LINDDUN privacy threat types: Non-repudiation (1)

This post begins the third threat category: Non-repudiation.

Non-repudiation

A non-repudiation threat arises when, because of data collected or shared in the system by an individual (or by other individuals), or because of actions taken in the system, that individual cannot deny specific claims about their behaviour in the system, or more broadly any claim about themselves.

Non-repudiation threats against such claims involve two key elements:
(i) the system keeps evidence or proof of facts or actions relating to the individual (for example, log files held by an involved party, which could have been tampered with, or digital signatures, which give strong guarantees of the evidence's authenticity), and this evidence affects plausible deniability;
(ii) that evidence can be attributed to the individual.

These two kinds of evidence can differ in strength, which leads to non-repudiation threats of differing impact.

This threat type includes the following subtypes:

[Figure: Non-repudiation threat tree]

This post covers Nr.1 to Nr.1.1; the remaining subtypes will follow in later posts.


Nr.1 Attributable data evidence

A data record or message is (or can be) attributed to a user or data subject. The data itself can impact deniability claims.

Nr.1.1 Data

Data can be used to prevent an individual from denying certain claims. Data that is kept in an accessible form could be used as evidence to prevent an individual from denying certain claims with regard to the data or what is described in the data.

Criteria

  • Record data impacting deniability

    • Does the system record data impacting deniability?
    • Is there data describing something that requires plausible deniability by a data subject?
  • Data impacting deniability

    • Does the data itself impact deniability claims?

Examples

  • Logged transmissions

    • Transmissions are logged as evidence of communication.
    • Systems that log the transmission of messages can provide evidence that certain messages were sent. This may be undesirable if users should have plausible deniability of their communication.
  • Random data could indicate encryption

    • Random data could be an indication that there is encrypted data, especially if it concerns the full drive or an external device.
    • When a complete disk or external storage drive is full of random data, this is a strong indication that the drive is encrypted, since a drive full of genuinely random data is otherwise unlikely. Given the likelihood of encryption, this could lead to forced key disclosure.
  • Encrypted office document

    • An encrypted office document still has the office file format, but requires a password to open it. This document format makes it clear that there is encrypted data.
    • If the encryption preserves the file format (for example, an encrypted office document), it removes any plausible deniability about the fact that there is encrypted data there.
  • Credentials

    • An account with a corporate email address prevents the employee's deniability of having used that service.
    • If employees use their corporate email address to sign up for a service, their employer may have evidence of their use of those services in its mail logs.
  • Corporate email address

    • The use of a corporate mail address makes it impossible to deny being affiliated with that organization.
  • Admin access to logs

    • Administrators could have broad access to the logs of many internal organizational systems. This allows those administrators to tie employee submissions or registrations in internal systems to the particular individuals who performed them, thereby removing the plausible deniability of those employees.

Impact

  • Identifying information amplification

    • Identity information can amplify the impact.
  • Service context

    • Depending on the context (e.g., medical, whistleblower), this can have a large impact on the data subject.

Additional information

  • Data selection

    • If deniability is required, it is best not to store the data at all, or to remove any data that would attribute it to an individual.
  • Credentials

    • If not needed, avoid credentials with identity information.
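As an added example (not from the LINDDUN catalogue or this post), the following Python contrasts the "logged transmissions" example above with the "data selection" advice. A messaging service writes the same events two ways: an attributable log in which every line is evidence that a named sender sent a particular message to a named recipient, and a minimized log that keeps only the operational counts an operator needs and no field that ties a transmission to a person. A small check answers the Nr.1.1 criterion "does the system record data impacting deniability?" by listing which attributing fields a log actually contains. The event data, field names and functions are all constructed for illustration.

```python
"""Added example, not part of the LINDDUN catalogue or of this post.

Contrasts an attributable transmission log (the Nr.1.1 'logged
transmissions' threat) with a data-minimized log that follows the
'data selection' advice, plus a check for attributing fields.
All events and field names below are constructed for illustration.
"""

from datetime import datetime, timezone
import json

# Constructed sample events, as the application sees them before logging.
SAMPLE_EVENTS = [
    {"sender": "alice@example.org", "recipient": "bob@example.org",
     "body": "Can we talk about the audit?", "sent_at": "2024-05-01T09:12:31Z",
     "status": "delivered"},
    {"sender": "carol@example.org", "recipient": "alice@example.org",
     "body": "Yes, after lunch.", "sent_at": "2024-05-01T09:40:05Z",
     "status": "delivered"},
    {"sender": "alice@example.org", "recipient": "dave@example.org",
     "body": "Lost connection, resend?", "sent_at": "2024-05-01T10:03:59Z",
     "status": "failed"},
]

# Fields whose presence in a stored record attributes a transmission to an
# individual or reveals what was said; their presence is what the Nr.1.1
# criteria ask about.
ATTRIBUTING_FIELDS = frozenset({"sender", "recipient", "body"})


def attributable_log(events):
    """Threat form: log every field. Each line is evidence that a named
    sender communicated with a named recipient, including the content."""
    return [json.dumps(e, sort_keys=True) for e in events]


def minimized_log(events):
    """Mitigation form: keep only what an operator needs to monitor delivery,
    a count per (hourly window, delivery status). No stored field can tie a
    transmission to a person, so the log is not evidence against anyone."""
    buckets = {}
    for e in events:
        ts = datetime.strptime(e["sent_at"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        window = ts.strftime("%Y-%m-%dT%H:00Z")  # truncate to the hour
        key = (window, e["status"])
        buckets[key] = buckets.get(key, 0) + 1
    return [json.dumps({"window": w, "status": s, "count": n}, sort_keys=True)
            for (w, s), n in sorted(buckets.items())]


def deniability_impacting_fields(log_lines):
    """Answer the Nr.1.1 criterion 'does the system record data impacting
    deniability?' by reporting which attributing fields appear in a log."""
    found = set()
    for line in log_lines:
        found |= ATTRIBUTING_FIELDS & set(json.loads(line))
    return sorted(found)


if __name__ == "__main__":
    for name, log in (("attributable", attributable_log(SAMPLE_EVENTS)),
                      ("minimized", minimized_log(SAMPLE_EVENTS))):
        print(f"{name} log, attributing fields: "
              f"{deniability_impacting_fields(log)}")
        for line in log:
            print("  " + line)
```

The minimized form only addresses the system's own records: copies held by the other party, by a mail relay, or by an administrator with broad log access are separate evidence and need the same treatment. The check is meant to be run against the schema of every log a component writes, not just the application log, since the point of the criterion is to find attributing data wherever it is retained.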