The Decoupling Principle

This is a really interesting paper that discusses what the authors call the Decoupling Principle:

The idea is simple, yet previously not clearly articulated: to ensure privacy, information should be divided architecturally and institutionally such that each entity has only the information they need to perform their relevant function. Architectural decoupling entails splitting functionality for different fundamental actions in a system, such as decoupling authentication (proving who is allowed to use the network) from connectivity (establishing session state for communicating). Institutional decoupling entails splitting what information remains between non-colluding entities, such as distinct companies or network operators, or between a user and network peers. This decoupling makes service providers individually breach-proof, as they each have little or no sensitive data that can be lost to hackers. Put simply, the Decoupling Principle suggests always separating who you are from what you do.

Lots of interesting details in the paper.

Posted on December 7, 2022 at 7:04 AM25 Comments


loco December 7, 2022 7:48 AM

This principle has been “invented” in the 1970s in the debate on data protection in Germany, where it was coined “informationelle Gewaltenteilung” – “informational separation of powers”. It was never fully elaborated beyond the legal sphere, and there it was related primarily to data decoupling and institutional decoupling, rather than technical or architectural decoupling. However, it is related to the protection goal of “unlinkability” that has become widespread in the European debate in recent years.

YF December 7, 2022 8:05 AM

In European union they want security in a way it can be unsecured on bureaucrat’s demand for security purposes.

Winter December 7, 2022 8:31 AM

This is just an elaboration of the data-minimization requirements in the GDPR. No institution should collect or store data it does not need. Also, data storage should have privacy protection built-in.

Without having had time to read the article, I see this as implementing the GDPR provisions.

Robin December 7, 2022 9:15 AM

@Winter: I wish the GDPR data-minimization requirements were more widely known and respected. It seems to be increasingly the case that even trivial transactions demand unnecessary information.

This morning I bought tickets for a local concert on Friday. A couple of guys in a room not much bigger than my sitting room; 6.50€ per seat so you can see it’s hardly Bruce Springsteen at Olympia. But to do that I had to create an account and to do that it wanted name, DoB, phone number, about 20 opt-in/opt-out choices for newsletters etc, email address and the names of both people who are going to attend. None of this was optional and since they claim that ID will be checked at the door, false names seem to be a no-no. They didn’t get a true DoB though; a tiny victory.

Identical process to buy tickets for an exhibition last week, except there were no options to reject being subscribed during the signing-up. At least there was an option to unsubscribe from publicity in the first email newsletter that arrived but they had already collected more information than I wanted them to have.

If challenged I’m sure they could come up with reasons why they want to offer a “better experience” (pah) but necessary? No. And this happens all the time.


Winter December 7, 2022 9:58 AM


But to do that I had to create an account and to do that it wanted name, DoB, phone number, about 20 opt-in/opt-out choices for newsletters etc, email address and the names of both people who are going to attend.

Sounds indeed excessive. I am afraid that unless there are laws against it, the only option is to vote with your feet/wallet.

Robin December 7, 2022 10:12 AM

@Winter I am pretty sure that their site contravenes the GDPR but I hold out little hope of being able to get this through to the bureaucracy in the town hall. Having just downloaded the tickets the little bit of rancid cream on the cake is that they insist the two tickets (with their QR codes) are each printed on a sheet of white A4 paper.

But you’re right – I’ll try to avoid them in future.

Clive Robinson December 7, 2022 11:29 AM

@ Bruce,

This is an old principle practiced in governments to stop power building up in any one part of Government thus creating a threat.

It was unfortunately the work of IBM that enabled some governments to invert this idea.

With the use of “card tabulators” they could take census and similar data and “audit out” certain information quite rapidly with very few involved.

The results of the inversion of this idea in Europe from the early 1930’s onwards turned out to be quite horrific.

Sofakinbd December 7, 2022 12:47 PM

Isn’t this the basis of Apple’s Private Relay?

How Private Relay works

Normally when you browse the web, information contained in your web traffic, such as your DNS records and IP address, can be seen by your network provider and the websites you visit. This information could be used to determine your identity and build a profile of your location and browsing history over time. iCloud Private Relay is designed to protect your privacy by ensuring that when you browse the web in Safari, no single party — not even Apple — can see both who you are and what sites you’re visiting.

When Private Relay is enabled, your requests are sent through two separate, secure internet relays. Your IP address is visible to your network provider and to the first relay, which is operated by Apple. Your DNS records are encrypted, so neither party can see the address of the website you’re trying to visit. The second relay, which is operated by a third-party content provider, generates a temporary IP address, decrypts the name of the website you requested and connects you to the site. All of this is done using the latest internet standards to maintain a high-performance browsing experience while protecting your privacy.

Alan Yoder December 7, 2022 1:41 PM

As noted in previous comments, this principle has been around for quite a long time. It is the “previously not clearly articulated” assertion that gets one’s hair up.

That said, it seems pretty clear that whether or not it was well articulated, it has not been very well understood, especially in the last couple decades of rapid change. So I personally welcome seeing it revisited and re-articulated.

Missing from the above is any mention of how difficult it is to really do this decoupling well, in actual practice.

iAPX December 7, 2022 2:14 PM

On my last assignment, I was tasked to send the user email address, sha-256 hashed, to the best known ad-network and search engine.

They call it “encrypted”, we all know that it isn’t, in any way.
I tried to pushback but it didn’t worked out.

Things are getting worse, and they try to hide their malevolence through “encryption” that is hashing in fact.
They pretend that PII (Personal Identifying Information) are safe when hashed.

And some people is accepting it that way…

Ted December 7, 2022 4:10 PM


Isn’t this the basis of Apple’s Private Relay?

I think you’re right on that. Follow along with me for a moment.

Two of the paper’s authors founded INVISV. From what I can tell it’s a company that provides privacy-friendly communication technologies. I might also mention the following comment on their ‘ABOUT US’ page:

INVISV is advised by security and privacy experts Bruce Schneier and Jon Callas.

Wow. Pretty cool.

There’s an INVISV blog post about Multi-Party Relays (MPR) and why they are more privacy-friendly than VPNs. From that article:

Only now, in 2022, are there fast MPR services that cover all mobile users: INVISV Relay (Android) and Apple’s iCloud Private Relay (iOS).

So that principle definitely seems to be in play for both. INVISV also has a great and reader-friendly blog post on Decoupling.

Raphael Khoury December 7, 2022 4:44 PM

I would argue that this principle is a re-statement (or a special case) of the principle of “Least Common Mechanism”, as stated by Saltzer and Schroeder in their seminal paper.

lurker December 7, 2022 5:35 PM

@Ted, All

re INVISV, the de-coupling of user from the internet occurs by INVISV coupling to an upstream provider (Fastly), much like the Tor system. So if I was concerned I might like to know the locations of inlet and outlet nodes, and what precautions they took (if any) to avoid traffic routing through certain jurisdictions.

Anyhow that’s moot, since the link on their blog page took me straight to the Google store, where I am informed,

“This app is not available for your device.”

A quick scratch on that page didn’t tell me why it wasn’t available. If it was not available in my location, G has a different message for that.

Ted December 7, 2022 6:25 PM

@lurker, All

Re: ‘INVISV Relay’ Android app

Would you consider reaching out to them to ask about those things? It looks like the app launched in its Beta version in September 2022. They add:

“However, as a Beta service, you may run into some issues and we’d love to hear about them at – please let us know what you think and any questions you have.”

Sumadelet December 8, 2022 7:00 AM

As Clive Robinson points out, this is an old principle. It was followed in part in the UK with the separation of storage ad processing of records between various arms of the state: the health service (NHS) used a different identifier to the tax authorities (Inland Revenue, then Her (now His) Majesty’s Revenue and Customs), who used a different identifier to the state pension and benefits authority (National Insurance, various state benefits, such as unemployment benefit), local councils have their own identifiers for people; and so on.
Regulations now allow sharing of data between these organisations, but there is still no single ‘National ID number’, so assuring consistency between the various databases is difficult. Governments have tried to introduce a single National ID in the UK, so far without success, against vociferous protest. However, in functional terms, the data sharing fulfils almost the same purpose. Often the protests are against being required to have an ID card, without a strong understanding of the problems of the unified database behind it.
The old systems were inefficient, and had obvious problems with data consistency, and people in the UK live with that legacy now, but there was a real separation of data. Things are done differently now, so, for example, the Passport Agency can access/share the images of people stored by the Driver and Vehicle Licencing Agency (Previously DVLC – it was a ‘centre’ rather than an ‘agency’). It is certainly, at times, convenient: but it makes data trawling much easier.

Benito Bishop December 8, 2022 3:41 PM

@ Sofakinbd,

Isn’t this the basis of Apple’s Private Relay?

Yeah, and that’s pretty similar to Tor, which appeared almost immediately after the Freedom Network died. Freedom, in turn, appeared around the time Paul Syverson’s onion-routing paper was published, and, if I recall correctly, was a pretty straightforward implementation thereof. But they did recognize the privacy problems relating to payment; see Untraceable Nym Creation on the Freedom 2.0 Network (Samuels and Howco, 2000).

I suspect the authors of this new paper were unaware of Freedom. Otherwise, the old paper’s a bit too on the nose to not be cited (though it uses the keyword “association” rather than “coupling”).

vas pup December 8, 2022 4:11 PM

@YF • December 7, 2022 8:05 AM
Same in US.
Unfortunately, US in this case is not following good example of UK – see
@Sumadelet • December 8, 2022 7:00 AM. I.e.
Not having single national identifier. The good idea to have SS# as seed and generate own unique identifier through hash process for each separate data base. When you try to do xref with different DBases you should NOT have single similar primary key to do that but rather submit official request, legal basis for having such data, get information (asap) from unit having interested data and get it. That will really enabling decoupling.

So, authority and data are separated by design, ownership and legal basis for access.

lurker December 9, 2022 3:47 PM


Invisv’s web page for the Sep beta release says “INVISV Relay works on any Android device that has Internet access”, yet somewhere I read that it required Android 9+. An email reply to me advises the current version requires Android 11+ …

Clive Robinson December 9, 2022 8:57 PM

@ Ted, lurker,

“I’ll admit Q would have been a toughie.”


Look up the English dish called “Queen of Puddings” or the Old English fruit “quince” that is made into many things most often mentioned being “quince jam”. There are a number of other “Q” fruits such as, Quandong (Australian native peach), Quenepa (Spanish lime), Querina (Apples), Quinault (Strawberries) etc, that are made into jams, pies, tarts and pudings[1].

Then there are some vegtables, seeds and nuts that also can end up in sweet dishes, used to sweeten like carrots and parsnip (cakes) or are to “bulk out” or thicken. One such is Quinoa both seeds and leaves, as for nuts there is the Queensland (macadamia) nut.

[1] Puding is an akward word that has changed its meaning over the centuries but is still used in both forms. Most people think “puding” is the equivalent of “desert” it’s not. It actually refers to a slow cooking process where a form of pastry is cooked in a double boiler or by “steaming”. It was a form of “cauldron cooking” going back into times long past. Like pies that are dry heat cooked, pudings could be savoury or sweet, but the pastry served the same purpose in both to retain moisture, fat and flavour, whilst the raw ingreedients slowely broke down. One of the reasons meat pudings and stews are “unctuous”[2].

[2] Unctuous is another problematic word and is context sensitive. Whrn said of individuals it is most usually dispataging. When said of food it implies a smooth but oily liquid or sauce that is pleasent, not greasy. But when applied to wine or it means something else in that no oil is present though a deepness of flavour sometimes described as velvety applies. Then there is chocolate, which is mostly fat, but also has that deep velvety quality.

Ted December 9, 2022 11:39 PM

@Clive, lurker

Re: the Q’s

Oh good ideas. I very much like the Quinault (Strawberries) option. In fact, it makes me wonder if some of the other dessert names could have been equally spiffed up.

You would be good at my “counting sheep” game. If I can’t sleep sometimes I will pick a category, say colors, and then go through the alphabet and try to think of one for each letter. So for colors it could go… amber, burgundy, cerulean, dill, ecru and so on. As you can imagine, some letters are more challenging than others. Funnily though, many times I find myself in la la land well before I can make it through the whole alphabet.

Phillip December 13, 2022 5:16 AM

There is the useful psychological aspect with separating “who you are from what you do”, when culturally speaking, an ego too intertwined with what one does creates a strategy.

Pre-announcing how one is near top of any pecking order may satisfy one’s ego. However, it makes anybody else’s guessing game over identifying who occupies a key role easier.

All right, a good principle.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.