Max Inden: Great work, is there a genuine use case for an app to listen
on localhost?
Aniketh: For testing purposes or react native build servers to serve
static files would be an example
Max: How did Yandex do this over HTTPS?
Aniketh: They had this particular domain that resolved to the local IP,
so the traffic was being sent to the loopback address.
Browser Implementers in the room want to come to mic?
Martin Thomson: There are a few frightening things that aren't fixed in
browsers because we don't know how to fix them yet, however to Max's point
there are no reasons for an app to use localhost to other apps. There
are other ways to do this, there's no legitimate reason. Some platform
level changes are needed to improve the situation (desktop is also
vulnerable).
Aniketh: We found that Android was the only one being targeted, we
didn't see examples of this on Desktop.
Aniketh: We are researchers, no legal background, but the regulators are
aware of this.
Steve Hill: Are local frames being used intentionally to evade blocking
or just a side effect?
Alisha: Hard for us to determine intent, they're used for a variety of
things like ads or captcha, or just a clean environment.
Shivan Sahib: Just wondering why you mentioned that most of the vulns
that were reported were fixed?
Alisha: We talked to the maintainer of a project and they said they
wanted to wait till the problem becomes more widespread before
addressing.
Li Lun: Impressive on the performance issue. Are all the FHE algorithms you
discussed quantum safe?
Xianhui: They are all based on lattice algorithms and thought to be
quantum safe.
Li Lun: How to filter the protocol design for FHE, and distribute the
computation key?
Xianhui: Currently we only consider the performance on a single machine,
but in real life you need a key management protocol.
Martin Thomson: The important question to ask is not can we do those
things but should we do these things? You gave interesting examples from
an academic perspective, but could be potentially hazardous legally, so
important to understand context. Also laws are extremely shortsighted
and forbid privacy preserving computation, so coming to conclusions
about what is acceptable in different companies.
Sara Dickinson: We should have a discussion on the list on whether to do
work on formalizing primitives.
Wenting: I don't think they're trying to solve the legal issue, they're
trying to solve the security problem.
Martin: In most cases privacy preserving computing is about protecting
commercial interests rather than pure privacy reasons.