its user experience impact, few implementations include S/MIME support. Although usability challenges are generally thought of as user-level issues that are out of scope for the IETF, to the extent that they trickle down into implementation decisions, they are highly relevant.
实现者选择提供的特性集通常反映了可用性和隐私之间的紧张关系。例如,SIP[RFC3261]支持安全/多用途Internet邮件扩展(S/MIME)来保护SIP请求主体,但考虑到其对用户体验的影响,很少有实现包括S/MIME支持。尽管可用性挑战通常被认为是IETF范围之外的用户级问题,但在一定程度上,这些问题会渗透到实施决策中,它们是高度相关的。
Although workshop participants reached few firm conclusions about how to tackle usability issues arising from privacy features, the group agreed that it may be beneficial for the W3C to do some more thinking in this area, possibly toward the end of including usability considerations in individual specifications. The challenge with such an effort will be to provide useful guidance without being overly prescriptive about how implementations should be designed.
尽管研讨会参与者对如何解决隐私特性引起的可用性问题没有得出明确的结论,但小组一致认为,W3C在这一领域进行更多思考可能是有益的,可能是在将可用性考虑纳入个别规范的最后。这种努力的挑战将是提供有用的指导,而不是过度规定如何设计实现。
The Internet has sustained commercial content for decades. Many services are offered at little or no cost in exchange for being able to sell advertising or collect user data (or both). As the commercial value of the web in particular has exploded in recent years, the paradigm for regulating privacy has also begun to change, albeit more slowly.
互联网几十年来一直支持商业内容。许多服务都是以很少或没有成本提供的,以换取能够销售广告或收集用户数据(或两者兼而有之)。特别是近年来,随着网络的商业价值爆炸式增长,监管隐私的范式也开始发生变化,尽管速度较慢。
At the dawn of the commercial Internet, few web sites had written privacy policies that explained what they did with user data. Under regulatory pressure, sites began to document their data collection and usage practices in publicly posted policies. These policies quickly became lengthy legal documents that commercial sites could use to limit their liability, often by disclosing every possible practice that the site might engage in, rather than informing users about the salient practices of relevance to them.
在商业互联网出现之初,很少有网站制定了隐私政策来解释他们对用户数据的处理方式。在监管压力下,网站开始在公开发布的政策中记录其数据收集和使用实践。这些政策很快就变成了冗长的法律文件,商业网站可以利用这些法律文件来限制其责任,通常是通过披露网站可能从事的每一种可能的实践,而不是告知用户与他们相关的显著实践。
Because so many businesses are fueled by user data, any move to give users greater control over their data -- whether by better informing them about its use or providing tools and settings -- often requires the force of regulatory influence to succeed. In recent years, regulatory authorities have put pressure on companies to improve their privacy disclosures by making them simpler, more concise, more prominent, and more accessible (see the 2010 Federal Trade Commission privacy report [FTC]). Certain companies and industry sectors have responded by developing privacy icons, using short notices in addition to privacy policies, and making the language they use to describe privacy practices more accessible and easier to understand.
由于如此多的业务都是由用户数据推动的,因此任何让用户更好地控制其数据的举措——无论是通过更好地告知用户数据的使用情况,还是通过提供工具和设置——通常都需要监管影响力才能成功。近年来,监管机构向公司施加压力,要求它们改进隐私披露,使其更简单、更简洁、更突出、更容易获取(见2010年联邦贸易委员会隐私报告[FTC])。某些公司和行业部门的应对措施是开发隐私图标,在隐私政策之外使用简短通知,并使他们用来描述隐私实践的语言更容易理解。
Regulators play an important role in shaping incentive structures. Companies often seek a balance between acting to limit their liability and pushing the envelope with respect to uses of consumer data. If regulators take a strong stand against certain practices -- as, for example, European legislators have against cookies being set without user consent [Directive] -- legitimate businesses will feel compelled to comply. But where there is regulatory uncertainty, business responses may differ according to different market strategies. The variety of potential responses to the emerging discussion about mechanisms to control web tracking demonstrates this variation: some businesses will embrace support for enhanced user control, others may restrict their offerings or charge fees if they are unable to track users, and still others may elect to circumvent any new mechanisms put in place. The absence of regulatory pressure tends to make the line between "good" and "bad" actors less evident.
监管者在形成激励结构方面发挥着重要作用。公司经常在限制责任和在消费者数据使用方面突破极限之间寻求平衡。如果监管机构对某些做法采取强硬立场——例如,欧洲立法者反对在未经用户同意的情况下设置cookies[指令]——合法企业将被迫遵守。但在存在监管不确定性的情况下,企业的反应可能会因不同的市场策略而有所不同。对控制网络跟踪机制的新讨论的各种潜在反应表明了这种变化:一些企业将支持增强用户控制,另一些企业可能会限制其产品或在无法跟踪用户时收取费用,还有一些人可能选择规避任何新的机制。缺乏监管压力往往会使“好”和“坏”行为者之间的界限变得不那么明显。
That absence of regulatory pressure revealed itself in the case of P3P. The first version of P3P was standardized in the early 2000s, when legalistic privacy policies were the norm and users had only elementary controls over the data collected about them on the web. P3P challenged that paradigm by providing a way for web sites to express machine-readable privacy policies for browsers to vet and possibly override according to the user's preference. The P3P policy expression language was designed to allow sites to make complex assertions about how they intended to make use of data related to users.
这种监管压力的缺失在P3P的案例中显现出来。P3P的第一个版本是在21世纪初标准化的,当时法律隐私政策是常态,用户对网络上收集的关于他们的数据只有基本的控制。P3P通过为网站提供一种方式来表达机器可读的隐私策略,以供浏览器根据用户的偏好进行审查和可能的覆盖,从而挑战了这种模式。P3P策略表达式语言的设计目的是允许站点对其打算如何使用与用户相关的数据做出复杂的断言。
The designers of Internet Explorer 6 made a crucial decision to only allow sites to use third-party cookies if they had installed adequate P3P policies. To avoid having their cookies blocked, most commercial sites adopted some P3P policy, although many sites merely cut and pasted from the example policies provided by the W3C. Today, large numbers of sites are misrepresenting their privacy practices in their P3P policies, but little has been done in response [Policies], and browser support for P3P outside of IE is limited.
InternetExplorer6的设计者做出了一个至关重要的决定,即只有安装了足够的P3P策略的站点才允许使用第三方cookie。为了避免cookie被阻止,大多数商业站点采用了一些P3P策略,尽管许多站点只是从W3C提供的示例策略中剪切和粘贴。如今,大量网站在其P3P政策中歪曲了他们的隐私实践,但在回应[政策]方面做得很少,IE之外对P3P的浏览器支持也很有限。
While theories abound to explain the current status of P3P implementations, there is no doubt that the relationship between regulatory and commercial incentives played a significant role. The P3P policy expression language provided support for companies to be able to express in granular detail how they handle user data, but the companies had little reason to do so, preferring to protect themselves from the liability associated with revealing potentially unsavory practices. In theory, the threat of regulatory backlash could have served as an incentive to publish accurate P3P policies, but at the time of P3P's release, there was little regulatory interest in moving beyond long, legalistic privacy policies. Even today, regulators are reluctant to bring enforcement actions against companies with misleading policies, perhaps because their own incentive structure compels them to focus on other, more prominent matters.
虽然有很多理论可以解释P3P实施的现状,但毫无疑问,监管和商业激励之间的关系发挥了重要作用。P3P策略表达语言为公司提供了支持,使其能够详细表达其如何处理用户数据,但这些公司没有理由这样做,而是更愿意保护自己免受与披露潜在不良做法相关的责任。从理论上讲,监管反弹的威胁可能会激励人们发布准确的P3P政策,但在P3P发布之时,监管部门对超越长期的法律隐私政策几乎没有兴趣。即使在今天,监管机构也不愿意对具有误导性政策的公司采取执法行动,可能是因为它们自身的激励结构迫使它们将重点放在其他更突出的问题上。
The P3P experience is instructive in general for attempts at crafting privacy features that require the active participation of both ends of a communication. Actors that are meant to articulate their own privacy preferences, whether they be companies or individuals, require incentives to do so, as do those that are meant to process and react to such preferences. For example, the IETF's GEOPRIV architecture allows for expression of user preferences about location information [RFC4119]. While users may have more incentive to disclose their privacy preferences than companies did in the P3P case, successful use of the GEOPRIV model will require endpoints that
P3P体验通常对需要通信两端积极参与的隐私功能的设计具有指导意义。无论是公司还是个人,想要表达自己的隐私偏好的参与者都需要激励来表达自己的隐私偏好,那些想要处理隐私偏好并对其做出反应的参与者也是如此。例如,IETF的GEOPRIV架构允许表达用户对位置信息的偏好[RFC4119]。虽然与P3P案例中的公司相比,用户披露其隐私偏好的动机可能更大,但成功使用GEOPRIV模型需要具有以下特征的端点:
consume location information to abide by those preferences, and in certain contexts -- commercial or employment-related, for example -- they may be unwilling, or regulatory pressure may be required to spur a change in practice.
使用位置信息来遵守这些偏好,在某些情况下(例如,商业或与就业相关的情况),他们可能不愿意,或者可能需要监管压力来刺激实践中的变化。
It is clearly not the prerogative of Internet protocol developers to seek to change existing incentive structures. But acknowledging what motivates businesses, individuals, and regulators is crucial to determining whether new privacy technologies will succeed or fail.
寻求改变现有激励结构显然不是互联网协议开发者的特权。但了解企业、个人和监管机构的动机对于决定新隐私技术的成败至关重要。
The workshop demonstrated that the understanding of how to address privacy within the Internet standards community is nascent. The IETF faces particular challenges, because IETF protocols generally do not mandate implementation styles or pre-conceive particular deployment contexts, making the space of potential privacy threats attributable to any single protocol difficult to foresee at protocol design time.
研讨会表明,对如何在互联网标准社区内解决隐私问题的理解还处于初级阶段。IETF面临着特殊的挑战,因为IETF协议通常不强制实施风格或预先设想特定的部署环境,使得在协议设计时难以预见任何单一协议可能带来的隐私威胁空间。
Workshop participants nonetheless outlined a number of potential next steps. Work has already begun to attempt to provide guidance to protocol designers about the privacy impact of their specifications [PrivCons]. In refining this guidance, many of the questions raised at the workshop will need to be confronted, including those about how to properly model privacy threats against generic protocols, how to anticipate privacy risks that have been exposed in the previous design efforts, and how to document risks that are more difficult to foresee and mitigate. Workshop participants acknowledged that developing such guidance is likely necessary if document authors are expected to incorporate "Privacy Considerations" sections in their documents, but even with guidance, this is likely to be an uphill battle for many authors for some time to come.
尽管如此,讲习班与会者还是概述了今后可能采取的一些步骤。已经开始尝试为协议设计者提供有关其规范对隐私影响的指导[PrivCons]。在完善本指南的过程中,需要面对研讨会上提出的许多问题,包括如何正确建模针对通用协议的隐私威胁,如何预测在以前的设计工作中暴露的隐私风险,以及如何记录更难预见和缓解的风险。研讨会参与者承认,如果文档作者希望在其文档中包含“隐私注意事项”部分,则制定此类指南可能是必要的,但即使有了指南,在未来一段时间内,对于许多作者来说,这可能是一场艰苦的战斗。
As preliminary steps, those with privacy expertise may seek to apply the current guidance to existing IETF protocols. The security area directors have also created a privacy directorate where privacy reviews of documents coming before the IESG are being conducted.
作为初步步骤,具有隐私专业知识的人员可寻求将当前指南应用于现有IETF协议。安全区域主管还成立了一个隐私委员会,负责对IESG之前提交的文件进行隐私审查。
Participants also expressed an interest in further pursuing a number of the technical topics discussed at the workshop, including lessons learned from the experience of Tor and the fingerprinting implications of HTTP, TCP, SIP, and other IETF protocols. These and other efforts may be explored within the Internet Research Task Force (IRTF) in addition to, or in lieu of, the IETF.
与会者还表示有兴趣进一步探讨研讨会上讨论的一些技术主题,包括从Tor经验中吸取的教训以及HTTP、TCP、SIP和其他IETF协议的指纹识别影响。除IETF之外,或替代IETF,可在互联网研究工作队(IRTF)内探索这些和其他工作。
The W3C is likewise in a position of seeking a more comprehensive approach to privacy within the SDO. Because the work of the W3C operates within a more defined scope than that of the IETF -- namely, the web -- the questions before the W3C tend to lie more in the space of distinguishing between what can appropriately be accomplished within W3C specifications and what should be left to individual implementations, a theme that repeated itself again and again at the workshop.
W3C同样也在寻求SDO中更全面的隐私保护方法。由于W3C的工作在比IETF(即web)更明确的范围内运行,W3C面临的问题往往更多地在于区分哪些工作可以在W3C规范内适当完成,哪些工作应该留给单独的实现,在研讨会上反复出现的主题。
To further develop its approach to privacy, the W3C will investigate an interest group to discuss privacy topics. Some potential topics that emerged from the workshop include the fingerprinting impact of W3C protocols, data minimization in APIs, dealing with referrer header privacy leakage, developing privacy considerations for non-browser-based protocols, and developing usability considerations as part of specification design.
为了进一步发展其隐私方法,W3C将调查一个利益集团,讨论隐私主题。研讨会中出现的一些潜在主题包括W3C协议的指纹识别影响、API中的数据最小化、处理引用人头部隐私泄漏、为非基于浏览器的协议开发隐私注意事项,以及作为规范设计的一部分开发可用性注意事项。
The workshop covered a number of topics that may deserve further exploration in the IETF, the W3C, and the privacy community at large. These include development of privacy terminology; articulation of privacy threat models; analysis and experimentation with "Do Not Track" mechanisms for the web; work on cross-site data sharing, correlation, and linkability in web and non-web contexts; and investigation of policy expression languages.
研讨会涵盖了许多主题,这些主题可能值得IETF、W3C和整个隐私社区进一步探讨。其中包括制定隐私术语;隐私威胁模型的表达;网络“不跟踪”机制的分析和实验;在网络和非网络环境下进行跨站点数据共享、关联和链接工作;策略表达语言的研究。
Thanks to Bernard Aboba, Nick Doty, and Hannes Tschofenig for their early reviews.
感谢Bernard Aboba、Nick Doty和Hannes Tschofenig的早期评论。
Workshop participants discussed security aspects related to privacy, acknowledging that while much of the standards community may have once viewed most relevant privacy concerns as being encompassed by security considerations, there is a growing realization of privacy threats that lie outside the security realm. These include concerns related to data minimization, identifiability, and secondary use. Earlier security work provided minimal provision for privacy protection (e.g., the definition of "privacy" in [RFC2828] and some guidance about private information in [RFC3552]).
研讨会参与者讨论了与隐私相关的安全方面,承认虽然许多标准团体曾经认为最相关的隐私问题都包含在安全考虑因素中,但越来越多的人意识到安全领域之外的隐私威胁。这些问题包括与数据最小化、可识别性和二次使用相关的问题。早期的安全工作为隐私保护提供了最低限度的规定(例如,[RFC2828]中的“隐私”定义和[RFC3552]中关于私人信息的一些指导)。
[ALTO] IETF, "Application-Layer Traffic Optimization (alto)", 2011, <http://datatracker.ietf.org/wg/alto/charter/>.
[ALTO]IETF,“应用层流量优化(ALTO)”,2011年<http://datatracker.ietf.org/wg/alto/charter/>.
[Directive] European Parliament and Council of the European Union, "Directive 2009/136/EC of the European Parliament and of the Council", November 2009, <http://eur-lex.europa.eu/ LexUriServ/ LexUriServ.do?uri=OJ:L:2009:337:0011:01:EN:HTML>.
[指令]欧洲议会和欧盟理事会,“欧洲议会和理事会指令2009/136/EC”,2009年11月<http://eur-lex.europa.eu/ LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:01:EN:HTML>。
[FTC] Federal Trade Commission Staff, "A Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers", December 2010, <http://www.ftc.gov/opa/2010/12/privacyreport.shtm>.
[FTC]联邦贸易委员会工作人员,“FTC工作人员关于在快速变化时代保护消费者隐私的初步报告:企业和决策者的拟议框架”,2010年12月<http://www.ftc.gov/opa/2010/12/privacyreport.shtm>.
[Geolocation] Popescu, A., Ed., "Geolocation API Specification", September 2010, <http://www.w3.org/TR/2010/CR-geolocation-API-20100907/>.
[地理定位]Popescu,A.,Ed.,“地理定位API规范”,2010年9月<http://www.w3.org/TR/2010/CR-geolocation-API-20100907/>.
[IETF77] Krishnamurthy, B., "Privacy Leakage on the Internet", March 2010, <http://www.ietf.org/proceedings/77/slides/ plenaryt-5.pdf>.
[IETF77]Krishnamurthy,B.,“互联网上的隐私泄露”,2010年3月<http://www.ietf.org/proceedings/77/slides/ plenaryt-5.pdf>。
[OptOuts] Cooper, A. and H. Tschofenig, "Overview of Universal Opt-Out Mechanisms for Web Tracking", Work in Progress, March 2011.
[OptOuts]Cooper,A.和H.Tschofenig,“Web跟踪的通用选择退出机制概述”,正在进行的工作,2011年3月。
[P3P] Wenning, R., Ed., and M. Schunter, Ed., "The Platform for Privacy Preferences 1.1 (P3P1.1) Specification", November 2006, <http://www.w3.org/TR/P3P11/>.
[P3P]Wenning,R.,Ed.,和M.Schunter,Ed.,“隐私偏好平台1.1(P3P1.1)规范”,2006年11月<http://www.w3.org/TR/P3P11/>.
[Panopticlick] Electronic Frontier Foundation, "Panopticlick", 2011, <http://panopticlick.eff.org/>.
[ PopoptLICK]电子前沿基金会,“Panopticlick”,2011,<http://panopticlick.eff.org/>.
[Policies] Leon, P., Cranor, L., McDonald, A., and R. McGuire, "Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens", September 2010, <http://www.cylab.cmu.edu/research/ techreports/2010/tr_cylab10014.html>.
[政策]Leon,P.,Cranor,L.,McDonald,A.,和R.McGuire,“代币尝试:通过滥用P3P契约政策代币对网站隐私政策的错误陈述”,2010年9月<http://www.cylab.cmu.edu/research/ techreports/2010/tr_cylab10014.html>。
[PrivCons] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., and J. Morris, "Privacy Considerations for Internet Protocols", Work in Progress, October 2011.
[PrivCons]Cooper,A.,Tschofenig,H.,Aboba,B.,Peterson,J.,和J.Morris,“互联网协议的隐私考虑”,正在进行的工作,2011年10月。
[PrivDiffus] Krishnamurthy, B. and C. Wills, "Privacy Diffusion on the Web: A Longitudinal Perspective", Proceedings of the World Wide Web Conference, pages 541-550, Madrid, Spain, April 2009, <http://www.cs.wpi.edu/~cew/papers/www09.pdf>.
[PrivDiffus]Krishnamurthy,B.和C.Wills,“网络上的隐私传播:纵向视角”,《万维网会议记录》,第541-550页,西班牙马德里,2009年4月<http://www.cs.wpi.edu/~cew/papers/www09.pdf>。
[PrivLoss] Krishnamurthy, B., Malandrino, D., and C. Wills, "Measuring Privacy Loss and the Impact of Privacy Protection in Web Browsing", Proceedings of the Symposium on Usable Privacy and Security, pages 52-63, Pittsburgh, PA USA, ACM International Conference Proceedings Series, July 2007, <http://www.cs.wpi.edu/~cew/papers/soups07.pdf>.
[PrivLoss]Krishnamurthy,B.,Malandrino,D.,和C.Wills,“测量隐私损失和网络浏览中隐私保护的影响”,可用隐私和安全研讨会论文集,第52-63页,美国宾夕法尼亚州匹兹堡,ACM国际会议论文集,2007年7月<http://www.cs.wpi.edu/~cew/papers/soups07.pdf>。
[RFC1543] Postel, J., "Instructions to RFC Authors", RFC 1543, October 1993.
[RFC1543]Postel,J.,“RFC作者须知”,RFC1543,1993年10月。
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2616]菲尔丁,R.,盖蒂斯,J.,莫卧儿,J.,弗莱斯蒂克,H.,马斯特,L.,利奇,P.,和T.伯纳斯李,“超文本传输协议——HTTP/1.1”,RFC 2616,1999年6月。
[RFC2778] Day, M., Rosenberg, J., and H. Sugano, "A Model for Presence and Instant Messaging", RFC 2778, February 2000.
[RFC2778]Day,M.,Rosenberg,J.,和H.Sugano,“状态和即时信息模型”,RFC 27782000年2月。
[RFC2828] Shirey, R., "Internet Security Glossary", RFC 2828, May 2000.
[RFC2828]Shirey,R.,“互联网安全词汇表”,RFC 28282000年5月。
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.
[RFC3261]Rosenberg,J.,Schulzrinne,H.,Camarillo,G.,Johnston,A.,Peterson,J.,Sparks,R.,Handley,M.,和E.Schooler,“SIP:会话启动协议”,RFC 3261,2002年6月。
[RFC3323] Peterson, J., "A Privacy Mechanism for the Session Initiation Protocol (SIP)", RFC 3323, November 2002.
[RFC3323]Peterson,J.,“会话启动协议(SIP)的隐私机制”,RFC3323,2002年11月。
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, July 2003.
[RFC3552]Rescorla,E.和B.Korver,“关于安全考虑的RFC文本编写指南”,BCP 72,RFC 3552,2003年7月。
[RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and J. Polk, "Geopriv Requirements", RFC 3693, February 2004.
[RFC3693]Cuellar,J.,Morris,J.,Mulligan,D.,Peterson,J.,和J.Polk,“地质驱动要求”,RFC 3693,2004年2月。
[RFC4119] Peterson, J., "A Presence-based GEOPRIV Location Object Format", RFC 4119, December 2005.
[RFC4119]Peterson,J.,“一种基于状态的GEOPRIV定位对象格式”,RFC41192005年12月。
[RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", RFC 4941, September 2007.
[RFC4941]Narten,T.,Draves,R.,和S.Krishnan,“IPv6中无状态地址自动配置的隐私扩展”,RFC 49412007年9月。
[RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, April 2011.
[RFC6265]Barth,A.,“HTTP状态管理机制”,RFC6265,2011年4月。
[Tor] The Tor Project, Inc., "Tor", 2011, <https://www.torproject.org/>.
[Tor]Tor项目有限公司,“Tor”,2011年<https://www.torproject.org/>.
[Workshop] IAB, W3C, ISOC, MIT CSAIL, "Internet Privacy Workshop 2010", 2011, <http://www.iab.org/activities/workshops/ internet-privacy-workshop-2010/>.
[研讨会]IAB、W3C、ISOC、MIT CSAIL,“2010年互联网隐私研讨会”,2011年<http://www.iab.org/activities/workshops/ internet-privacy-workshop-2010/>。
Main page: http://www.iab.org/activities/workshops/ internet-privacy-workshop-2010/
Main page: http://www.iab.org/activities/workshops/ internet-privacy-workshop-2010/
Slides: http://www.iab.org/activities/workshops/ internet-privacy-workshop-2010/slides/
Slides: http://www.iab.org/activities/workshops/ internet-privacy-workshop-2010/slides/
Minutes: http://www.iab.org/activities/workshops/ internet-privacy-workshop-2010/minutes/
Minutes: http://www.iab.org/activities/workshops/ internet-privacy-workshop-2010/minutes/
Position papers: http://www.iab.org/activities/workshops/ internet-privacy-workshop-2010/papers/
Position papers: http://www.iab.org/activities/workshops/ internet-privacy-workshop-2010/papers/
o Fu-Ming Shih, MIT o Ian Jacobi, MIT o Steve Woodrow, MIT o Nick Mathewson, The Tor Project o Peter Eckersley, Electronic Frontier Foundation o John Klensin, IAB o Oliver Hanka, Technical University Munich o Alan Mislove, Northeastern University o Ashkan Soltani, FTC o Sam Hartman, Painless Security o Kevin Trilli, TRUSTe o Dorothy Gellert, InterDigital o Aaron Falk, Raytheon - BBN Technologies o Sean Turner, IECA o Wei-Yeh Lee, NAVTEQ o Chad McClung, The Boeing Company o Jan Seedorf, NEC o Dave Crocker, Brandenburg InternetWorking o Lorrie Cranor, Carnegie Mellon University o Noah Mendelsohn, W3C TAG Chair o Stefan Winter, RESTENA o Craig Wittenberg, Microsoft o Bernard Aboba, IAB/Microsoft o Heather West, Google o Blaine Cook, British Telecom o Kasey Chappelle, Vodafone Group o Russ Housley, IETF Chair/Vigil Security, LLC o Daniel Appelquist, Vodafone R&D o Olaf Kolkman, IAB Chair o Jon Peterson, IAB/NeuStar, Inc. o Balachander Krishnamurthy, AT&T Labs--Research o Marc Linsner, Cisco Systems
o Fu Ming Shih,麻省理工学院O Ian Jacobi,麻省理工学院O Steve Woodrow,麻省理工学院,Nick Mathewson,托尔项目Peter Eckersley,电子前沿基金会John Klensin,IAB O Oliver Hanka,慕尼黑技术大学,东北大学,O,FTC O,无痛保安O,托雷斯奥格勒特,阿伦·福克(Aaron Falk)、雷神-BBN技术公司(Raytheon-BBN Technologies)和肖恩·特纳(Sean Turner)、国际电工协会(IECA)和李伟业(Wei Yeh Lee)、纳夫特克(NAVTEQ)和查德·麦克隆(Chad McClong)、波音公司(o Jan Sedorf)、国家电气公司(NEC)和戴夫·克罗克(Dave Crocker)、勃兰登堡互联网络公司(o Rorrie Cranor)、卡内基梅隆大学(Carnegie Mellon University)和门德尔松(No,IAB/Microsoft o Heather West、Google o Blaine Cook、英国电信o Kasey Chappelle、沃达丰集团o Russ Housley、IETF主席/守夜安全有限责任公司o Daniel Appelquist、沃达丰研发o Olaf Kolkman、IAB主席o Jon Peterson、IAB/NeuStar、Inc.o Balachander Krishnamurthy、AT&T实验室——研究o Marc Linner、思科系统
o Jorge Cuellar, Siemens AG o Arvind Narayanan, Stanford University o Eric Rescorla, Skype o Cullen Jennings, Cisco o Christine Runnegar, Internet Society o Alissa Cooper, Center for Democracy & Technology o Jim Fenton, Cisco o Oshani Seneviratne, MIT o Lalana Kagal, MIT o Fred Carter, Information & Privacy Commissioner of Ontario, Canada o Frederick Hirsch, Nokia o Benjamin Heitmann, DERI, NUI Galway, Ireland o John Linn, RSA, The Security Division of EMC o Paul Trevithick, Azigo o Ari Schwartz, National Institute of Standards and Technology o David Evans, University of Cambridge o Nick Doty, UC Berkeley, School of Information o Sharon Paradesi, MIT o Jonathan Mayer, Stanford University o David Maher, Intertrust o Brett McDowell, PayPal o Leucio Antonio Cutillo, Eurecom o Susan Landau, Radcliffe Institute for Advanced Study, Harvard University o Christopher Soghoian, FTC In-house Technologist, Center for Applied Cybersecurity Research, Indiana University o Trent Adams, Internet Society o Thomas Roessler, W3C o Karen O'Donoghue, ISOC o Hannes Tschofenig, IAB/Nokia Siemens Networks o Lucy Elizabeth Lynch, Internet Society o Karen Sollins, MIT o Tim Berners-Lee, W3C
o Jorge Cuellar、Siemens AG o Arvind Narayanan、斯坦福大学o Eric Rescorla、Skype o Cullen Jennings、Cisco o Christine Runnegar、互联网协会o Alissa Cooper、民主与技术中心o Jim Fenton、Cisco o Oshani Seneviratine、麻省理工学院o Lalana Kagal、麻省理工学院o Fred Carter、安大略省信息与隐私专员、,加拿大O Frederick Hirsch,诺基亚O Benjamin Heitmann,德里,努伊戈尔韦,爱尔兰O John Linn,RSA,安全部的EMC O Paul Trevithick,Asio O-ARI施瓦兹,国家标准和技术研究所O戴维,剑桥大学O,UC,信息学院,麻省理工学院,O,斯坦福大学o David Maher、Intertrust o Brett McDowell、PayPal o Leucio Antonio Cutillo、Eurecom o Susan Landau、Radcliffe高等研究所、哈佛大学o Christopher Soghoian、FTC内部技术专家、应用网络安全研究中心、印第安纳大学o Trent Adams、互联网协会o Thomas Roessler、,W3C o Karen o'Donoghue,ISOC o Hannes Tschofenig,IAB/诺基亚西门子网络o Lucy Elizabeth Lynch,互联网协会o Karen Sollins,麻省理工学院o Tim Berners Lee,W3C
1. "Addressing the privacy management crisis in online social networks" by Krishna Gummadi, Balachander Krishnamurthy, and Alan Mislove
1. Krishna Gummadi、Balachander Krishnamurthy和Alan Mislove合著的《解决在线社交网络中的隐私管理危机》
2. "Thoughts on Adding "Privacy Considerations" to Internet Drafts" by Alissa Cooper and John Morris
2. 关于在互联网草稿中加入“隐私考虑”的思考
3. "Toward Objective Global Privacy Standards" by Ari Schwartz
3. Ari Schwartz的“迈向客观的全球隐私标准”
4. "SocialKeys: Transparent Cryptography via Key Distribution over Social Networks" by Arvind Narayanan
4. Arvind Narayanan的“社交密钥:通过社交网络上的密钥分发实现透明加密”
5. "Web Crawlers and Privacy: The Need to Reboot Robots.txt" by Arvind Narayanan and Pete Warden
5. Arvind Narayanan和Pete Warden的“网络爬虫和隐私:需要重新启动Robots.txt”
6. "I Know What You Will Do Next Summer" by Balachander Krishnamurthy
6. 巴拉昌德·克里希纳穆尔蒂的《我知道你明年夏天会做什么》
7. "An architecture for privacy-enabled user profile portability on the Web of Data" by Benjamin Heitmann and Conor Hayes
7. Benjamin Heitmann和Conor Hayes的“数据Web上支持隐私的用户配置文件可移植性架构”
8. "Addressing Identity on the Web" by Blaine Cook
8. Blaine Cook的“在Web上寻址身份”
9. "Protection-by-Design: Enhancing ecosystem capabilities to protect personal information" by Jonathan Fox and Brett McDowell
9. 乔纳森·福克斯(Jonathan Fox)和布雷特·麦克道尔(Brett McDowell)的《设计保护:增强生态系统保护个人信息的能力》
10. "Privacy-preserving identities for a safer, more trusted internet" by Christian Paquin
10. Christian Paquin的“保护隐私的身份,实现更安全、更可信的互联网”
11. "Why Private Browsing Modes Do Not Deliver Real Privacy" by Christopher Soghoian
11. Christopher Soghoian的“为什么私人浏览模式不能提供真正的隐私”
12. "Incentives for Privacy" by Cullen Jennings
12. 卡伦·詹宁斯的“隐私激励”
13. "Joint Privacy Workshop: Position Comments by D. Crocker" by Dave Crocker
13. 戴夫·克罗克的“联合隐私研讨会:D.克罗克的立场评论”
14. "Using properties of physical phenomena and information flow control to manage privacy" by David Evans and David M. Eyers
14. David Evans和David M.Eyers的“利用物理现象的特性和信息流控制来管理隐私”
15. "Privacy Approaches for Internet Video Advertising" by Dave Maher
15. Dave Maher的“互联网视频广告的隐私方法”
16. "Privacy on the Internet" by Dorothy Gellert
16. 多萝西·盖勒特的《互联网上的隐私》
17. "Can We Have a Usable Internet Without User Trackability?" by Eric Rescorla
17. Eric Rescorla的“我们能拥有一个没有用户跟踪的可用互联网吗?”
18. "Privacy by Design: The 7 Foundational Principles -- Implementation and Mapping of Fair Information Practices" by Fred Carter and Ann Cavoukian
18. 弗雷德·卡特(Fred Carter)和安·卡沃基安(Ann Cavoukian)“设计隐私:7项基本原则——公平信息实践的实施和映射”
19. "Internet Privacy Workshop Position Paper: Privacy and Device APIs" by Frederick Hirsch
19. Frederick Hirsch的“互联网隐私研讨会立场文件:隐私和设备API”
20. "Position Paper for Internet Privacy Workshop" by Heather West
20. Heather West撰写的“互联网隐私研讨会立场文件”
21. "I 'like' you, but I hate your apps" by Ian Glazer
21. 伊恩·格雷泽的“我喜欢你,但我讨厌你的应用程序”
22. "Privicons: A approach to communicating privacy preferences between Users" by E. Forrest and J. Schallabock
22. E.Forrest和J.Schallabock的“Privicons:用户之间交流隐私偏好的方法”
23. "Privacy Preservation Techniques to establish Trustworthiness for Distributed, Inter-Provider Monitoring" by J. Seedorf, S. Niccolini, A. Sarma, B. Trammell, and G. Bianchi
23. J.Seedorf、S.Niccolini、A.Sarma、B.Trammell和G.Bianchi的“为分布式、跨提供商监控建立可信度的隐私保护技术”
24. "Trusted Intermediaries as Privacy Agents" by Jim Fenton
24. Jim Fenton的“作为隐私代理的可信中介机构”
25. "Protocols are for sharing" by John Kemp
25. 约翰·肯普的《协议是为了共享》
26. "On Technology and Internet Privacy" by John Linn
26. 约翰·林恩的“关于技术和互联网隐私”
27. "Do Not Track: Universal Web Tracking Opt-out" by Jonathan Mayer and Arvind Narayanan
27. Jonathan Mayer和Arvind Narayanan的“不跟踪:通用网络跟踪选择退出”
28. "Location Privacy Protection Through Obfuscation" by Jorge Cuellar
28. Jorge Cuellar的“通过混淆保护位置隐私”
29. "Everything we thought we knew about privacy is wrong" by Kasey Chappelle and Dan Appelquist
29. 凯西·查佩尔和丹·阿佩尔奎斯特的《我们所知道的关于隐私的一切都是错误的》
30. "TRUSTe Position Paper" by Kevin Trilli
30. 凯文·特里利的“信任立场文件”
31. "Position Paper: Incentives for Adoption of Machine-Readable Privacy Notices" by Lorrie Cranor
31. 罗莉·克兰纳的《立场文件:采用机器可读隐私声明的激励措施》
32. "Facilitate, don't mandate" by Ari Rabkin, Nick Doty, and Deirdre K. Mulligan
32. Ari Rabkin、Nick Doty和Deirdre K.Mulligan合著的《促进,而非强制》
33. "Location Privacy in Next Generation Internet Architectures" by Oliver Hanka
33. Oliver Hanka的“下一代互联网架构中的位置隐私”
34. "HTTPa: Accountable HTTP" by Oshani Seneviratne and Lalana Kagal
34. Oshani Seneviratne和Lalana Kagal的“HTTPa:负责任的HTTP”
35. "Personal Data Service" by Paul Trevithick
35. Paul Trevithick的“个人数据服务”
36. "Several Pressing Problems in Hypertext Privacy" by Peter Eckersley
36. 彼得·埃克斯利的《超文本隐私中的几个紧迫问题》
37. "Adding Privacy in Existing Security Systems" by Sam Hartman
37. Sam Hartman的“在现有安全系统中增加隐私”
38. "Mobility and Privacy" by S. Brim, M. Linsner, B. McLaughlin, and K. Wierenga
38. S.Brim、M.Linsner、B.McLaughlin和K.Wierenga的《移动和隐私》
39. "Saveface: Save George's faces in Social Networks where Contexts Collapse" by Fuming Shih and Sharon Paradesi
39. 《拯救面子:在语境崩溃的社交网络中拯救乔治的脸》,施福明和莎伦·帕拉迪斯合著
40. "eduroam -- a world-wide network access roaming consortium on the edge of preserving privacy vs. identifying users" by Stefan Winter
40. Stefan Winter的“eduroam——一个全球网络接入漫游联盟,在保护隐私与识别用户的边缘”
41. "Effective Device API Privacy: Protecting Everyone (Not Just the User)" by Susan Landau
41. Susan Landau的“有效的设备API隐私:保护每个人(不仅仅是用户)”
42. "Safebook: Privacy Preserving Online Social Network" by L. Antonio Cutillo, R. Molva, and M. Onen
42. L.Antonio Cutillo、R.Molva和M.Onen合著的“Safebook:保护隐私的在线社交网络”
Author's Address
作者地址
Alissa Cooper CDT 1634 I Street NW, Suite 1100 Washington, DC 20006 USA
Alissa Cooper CDT 1634 I Street NW,美国华盛顿特区1100号套房,邮编:20006
EMail: acooper@cdt.org URI: http://www.cdt.org/
EMail: acooper@cdt.org URI: http://www.cdt.org/