U.N. agency eyes curbs on Internet anonymity

Mon Sep 15 07:39:44 PDT 2008

http://news.cnet.com/8301-13578_3-10040152-38.html

September 12, 2008 4:00 AM PDT

Posted by Declan McCullagh

A United Nations agency is quietly drafting technical standards, proposed by
the Chinese government, to define methods of tracing the original source of
Internet communications and potentially curbing the ability of users to
remain anonymous.

The U.S. National Security Agency is also participating in the "IP Traceback"
drafting group, named Q6/17, which is meeting next week in Geneva to work on
the traceback proposal. Members of Q6/17 have declined to release key
documents, and meetings are closed to the public.

The potential for eroding Internet users' right to remain anonymous, which is
protected by law in the United States and recognized in international law by
groups such as the Council of Europe, has alarmed some technologists and
privacy advocates. Also affected may be services such as the Tor anonymizing
network.

"What's distressing is that it doesn't appear that there's been any real
consideration of how this type of capability could be misused," said Marc
Rotenberg, director of the Electronic Privacy Information Center in
Washington, D.C. "That's really a human rights concern."

Nearly everyone agrees that there are, at least in some circumstances,
legitimate security reasons to uncover the source of Internet communications.
The most common justification for tracebacks is to counter distributed denial
of service, or DDoS, attacks.

But implementation details are important, and governments participating in
the process -- organized by the International Telecommunication Union, a U.N.
agency -- may have their own agendas. A document submitted by China this
spring and obtained by CNET News said the "IP traceback mechanism is required
to be adapted to various network environments, such as different addressing
(IPv4 and IPv6), different access methods (wire and wireless) and different
access technologies (ADSL, cable, Ethernet) and etc." It adds: "To ensure
traceability, essential information of the originator should be logged."

The Chinese author of the document, Huirong Tian, did not respond to repeated
interview requests. Neither did Jiayong Chen of China's state-owned ZTE
Corporation, the vice chairman of the Q6/17's parent group who suggested in
an April 2007 meeting that it address IP traceback.

A second, apparently leaked ITU document offers surveillance and monitoring
justifications that seem well-suited to repressive regimes:

Steve Bellovin (Credit: Declan McCullagh/mccullagh.org)

    A political opponent to a government publishes articles putting the
government in an unfavorable light. The government, having a law against any
opposition, tries to identify the source of the negative articles but the
articles having been published via a proxy server, is unable to do so
protecting the anonymity of the author.

That document was provided to Steve Bellovin, a well-known Columbia
University computer scientist, Internet Engineering Steering Group member,
and Internet Engineering Task Force participant who wrote a traceback
proposal eight years ago. Bellovin says he received the ITU document as part
of a ZIP file from someone he knows and trusts, and subsequently confirmed
its authenticity through a second source. (An ITU representative disputed its
authenticity but refused to make public the Q6/17 documents, including a ZIP
file describing traceback requirements posted on the agency's
password-protected Web site.)

Bellovin said in a blog post this week that "institutionalizing a means for
governments to quash their opposition is in direct contravention" of the
U.N.'s own Universal Declaration of Human Rights. He said that traceback is
no longer that useful a concept, on the grounds that few attacks use spoofed
addresses, there are too many sources in a DDoS attack to be useful, and the
source computer inevitably would prove to be hacked into anyway.

Another technologist, Jacob Appelbaum, one of the developers of the Tor
anonymity system, also was alarmed. "The technical nature of this 'feature'
is such a beast that it cannot and will not see the light of day on the
Internet," Appelbaum said. "If such a system was deployed, it would be
heavily abused by precisely those people that it would supposedly trace. No
blackhat would ever be caught by this."

Jacob Appelbaum (Credit: Declan McCullagh/mccullagh.org)

Adding to speculation about where the U.N. agency is heading are indications
that some members would like to curb Internet anonymity more broadly:

b"  An ITU network security meeting a few years ago concluded that anonymity
should not be permitted. The summary said: "Anonymity was considered as an
important problem on the Internet (may lead to criminality). Privacy is
required but we should make sure that it is provided by pseudonymity rather
than anonymity."

b"  A presentation in July from Korea's Heung-youl Youm said that groups such
as the IETF should be "required to develop standards or guidelines" that
could "facilitate tracing the source of an attacker including IP-level
traceback, application-level traceback, user-level traceback." Another Korean
proposal -- which has not been made public -- says all Internet providers
"should have procedures to assist in the lawful traceback of security
incidents."

b"  An early ITU proposal from RAD Data Communications in Israel said:
"Traceability means that all future networks should enable source trace-back,
while accountability signifies the responsibility of account providers to
demand some reasonable form of identification before granting access to
network resources (similar to what banks do before opening a bank accounts)."

Multinational push to curb anonymous speech

By itself, of course, the U.N. has no power to impose Internet standards on
anyone. But U.N. and ITU officials have been lobbying for more influence over
the way the Internet is managed, most prominently through the World Summit on
the Information Society in Tunisia and a followup series of meetings.

The official charter of the ITU's Q6/17 group says that it will work "in
collaboration" with the IETF and the U.S. Computer Emergency Response Team
Coordination Center, which could provide a path toward widespread adoption --
especially if national governments end up embracing the idea.

Patrick Bomgardner, the NSA's chief of public and media affairs, told CNET
News on Thursday that "we have no information to provide on this issue." He
would not say why the NSA was participating in the process (and whether it
was trying to fulfill its intelligence-gathering mission or its other role of
advancing information security).

Toby Johnson, a communications officer with the ITU's Telecommunication
Standardization Bureau in Geneva, also refused to discuss Q6/17. "It may be
difficult for experts to comment on what state deliberations are in for fear
of prejudicing the outcome," he said in an e-mail message on Thursday.  U.N.
"IP traceback" documents

China's proposal obtained by CNET News says "to ensure traceability,
essential information of the originator should be logged."

Leaked requirements document says governments may need "to identify the
source of the negative articles" posted by political adversaries.

Korean presentation says standards bodies should be "required to develop
standards or guidelines" to facilitate unmasking users.

Verisign executive's summary summarizes presentation saying protocols must
have "a strong traceback capability, and establishing traceback
considerations in developing any new standards."

When asked about the impact on Internet anonymity, Johnson replied: "I am not
fully acquainted with this topic and therefore not qualified to provide an
answer." He said that he expects that any final ITU standard would comport
with the U.N.'s Universal Declaration of Human Rights.

It's unclear what happens next. For one thing, the traceback proposal isn't
scheduled to be finished until 2009, and one industry source stressed that
not all members of Q6/17 are in favor of it. The five "editors" are: NSA's
Richard Brackney; Tian Huirong from China's telecommunications ministry;
Korea's Youm Heung-Youl; Cisco's Gregg Schudel; and Craig Schultz, who works
for a Japan-based network security provider. (In keeping with the NSA's
penchant for secrecy, Brackney was the lone ITU participant in a 2006 working
group who failed to provide biographical information.)

In response to a question about the eventual result, Schultz, one of the
editors, replied: "The long answer is, as you can probably imagine, this
subject can get a little 'tense.' The main issue is the protection of privacy
as well as not having to rely on 'policy' as part of a process. A secondary
issue is feasibility and cost versus benefit." He said a final recommendation
is at least a year off.

Another participant is Tony Rutkowski, Verisign's vice president for
regulatory affairs and longtime ITU attendee, who wrote a three-page summary
for IP traceback and a related concept called "International Caller-ID
Capability."

In a series of e-mail messages, Rutkowski defended the creation of the IP
traceback "work item" at a meeting in April, and disputed the legitimacy of
the document posted by Bellovin. "The political motivation text was not part
of any known ITU-T proposal and certainly not the one which I helped
facilitate," he wrote.

Rutkowski added in a separate message: "In public networks, the capability of
knowing the source of traffic has been built into protocols and
administration since 1850! It's widely viewed as essential for settlements,
network management, and infrastructure protection purposes. The motivations
are the same here. The OSI Internet protocols (IPv5) had the capabilities
built-in. The ARPA Internet left them out because the infrastructure was a
private DOD infrastructure."

Because the Internet Protocol was not designed to be traceable, it's possible
to spoof addresses -- both for legitimate reasons, such as sharing a single
address on a home network, and for malicious ones as well. In the early part
of the decade, a flurry of academic research focused on ways to perform IP
tracebacks, perhaps by embedding origin information in Internet
communications, or Bellovin's suggestion of occasionally automatically
forwarding those data in a separate message.

If network providers and and the IETF adopted IP traceback on their own,
perhaps on the grounds that security justifications outweighed the harm to
privacy and anonymity, that would be one thing.

But in the United States, a formal legal requirement to adopt IP traceback
would run up against the First Amendment. A series of court cases, including
the 1995 decision in McIntyre v. Ohio Elections Commission, provides a
powerful shield protecting the right to remain anonymous. In that case, the
majority ruled: "Under our Constitution, anonymous pamphleteering is not a
pernicious, fraudulent practice, but an honorable tradition of advocacy and
of dissent. Anonymity is a shield from the tyranny of the majority."

More broadly, the ITU's own constitution talks about "ensuring the secrecy of
international correspondence." And the Council of Europe's Declaration on
Freedom of Communication on the Internet adopted in 2003 says nations "should
respect the will of users of the Internet not to disclose their identity,"
while acknowledging law enforcement-related tracing is sometimes necessary.

"When NSA takes the lead on standard-setting, you have to ask yourself how
much is about security and how much is about surveillance," said the
Electronic Privacy Information Center's Rotenberg. "You would think (the ITU)
would be a little more sensitive to spying on Internet users with the
cooperation of the NSA and the Chinese government." 