
Unique identifiers and privacy



I am concerned with the general statement that we should merely "do no
worse than the current state of the art". I am specifically concerned
with the use of long-lived unique identifiers. We have already got
significant feedback on such identifiers in a number of products, e.g.
identifiers of CPU chips, identifiers of users of audio-video players,
host identifiers in IPv6, use of social security numbers in databases,
and the list goes on. Any unique identifier is a privacy time bomb.

Obviously, there are places where unique identifiers are unavoidable.
For example, one cannot receive mail without publishing a mail address
of some kind. But there are many places where identifiers are in fact
not needed. For example, a vast majority of Internet connections involve
resolving the name of a server, obtaining the server address or
"locator", and exchanging a few packets between a single pair of
locators. A cautious design would not mandate use of any identifier in
such circumstances.

If we do use identifiers, we should obviously allow systems to create
short-lived identifiers, and to use different identifiers for different
activities. However, we should be very concerned with the default
behavior. In practice, many application developers don't bother with
advanced APIs and just use whatever is the default behavior of the stack.
A cautious design would be to err on the side of privacy, and to make
sure that by default, an application's traffic will use an identifier
that is both short-lived and specific to that application. The use of
long-lived global identifiers should be reserved for those applications
that specifically request them.

-- Christian Huitema
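The default-behavior design argued for above, as an added illustration that is not part of the original message and not code from any particular stack: an identifier policy whose default path hands out identifiers that are both short-lived (they rotate after an assumed period) and specific to the requesting application (two applications never share one), while a long-lived identifier is returned only when an application explicitly asks for it. The class name, method names and the one-day rotation period are assumptions for the example; the derivation uses an HMAC over a per-host secret, the application name and the current rotation epoch, so identifiers from different applications or different epochs cannot be linked without that secret.

```python
import hashlib
import hmac
import secrets
import time

# Assumed rotation period for the default (short-lived) path: one day.
ROTATION_SECONDS = 24 * 60 * 60


class IdentifierPolicy:
    """Hypothetical identifier policy: privacy-preserving by default.

    identifier_for()      -> short-lived, per-application (the default)
    request_long_lived()  -> stable identifier, only on explicit request
    """

    def __init__(self, rotation_seconds=ROTATION_SECONDS, secret=None):
        self.rotation_seconds = rotation_seconds
        # Per-host secret. It never leaves the host, so an observer who
        # sees identifiers cannot derive or link them without it.
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self._long_lived = {}

    def _derive(self, *parts):
        # HMAC-SHA256 over the labelled inputs; the label separates the
        # short-lived and long-lived namespaces so they never collide.
        mac = hmac.new(self.secret, b"\x00".join(parts), hashlib.sha256)
        return mac.hexdigest()[:16]

    def identifier_for(self, application, now=None):
        """Default path: short-lived and specific to one application.

        Within one rotation period the same application gets the same
        identifier, so its own sessions stay consistent; after the period
        elapses it gets a fresh one, and no two applications ever share one.
        """
        if now is None:
            now = time.time()
        epoch = int(now // self.rotation_seconds)
        return self._derive(b"short-lived", application.encode(), str(epoch).encode())

    def request_long_lived(self, application):
        """Opt-in path: a stable identifier that survives rotations.

        Nothing reaches this unless the application asks for it by name,
        which is the behavior the message argues the default should NOT have.
        """
        if application not in self._long_lived:
            self._long_lived[application] = self._derive(b"long-lived", application.encode())
        return self._long_lived[application]


def linkable_across_apps(policy, app_a, app_b, now=None):
    """True if two applications' default identifiers could be correlated."""
    return policy.identifier_for(app_a, now) == policy.identifier_for(app_b, now)


if __name__ == "__main__":
    # Constructed demonstration with a one-hour rotation to make it visible.
    policy = IdentifierPolicy(rotation_seconds=3600)
    print("mail, t=0     :", policy.identifier_for("mail", now=0))
    print("mail, t=3600  :", policy.identifier_for("mail", now=3600))
    print("browser, t=0  :", policy.identifier_for("browser", now=0))
    print("mail, stable  :", policy.request_long_lived("mail"))
    print("linkable?     :", linkable_across_apps(policy, "mail", "browser", now=0))
```

The two properties to check are the ones the message names: the same application gets the same identifier only within one rotation period, and different applications never receive the same identifier, so neither time nor cross-application correlation is possible through the default path.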