
Re: iKP requirement for privacy



What was not evident to me while reading the paper was how the information 
was kept secret. The models described in the paper assume the order 
information was initiated by the consumer - as if the consumer inherently 
knew product codes and prices. What isn't shown is the fact that the 
merchant provided this information in the first place. It makes no sense to 
try to hide information that is already known.

The only argument I can see that suggests the merchant doesn't know what the 
consumer is buying is if sufficiently diverse types of product info in large 
quantities is delivered as an atomic unit. This would make it difficult to 
guess (aggregate) what's contained in the actual order.

Realistically, this will not happen. The very nature of 'browsing' restricts 
the range of possible choices; a key feature of web based e-com. It is 
likely store fronts will be architected to allow consumers to select 
products with precision. If a merchant relays an order, even though they do 
not know the exact contents of the order, they can predict with high degree 
of accuracy what the customer ordered.

Indeed, merchants are motivated to know as much as they can about their 
customers to sharpen marketing effectiveness. Catering to individuals rather 
than market segments or demographics is the ultimate goal so long as it's 
cost effective. I think Web based E-com promises this in the eyes of many 
retailers.

I agree that there may exist consumers who wish to remain anonymous to their 
merchant but I don't see how iKP delivers. Privacy scenarios may exist, but 
the iKP paper is not explicit in this regard. The requirement to separate 
order info from payment protocol specifically SHTTP and SSL smacks of a 
hidden agenda. The 3KP protocol even requires the merchant to calculate 
H(ORDER). In fact, according to figure 5, the ORDER information is broadcast 
in plaintext. I don't think the proponents of iKP are really serious about 
privacy in general or wrt client/acquirer privacy. There are too many other 
issues to consider, including legally binding trust relationships 
specifically addressing privacy. I doubt legal issues will be resolved 
anytime soon.

Regards,
Ned Smith
 -------------------------------------------------------------
|Ned Smith, <nedbob@sequent.com>, said:
|
|>"Privacy, The privacy of order information and amount of payment should be 
|>implemented independently of the payment protocol, e.g. SHTTP or SSL"
|> [ . . . ]
|>The merchant already knows this information as a result of the customer's
|>interaction with the cyber-store. What is the security principle that
|>motivates the above requirement?
|
|It's probably not so much a _security_ issue as it is a
|_privacy_ issue.  In the same way that it's no-one's business
|what library books a person has checked out, it's also no-one's
|business what products someone has purchased from an on-line
|mall or how much he has spent there.
|
|Keeping the two sets of information separate is safer for the
|fulfillment house in case of some catastrophe like a systems
|failure, a security breach, etc.
|
|
|M. L. Grant
|<grant@medio.com>
|<URL:http://www.medio.net/users/grant/index.htm>
|