
D3.8: Study on protocols with respect to identity and identification – an insight on network protocols and privacy-aware communication


Protocols – identifiers, identifiability, and personal data

First of all we need to clarify our understanding of the terms “identifying information” and “personal data”. By “personal data” within a protocol we mean information transmitted in protocol runs that has a direct link to the user involved. An example would be a protocol that requires the user to send his real name. The term “identifying information”, in contrast, denotes any information which could be used to link several protocol runs, i.e., it does not necessarily explicitly identify the user, but can be used to establish links between actions by the user or his machine using the communication network. Such information could for example reveal that two requests (which are otherwise independent) came from the same user, and so could be used to profile a user and his behaviour. Of course this profile in itself could be seen as personal data, and indeed if enough profiling information is available, the profile can reveal the identity of the user. More background information on profiling and its threats to privacy can be found in the FIDIS Deliverable D7.2 “Descriptive analysis and inventory of profiling practices” (Hildebrandt, Backhouse 2005).

In general, identifiers and identifying information within protocols which are usable to distinguish, identify or recognise machines, devices, applications and even users can be divided into two main classes: visible and hidden. Examples of the former are addresses used within protocols to address the sender or recipient of (protocol) messages. A well-known and often-quoted instance is the IP address, used within the IP protocol to route packets from the sender to the recipient. Such obviously visible identifiers have the advantage (compared to the hidden ones) that it is much easier to become aware of the fact that they exist and to develop measures to circumvent them.

 

There are various reasons for the existence of hidden identifiers: 

 

  1. Protocol obscurities: although protocols are specified and standardised (e.g., RFC or ISO standards) the related documents and descriptions often purposefully do not cover every single detail of the protocol. For instance a specification usually just describes the meaning of protocol options and parameters without specifying explicitly an algorithm to calculate them. This is often left to the implementer of the protocol allowing him to adapt and optimise the protocol according to his needs. Also, specifications concentrate on the error-free runs of the protocol but cannot describe each possible fault situation and the related behaviour. This once again gives the implementer freedom of decision when implementing a certain protocol.

  2. Misuse of protocol features: nearly every protocol has parameters and options which can be freely chosen from a given domain. One can, for instance, use these parameters to distinguish between communication partners by using different parameter values when communicating with different partners.

    Example: Usually links within web sites (e.g., to subpages or embedded objects) should have the same address (URL) regardless of who is accessing the web site. But of course when delivering the web site the server can generate the link addresses “on the fly” so that each user gets different and unique addresses. If a user subsequently clicks on one of the unique links, the server will know that this has to be the user who received the link beforehand. This way the server can track the whole browsing behaviour of a given user.

  3. Manufacturing deviations: Because of deviations introduced by the manufacturing process it is nearly impossible to build two devices with exactly identical (analogue) characteristics.
    Example: According to Lackner et al. as well as Ellis and Serinken, wireless network adaptors can be distinguished according to their analogue signal characteristics (Lackner et al. 2006; Ellis, Serinken 2001).
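
The unique-link example under "Misuse of protocol features", seen from the receiving side, as an added example that is not part of the original deliverable: fetching the same page in two independent sessions and comparing the link addresses exposes the components that vary per visitor. The two sample pages, the `ref` parameter and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class LinkCollector(HTMLParser):
    """Collects href/src values in document order."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)

def extract_links(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.links

def components(url):
    """Split a URL into its origin and a dict of named path/query components."""
    parts = urlsplit(url)
    comps = {f"path[{i}]": seg for i, seg in enumerate(parts.path.split("/"))}
    comps.update({f"query:{k}": v
                  for k, v in parse_qsl(parts.query, keep_blank_values=True)})
    return (parts.scheme, parts.netloc), comps

def per_visitor_components(html_a, html_b):
    """Compare two copies of one page fetched in independent sessions.

    Returns (url_in_a, component, value_a, value_b) for each link that has the
    same structure in both copies but a different value in some component.
    Such a value may be a tracking token, a session ID or a cache-buster; in
    every case it makes a later request for that link linkable to this fetch.
    """
    findings = []
    for url_a, url_b in zip(extract_links(html_a), extract_links(html_b)):
        if url_a == url_b:
            continue
        origin_a, comps_a = components(url_a)
        origin_b, comps_b = components(url_b)
        if origin_a != origin_b or comps_a.keys() != comps_b.keys():
            continue  # different link altogether, not a per-visitor variant
        findings += [(url_a, key, comps_a[key], comps_b[key])
                     for key in comps_a if comps_a[key] != comps_b[key]]
    return findings

# Constructed sample: the same page as delivered to two independent sessions.
PAGE_A = ('<a href="/news/index.html">News</a>'
          '<a href="/products/list.html?ref=8f3a1c9e">Products</a>'
          '<img src="/img/a91d77/logo.png">')
PAGE_B = PAGE_A.replace("8f3a1c9e", "27b4e0d5").replace("a91d77", "5c02be")
```
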

 

The main problem with these hidden identifiers is that the possibilities of how to utilise the capabilities mentioned above for identification or distinction are endless. Therefore it is hard (if not impossible) to avoid all of them. The research of the past decade in the field of privacy-enhancing technologies has shown that whenever someone believed they had blurred all identifying information, somebody else found a new way to identify or link communicating parties.
