
To party 1: "Give us a netflow log of all of this user's traffic." To party 2: "Give us a list of all outbound connections matching this netflow list of inbound proxying requests."

It would work the other way around as well (going from visited sites to a given Apple ID). If you can monitor all nodes in an onion routing network, you can deanonymize everybody.



Well, here’s the catch. Even if logs were kept, the 2nd party as far as we know does not have a unique identifier passed onto it.

This means that Apple’s logs would say this user authenticated and passed some encrypted stuff to Fastly, and Fastly would say that it received requests from Apple, without an identifier to match it up against the first request.

Once this scales and Apple has millions of requests incoming, there will be no way to conclusively prove that two requests are the same.

In which case a double subpoena is again useless. And this is assuming they keep logs - if they don’t keep logs, which is more likely, it’s even more useless.

This also aligns with something we currently know. Apple says they can’t see your requests. This implies that they just pass data along in an encrypted format to their partners. So all Apple does is make it so their partners don’t know your device, and the partners ensure Apple doesn’t know your request.

Ultimately, even if logs were kept, there would have to be a unique identifier of some sort that was passed on to the second server from the first server to break the system. You decide the odds that they did that. Sounds a lot like an IP Address, in which case why not just build a classic VPN?


Surely some "unique" identifier is required for each TCP session between Apple and the exit node so that Apple knows where to send the data it gets back, even if it's just the port on which Apple connects to the exit node as with standard TCP session management.


How would that help you identify all of a particular user's interactions (rather than one)? Why would you expect them to log it?


If Apple logged (incoming IP from user, outgoing port to exit node) pairs for each session, and the exit node logged all requests, this should be sufficient to associate all requests with a given user IP, right? Or am I misunderstanding you?

I wouldn’t expect them to log it, personally, I think that can only lead to headaches down the line. My reason for responding is just that I disagree that there is no way for another party to associate all requests even if Apple & exit node both fully cooperate and keep logs.


We are thinking about this the same way. Individual sessions don't do you much good, but there is traceability iff both parties keep complete logs. Which seems unlikely unless coerced.
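
An added example, not part of any comment above and not code from Apple or Fastly: it shows why the thread's disagreement turns on what each relay retains. With a per-session (user IP, outgoing port) record the two logs join exactly; with timing alone every concurrent user stays a candidate. The log layouts, field names and sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample logs (not real data); addresses are documentation ranges.
# Hypothetical ingress relay log: (user_ip, egress_src_port, start, end)
INGRESS_LOG = [
    ("198.51.100.7", 40001, 100, 160),
    ("198.51.100.9", 40002, 110, 170),
    ("198.51.100.7", 40002, 200, 260),  # port 40002 reused later by another user
]
# Hypothetical exit relay log: (src_port_seen_from_ingress, timestamp, destination)
EXIT_LOG = [
    (40001, 120, "a.example"),
    (40002, 125, "b.example"),
    (40002, 210, "c.example"),
]


def link_with_port(ingress, exit_log):
    """Join on (port, time window). The time window disambiguates port reuse,
    so each exit record resolves to exactly one user IP."""
    linked = defaultdict(list)
    for port, ts, dest in exit_log:
        owners = [ip for ip, p, start, end in ingress
                  if p == port and start <= ts <= end]
        if len(owners) == 1:
            linked[owners[0]].append(dest)
    return dict(linked)


def candidates_without_port(ingress, exit_log):
    """Timing only (ingress never recorded the outgoing port): every user
    with a session open at the request time remains a candidate."""
    return {
        dest: sorted({ip for ip, _p, start, end in ingress if start <= ts <= end})
        for _port, ts, dest in exit_log
    }


if __name__ == "__main__":
    print(link_with_port(INGRESS_LOG, EXIT_LOG))
    print(candidates_without_port(INGRESS_LOG, EXIT_LOG))
```

The candidate sets in the second function grow with the number of concurrent sessions, which is why not retaining the per-session port mapping at the ingress relay is the control that keeps the two logs unlinkable.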



