One Man's PET is Another Man's Security Vulnerability

While reviewing for PETS this year, a thought struck me. Many privacy-enhancing technologies are, from some perspective, security vulnerabilities.

In the U.S., we have very little in the way of legal protection when it comes to personal information, and privacy-enhancing technologies can be used by savvy users to protect themselves.

Systems that are designed to prevent user and usage tracking (e.g., Tor, TrackMeNot, NoTrace) often do so by breaking a property of the system they interface with. In particular, many web sites and services implicitly or explicitly expect to be able to tie user sessions together, and to track users across sites and visits. The information a user provides the server is half of a transaction (the other half being the service provided to the user). Further, in some cases, sites’ terms of service or terms of use forbid attempts to circumvent this tracking.

Viewed from the perspective of the web service provider, privacy-enhancing technologies are exploiting a security flaw. Users should have to reveal information to receive service; privacy enhancing technologies are an attack on a vulnerability, breaking the integrity of the transaction.

In a better world, we would also use laws and policies to protect users’s privacy, especially as people (and researchers) claim their privacy is quite important to them.