The Role of Confinement in Privacy

I argue here that confinement of programs is emerging as the sole hope for privacy in the new world of the Internet. The argument rests on the observation that large quantities of code by unknown people inhabit the user's machine and that, in the current scheme of things, all of this code must be trusted with the user's secrets.

Before most personal computers were connected to the telephone network, or any other network, it was difficult for nosy code in my machine to smuggle my secrets from my machine to a place where a perpetrator could access them. In effect, all the code in my machine was pretty well confined.

As modems became widespread, it was possible for a program to wait until an inactive period, instruct the modem not to emit noises into the room, dial an 800 number, export private data from the computer in a few seconds, and then put the modem back as it was. The user is none the wiser. This scenario presumes a confederate, called the mole here, which observes what applications start and intervenes when some trusted application starts that is likely to handle sensitive information. At that point the mole modifies the application to capture and save the sensitive information. It is this secret information that is sent, then or later, outside the machine. If someone should discover the program and dissect it, the phone number would be discovered and perhaps the perpetrator would be caught. It is not clear what laws might apply.

Alas, with the Internet it becomes even easier. A small fragment of code can inquire whether the computer is currently connected to the Internet (increasingly likely), and if so transmit a UDP packet, which is rather like a postcard. The packet has an address and a small amount of data. The address need not be valid, but it will cause the packet to be routed over various public switches under the control of a variety of communications companies, and tappable by a much wider set of organizations and individuals. A satellite downlink is most easily tapped! If such code is discovered, there is no obvious way of finding the recipient.

Confinement discipline provides a way to reduce the code in the user's machine that must be trusted from gigabytes to less than a megabyte. That code can be published and effectively vetted by multiple paranoid volunteers.

The obvious application of this discipline would have the user view his machine as largely a public place, but with a source of objects which could be relied upon to preserve his confidence.

This is similar to the problem that the Java applet design aims to solve but

The owner of a computer should be able to identify and banish visible troublemakers. The spy will be careful to behave, however, and it may be necessary to protect against the spy rather than to identify him.

An entirely separate privacy issue.