Links

Ben Laurie blathering


Presence is a Privacy Problem

I don’t know why I’ve never written about this before. One thing that’s always bugged me about instant messaging is that I can’t choose who sees my presence and who doesn’t. As a result, I don’t advertise presence, as people who IM with me will know.

Why do I care? Mostly because I am being a purist. But the purist point is this: by my presence information I give away information that can be correlated across channels. To take Kim Cameron’s favourite example, if my alter ego LeatherBoy always comes online at the same time as me, someone who can view both alter egos can eventually make the correlation. There are other channels – for example if LeatherBoy is always online when I buy something at Amazon, then, again, one can start to entertain the notion that we are the same.

There are people I wouldn’t mind assisting in organising their time by advertising my presence to. And probably others to whom I’d like it to be fabricated. But I can’t do that. IM is broken.

I did toy with turning it on, but with the definition of idle turned up really high (like, after 100 minutes), but the problem there is you can time my actual idle time from my advertised time and likewise the time I come back online. Clients don’t (currently) offer the option of being somewhat random about when they start to advertise a status change.

At least, though, I can fix that problem by modifying the client code. The selective presence problem is less tractable: the protocols do not support it.

8 Comments

  1. The good protocols do support it — read section 10 of RFC 3921, for example. I can’t promise that any given XMPP client or XMPP server supports it, but we’re working on that…

    Comment by Peter Saint-Andre — 7 Jan 2008 @ 20:37

  2. Presence is wonderfully generative of case studies for privacy/identity issues. Martin Geddes has thought a lot about what a poor job the industry is doing of monetizing this data stream with services that would actually be useful to people. My favorite is his insight that celebrities could sell theirs.

    Comment by Ben Hyde — 7 Jan 2008 @ 21:20

  3. Technically, since IM supports approval by the handle owner prior to IM presence advertisement, the only way to correlate LeatherBoy and Ben Laurie via IM would be for somebody out there to coincidentally convince you to grant access for both of your IM handles to two separate IM handles that happen to be the same person/entity underneath.

    In the case where ben/leatherboy happens to hook up in two separate worlds with jane/vinylgirl, I would guess there would be many correlation factors in addition to IM presence.

    Comment by Pamela DIngle — 8 Jan 2008 @ 3:57

  4. Damn, I thought VinylGirl was Alice.

    What about cross-referencing Twitter or Facebook stuff? That’s much more open than IM, albeit still – supposedly – under user control.

    Comment by robin — 9 Jan 2008 @ 7:11

  5. You rightly point out that being on-line at the same time gives away information that might allow an adversary to link two pseudonyms. Interestingly *never* being on-line at the same time also allow linking.

    This is of interest since web-services relying on cookies for session management often only allow one user to be logged in at a time (per open browser that is.) The technical reason for this is that the browser enforces `same domain’ policies per website, and not per tuples of (pseudonym, website).

    In this case the web browser security model is to blame for not supporting properly split personalities.

    George

    PS A key service with this negative `feature’ is of course gmail.com, as well as the rest of the google log-in system.

    Comment by George Danezis — 10 Jan 2008 @ 0:36

  6. This is similar to always sending signed/encrypted email: If you only sign or encrypt sensitive things, you open yourself up to traffic analysis.

    My solution to this problem is to simply ensure that I’m online all the time (I use finch that attach to via screen), and never advertise idle or away (unless I specifically set it that way). I tell everyone that I correspond with that I stay online all the time, and idle/away doesn’t mean what they think it means, and I’ll respond when I’m actually there (maybe!). This also has the added benefit of being able to ignore IM for a while without people gettig upset because I’m ignoring them.

    Comment by Darren Chamberlain — 10 Jan 2008 @ 18:40

  7. Hmm – well after today’s attempts to get my IM request to you from a non-gmail account, using gTalk/Jabber – individual status is the least of your problems (though I totally agree with your post). Sorry this probably makes little sense to other readers without context, but you had to be there…

    Comment by Dominic Hawken — 12 Jan 2008 @ 1:51

  8. […] support this should allow you to control who can see you presence. This is a feature that I and others have been waiting […]

    Pingback by jadickinson » Blog Archive » Openfire — 17 Mar 2008 @ 13:39

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress