draft-internet2-mace-i2im-pseudonymous-cases-01.html

Brendan Bellina

Notre Dame

Copyright © 2004 by Internet2 and/or the respective authors

June 2004


Comments to: i2im AT internet2 DOT edu


Cases for Pseudonymous Instant Messaging

Author: Brendan Bellina

Last Revised: June 25, 2004

Instant Messaging (IM), as a medium of information exchange, often occurs between entities who have willingly identified themselves both within the context of the local discussion and the broader context of multiple discussions and perhaps non-IM communications.  IM communications, however, should not require that participants provide identifying information or attributes that could be used to track their involvement across multiple discussions or outside of IM.  IM participants should be able to function in a pseudonymous fashion, as well as to block or filter those who are functioning in a pseudonymous fashion.

Terminology

entity – Something that has a real existence [Oxford English Dictionary, Standard edition 1989]

handle – the identifier used by an entity when communicating over IM.  An entity may have multiple handles simultaneously, and may use a single handle over multiple IM discussions.  No two entities can have the same handle simultaneously.

handle domain – the issuer of a handle

Instant Messaging (IM) – Using protocols common to products in the Instant Messaging space.  Generally used to transmit data between individuals in one-to-one or one-to-many fashion.

identity – The sameness of a person or thing at all times or in all circumstances; the condition or fact that a person or thing is itself and not something else [Oxford English Dictionary, Standard edition 1989]

identifying attributes – electronic data about an entity which can be used to determine identity

pseudonymous IM – communicating over IM protocols without divulging identifying attributes.  Not truly anonymous communication because IM system administrators may be able to determine identifying attributes from IM and system logs.

Principles of Pseudonymity

An entity should be able to communicate using IM without revealing identifying attributes.

An entity should be able to reinitiate IM communication and be recognized as the prior communicant without revealing identifying attributes. (This may be time-limited).

An entity should be able to reinitiate IM communication with a prior pseudonymous communicant without having to know identifying attributes of the pseudonymous communicant. (This may be time-limited).

Support for Attribute-based IM Filtering

With the potential for pseudonymous callers, IM callees must be able to filter sessions with callers via allowances and restrictions based on attributes other than simply handles and handle domains.  Filtering based on handles and/or handle domains is insufficient because pseudonymous handles should not carry embedded relationship information.

Filtering based on non-identifying attributes will allow the use of pseudonymous communication while minimizing the risk of IM-protocol-based spam (“SpIM”?).

Principles of Pseudonymous Filtering

An entity should be able to filter potential communicants using rules that rely upon communicant attributes that have been vouched for by a recognized attribute authority.

An entity should be able to determine which filter rules are true for a communicant.

An entity should not be his/her own attribute authority except within the governance of an external policy agreement between the communication participants.
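The filtering principles above, and the refusal behaviour of Case 2 below, as an added example (not part of the original draft): a callee policy is evaluated only against attributes vouched for by a recognized attribute authority, the callee learns just which of its rules are true, and every refusal returns the same opaque failure so a caller cannot tell a refused address from an invalid one. The authority names, keys and attribute names are constructed assumptions; HMAC stands in for whatever signature scheme a real attribute authority would use.

```python
import hashlib
import hmac
import json

# Constructed trust list: authorities whose assertions the callee's domain
# recognizes. A self-issued "authority" is deliberately absent (principle 3).
RECOGNIZED_AUTHORITIES = {"usci.example": b"constructed-usci-aa-key"}


def issue_assertion(authority, key, attributes):
    """Attribute authority vouches for non-identifying attributes of a caller."""
    payload = json.dumps({"authority": authority, "attributes": attributes},
                         sort_keys=True)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_assertion(assertion):
    """Return the vouched attributes, or None if the issuer is unrecognized
    or the assertion has been altered (a self-asserted claim fails here)."""
    data = json.loads(assertion["payload"])
    key = RECOGNIZED_AUTHORITIES.get(data["authority"])
    if key is None:
        return None
    expected = hmac.new(key, assertion["payload"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        return None
    return data["attributes"]


def decide(callee_policy, assertion):
    """Apply the callee's filter rules to a pseudonymous session request.

    Returns ("accept", [names of rules that are true]) so the callee sees
    which rules matched but not the raw attributes, or ("fail", None) for
    every kind of refusal (Case 2: the caller learns nothing else).
    """
    if not callee_policy["allow_pseudonymous"]:
        return ("fail", None)
    attrs = verify_assertion(assertion) if assertion else None
    if attrs is None:
        return ("fail", None)
    matched = [name for name, rule in callee_policy["rules"].items()
               if all(attrs.get(k) == v for k, v in rule.items())]
    if callee_policy["rules"] and not matched:
        return ("fail", None)
    return ("accept", matched)
```

With an empty rule set and pseudonymous sessions allowed, any vouched caller is accepted, which is the hotline situation of Case 3.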

Cases

Case 1:

In this case the IM callee receives attributes from the caller’s attribute authority (specifically in this case only that the caller is a registered student in Classic Literature 101 at the University State College Institute - USCI), but does not receive identifying information. This allows the callee to determine whether or not to participate but maintains the privacy of the caller.

A student seeking clarification about a professor’s policy on plagiarism does not wish his identity revealed.  The student is enrolled in class Classic Literature 101 at the University State College Institute.  In the initial session negotiation the attributes necessary to demonstrate that the person is a student taking CL101 at USCI are passed and the professor receives a notice that a student of CL101 at USCI wishes to converse pseudonymously.  The professor receives only information that indicates that the caller is a student of CL101, nothing that indicates the attribute authority of the individual or any other attributes.

Case 2:

In this case the IM callee refuses pseudonymous connections. To protect the callee’s privacy, no information is returned other than that the connection failed.

[Subcase 1] A person attempts to distribute spam via an IM automated script to faculty at USCI. For faculty members who have specified that pseudonymous connections be refused the spammer receives only messages that the connection attempts were unsuccessful and therefore cannot know that the IM addresses he/she used were in fact valid IM addresses.

[Subcase 2] A person attempting to locate his ex-spouse sends IM messages to college campuses as a way of identifying her affiliation with a particular campus and determine her physical location. Because the ex-spouse has specified that pseudonymous connections be refused the caller receives only messages that the connection attempts were unsuccessful and therefore cannot use IM as a means of locating her even though he knows her preferred handle.

Case 3:

In this case the IM callee receives no attributes about the caller, although with appropriate access to IM system logs it MAY be possible to “trace” the call.  (The IM handle in this case might be algorithmically generated from non-person-related content such as a date-time stamp.)

The campus suicide prevention hotline allows pseudonymous IM from anyone with no need to pass attributes of any kind other than the caller’s pseudonymous handle. The hotline operator will need to rely on their communication skills to retrieve additional attributes about the caller.

Case 4:

In this case the IM callee participates in multiple connections with the same pseudonymous caller simultaneously without being aware that there is a single caller.

A student initiates two independent pseudonymous IM sessions with a professor.  The professor participates in each session unaware that they are each from the same student.

Case 5:

In this case an IM caller-callee pair participate in an extended communication session over multiple IM pseudonymous sessions in time.

An entity initiates a pseudonymous session with a callee and they exchange messages.  The IM session ends.  Some time later the originator wishes to continue the conversation and re-contacts the callee.  The callee is able to determine only that the caller of both sessions is the same individual, but remains unaware of the identity of the individual.

Case 6:

In this case an IM caller-callee pair participate in an extended communication session over multiple IM pseudonymous sessions in time, with the known callee of one session being the caller of a later session.

An entity initiates a pseudonymous session with a callee and they exchange messages.  The IM session ends.  Some time later the first session callee intentionally initiates a session with the pseudonymous first session caller. The first session callee/second session caller does not need to know the identity of the pseudonymous first session caller/second session callee in order to establish communications.
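Cases 3 through 6, and the three Principles of Pseudonymity, as an added example that is not part of the original draft: a handle domain issues either a pair-wise persistent pseudonym, stable for one caller/callee pair within a time window so the callee recognizes a returning caller (Case 5) without learning who it is, or a fresh per-session handle that makes concurrent sessions from one entity unlinkable (Cases 3 and 4). A prior callee can later contact the pseudonymous caller through the domain (Case 6); only the domain's own table, not the callee, can map a handle back to an entity. The domain name, key and lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time


class HandleDomain:
    """Issuer of pseudonymous IM handles (constructed example, not a real system)."""

    def __init__(self, name, key, lifetime_s=30 * 24 * 3600):
        self.name = name            # the handle domain part, e.g. "usci.example"
        self.key = key              # domain secret; never shared with callees
        self.lifetime_s = lifetime_s
        self.table = {}             # handle -> (entity, callee, issued_at); domain-private
        self.inbox = {}             # entity -> delivered messages (the IM system log side)

    def persistent_handle(self, entity, callee, now=None):
        """Pair-wise pseudonym: same (entity, callee, epoch) gives the same handle,
        so a returning caller is recognized (Case 5) but the handle cannot be
        linked across callees or recomputed without the domain key."""
        now = time.time() if now is None else now
        epoch = int(now // self.lifetime_s)          # "may be time-limited"
        msg = "|".join(["pair", entity, callee, str(epoch)]).encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        handle = f"{tag}@{self.name}"
        self.table[handle] = (entity, callee, now)
        return handle

    def session_handle(self, entity, callee, now=None):
        """Fresh random handle per session: two concurrent sessions from one
        entity are unlinkable by the callee (Case 4), and no person-related
        content goes into the handle at all (Case 3)."""
        now = time.time() if now is None else now
        handle = f"{secrets.token_hex(8)}@{self.name}"
        self.table[handle] = (entity, callee, now)
        return handle

    def deliver(self, handle, from_callee, message, now=None):
        """Case 6: the earlier callee initiates contact with the pseudonymous
        caller. The domain routes the message; the callee never learns the
        entity. Unknown, expired or wrong-callee handles are refused."""
        now = time.time() if now is None else now
        rec = self.table.get(handle)
        if rec is None or rec[1] != from_callee or now - rec[2] > self.lifetime_s:
            return False
        self.inbox.setdefault(rec[0], []).append((from_callee, handle, message))
        return True
```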
