U.N. agency eyes curbs on Internet anonymity

A United Nations agency is quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous.

The U.S. National Security Agency is also participating in the "IP Traceback" drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.

The potential for eroding Internet users' right to remain anonymous, which is protected by law in the United States and recognized in international law by groups such as the Council of Europe, has alarmed some technologists and privacy advocates. Also affected may be services such as the Tor anonymizing network.

"What's distressing is that it doesn't appear that there's been any real consideration of how this type of capability could be misused," said Marc Rotenberg, director of the Electronic Privacy Information Center in Washington, D.C. "That's really a human rights concern."

Nearly everyone agrees that there are, at least in some circumstances, legitimate security reasons to uncover the source of Internet communications. The most common justification for tracebacks is to counter distributed denial of service, or DDoS, attacks.

But implementation details are important, and governments participating in the process -- organized by the International Telecommunication Union, a U.N. agency -- may have their own agendas. A document submitted by China this spring and obtained by CNET News said the "IP traceback mechanism is required to be adapted to various network environments, such as different addressing (IPv4 and IPv6), different access methods (wire and wireless) and different access technologies (ADSL, cable, Ethernet) and etc." It adds: "To ensure traceability, essential information of the originator should be logged."

The Chinese author of the document, Huirong Tian, did not respond to repeated interview requests. Neither did Jiayong Chen of China's state-owned ZTE Corporation, the vice chairman of the Q6/17's parent group who suggested in an April 2007 meeting that it address IP traceback.

A second, apparently leaked ITU document offers surveillance and monitoring justifications that seem well-suited to repressive regimes:

Steve Bellovin

(Credit: Declan McCullagh/mccullagh.org)

A political opponent to a government publishes articles putting the government in an unfavorable light. The government, having a law against any opposition, tries to identify the source of the negative articles but the articles having been published via a proxy server, is unable to do so protecting the anonymity of the author.

That document was provided to Steve Bellovin, a well-known Columbia University computer scientist, Internet Engineering Steering Group member, and Internet Engineering Task Force participant who wrote a traceback proposal eight years ago. Bellovin says he received the ITU document as part of a ZIP file from someone he knows and trusts, and subsequently confirmed its authenticity through a second source. (An ITU representative disputed its authenticity but refused to make public the Q6/17 documents, including a ZIP file describing traceback requirements posted on the agency's password-protected Web site.)

Bellovin said in a blog post this week that "institutionalizing a means for governments to quash their opposition is in direct contravention" of the U.N.'s own Universal Declaration of Human Rights. He said that traceback is no longer that useful a concept, on the grounds that few attacks use spoofed addresses, there are too many sources in a DDoS attack to be useful, and the source computer inevitably would prove to be hacked into anyway.

Another technologist, Jacob Appelbaum, one of the developers of the Tor anonymity system, also was alarmed. "The technical nature of this 'feature' is such a beast that it cannot and will not see the light of day on the Internet," Appelbaum said. "If such a system was deployed, it would be heavily abused by precisely those people that it would supposedly trace. No blackhat would ever be caught by this."

Jacob Appelbaum

(Credit: Declan McCullagh/mccullagh.org)

Adding to speculation about where the U.N. agency is heading are indications that some members would like to curb Internet anonymity more broadly:

•  An ITU network security meeting a few years ago concluded that anonymity should not be permitted. The summary said: "Anonymity was considered as an important problem on the Internet (may lead to criminality). Privacy is required but we should make sure that it is provided by pseudonymity rather than anonymity."

•  A presentation in July from Korea's Heung-youl Youm said that groups such as the IETF should be "required to develop standards or guidelines" that could "facilitate tracing the source of an attacker including IP-level traceback, application-level traceback, user-level traceback." Another Korean proposal -- which has not been made public -- says all Internet providers "should have procedures to assist in the lawful traceback of security incidents."

•  An early ITU proposal from RAD Data Communications in Israel said: "Traceability means that all future networks should enable source trace-back, while accountability signifies the responsibility of account providers to demand some reasonable form of identification before granting access to network resources (similar to what banks do before opening a bank accounts)."

Multinational push to curb anonymous speech
By itself, of course, the U.N. has no power to impose Internet standards on anyone. But U.N. and ITU officials have been lobbying for more influence over the way the Internet is managed, most prominently through the World Summit on the Information Society in Tunisia and a followup series of meetings.

The official charter of the ITU's Q6/17 group says that it will work "in collaboration" with the IETF and the U.S. Computer Emergency Response Team Coordination Center, which could provide a path toward widespread adoption -- especially if national governments end up embracing the idea.

Patrick Bomgardner, the NSA's chief of public and media affairs, told CNET News on Thursday that "we have no information to provide on this issue." He would not say why the NSA was participating in the process (and whether it was trying to fulfill its intelligence-gathering mission or its other role of advancing information security).

Toby Johnson, a communications officer with the ITU's Telecommunication Standardization Bureau in Geneva, also refused to discuss Q6/17. "It may be difficult for experts to comment on what state deliberations are in for fear of prejudicing the outcome," he said in an e-mail message on Thursday.

U.N. "IP traceback" documents

China's proposal obtained by CNET News says "to ensure traceability, essential information of the originator should be logged."

Leaked requirements document says governments may need "to identify the source of the negative articles" posted by political adversaries.

Korean presentation says standards bodies should be "required to develop standards or guidelines" to facilitate unmasking users.

Verisign executive's summary summarizes presentation saying protocols must have "a strong traceback capability, and establishing traceback considerations in developing any new standards."

When asked about the impact on Internet anonymity, Johnson replied: "I am not fully acquainted with this topic and therefore not qualified to provide an answer." He said that he expects that any final ITU standard would comport with the U.N.'s Universal Declaration of Human Rights.

It's unclear what happens next. For one thing, the traceback proposal isn't scheduled to be finished until 2009, and one industry source stressed that not all members of Q6/17 are in favor of it. The five "editors" are: NSA's Richard Brackney; Tian Huirong from China's telecommunications ministry; Korea's Youm Heung-Youl; Cisco's Gregg Schudel; and Craig Schultz, who works for a Japan-based network security provider. (In keeping with the NSA's penchant for secrecy, Brackney was the lone ITU participant in a 2006 working group who failed to provide biographical information.)

In response to a question about the eventual result, Schultz, one of the editors, replied: "The long answer is, as you can probably imagine, this subject can get a little 'tense.' The main issue is the protection of privacy as well as not having to rely on 'policy' as part of a process. A secondary issue is feasibility and cost versus benefit." He said a final recommendation is at least a year off.

Another participant is Tony Rutkowski, Verisign's vice president for regulatory affairs and longtime ITU attendee, who wrote a three-page summary for IP traceback and a related concept called "International Caller-ID Capability."

In a series of e-mail messages, Rutkowski defended the creation of the IP traceback "work item" at a meeting in April, and disputed the legitimacy of the document posted by Bellovin. "The political motivation text was not part of any known ITU-T proposal and certainly not the one which I helped facilitate," he wrote.

Rutkowski added in a separate message: "In public networks, the capability of knowing the source of traffic has been built into protocols and administration since 1850! It's widely viewed as essential for settlements, network management, and infrastructure protection purposes. The motivations are the same here. The OSI Internet protocols (IPv5) had the capabilities built-in. The ARPA Internet left them out because the infrastructure was a private DOD infrastructure."

Because the Internet Protocol was not designed to be traceable, it's possible to spoof addresses -- both for legitimate reasons, such as sharing a single address on a home network, and for malicious ones as well. In the early part of the decade, a flurry of academic research focused on ways to perform IP tracebacks, perhaps by embedding origin information in Internet communications, or Bellovin's suggestion of occasionally automatically forwarding those data in a separate message.

If network providers and the IETF adopted IP traceback on their own, perhaps on the grounds that security justifications outweighed the harm to privacy and anonymity, that would be one thing.

But in the United States, a formal legal requirement to adopt IP traceback would run up against the First Amendment. A series of court cases, including the 1995 decision in McIntyre v. Ohio Elections Commission, provides a powerful shield protecting the right to remain anonymous. In that case, the majority ruled: "Under our Constitution, anonymous pamphleteering is not a pernicious, fraudulent practice, but an honorable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority."

More broadly, the ITU's own constitution talks about "ensuring the secrecy of international correspondence." And the Council of Europe's Declaration on Freedom of Communication on the Internet adopted in 2003 says nations "should respect the will of users of the Internet not to disclose their identity," while acknowledging law enforcement-related tracing is sometimes necessary.

"When NSA takes the lead on standard-setting, you have to ask yourself how much is about security and how much is about surveillance," said the Electronic Privacy Information Center's Rotenberg. "You would think (the ITU) would be a little more sensitive to spying on Internet users with the cooperation of the NSA and the Chinese government."

[inachu]

Just put legal notices about this future traceback protocol that the usage of this traceback program shall not be used to eliminate free speech or political dissent and that it will be used only for technical criminal matters such as spreading of malware,trojans,spyware. Hacking is not free speech.

[Lerianis]

Exactly. I have no problems using something like this for tracking criminal stuff (hackers, crackers, etc.) but I don't want it to be used to eliminate free speech, go after people who are looking at porn, or trying to quiet political dissent.

[Michael Grogan]

Do you really believe that 'legal notices' will be enough to dissuade the NSA or the Chinese gov from misusing this for spying and cracking down on dissidents? Did you just fall off the turnip truck this morning?

[DigitalFrog]

As noted, China has a law making it a criminal offense to criticize the govt. So restricting the use of traceback only to criminal matters is useless as it would then be dependent on a legal system controlled by the govts.

[blsith]

Something interesting - they aren't looking at other things that are done anonymously in the United States every day - death threats, attacks on individuals via disturbing pictures and pictures of sexual deviancy. If these trespasses are made on the PSTN, they can be traced and the person responsible can be held accountable. Cyber-stalking and related attacks are very personal in nature, and create victims.

I'm not one for wanting Big Brother to be breathing down my back, but there are way to many that look at the anonymity of the Internet as an excuse for miscreant behavior. Since we know human nature isn't to grow up, we need safeguards in place to help those that are trying to use the service for something more than a way to foster a miscreant inner 12-year old.

[inachu]

Then perhaps we should have a 2 tired internet? One for those who are guilty and innocent so both sides can be traced for historical purposes and the innocent and guilt free can remain on the untouchable untraceable old internet such as internet gamers and hospitals and universities and big media.

[Lerianis]

Foster a miscreant 12 year old? Get real, jackass. The fact is that if you are going on the internet, sooner or later if you have ANY, repeat, ANY IN BOLD things that are 'controversial' that you hold an opinion of that is against 'societies' or what they want you to believe that society has...... you are going to get harassed.
I get harassed every single day on the internet because of my opinion on 'child sexual abuse' (that it doesn't really exist). Do I whine about it? No, I just blow holes in the other person's argument, and if they degenerate to 'name-calling' or excessive profanity.... BLOCK!

[edwarddrexel]

If something can be abused, it will be. Didn't NSA's shenanigans with the US phone companies show that? And then immunity is granted to whoever broke the law at NSA's request. This suggests the thinking the KGB used when they took a print sample form every typewriter in the Soviet Union so that they could trace every anonymous pamphlet. And I'm sure the KGB sincerely said they did it to ensure national security and protect honest citizens from criminals and terrorists, too.

All NSA (or the Chinese security services, or ... Fox News?) needs to claim is "National Security" and they can pretty much do whatever they want, including silencing political opposition, without showing probable cause or bringing formal charges against whoever has a blog, forum posts, or online shopping records they want to get their hands on.

Eternal vigilance is indeed the price of freedom - but that might just mean carefully watching the people who claim be be protecting us more than giving them a free pass to spy on us.

[ghostofitpast]

I think we have to accept, as a premise, that any system can be both thwarted and abused. The question is whether the system is robust enough to withstand and/or compensate (punitively, if necessary) for abuse. We might wish to consider wiretapping as an instructive analogy. The technology is in place to allow for it, but by law the procedure may only be applied with court approval. It would be nice to imagine a situation in which such protocols could escalate to an international scale, particularly since an International Criminal Court is now in place. However, since the Bush Administration has made it a point of NOT ratifying United States participation in the international justice system, the whole institution has been seriously undercut. It is all very well and good to point at a country like China as a threat to Internet anonymity, but the last eight years have demonstrated that the greatest threats to Americans lie within their own borders.

[classicalduck]

Reply to ghostofpast's post of 9/12 at 7:20 a.m.: In other words, "Kill them all and let God sort it out later"?

[Dr_Zinj]

This capability represents a very real, grave threat to the life and liberty of people all over the world. It would permit any government to localize any person with whom it has a grevieance and allow them to send agents to seize or destroy property, intimidate, harm or kill said individuals. The People's Republic of China has agents in the U.S. and has no compunctions against using them for exactly this purpose. (The U.S. has done this (and probably still continues) with their rendition programs with people found by other methods.) I certainly don't want this in ANY government's hands.

The people pushing for this capability are a real and present danger to the life and liberty of everyone. THEY should be identified and stopped by ANY means possible.

[Lerianis]

You are exactly right. That is the fear that I have with this: that it will be used against people who have differing opinions from the 'majority' like pedosexual advocates, advocates for genocide victims, and people who are speaking out against China and other countries.

We do not need this. The next argument they are going to use is "We need this to track child pornographers!" No, they don't. Really, what they need to do: make child pornography legal and regulated, just like adult pornography, and move on! That would protect a BOATLOAD more children than our laws do right now from being forced into sex against their will.

[Dalkorian]

Lerianis, you have developed an uncanny knack for making the right argument for the wrong reasons. ;-)

I bet you already know I vehemently disagree with your views on sex with children, so we don't really need to go there again (and again and again - yet you might not realize how I'll defend your right to speak your mind despite my disagreement with it). But you're right in realizing that removing internet anonymity will only do harm by allowing a wide lane for government abuse against the citizens of the world.

Is it just me, or is it ironic that this seems to be supported by countries like China and our own NSA? Speaking of sex, who are we in bed with here anyway? Is this what we want our country to become?

[drfrost]

Lerianis, you could not be more wrong about pedophiles. You could try, but you would fail. And don't throw everyone against such behavior in the "religious zealot" bin. That's called "poisoning the well" and it's not going to work with most intelligent people. Those religious zealots would not eat their young. Does that mean eating your young is good? Of course not. You're attacking your opponents character because your argument doesn't stand on it's own. An argument should always stand or fail on its own merits. If Charles Manson was debating FOR the theory of relativity, that would not make it wrong. If the latest Nobel Peace prize winner were debating FOR the flat earth theory, that wouldn't make it right. The fact that you're resorting to misrepresentation of your opponents (who I assure you are NOT all religious zealots) and then attacking their character (sort of a combination of a straw man argument and poisoning the well) just shows you're lacking in the ability to defend your argument based on it's own merits, either because you're innately incapable or your argument has no merits.

As a sidenote, this country is ruled by the majority with "protection" for the minorities. Sex between adults and minors is ILLEGAL in this country. Don't do it.

If you want to argue against these laws, you have that right and you should not be punished for your opinions (though I personally cannot conceive of anything more apparently evil). If, however, you act on your beliefs and engage in this activity, you should be put in jail... indefinitely in my opinion.

As far as anonymity goes, I think the internet backbone should ENSURE our privacy. In this country the principal used to be "We'd rather 10 guilty people go free than imprison one innocent man." Now the principal is "One person out of a million MIGHT be a terrorist so we're going to put EVERYONE in chains JUST IN CASE." If the government was to trace a signal, they'll have to get a court order and THEN do it real time.... there should be no way to trace "yesterdays" content, but there should be a way to trace "todays" with a court order in hand.

My 2 cents...

[ifoster]

Sort of ironic, after generations of democratic countries concerned with China's closed society and trying to get them to open up, China champions openness of the internet. LOL

[spkrman6]

This story needs to be spread far and wide, it poses a very real threat to our privacy, protection from unreasonable limits on our freedom, and our constitutional rights. Anyone who believes we can trust our government, much less an international body like the UN, to protect our rights, has not been paying much attention lately. Voices of political dissent will be the first thing targeted by this legislation, the internet has provided the only means for alternative viewpoints which are sorely lacking in the mainstream media. This is just one step to silence anyone who is telling the truth about government.

[humanssssss]

To let any governing body impose the limit of free speech is detrimental to a thriving and free flowing of ideas society. Harassment, cyber-stalking, threats, etc are speech that should be protected under freedom of speech. Shall any person who doesn't like the speech that is coming in his/her email, IM, any vehicle of communication, it is reasonable for this person to block or ignore or set a price to be paid for it to be seen. Having the government to control my thoughts is very dangerous and remind me of 1984. The more the government controls the people, the days of tyranny will come, and all freedom we have worked so hard will be lost. Freedom is constantly being attack by few people in power to control the people.

[caitlin56]

There's no problem with anonymous posting, as long as it is clearly labeled
as being from an anonymous source.

The real problem with spam is that it claims to be from somebody else,
interfering with your ability to sort the incoming mail. An IP traceback that
worked unless explicitly blocked would be fine.

Having an option for anonymous messages should not be a problem
for most people, since most people have no need to receive anonymous
messages. They would not help DoS attackers or spammers.

[IKE:)]

What is the UN? A club of 80% of the worlds most repressive, corrupt regimes, Using every measure to stay in power. Welcome 1984...
The internet is the single most democratic invention in the history of man. Do we want repressive governments to use this to repress and control more? The Chinese government has far more worries than the control of the internet to take car of. The WWW in China is already abused and controlled far beyond the law. It is used to track down people visiting web pages which are not "allowed", using rubberband law to incriminate and imprison people who do nothing more than being critical.
We cannot have a controlled Internet, never!.

[fitnessforyoutoo]

All this does is take away peoples rights. Any hacker can steal a laptop and borrow an unsecured wireless connection and he is in business and he will be totally untraceable.

[IKE:)]

What is the UN? A club of 80% of the worlds most repressive, corrupt regimes, Using every measure to stay in power. Welcome 1984...
The internet is the single most democratic invention in the history of man. Do we want repressive governments to use this to repress and control more? The Sino government has far more worries than the control of the internet to take care of. The WWW in China is already abused and controlled far beyond the law. It is used to track down people visiting web pages which are not "allowed", using rubberband law to incriminate and imprison people who do nothing more than being critical.
We cannot have a controlled Internet, never!.
Those comments here which suggest to "just build some provisions" into the "so-called technical standards" are extremely naive. Governments everywhere are abusing human rights and the www FAR MORE and FAR MORE OFTEN than those few perpetrators using the internet for their intentions.
The implications of Q6/17 should worry every freedom loving person, everywhere. They are Astronomical, a vicious circle.

[ozidigga]

China are nothing less than a becon for human rights abuse and want to control all mechanisms of media. The olympics has simply given China more credability in the right for abuse of power, and now it's over they will show some teeth.

[ralfthedog]

I don't see how this could work. Are they planning to pass laws in every country requiring anonymous proxy servers and re-mailers to embed some hash into every message that identifies the source? Are they planning to do away with anonymous proxy servers? How about freenet?

This sounds like wishful thinking on several governments parts. It would be far too hard to implement and far to easy to get around.

[shava23]

Actually, what they will do is arrest the operators of the proxies, if they do not log every packet that goes through their service. This is called "data retention," and makes anonymous internet impossible, if fully enforced. Already, we've seen arrests of proxy operators in such civilized places as Germany, where contradictory laws are duking it out in the courts. One side considers privacy to be a consumer advocacy issue (as well as privacy) and the other wants three months of records of everything saved for Interpol.

Internet anonymity is tantamount to caller-id blocking on your phone. Yes, these things can be used to mask abuse -- most tools are subject to abuse if they are worth anything -- but the benefits far outweigh the costs, IMO

On top of the privacy issues, consider what a honeypot three months of non-anonymized unencrypted records of personally identifying information will be to crackers bent on identity theft. A nearly certain side effect of such laws is to consolidate internet providers to only those who can afford a heightened "arms race" with hungry malicious data-theives, and prices for access will go up for all of us.

Anonymity is used by many people including journalists, human rights workers, labor organizers, health information agencies, and even law enforcement for totally legitimate purposes -- and even many ordinary folks who don't want web-bugs tracing their internet habits for marketing/spammers.

The fact is either everyone can be anonymous or no one can. So what is the cost to society of the chilling effect of never allowing an anonymous voice of dissent, a brave but sane organizer, a journalist in a state in civil unrest with government owned telcoms, or a human rights worker in a repressive country? What is the cost of denying access to anonymity to those seeking medical, mental health, or victim support services online?

I read someone commenting that deviants use anonymity. Let me assure you, there are probably millions of people using anonymity to seek support for alcoholism, for abuse recovery or planning to escape abusive situations, or for support around issues they might not feel comfortable being traced to -- for example, a prominent professional seeking support to break with a sexual or drug addiction. Many of these people are easily discouraged -- the malicious folks are not so easily deterred. People who have a compulsion or profit motive will find a way around any system, but the people who just have simple legitimate needs will perhaps be left behind.

It's sad that almost any creative tool can be abused. We don't say that the mails can be slit because we want to deter content that can be passed through the mails maliciously or illegally, without cause. Most countries don't allow surveillance without cause of telecoms like the phone systems (sorry US), or cameras on street corners (sorry UK). The reasons are that in most places, we value freedom and we also don't care for our tax dollars to be going into making sure our neighbors aren't using any bad words or whatnot.

If you want to see what pervasive surveillance does to a society, look up the history of the Stasi, who kept files on fully 1/3 of the east German population, and used telecoms, neighbors, and random entry to try to enforce good behavior. What they accomplished was demoralization and a greatly eroded social contract.

Think beyond the obvious benefits of catching bad guys. The cost of eliminating anonymity is too high.

Shava Nerad
former executive director, The Tor Project
(not speaking for Tor)

[Earl Benzar]

China huh? I'm not surprised. Implementing this idea would indeed be a totalitarian step.

[panthecat]

The first sentence should be a red flag, as it only has to mention the Chinese Communists (ChiComs), which should immediately bring to mind massive human rights violations. Remember Tiananman Square, which is something the ChiComs want everybody to forget.

[brentpieczynski]

That reason why these protocols need to be formalized for tracking people, is so they can grow large-enough to become difficult to manage. Every protocol after it grows more complex than it is worth, will be shaped by a committee, which will find ways to attack all of those people, which complain about items becoming, less usable.

[nicki73]

I CANT BELIEVE THIS IS EVEN NEWS! DO YOU KNOW HOW LONG IT TAKES A PERSON TO GET-ON-THE-RADAR AND BE AN UNKNOWN? ANY NETWORK THAT PROTECTS MY DIGITAL COMMUNICATIONS IS A NETWORK CREATED FOR A REASON. IT IS MY RIGHT TO RE-MAIN UNKNOWN, SUBMIT FACTUAL INFORMATION HAVE IT EDITED, FILTERED AND USED. USED REAL-TIME IN ANY AREA OF WORLDY EVENTS. EVEN IF I CHOOSE TO TELL A STORY OF MY CHILDHOOD FOR PBS'S INSPIRATION FOR A CARTOON...THAT IS MY CHOICE TO DO SO AND RE-MAIN UNKNOWN. DIGITAL PHONE, INTERNET, TV...NO WAY NOBODY CAN TUNE-IN ON ME AND POLL WITHOUT MY SAYSO! REALLY WHAT ARE THEY THINKING?

[jjjooooooooooooom]

I can't see this working in practice. We already can "trace" machines to a degree given certain assumptions. The problem is these assumptions are often wrong. It would be impossible to associate every packet with an individual. We already can trace to some degree- but isn't reliable and we shouldn't be doing it in even the most horrendous of cases. It doesn't work well enough to use as evidence or even probable cause. Misled governments use it as probable cause all the time and we even get convictions almost solely based up on this information. It is a sad state of affairs. Besides how easy it is to forge an IP addresses the wide variety of devices that connect by means of parties where it isn't cost effective to verify identity makes it impractical. Are you going to show McDonals your're passport before they let you connect? Well, if you do I'm just going to use the IP address you were issued since it is easier than giving them credentials. Even if this was required do you really think a McDonalds employee is going to care enough to check? You can't even get employees to verify credit card signatures (even those that look don't compare the signatures- it isn't reliable anyway). Try getting this done in countries like Russia, Africa, and the United States or anywhere that doesn't have either the resources to police it or being impractical due to the technological prevalence of cheap and easy access.

[hassan_bin_sober]

The big glass BLACK BOX at Ft. Meade. There's an old saying.
"People who live in glass houses shouldn't throw stones"

[hassan_bin_sober]

Some people throw airplanes!