[Search] [txt|pdf|bibtex] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06                                          
Network Working Group                                          W. Haddad
Internet-Draft                                         Ericsson Research
Expires: December 28, 2006                                   E. Nordmark
                                                        Sun Microsystems
                                                           June 26, 2006

                      Privacy Aspects Terminology

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on December 28, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).


   This memo introduces the terminology for the main privacy aspects.
   The prime goal is to avoid situations where different interpretations
   of the same key privacy aspects result in different requirements when
   designing specific solutions, thus leading to an unnecessary

Haddad & Nordmark       Expires December 28, 2006               [Page 1]

Internet-Draft             Privacy Terminology                 June 2006

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions used in this document  . . . . . . . . . . . . . .  4
   3.  General Terminology  . . . . . . . . . . . . . . . . . . . . .  5
   4.  Privacy  . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
   5.  Location Privacy . . . . . . . . . . . . . . . . . . . . . . .  7
   6.  Overview of Different Privacy Aspects  . . . . . . . . . . . .  8
     6.1.  Anonymity  . . . . . . . . . . . . . . . . . . . . . . . .  8
     6.2.  Unlinkability  . . . . . . . . . . . . . . . . . . . . . .  8
     6.3.  Unobservability  . . . . . . . . . . . . . . . . . . . . .  9
     6.4.  Relation Between Anonymity and Unlinkability . . . . . . .  9
     6.5.  Pseudonymity . . . . . . . . . . . . . . . . . . . . . . .  9
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
   Intellectual Property and Copyright Statements . . . . . . . . . . 12

Haddad & Nordmark       Expires December 28, 2006               [Page 2]

Internet-Draft             Privacy Terminology                 June 2006

1.  Introduction

   Privacy is becoming a key requirement to allow deployment of specific
   internet services.  However, privacy has many aspects, which differ
   in scope, properties and limitations.

   To avoid any possible confusion with regard to the meanings of
   privacy in some particular scenarios and to differentiate between
   requirements related to each scenario, privacy aspects have to be
   well defined before designing any solution.  It is the intention of
   this memo to introduce the terminology for the main aspects of

Haddad & Nordmark       Expires December 28, 2006               [Page 3]

Internet-Draft             Privacy Terminology                 June 2006

2.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [TERM].

Haddad & Nordmark       Expires December 28, 2006               [Page 4]

Internet-Draft             Privacy Terminology                 June 2006

3.  General Terminology

   Item of Interest (IOI)

   An Item of Interest (IOI) represents what an attacker is trying to
   discover, learn, trace and possibly link to other IOI(s), in order to
   identify its target.  Examples of IOI include a subject, event,
   action (e.g., send, receive, move, etc), specific type of messages,


   In the field of privacy, knowledge refers to the information
   available to an attacker about its target.  In terms of IOI,
   knowledge can be described by the probability of one or more IOIs.
   We refer to any prior information available to an attacker about a
   specific target as background knowledge.

Haddad & Nordmark       Expires December 28, 2006               [Page 5]

Internet-Draft             Privacy Terminology                 June 2006

4.  Privacy

   Privacy is a fundamental human right.  The most common definition of
   privacy is the one by Alan Westin: "Pivacy is the claim of
   individuals, groups and institutions to determine for themesleves,
   when, how and to what extent information about them is communicated
   to others".

   Privacy is a general term that involves several different aspects.
   These aspects enable features like hiding the node's address(es)
   (e.g., MAC and/or IP), name(s) (e.g., DNS), and/or location(s), in
   addition to hiding specific IOIs.  One or more of these features can
   be obtained during one particular session.

   In wireless telecommunications, privacy addresses especially the
   protection of the content as well as the context (e.g., time,
   location, type of service, ...) of a communication event.

   Consequently, neither the mobile node nor its system software shall
   support the creation of user-related usage profiles.  Such profiles
   basically comprise of a correlation of time and location of the
   node's use, as well as the type and details of the transaction

   The main prvacy aspects are anonymity, unlinkability,
   unobservability, and pseudonymity.  Note that privacy can be achieved
   by disconnectivity, i.e., not being connected to a network.

Haddad & Nordmark       Expires December 28, 2006               [Page 6]

Internet-Draft             Privacy Terminology                 June 2006

5.  Location Privacy

   Location privacy is the ability to prevent other parties from
   learning one's current and/or past location.  In order to get such
   ability, the concerned (i.e., targeted) node must conceal any
   relation between its location and the personal identifiable

   In our context, location privacy refers normally to the topological
   location and not the geographic one.  The latter is provided by other
   means (e.g., GPS) than an IPv6 address.  But it should be noted that
   it may be possible sometimes to deduce the geographical location from
   the topological one.

Haddad & Nordmark       Expires December 28, 2006               [Page 7]

Internet-Draft             Privacy Terminology                 June 2006

6.  Overview of Different Privacy Aspects

   As mentioned above, privacy is a general term, which refers to many
   different aspects.  In the following, we define the main privacy
   aspects and describe the different relations between them.

6.1.  Anonymity

   Anonymity is the state of being not uniquely characterized, i.e.,
   identifiable, within a set of subjects (e.g., node, user) called the
   anonymity set.  The set of possible subjects depends on the knowledge
   of the attacker and may vary overtime.  Thus, anonymity is relative
   with respect to the attacker and is very much context dependent.

   In the security field, anonymity is a property of network security.
   An entity "A" in a set has anonymity if no other entity can identify
   "A", nor is there any link back to "A" that can be used, nor any way
   to verify that any two anonymous act are performed by "A".

   From a user perspective, anonymity ensures that a user may use a
   resource or service without disclosing the user's identity.

   In wireless networks, anonymity means that neither the mobile node
   nor its system shall by default expose any information, that allows
   any conclusions on the owner or current use of the node.

   Consequently, in scenarios where a device and/or network identifiers
   are used (e.g., MAC address, IP address), neither the communication
   partner nor any outside attacker should be able to disclose any
   possible link between the respective identifier and the user's

6.2.  Unlinkability

   Unlinkability of two or more IOIs means that from an attacker's
   perspective, these IOIs are no more and no less related after his
   observation than they are related concerning his background

   For example, two messages (e.g., binding updates) are unlinkable for
   an attacker if the a-posteriori probability describing his background
   knowledge that these two messages are sent by the same sender and/or
   received by the same recipient is the same as the probability imposed
   by his a-priori knowledge.

   From a user perspective, unlinkability ensures that a user may make
   multiple uses of resources or services without other being able to
   link these uses together.

Haddad & Nordmark       Expires December 28, 2006               [Page 8]

Internet-Draft             Privacy Terminology                 June 2006

6.3.  Unobservability

   Unobservability is the state of IOIs being indistinguishable from any
   IOI.  This means that messages are not discernable from e.g., random
   noise.  Consequently, unobservability deals with events instead of

   From a user perspective, unobservability ensures that a user may use
   a resource or service without others, especially third parties, being
   able to observe that the resource or service is being used.

6.4.  Relation Between Anonymity and Unlinkability

   In terms of unlinkability, anonymity can be defined as the
   unlikability of an IOI and any identifier of a subject.
   Consequently, unlinkability is a sufficient condition of anonymity
   but is not a necessary condition.

6.5.  Pseudonymity

   Pseudonymity is a weaker property related to anonymity.  It means
   that one cannot identify an entity, but it may be possible to prove
   that two pseudonyms acts were performed by the same entity.

   From a user perspective, pseudonymity ensures that a user may use a
   resource or service without disclosing its user identity, but can
   still be accountable for that use.

   Consequently, a pseudonym is an identifier for a party to a
   transaction, which is not in the normal course of events, sufficient
   to associate the transaction with a particular user.

   Hence a transaction is pseudonymous in relation to a particular party
   if the transaction data contains no direct identifier for that party,
   and can only be related to them in the event that a very specific
   piece of additional data is associated with it.

   For more literature about the privacy terminology content, please
   refer to [ANON], [ISO99], [PRIVNG], [FREEDOM] and [ANON-PRIV].

Haddad & Nordmark       Expires December 28, 2006               [Page 9]

Internet-Draft             Privacy Terminology                 June 2006

7.  Security Considerations

   This document introduces terminology for different privacy aspects.
   It does not raise any security issues.

8.  References

   [ANON]     Pfitzman, A. and M. Hansen, "Anonymity, Unlinkability,
              Unobservability, Pseudonymity, and Identity Management - A
              consolidated Proposal for Terminology", Draft v0.28,
              May 2006.

              Schmidt, M., "Subscriptionless Mobile Networking:
              Anonymity and Privacy Aspects within Personal Area
              Networks", IEEE WCNC, 2002.

   [FREEDOM]  Westin, A., "Privacy and Freedom", Atheneum Press,
              NY, USA, 1967.

   [ISO99]    "ISO IS 15408", http://www.commoncriteria.org/ , 1997.

   [PRIVNG]   Escudero-Pascual, A., "Privacy in the Next Generation
              Internet", December 2002.

   [TERM]     Bradner, S., "Key Words for Use in RFCs to Indicate
              Requirement Levels", RFC 2119, BCP , March 1997.

Haddad & Nordmark       Expires December 28, 2006              [Page 10]

Internet-Draft             Privacy Terminology                 June 2006

Authors' Addresses

   Wassim Haddad
   Ericsson Research
   Torshamnsgatan 23
   SE-164 Stockholm

   Phone: +46 84044079
   Email: Wassim.Haddad@ericsson.com

   Erik Nordmark
   Sun Microsystems
   17 Network Circle
   Menlo Park, CA 94025

   Phone: +1 650 786 2921
   Email: Erik.Nordmark@sun.com

Haddad & Nordmark       Expires December 28, 2006              [Page 11]

Internet-Draft             Privacy Terminology                 June 2006

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at

Disclaimer of Validity

   This document and the information contained herein are provided on an

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


   Funding for the RFC Editor function is currently provided by the
   Internet Society.

Haddad & Nordmark       Expires December 28, 2006              [Page 12]