Although this may not seem as obvious to us in Fiji at present, for the first time in human history nearly every person is under daily surveillance – surveillance not in spite of, but because of, the accomplishments of the networking community.
In a very interesting article on the Decoupling Principle (which I have paraphrased here), the authors revisit an old principle of building privacy into the servers themselves. I think we all assumed this is already the case, but I assure you it’s not!
Privacy violations are a multi-billion dollar industry, and have for some time now been a core business model of the Internet. All those free accounts from Facebook and other apps come at a price – your data (details/photos/videos/etc.)!
People require privacy in their daily lives, but privacy matters beyond the individual: societies progress when we prevent the chilling effects of total surveillance. Individual privacy is synonymous with organisational security: in each case, the parties involved wish to maintain control over their private data and metadata.
Thankfully, network designers and researchers alike have recognised the need for, at minimum, data confidentiality. Transport Layer Security (TLS) is used for nearly all types of communications on the Internet, and is the default in all major browsers, in modern protocols like QUIC and HTTP/3, and much more.
Despite TLS’s success, Internet communications are nonetheless more heavily surveilled today than ever before, both in the network and at the endpoints. While data is encrypted in flight, significant metadata is typically leaked in transit (e.g., IP addresses, DNS messages, etc.) and at the endpoints (by endpoints themselves and their partner organisations).
While for decades the research community, along with numerous scattered deployments, have tried to address communications metadata privacy, reusable design patterns for addressing this problem are notably absent from the protocol designer’s toolbox.
In their paper, what the authors call the Decoupling Principle is a simple idea that to ensure privacy, information should be divided architecturally and institutionally such that each entity has only the information they need to perform their relevant function.
Makes sense, sort of a ‘need to know’ basis which we use in organisations at various levels to segment and provide confidentiality of information. Architectural decoupling entails splitting functionality for different fundamental actions in a system, such as decoupling authentication (proving who is allowed to use the network) from connectivity (establishing session state for communicating).
Institutional decoupling entails splitting what information remains between non-colluding entities, such as distinct companies or network operators, or between a user and network peers. This decoupling makes service providers individually breach-proof, as they each have little or no sensitive data that can be lost to hackers.
Put simply, the Decoupling Principle suggests always separating who you are from what you do.
This is partly done in current system authentication like AD where users are only able to access systems or databases which they are authorised to use. Chaum was one of the first to design privacy protocols and systems in this manner, in a series of foundational papers. Many systems have built upon Chaum’s insights, including some of the most popular privacy systems ever built, such as Tor (used to access the Darknet).
However, due to rising pressure to improve Internet privacy for end-users, only in the last decade have Chaum’s ideas begun to see widespread application and adoption. Some prior approaches have failed to heed the Decoupling Principle.
For example, VPNs and middleboxes shift trust from a diffuse set of network endpoints (e.g., websites a user might visit, DNS resolvers a user might use, etc.) to a single trusted intermediary (e.g., a VPN provider).
Depending on the threat model, this design may address the privacy concerns of end-users, especially if the network is even more untrustworthy. However, here the single trusted intermediary sees all user activity bundled together with user identity, requires more trust than is necessary, and is susceptible to data breaches.
This pattern does not adhere to the Decoupling Principle. Examples such as these lend credence to the idea that decoupling is fundamental to network privacy.
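To make the contrast between the VPN pattern and the Decoupling Principle concrete, here is a small Python model. It is an added example written for this column, not code from the paper or from any real VPN or relay product. The party names (vpn-co, ingress-co, egress-co), the client identity alice, the URL and the keys are all constructed, and the toy cipher (HMAC-SHA256 keystream with an encrypt-then-MAC tag) stands in for a real AEAD purely so that the information flow can be shown offline. Each party keeps a log of what it could observe; the single intermediary ends up with who and what in one record, while in the two-operator design each party holds only one half.

```python
"""Toy model of the Decoupling Principle: a single VPN-style intermediary
versus a two-hop design run by two non-colluding operators.
Added example; names, keys and URLs are constructed, and the cipher is a
stand-in for a real AEAD, chosen only so that this runs on the stdlib."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used here only as a demonstration keystream.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises on any tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Party:
    """An operator with a session key shared with the client and a log of what it saw."""
    name: str
    key: bytes = field(default_factory=lambda: os.urandom(32))
    observed: list = field(default_factory=list)


def vpn_fetch(vpn: Party, client_id: str, url: str) -> str:
    """Coupled design: one operator authenticates the client AND reads the destination."""
    request = seal(vpn.key, url.encode())
    # The VPN must know client_id to authorise the tunnel and the URL to forward it,
    # so a single log entry links identity to activity.
    vpn.observed.append((client_id, unseal(vpn.key, request).decode()))
    return f"content-of:{url}"


def decoupled_fetch(ingress: Party, egress: Party, client_id: str, url: str) -> str:
    """Decoupled design: ingress learns who, egress learns what, neither learns both."""
    inner = seal(egress.key, url.encode())  # only egress can read the destination
    outer = seal(ingress.key, inner)        # ingress strips one layer and forwards
    # Ingress authenticates the client but only sees an opaque blob.
    ingress.observed.append((client_id, f"<sealed blob, {len(inner)} bytes>"))
    forwarded = unseal(ingress.key, outer)
    # Egress learns the destination but only that the request came via ingress.
    dest = unseal(egress.key, forwarded).decode()
    egress.observed.append((ingress.name, dest))
    return f"content-of:{dest}"


def links_identity_to_activity(party: Party, client_id: str, url: str) -> bool:
    """True if this single party's log ties the client to the destination."""
    return (client_id, url) in party.observed


if __name__ == "__main__":
    vpn = Party("vpn-co")
    vpn_fetch(vpn, "alice", "https://example.org/page")
    ingress, egress = Party("ingress-co"), Party("egress-co")
    decoupled_fetch(ingress, egress, "alice", "https://example.org/page")
    for p in (vpn, ingress, egress):
        print(p.name, "observed:", p.observed)
```

The one-line check at the end is the property worth testing in any real deployment review: no single operator's logs should be able to answer "which user requested which destination". The model also shows the assumption the principle rests on: if ingress-co and egress-co share logs (or are the same company), joining the two records on timing is trivial, which is why the paper insists on institutional decoupling between non-colluding entities, not merely architectural separation.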
This is the authors’ argument.

What is Internet privacy? Privacy is being free from observation, and nowhere is this more important than on the Internet, where we must rely upon others to carry our traffic.
Since data confidentiality is, thankfully, largely solved, privacy challenges have moved elsewhere: to metadata of traffic (rather than the now-encrypted payloads) and to the endpoints where application-level processing occurs.
In addition, privacy challenges abound in ensuring unlinkability between multiple streams of traffic from a single user/entity (in the network) and multiple identifiers (at the endpoints). Privacy challenges exist across the network stack, and so privacy solutions must also be layered.
For example, encrypting application traffic can provide confidentiality of message content, yet unprivileged observers of lower layers (e.g., IP routing infrastructure) can readily observe who is talking to whom by recording IP endpoints.
Systems that adhere to the Decoupling Principle must consider privacy holistically, and take into account leakage of information across the stack. Privacy interacts with security mechanisms in important ways.
As network security has grown in importance, more systems rely upon authentication to confirm the identity of a user or device and authorisation to confirm the levels of access that should be conferred.
But authentication and authorisation, both real-time and for later forensic use, often create a non-repudiable record of who used a network service when, how, and even why. The actors involved are simultaneously decentralised – with authentication and authorisation used from the most security-critical applications to low-risk contexts – and centralised (such as OAuth and SSO) with a view into the uses of a huge range of services.
Privacy hinges on trust that users must place in the Internet systems with which they interact.
When we use systems we place our privacy in their hands. In the past 15 years, the Internet has become increasingly centralised with the majority of traffic being attributable to a handful of cloud providers, CDNs, and content providers deemed hypergiants.
For instance, the number of ASNs (autonomous system numbers, which identify the large networks that make up the Internet) required to account for 50 per cent of Internet traffic decreased from 150 in 2009 to only five in 2019. This trend has resulted in the unprecedented centralisation of trust, and of knowledge of users’ behaviour, into these organisations.
This centralisation has come with some upsides for users, as large organisations are sometimes capable of securing user data effectively, but this comes with distinct costs and consequences as well.
Most networking protocols assume end-to-end co-ordination and thus end-to-end trust. Baked into this assumption is a separate reliance on authentication mechanisms that ensure that a source is certain of the destination it is communicating with (e.g., using certificate hierarchies or other out-of-band mechanisms).
Users often implicitly or explicitly make judgments about whether a particular piece of data should be revealed to a particular service in a particular context, and this judgement requires unenumerable factors that only the user can consider.
What many do not realise is that all traffic on the Internet can be tracked, and even if it is encrypted you can trace the path. Given a server or other digital device, with proper digital forensics tools it would be quite easy to track where all Internet traffic on that device (including services and even data) has been – source/destination.
Cybercriminals using Bitcoin and other cryptocurrencies are now finding that out to their cost, as law enforcement agencies have cottoned on to this methodology of simply tracking the Internet traffic for Bitcoin wallets.
As the inventor of the World Wide Web (WWW), Tim Berners-Lee, observed: “There are converging web-related issues cropping up, like privacy and security, that we currently have no way of thinking about. Nobody has thought to look at how people and the web combine as a whole – until now.”

World Cup soccer finals this weekend and good luck to France and Argentina! As always, God bless and stay safe in both digital and physical worlds.
• ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and are not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com