
Re: privacy



On Wed, 8 Jan 2003, Randy Bush wrote:

> which is one of the reasons per-field granularity is desired.  it
> maximizes flexibility, i.e., you're not just stuck with "don't publish
> tech poc."  it handles the union of requests heard from various
> registrars, locales, and registries.

I'm not sure that mere item tagging is adequate.

Way back in the 1970s, in the days when we were worrying about database
privacy rather than net privacy, it was realized that data has a
synergistic property - that N items of sensitivity S often have an aggregate
sensitivity much larger than N*S.

Thus the privacy policies had to express limitations on combinations.

Sometimes the policies had to express other things, such as whether to lose
precision (e.g. turn a full postal address into a mere postal code, or a
phone number into a mere city code) possibly based on relationships 
between the requestor and the requested record (e.g. obtain records only 
when subject's salary is lower than that of querier.)

I don't think that these kinds of policies can be mechanized with only
simple item tags.  Certainly tags are useful and valuable for simple
scenarios.  And it may be that they are a good balance between nothing and
a fully flexible generalized system of enormous complexity.  But until 
somebody actually thinks through the generalized systems it's hard to know 
if simple tags are, in fact, a good middle ground or whether they will 
prove to be a good idea that doesn't quite do the job (like ICMP source 
quench) and were a waste of time to specify and to implement.

		--karl--
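As an added illustration (not part of the mail above or of any registry protocol), a toy Python policy evaluator that contrasts what per-field tags can express with the combination limits and requester-dependent loss of precision the post describes; the record, tags, roles and rules are all constructed.

```python
# Toy policy evaluator: per-field tags versus combination limits and
# requester-dependent loss of precision. All data here is constructed.

# Constructed sample contact record; not real registry data.
RECORD = {
    "name": "J. Example",
    "postal_address": "12 Sample St, Example Town, 12345",
    "phone": "+1 555 0100",
    "email": "poc@example.net",
}

# Per-field tags: the only thing a simple item-tagging scheme can express.
# Every field here is individually publishable.
FIELD_TAGS = {f: "public" for f in RECORD}

# Combination limits: when all fields of the set are requested together,
# withhold the named field, because the aggregate identifies a person far
# better than any single item does (aggregate sensitivity > N*S).
COMBINATION_RULES = [
    (frozenset({"name", "postal_address", "phone"}), "phone"),
]

# Precision loss for requesters without a trusted relationship to the record.
def postal_code_only(address):
    """Reduce a full postal address to its trailing postal code."""
    return address.rsplit(",", 1)[-1].strip()

def city_code_only(phone):
    """Keep only the country and area code of a space-separated number."""
    return " ".join(phone.split()[:2])

COARSEN = {"postal_address": postal_code_only, "phone": city_code_only}
TRUSTED_ROLES = {"registrar"}  # constructed role name

def release_with_tags(record, requested):
    """Item tags alone: release each requested field tagged public."""
    return {f: record[f] for f in requested if FIELD_TAGS.get(f) == "public"}

def release_with_policy(record, requested, requester_role):
    """Tags, then combination limits, then role-dependent precision loss."""
    out = release_with_tags(record, requested)
    for fields, withhold in COMBINATION_RULES:
        if fields <= set(out):
            out.pop(withhold, None)
    if requester_role not in TRUSTED_ROLES:
        for f, coarsen in COARSEN.items():
            if f in out:
                out[f] = coarsen(out[f])
    return out
```

With tags alone every requested field is released in full; the policy version withholds the phone number once name, address and phone are requested together and coarsens address and phone for an untrusted requester.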