Sept. 12, 2008
U.N. Agency Eyes Web Anonymity Controls
China Proposes Methods To Trace Original Source Of Internet Communications
-
Photo
(iStockphoto)
The U.S. National Security Agency is also participating in the "IP Traceback" drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.
The potential for eroding Internet users' right to remain anonymous, which is protected by law in the United States and recognized in international law by groups such as the Council of Europe, has alarmed some technologists and privacy advocates. Also affected may be services such as the Tor anonymizing network.
"What's distressing is that it doesn't appear that there's been any real consideration of how this type of capability could be misused," said Marc Rotenberg, director of the Electronic Privacy Information Center in Washington, D.C. "That's really a human rights concern."
Nearly everyone agrees that there are, at least in some circumstances, legitimate security reasons to uncover the source of Internet communications. The most common justification for tracebacks is to counter distributed denial of service, or DDoS, attacks.
But implementation details are important, and governments participating in the process - organized by the International Telecommunication Union, a U.N. agency - may have their own agendas. A document submitted by China this spring and obtained by CNET News said the "IP traceback mechanism is required to be adapted to various network environments, such as different addressing (IPv4 and IPv6), different access methods (wire and wireless) and different access technologies (ADSL, cable, Ethernet) and etc." It adds: "To ensure traceability, essential information of the originator should be logged."
The Chinese author of the document, Huirong Tian, did not respond to repeated interview requests. Neither did Jiayong Chen of China's state-owned ZTE Corporation, the vice chairman of the Q6/17's parent group who suggested in an April 2007 meeting that it address IP traceback.
A second, apparently leaked ITU document offers surveillance and monitoring justifications that seem well-suited to repressive regimes:
A political opponent to a government publishes articles putting the government in an unfavorable light. The government, having a law against any opposition, tries to identify the source of the negative articles but the articles having been published via a proxy server, is unable to do so protecting the anonymity of the author.
That document was provided to Steve Bellovin, a well-known Columbia University computer scientist, Internet Engineering Steering Group member, and Internet Engineering Task Force participant who wrote a traceback proposal eight years ago. Bellovin says he received the ITU document as part of a ZIP file from someone he knows and trusts, and subsequently confirmed its authenticity through a second source. (An ITU representative disputed its authenticity but refused to make public the Q6/17 documents, including a ZIP file describing traceback requirements posted on the agency's password-protected Web site.)
Bellovin said in a blog post this week that "institutionalizing a means for governments to quash their opposition is in direct contravention" of the U.N.'s own Universal Declaration of Human Rights. He said that traceback is no longer that useful a concept, on the grounds that few attacks use spoofed addresses, there are too many sources in a DDoS attack to be useful, and the source computer inevitably would prove to be hacked into anyway.
Another technologist, Jacob Appelbaum, one of the developers of the Tor anonymity system, also was alarmed. "The technical nature of this 'feature' is such a beast that it cannot and will not see the light of day on the Internet," Appelbaum said. "If such a system was deployed, it would be heavily abused by precisely those people that it would supposedly trace. No blackhat would ever be caught by this."
Adding to speculation about where the U.N. agency is heading are indications that some members would like to curb Internet anonymity more broadly:
Multinational push to curb anonymous speech
By itself, of course, the U.N. has no power to impose Internet standards on anyone. But U.N. and ITU officials have been lobbying for more influence over the way the Internet is managed, most prominently through the World Summit on the Information Society in Tunisia and a followup series of meetings.
The official charter of the ITU's Q6/17 group says that it will work "in collaboration" with the IETF and the U.S. Computer Emergency Response Team Coordination Center, which could provide a path toward widespread adoption -- especially if national governments end up embracing the idea.
Patrick Bomgardner, the NSA's chief of public and media affairs, told CNET News on Thursday that "we have no information to provide on this issue." He would not say why the NSA was participating in the process (and whether it was trying to fulfill its intelligence-gathering mission or its other role of advancing information security).
Toby Johnson, a communications officer with the ITU's Telecommunication Standardization Bureau in Geneva, also refused to discuss Q6/17. "It may be difficult for experts to comment on what state deliberations are in for fear of prejudicing the outcome," he said in an e-mail message on Thursday.
U.N. "IP traceback" documents
identify the source of the negative articles" posted by political adversaries.
When asked about the impact on Internet anonymity, Johnson replied: "I am not fully acquainted with this topic and therefore not qualified to provide an answer." He said that he expects that any final ITU standard would comport with the U.N.'s Universal Declaration of Human Rights.
It's unclear what happens next. For one thing, the traceback proposal isn't scheduled to be finished until 2009, and one industry source stressed that not all members of Q6/17 are in favor of it. The five "editors" are: NSA's Richard Brackney; Tian Huirong from China's telecommunications ministry; Korea's Youm Heung-Youl; Cisco's Gregg Schudel; and Craig Schultz, who works for a Japan-based network security provider. (In keeping with the NSA's penchant for secrecy, Brackney was the lone ITU participant in a 2006 working group who failed to provide biographical information.)
In response to a question about the eventual result, Schultz, one of the editors, replied: "The long answer is, as you can probably imagine, this subject can get a little 'tense.' The main issue is the protection of privacy as well as not having to rely on 'policy' as part of a process. A secondary issue is feasibility and cost versus benefit." He said a final recommendation is at least a year off.
Another participant is Tony Rutkowski, Verisign's vice president for regulatory affairs and longtime ITU attendee, who wrote a three-page summary for IP traceback and a related concept called "International Caller-ID Capability."
In a series of e-mail messages, Rutkowski defended the creation of the IP traceback "work item" at a meeting in April, and disputed the legitimacy of the document posted by Bellovin. "The political motivation text was not part of any known ITU-T proposal and certainly not the one which I helped facilitate," he wrote.
Rutkowski added in a separate message: "In public networks, the capability of knowing the source of traffic has been built into protocols and administration since 1850! It's widely viewed as essential for settlements, network management, and infrastructure protection purposes. The motivations are the same here. The OSI Internet protocols (IPv5) had the capabilities built-in. The ARPA Internet left them out because the infrastructure was a private DOD infrastructure."
Because the Internet Protocol was not designed to be traceable, it's possible to spoof addresses -- both for legitimate reasons, such as sharing a single address on a home network, and for malicious ones as well. In the early part of the decade, a flurry of academic research focused on ways to perform IP tracebacks, perhaps by embedding origin information in Internet communications, or Bellovin's suggestion of occasionally automatically forwarding those data in a separate message.
If network providers and the IETF adopted IP traceback on their own, perhaps on the grounds that security justifications outweighed the harm to privacy and anonymity, that would be one thing.
But in the United States, a formal legal requirement to adopt IP traceback would run up against the First Amendment. A series of court cases, including the 1995 decision in McIntyre v. Ohio Elections Commission, provides a powerful shield protecting the right to remain anonymous. In that case, the majority ruled: "Under our Constitution, anonymous pamphleteering is not a pernicious, fraudulent practice, but an honorable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority."
More broadly, the ITU's own constitution talks about "ensuring the secrecy of international correspondence." And the Council of Europe's Declaration on Freedom of Communication on the Internet adopted in 2003 says nations "should respect the will of users of the Internet not to disclose their identity," while acknowledging law enforcement-related tracing is sometimes necessary.
"When NSA takes the lead on standard-setting, you have to ask yourself how much is about security and how much is about surveillance," said the Electronic Privacy Information Center's Rotenberg. "You would think (the ITU) would be a little more sensitive to spying on Internet users with the cooperation of the NSA and the Chinese government."
© 2008 CNET Networks, Inc., a CBS Company. All rights reserved.
Video and Galleries from CNET Tech News
-
Video
New Apple Laptop Redesign
-
Video
Scrabulous Shut Down
-
Video
Quick Tips: iPhone Mobile Me
They were imprisoned for the offense of saying / writing something in email or on web-based forums (which include blogs) with which the dictators and censors disagree. This might include statements none in the rest of the world finds offensive- the point being, PRC control over the internet in China is completely arbitrary and almost absolute.
Cisco and other US firms provide computer network switching equipment to the PRC to enable the dictators to track what Chinese citizens (and others in China) do on the internet, and it follows the PRC dictatorship would love to destroy the idea of anonymity on the internet, as well.
We in the rest of the world need to oppose such moves on the international forum. We must guard our internet freedoms (including anonymity) vigorously. Freedom of speech through internet communications is our shining hope that, no matter how many Chinas or North Koreas revert to totalitarianism, the idea of freedom not only will survive but thrive.
This proposal is frightening and pernicious.
Palin would never allow this!
Could be misused? COULD BE MISUSED? Who is he kidding? Of course it would be misused! It would be sooo misused to extents greater than one can easily imagine. Come on, has no one noticed the extent to which the Bush administration went to spy on its own citizens?
Posted by tburzio at 07:53 PM : Sep 12, 2008
-------------------
Are you kidding? She would love this. A way to keep track of everyone on her "enemies list". Good grief she is so Nixon.
HOW ABOUT IT LIBERALS..
Knowing where "fecesonyourfaces" lives
might test personal restraint.
-
by kkinderson
September 14, 2008 10:48 PM PDT
- It''s interesting that the NSA did not provide biographical details on their participant, Richard Brackney, because of their penchant for secrecy, yet you can already find loads of information on their representative online, and they want to reduce Internet privacy further. For a few dollars, and perhaps for free if one is clever enough, one can find Richard Brackney''s home address(es), address history, home phone number(s), birth date, criminal record (if any), whether he has any bankruptcies or liens, a list of relatives as well as a satellite picture of his home. I did not get the information, as I am not really interested in it, I am opposed to violating people''s privacy and I do not want the NSA knocking on or down my door. I am all for tracking down people who perpetrate crimes using the Internet, but in general we should be trying to increase Internet privacy, not decrease it. Also, as the article mentioned, the information could be used by repressive regimes, and repressive regimes are enemies of the U.S., Pakistan and China notwithstanding, and helping repressive regimes track down their enemies them maintain their rule.
-
Reply to this comment
-
See all 20 Comments