Diaspora Part Three

Published on Friday, May 28th 2010. Edited by Rat Outzipape. tag

Extended Discussion of Security, Privacy and Trust
Security, Privacy and Trust
Security and Privacy
I distinguish between security and privacy. Security is one means by which privacy is obtained but does not create it. A reasonable form of privacy can also be obtained without extreme security measures.
Security can be visualised as on a sliding scale. The most extreme is what I will call paranoid. If I were a student from Tiananmen Square through Tehran to Bangkok that is the sort of security I would want on my mobile and blog.
Two Common Negatives
One argument against giving people greater powers of privacy is this:-
This might make it more difficult to intercept criminals engaged in various nefarious activities.
I am aware that this is a common concern and raised it with Henry Story just recently. He pointed out that groups of people, who are citizens of the larger society, are responsible for themselves and can be self policing. At least in the main. I expect that policing authorities would be more concerned about cells (political, criminal or terrorist) but I really have to draw the line here at what I am competent to discuss.
I will have to say the same about another common objection, that this might be popularising tools that enable and encourage Copyright infringement. This encouragement, anyway, already occurs on a much larger scale, for instance by Google, as I point out elsewhere.
To clarify, there are different types of security and privacy that the Diaspora application could offer.
The greatest security would be achieved by having all data encrypted wherever it is stored and encrypted when ever it is transported across the public internet. Since trusted users (the data creator and others) must have access to the same data items both locally and across the internet the means by which the data is decrypted could be the same in both situations. Nevertheless, the encryption of all data is an extra burden that would have implications in different parts of the Diaspora system.
Two terms are introduced. End to end encryption and group encryption.
End to end refers to the SSL certificate authentication, as might be used by a bank where crucial data is being sent to the bank in encrypted form. Usually only certain data is sent in this way. But the mechanism offers and other systems might use encryption of all communications, for instance encrypted email. Group encryption is where access to a domain is always encrypted. Typical use case here is VPN, where companies assure access to their own intranet to employees accessing it over the public internet. Some reasonable decisions must be made about what is needed here. Encrypted email exists for the situation where the traffic to a known domain is of interest to intercept. This is two things, the traffic is of interest and the destination is known.
While just about all the data flowing in and out of Facebook could be intercepted, since it is a series of very well known destinations, there is a certain safety in numbers. Any one piece of data is likely lost in (although in principal recoverable from) the general noise. In more specific intercepts user domains are needed. (Presumably these are readily available by one or another means.)
In the case of a more distributed system intercepts would have to follow on the more difficult to find user domains.
So it is true that if further, near absolute, security is required all data would have to be encrypted, perhaps as a user choice.
This is less of a lightweight process though.
In my Simple Hypothesis above I state that there is a gap between user expectations and perception of the service they are using which is a product of the type of service being used and the way the service provider gains its revenue.
Privacy, on the other hand, can be satisfied by having easy to configure controls, essentially these are read and write controls over content that travel with that content irrespective of context. This is a series of issues quite separate from security apart from access to the privileges to change read write status of a content item.
In the Diaspora architecture it can be seen that the possibility of amalgamating two or three broad category approaches is being considered.
These are the Open Profile / Browser Certificates approach with the Federation of Servers approach and Peer to Peer by allowing for servers to run on the user's computer. The two issues that this would address are:-
a. By putting a certain degree of trust into servers, these become unencrypted trust networks, in addition are the SSL keys considered safe on servers for the future?
Explanation of a.
Unencrypted trust networks. This means that various servers in the federation hold various amounts of data about the users of the network.
Aggregating this data might have great value, for instance for an unscrupulous business or determined government.
There would be no protection against this as the measure of protection that encryption might afford in such circumstances could not be enforced or might be revoked if it existed, by one or more of the federated servers.
The safety of SSL keys refers to the private keys held on behalf of distinct user entities. The question is how safe is the commodity service being relied on at this point.
b. Even if only encrypted messages are transported and stored, the social graphs would still be entrusted to remote servers.
Explanation of b.
This shows both what is being considered in connection with trust of external servers and that peer to peer is considered the highest secure solution. To achieve the highest degree of security all data must be encrypted where ever it is held and in transport, or, next rung down, be encrypted as it is sent over the network.
The social graph refers to the relationship between friends, items and the history of this interaction.
A Reasonable Question About Capability and Capacity
It would seem (in the common perception) that only very big services might be relied on for seamless storage over time. Here the assumptions are that they have the resources to tend to the infrastructure, and a reputation they wish to maintain. Powerful drivers to maintain the offered service.
Again it should be noted that there may not be any contract between provider and service consumer of this nature.
The Diaspora distributed way of guaranteeing capability and capacity is to rely on several nodes, replication between nodes and careful engineering of the relationship between on line and off line nodes in the context of the information that should be delivered to each node (public notices and FOAF relationships plus privacy constraints).
Note the recurrence of the use of the FOAF profile. This is another powerful reason to create an architecture that uses FOAF directly and would be able to exploit its potential as a Semantic medium.
Separating the Profile from the Social Graph
Profiles should be conceived of as a set or rules that allow for dynamic negotiation between different particular profiles into a profile set.
Initial implementation can be straightforward and should just take account of access controls. Later semantic reasoning tools can be applied to the data set for more expressive results.
The Security Context of the Social Graph The social graph must be available for read and write according to a schema which is the intersection of profiles as controlled by the principle, this user.
1: Henry Story
Adam Saltiel
May 2010