Wednesday, October 1, 2008

If this is true, we won't be able to hide.

BY: Jeff Levy

A United Nations agency is quietly drafting technical standards, proposed by non other than the Chinese government, to define methods of tracing the original source of Internet communications, potentially curbing the ability of users to remain anonymous.

The U.S. National Security Agency is also participating in the "IP Traceback" drafting group, named Q6/17. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.

The potential for eroding your rights to remain anonymous on the Internet, which is, by the way, protected by law in the United States and recognized in international law by groups such as the Council of Europe, is setting off alarms for some technologists and privacy advocates.

What's really distressing here is that it doesn't look like there has been any real consideration of how this type of capability could be misused.

Most of us agree that there are, at least in some circumstances, legitimate security reasons to uncover the source of Internet communications. The most common justification for tracebacks is to counter distributed denial of service, or DDoS, attacks.

But implementation details are important, and governments participating in the process -- organized by the International Telecommunication Union, a U.N. agency -- may have their own agendas. A document recently submitted by China said the "IP traceback mechanism is required to be adapted to various network environments, such as different addressing (IPv4 and IPv6), different access methods (wire and wireless) and different access technologies (ADSL, cable, Ethernet. To ensure traceability, essential information of the originator should be logged."

Another document to be considered by this traceback group holds that if a political opponent to a government publishes articles putting the government in an unfavorable light, the government, having a law against any opposition, will try to identify the source of the negative articles but because the articles were published using a proxy server, can’t do so, thereby protecting the anonymity of the author.

So it looks like we have the same old my rights to privacy” vs. “we need to find the bad guys. On a personal note, I wouldn’t ever support this kind of tracing – Currently we here in the U.S. have methods by which law enforce can and does find individuals on the Net. We just don’t need any more legislation designed to make us more visible to prying eyes.