Re: TOR and the Digital Freedom Conversation

["Shalla, Kevin" <kshalla () UIC EDU>]

I'm not sure what you're saying here. Is it that people don't want privacy when they think they do? Or perhaps that 
anonymity is impossible in some activities? Perhaps it's impossible to buy a lottery ticket without being recorded on 
camera. Should it be?

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, 
Mark B
Sent: Wednesday, December 11, 2013 9:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation

+1

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel L. 
Rosenblatt
Sent: Wednesday, December 11, 2013 8:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] TOR and the Digital Freedom Conversation

I would argue that your Case 2 example is no longer valid in many cases - citing the lady who lost her ticket and was 
tracked using video footage of her buying the ticket sold at that time - I know it's not exactly the same (she did use 
a credit card, but that was used to verify her identity after then found her - it was $50 million that they handed her) 
http://www.dailymail.co.uk/news/article-2518174/Canadian-woman-Kathryn-Jones-wins-50m-lost-lottery-ticket.html<https://urldefense.proofpoint.com/v1/url?u=http://www.dailymail.co.uk/news/article-2518174/Canadian-woman-Kathryn-Jones-wins-50m-lost-lottery-ticket.html&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=SxFWJnBkqUHL1m%2FU5VWMAEUl1OhbvHfUHCj8YqjkxJc%3D%0A&s=c1884055648bac73e4a54f5fd3b3aa04d0ec062220463eace125e337e48569e1>

It is becoming increasingly difficult to "go off the grid" or ever hide from the grid.

My 2 cents

Joel




Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel<https://urldefense.proofpoint.com/v1/url?u=http://www.columbia.edu/~joel&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=SxFWJnBkqUHL1m%2FU5VWMAEUl1OhbvHfUHCj8YqjkxJc%3D%0A&s=150bfe27d89b459c9d4c48978f484601e9b49581d59ad2f188112c1aea010dba>
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3<https://urldefense.proofpoint.com/v1/url?u=http://pgp.mit.edu:11371/pks/lookup?op%3Dget%26search%3D0x90BD740BCC7326C3&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=SxFWJnBkqUHL1m%2FU5VWMAEUl1OhbvHfUHCj8YqjkxJc%3D%0A&s=7c3d0e77180a732351cae57259886da8573609aa175bed27f0ac2d816bee4aca>

On Wed, Dec 11, 2013 at 9:27 AM, Tim Doty <tdoty () mst edu<mailto:tdoty () mst edu>> wrote:
On 12/10/2013 06:22 PM, Jones, Mark B wrote:
There is a difference between 'Privacy' and 'Secrecy'

You are correct that there is a difference, but they are not exclusive. While the use of authentication and no 
anonymity may be an approach to protecting published online information from those without access, it does nothing to 
preserve privacy in the face of authorized but unwanted access. Nor does it address the loss of privacy from complete 
tracking -- in fact, a true lack of anonymity would destroy privacy.

Case 1: I want to store information in the cloud, but I want to retain confidentiality of the data. This is a case 
where strong authentication/no anonymity would be a viable approach, but there is no reason to deny anonymity in a 
general sense. That is, strong authentication can be used to establish an access control to a data set without 
requiring that a person's identity be publicly disclosed.

Case 2: I desire to have some privacy in my actions. Some degree of anonymity is *required* to accomplish this. For 
example, if I buy some books on medieval mysticism it used to be that a simple cash transaction kept it essentially 
private. There are some caveats (if the seller knows my personally then they will know I bought them, but for a random 
person off the street it would be essentially anonymous).

It is trivial to demonstrate a connection between privacy and anonymity. Those promoting a police state are naturally 
against anonymity. Those promoting privacy understand the utility of strong encryption and anonymity.

Tim Doty

 Tor seems like it
may lean toward the latter.



I have found that the following site has a useful perspective on privacy
issues:  
http://www.privacilla.org<https://urldefense.proofpoint.com/v1/url?u=http://www.privacilla.org&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=SxFWJnBkqUHL1m%2FU5VWMAEUl1OhbvHfUHCj8YqjkxJc%3D%0A&s=f45d0183f3a4fd2a7f98ee1975ee054786ce89475049e8e030e421d3643601a0>

Here are some key quotes:

"Importantly, privacy is a personal, subjective condition. One person cannot
decide for another what his or her sense of privacy should be."

"While privacy is held up as one of our highest values, people also
constantly share information about themselves by allowing others to see
their faces, learn their names, learn what they own, and learn what they
think. In fact, it is a desirable lack of privacy that allows people to
interact with one another socially and in business. This does not mean that
people should lose control over the information they want to keep private.
It means that generalizations about privacy are almost always wrong."

http://www.privacilla.org/fundamentals/whatisprivacy.html<https://urldefense.proofpoint.com/v1/url?u=http://www.privacilla.org/fundamentals/whatisprivacy.html&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=SxFWJnBkqUHL1m%2FU5VWMAEUl1OhbvHfUHCj8YqjkxJc%3D%0A&s=c0e598e8ec0e92b543a92649d2fda850a19fe26f9fbe234e4df166c463268120>



Also 'Privacy' is not the same as 'anonymity'.  It is my opinion that strong
authentication and the lack of anonymity are the keys to improved privacy
online.  Only with strong authentication can consumers and services be held
accountable for behavior online.



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>] On Behalf Of Jeffrey Sabin
Sent: Tuesday, December 10, 2013 2:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] TOR and the Digital Freedom Conversation



All,



Given the wider US technology community discussions on online privacy and
monitoring - this seems to be very topical.  In case anyone was not aware,
this story is taking place at Iowa State University with Tor being a
relevant part of the discussion:



http://www.insidehighered.com/news/2013/12/10/digital-freedom-groups-road-re<https://urldefense.proofpoint.com/v1/url?u=http://www.insidehighered.com/news/2013/12/10/digital-freedom-groups-road-re&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=SxFWJnBkqUHL1m%2FU5VWMAEUl1OhbvHfUHCj8YqjkxJc%3D%0A&s=c7b10da946e54658991b0726bfdb2e7e3df45788d287172ac20aa64d1ed30263>
cognition-sparks-legal-debate-iowa-state-u
<https://urldefense.proofpoint.com/v1/url?u=http://www.insidehighered.com/ne
ws/2013/12/10/digital-freedom-groups-road-recognition-sparks-legal-debate-io
wa-state-u&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmiz
yPIIFTSGui%2BBSZ5A%3D%0A&m=hnGoebKdLtnE2yvxLiQ0OlhXMu%2FRMEVn0qZFzyM2pgE%3D%
0A&s=5dcb52d50601a7d4ddc3b0479ff3aa4491e442f9a0d830ba2ff5db38ae6c9762<https://urldefense.proofpoint.com/v1/url?u=http://www.insidehighered.com/ne%0bws/2013/12/10/digital-freedom-groups-road-recognition-sparks-legal-debate-io%0bwa-state-u&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmiz%0byPIIFTSGui%2BBSZ5A%3D%0A&m=hnGoebKdLtnE2yvxLiQ0OlhXMu%2FRMEVn0qZFzyM2pgE%3D%25%0b0A&s=5dcb52d50601a7d4ddc3b0479ff3aa4491e442f9a0d830ba2ff5db38ae6c9762>>



and



https://www.eff.org/deeplinks/2013/12/open-letter-urging-universities-encour<https://urldefense.proofpoint.com/v1/url?u=https://www.eff.org/deeplinks/2013/12/open-letter-urging-universities-encour&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIFTSGui%2BBSZ5A%3D%0A&m=SxFWJnBkqUHL1m%2FU5VWMAEUl1OhbvHfUHCj8YqjkxJc%3D%0A&s=7cecd57948e1143d31faa08099e5573ed316e4e29ec57f3b7d31e4b279c3dd3d>
age-conversation-about-online-privacy
<https://urldefense.proofpoint.com/v1/url?u=https://www.eff.org/deeplinks/20
13/12/open-letter-urging-universities-encourage-conversation-about-online-pr
ivacy&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=o50KCUcRVN10tgtglyNVFw2kmizyPIIF
TSGui%2BBSZ5A%3D%0A&m=hnGoebKdLtnE2yvxLiQ0OlhXMu%2FRMEVn0qZFzyM2pgE%3D%0A&s=
75b3522379697ac135dd77ae55292b93024c9c4ab21538dc9f8faf9b4a1fd56e>



Realizing that this isn't necessarily new, but given this recent story, I am
curious to know what others are doing or observing as it relates to Tor and
it's discussion at your particular institution.



Many thanks,



Jeff



Jeffrey D. Sabin

DIRECTOR, COMMUNICATIONS AND NETWORK SERVICES



oit



Dial Center

2507 University Avenue    Des Moines, Iowa 50311-4505

Tel  515.271.2935<tel:515.271.2935>

Fax 515.271.1938<tel:515.271.1938>

1.800.44.DRAKE x2935

E-mail jeff.sabin () drake edu<mailto:jeff.sabin () drake edu>