privecsg-15-0013-01-ecsg Response to comments on Privacy PAR/CSD Date: [2015-03-12] Authors: Name Affiliation Juan Carlos Zúñiga InterDigital Labs Phone Email JuanCarlos.Zuniga@InterDigital.com Notice: This document does not represent the agreed view of the IEEE 802 EC Privacy Recommendation SG. It represents only the views of the participants listed in the ‘Authors:’ field above. It is offered as a basis for discussion. It is not binding on the contributor, who reserve the right to add, amend or withdraw material contained herein. Copyright policy: The contributor is familiar with the IEEE-SA Copyright Policy <http://standards.ieee.org/IPR/copyrightpolicy.html>. Patent policy: The contributor is familiar with the IEEE-SA Patent Policy and Procedures: <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and <http://standards.ieee.org/guides/opman/sect6.html#6.3>. Abstract The present document proposes some responses to the comments received on the Privacy Recommendation PAR/CSD 1 privecsg-15-0013-01-ecsg March 2015 Comments from Roger Marks • https://mentor.ieee.org/privecsg/dcn/15/privecsg-150008-00-0000-comments-on-privacy-recommendationpar-and-csd.pdf • Dates • The PAR form dates are blank. Dates are consensusbased decisions to which participants may be sensitive. These must be discussed and agreed as part of the technical decision to submit a PAR. They are not editorial issues. – Dates will be provided, stating that the project expects to finalize 2 years after the initial date 2 privecsg-15-0013-01-ecsg March 2015 Comments from Roger Marks • Working Group • The Working Group is indicated as: “Privacy Recommendation EC Study Group (C/LM/PrivacySG).” This is not a valid Working Group. • Proposed change: Name an existing Working Group, or a new one. • Suggestion: 802.1 Working Group – Agreed 3 privecsg-15-0013-01-ecsg March 2015 Comments from Roger Marks • • • • • Title Extraneous language in the title follows format that has generally been abandoned within IEEE 802. Proposed change: Title: Recommended Practice for Information technology-- Telecommunications and information exchange between systems– Local and metropolitan area networks: Privacy considerations for IEEE 802 Technologies. – Agreed 4 privecsg-15-0013-01-ecsg March 2015 Comments from Roger Marks • Scope (1) • Scope refers to “general recommendations”, but the project will be of little use without specific recommendations. • Proposed change: • Title: This document specifies a privacy threat model for IEEE 802 technologies and provides general recommendations for standards developers and implementers on how to protect against privacy threats. – Responding to this comment requires further consideration by the group 5 privecsg-15-0013-01-ecsg March 2015 Comments from Roger Marks • Scope (2) • Scope refers to “recommendations for standards developers,” but the remainder of the PAR and CSD have no indication that the recommendations are relevant to the development of standards within IEEE 802. Is an intent to make recommendations on how IEEE 802 standards should be amended? If no, then “for standards developers” should be deleted from the scope. If yes, then the rest of the PAR and CSD should be aligned (including but not limited to, the “Stakeholders,”“Broad Market Potential,” and “Technical Feasibility” elements). – Propose clarifying that privacy can be engineered by design. Please see: https://mentor.ieee.org/omniran/dcn/15/omniran-150015-00-CF00-privacy-engineered-access-network.pptx 6 privecsg-15-0013-01-ecsg March 2015 Comments from Roger Marks • Purpose • The language mentions “recommendations to address privacy threats” and mentions some threats, but it does not explain the purpose of the recommendations. Presumably, the recommendations will mitigate the threats if adopted. But to whom are the recommendations addressed? To which users, designers, standards groups, implementers, or network elements will the recommendations be applicable? This is not apparent, and, without an understanding of the answer, it is difficult to understand the purpose. – Requires further clarification about the expected audience of the document 7 privecsg-15-0013-01-ecsg March 2015 Comments from Roger Marks • Stakeholders • See comments on Scope and Purpose – Agree to provide coherent information in these sections 8 privecsg-15-0013-01-ecsg March 2015 Comments from Roger Marks • CSD Coexistence • The response “A CA document is not applicable because this project does not use wireless spectrum.” could be understood to mean that the standard is not applicable to wireless networks. • Proposed change: • A CA document is not applicable because this project standard does not use specify wireless spectrum operation. • Smart-aleck remark: The criterion is not applicable because it applies only to a WG proposing a project, not to a Study Group proposing a project. – Agree with clarifying text in a better way 9 privecsg-15-0013-01-ecsg March 2015 Comments from Roger Marks • CSD Broad Market Potential • “Broad Market Potential” refers to “numerous users.” But who are the users of the recommendation? For example, if standards developers are potential users of the recommendation, which standards developers are potential adopters? – Will provide details about expected audience 10 privecsg-15-0013-01-ecsg March 2015 Comments from Roger Marks • CSD Technical Feasibility • The response indicates that “The recommended practice will define recommendations that can be followed by system designers and implementers,” but the Scope refers to “recommendations for standards developers and implementers.” Which is it: system designers or standards developers? – Will provide details about expected audience 11 privecsg-15-0013-01-ecsg March 2015 Comments from Roger Marks • CSD Economical Feasibility • The response does not address economic feasibility. • Increased privacy has economic benefits to some parties and is an economic threat to others. These issues should be articulated. – Should probably state that Privacy control should enhance, not degrade, security and functionality. Please see: https://mentor.ieee.org/omniran/dcn/15/omniran-15-0015-00CF00-privacy-engineered-access-network.pptx – (Consider adding a clear statement like the one used in IETF) – There are examples of solutions that improve privacy without increasing significantly the cost (e.g. MAC address randomization) 12 privecsg-15-0013-01-ecsg March 2015 Comments from 802.3 - PAR • Project number – Agree with suggestion in the EC announcement email that this would fit in 802.1 and should be assigned there with assent of the 802.1 WG. – Agree • 2.1 (non-‐substantive) Title doesn’t include a period (aka, full stop). (It is unlikely that publication editors would include one independent of the PAR.) – Agree • 4.2, 4.3 Dates need to be included – lack of dates could suggest the SG does not yet understand the magnitude of the work to be done and resources required to complete the work. – Agree. See previous comment from Roger Marks 13 privecsg-15-0013-01-ecsg March 2015 Comments from 802.3 - PAR • 5.1 Please justify the estimate of number of participants, for 802, this shouldn’t be the number of people expected to be in the WG ballot group, but the number actively participating in the project (e.g., TF/TG). How many regular ECSG participants is a good indicator. This number is subject to review by the WG and EC at checkpoints, so not inflating this number is wise. – 73 subscribers to mailing list, 24 contributors to mailing list, 12 contributors to mentor, 15-20 attendees to face-to-face meetings, 18-25 attendees to teleconferences – Should mention 18, as per the f2f meetings attendance 14 privecsg-15-0013-01-ecsg March 2015 Comments from 802.3 - PAR • 5.2.a (non-‐substantive) There is a superfluous return in the presumably pasted text. – Agree • 5.4 (non-‐substantive) Inappropriate capitalization of attack methods. – Agree • 5.5 (non-‐substantive) There are superfluous returns in the presumably pasted text. – Agree 15 privecsg-15-0013-01-ecsg March 2015 Comments from 802.3 - CSD • General: The responses are perfunctory and are generally without substance. • Managed Objects: • A recommended practice can include parameters and management capability. The response needs to be relevant to this proposed project and why the scope of work will not include management capability. If high level management architecture or capability definition is included, (what we expect with threat definition and measurement), that should be stated in the response. – Should clarify that no management architecture is expected • Broad Market Potential • This response sounds like it is in satisfaction of an existing and well known privacy requirement, (e.g., an encryption protocol), not for determining the need for encryption (e.g., threat assessment). – We recognize the comment and will address it in a future version of the CSD 16 privecsg-15-0013-01-ecsg March 2015 Comments from 802.3 - CSD • • Technical Feasibility It would be expected for the response to address the technical feasibility to measure each of the multiple threats listed in the Purpose section of the PAR. – List will only include Surveillance, as per 802.1’s comment • • Economic Feasibility Answer is non-‐responsive to the list of considerations. It does not address at all the economic feasibility of doing the threat assessment. – See previous response to Roger Mark’s comment • Most security techniques have some impact on system cost(e.g., encryption hardware, software complexity), security overlays have installation costs. While features integral to implementations may have negligible installation impacts, maintenance costs (updating capabilities for new threats) certainly have operational cost implications. – Should clarify differences between Privacy and Security, and perhaps mention some examples. We will address this in a future version of the CSD 17 privecsg-15-0013-01-ecsg March 2015 Comments from 802.11 • 4.2 and 4.3 need to include target dates for completion. Should be at least 6 months apart. – See previous response to Roger Mark’s comment • • • • • 5.2 Change “document” to “recommended practice” 5.4 delete “document” result “The recommended practice…” 5.5 change “and certain threats” to “and certain privacy threats” 5.5 change “with IETF in many” to “with IETF on many” 5.5 change “guidelines” to “recommendations” – Agree with the above • CSD: • Distinct Identity: change “defines privacy” to “defines a privacy” and “practice” to “practices” • Economic Feasibility – Question was not answered need to provide evidence and address the requested specific areas “a) through e)”. – See previous response to Roger Mark’s comment. We will address this in a future version of the CSD 18 privecsg-15-0013-01-ecsg March 2015 Comments from 802.22 1. There are a lot of carriage returns in Sections 5.2 and 5.5. You may want to remove them. – Agree 2. It will be nice to provide an example of some of the mechanisms on how the system can achieve resilience to (Surveillance, Monitoring, Stored Data Compromise, Intrusion, Misattribution, Correlation, Identification, Secondary Use, Disclosure and Exclusion) without making too many modifications to the operation of the system - e. g. MAC address randomization. – Should provide example of Surveillance 19 privecsg-15-0013-01-ecsg March 2015 Comments from 802.1 (1/3) • General – Many aspects of this proposed PAR seemed to refer to the need for an activity within 802, rather than for the need for the production of a Recommended Practice or other standards document. The timescale over which this activity needs to influence the development of standards within 802 seems to be rather shorter than the time that it would take to develop and approve a Recommended Practice of the proposed scope (typically 2-3 years). There needs to be some consideration of the intended audience for this Recommended Practice. If it is the relative small community of experts that will/could incorporate privacy best practices in 802 standards going forward, other influencing methods may be more appropriate. The Recommended Practice might be retargeted to the external community of developers and users. – • Responding to this comment requires further consideration by the group Scope - We do not understand what is meant in ‘scope’ by ‘privacy threat model’ as there are multiple different interpretations of this term including: (a) reference to ‘privacy considerations’ (RFC 6973); or (b) an analysis of the threats that the project might feasibly address; or (c) reference to a top down security model. – Responding to this comment requires further consideration by the group 20 privecsg-15-0013-01-ecsg March 2015 Comments from 802.1 (2/3) • Purpose – the threats listed appear to be overly broad, with no technical work having been done to date with respect to the feasibility of addressing some of the areas listed, specifically – – – – – Stored Data Compromise Intrusion Misattribution Secondary Use Exclusion • A focus on specific requirements would seem to be essential to timely project completion. Suggest that the current purpose termination after “including Surveillance.” This should make it clear that the project will address the surveillance issue and that it’s successful conclusion should not be held up by objections that it does not satisfactorily address ‘Misattribution’, for example. – Agree 21 privecsg-15-0013-01-ecsg March 2015 Comments from 802.1 (3/3) • Need – The Need section of the PAR should address why this specific project is needed, not why privacy in general is wanted. – Agree • Technical Feasibility – The technical feasibility that has been demonstrated does not match the proposed scope. Demonstration of the successful use of MAC address randomization does not itself demonstrate that a particular privacy goal has been achieved. – Agree • Economic Feasibility – The statement being made in this section of the CSD is a statement of future intent, not evidence of economic feasibility. It would be easier to make a justifiable statement for a PAR with a narrower scope. – We will address this comment in a future version of the CSD 22 privecsg-15-0013-01-ecsg March 2015 Comments from Paul Nikolich (1/2) • 1) 2.1 Title. Shorten to "Recommended Practice on Privacy Recommendations for IEEE 802 Technologies. – Agree (verify with EC) • 2) 5.1 Approximate number of people. 50 seems unrealistically high (I suspect it will be closer to 20), but I may be off base. How did you arrive at that number? – See previous response to 802.3’s comment • 3) 5.2 Scope. I recommend deleting "...for standards developers...". and move it to Purpose. – See previous response to Roger Mark’s comment 23 privecsg-15-0013-01-ecsg March 2015 Comments from Paul Nikolich (2/2) • 4) 5.4 Purpose. part 1 It seems to me much of the Purpose belongs in Scope. • I suggest moving some of the Purpose text to Scope. Possible Scope text: – Scope: "This document specifies a privacy threat model applicable to IEEE 802 link layer technologies. The model addresses privacy threats such as Surveillance, Monitoring, Stored Data Compromise, Intrusion, Misattribution, Correlation, Identification, Secondary Use, Disclosure and Exclusion. • Suggest adopting text, with limited list as per 802.1’s comment • 5) 5.4 Purpose. part 2 • Possible modified Purpose text: – Purpose: To develop a recommendation that defines a privacy threat model and a privacy guideline for 802 standards developers. – Agree 24