I.4 Unobservability (FPR_UNO)

Unobservability ensures that a user may use a resource or service without others, especially third parties, being able to observe that the resource or service is being used.

User notes

Unobservability approaches the user identity from a different direction than the previous families Anonymity, Pseudonymity and Unlinkability. In this case, the intent is to hide the use of a resource or service, rather than to hide the user's identity.

A number of techniques can be applied to implement unobservability. Examples of techniques to provide unobservability are:

a)   Allocation of information impacting unobservability: Unobservability-relevant information (e.g. information that describes that an operation occurred) can be allocated in several locations within the TOE. The information might be allocated to a single randomly chosen part of the TOE, so that an attacker does not know which part of the TOE should be attacked. An alternative system might distribute the information such that no single part of the TOE holds enough information that, if that part were circumvented, the privacy of the user would be compromised. This technique is explicitly addressed in FPR_UNO.2 Allocation of information impacting unobservability.

b)   Broadcast: When information is broadcast (e.g. Ethernet, radio), users cannot determine who actually received and used that information. This technique is especially useful when information should reach receivers who have to fear a stigma for being interested in that information (e.g. sensitive medical information).

c)   Cryptographic protection and message padding: People observing a message stream might obtain information from the fact that a message is transferred and from attributes on that message. By traffic padding, message padding and encrypting the message stream, the transmission of a message and its attributes can be protected.
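
The following sketch illustrates technique c). It is an added example, not part of the original text: messages are padded into fixed-size cells (message padding) and one cell is sent on every tick, with dummy cells when idle (traffic padding). The cell size, header layout and all names are assumptions made for illustration, and each cell is assumed to be encrypted under a link key before transmission, which is omitted here.

```python
import os
import struct
from collections import deque

# Assumption: each cell is encrypted (AEAD, link key) before sending; omitted here.
CELL_SIZE = 256                    # constructed: every cell on the link is this long
HEADER = struct.Struct("!BH")      # cell type (1 byte), payload length (2 bytes)
REAL, DUMMY = 1, 0
MAX_PAYLOAD = CELL_SIZE - HEADER.size

def make_cell(kind, payload=b""):
    """Message padding: header + payload + random fill, always CELL_SIZE bytes."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload does not fit in one cell")
    return HEADER.pack(kind, len(payload)) + payload + os.urandom(MAX_PAYLOAD - len(payload))

def parse_cell(cell):
    """Receiver side (after decryption): payload of a real cell, None for a dummy."""
    if len(cell) != CELL_SIZE:
        raise ValueError("wrong cell size")
    kind, length = HEADER.unpack_from(cell)
    if kind not in (REAL, DUMMY) or length > MAX_PAYLOAD:
        raise ValueError("malformed cell header")
    return cell[HEADER.size:HEADER.size + length] if kind == REAL else None

class PaddedSender:
    """Traffic padding: exactly one cell leaves per tick, queued data or not."""
    def __init__(self):
        self.queue = deque()

    def submit(self, message):
        for i in range(0, len(message), MAX_PAYLOAD):
            self.queue.append(message[i:i + MAX_PAYLOAD])

    def tick(self):
        return make_cell(REAL, self.queue.popleft()) if self.queue else make_cell(DUMMY)

def run(schedule, ticks):
    """schedule maps tick number -> message submitted just before that tick."""
    sender, wire = PaddedSender(), []
    for t in range(ticks):
        if t in schedule:
            sender.submit(schedule[t])
        wire.append(sender.tick())
    return wire

def observer_view(wire):
    """What a passive observer of the encrypted link sees: one length per tick."""
    return [len(cell) for cell in wire]
```

An idle link and a busy link produce the same sequence of cell lengths and timings, so the observer cannot tell from the traffic pattern whether the service was used; only the holder of the link key can separate real cells from dummy cells.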

Sometimes, users should not see the use of a resource, but an authorised user must be allowed to see the use of the resource in order to perform his duties. In such cases, FPR_UNO.4 Authorised user observability could be used, which provides the capability for one or more authorised users to see the usage.

This family makes use of the concept "parts of the TOE". A part of the TOE is considered to be any part that is either physically or logically separated from other parts of the TOE. In the case of logical separation, FPT_SEP may be relevant.

Unobservability of communications may be an important factor in many areas, such as the enforcement of constitutional rights, organisational policies, or in defence-related applications.