Recent reports suggest that the International Telecommunication Union (ITU), a United Nations agency, is "quietly drafting technical standards, proposed by the Chinese government," aimed at preventing Internet attacks which could also put an end to anonymity on the Internet.
At an up coming ITU meeting in Geneva next week, telecommunication experts will be discussing draft recommendation of "IP Traceback" use case and requirements, looking at ways to identify the source of packets sent across IP (Internet Protocol) networks.
Also posted on Dave Farber's public mailing list, Declan McCullagh has shared some additional findings as a result of speaking to various people involved at ITU and while preparing to write his article:
- The ITU's Q6/17 group is meeting next week in Geneva with an eye to having a final document finished sometime in 2009 (though one editor told me it might take longer). The proceedings are not open to the public — I applied to attend and was rejected — and relatively few documents are public.
- China's proposal submitted in April says the "IP traceback mechanism is required to be adapted to various network environments, such as different addressing (IPv4 and IPv6), different access methods (wire and wireless) and different access technologies (ADSL, cable, Ethernet) and etc." It adds: "To ensure traceability, essential information of the originator should be logged."
- An ITU network security meeting a few years ago concluded that anonymity should not be permitted. The summary said: "Anonymity was considered as an important problem on the Internet (may lead to criminality). Privacy is required but we should make sure that it is provided by pseudonymity rather than anonymity."
- An ITU presentation in July from Korea said that groups such as the IETF should be "required to develop standards or guidelines" that could "facilitate tracing the source of an attacker including IP-level traceback, application-level traceback, user-level traceback." Another Korean proposal — which has not been made public — says all Internet providers "should have procedures to assist in the lawful traceback of security incidents."
Read full story: CNET News
Related topics: Cyberattack, Cybercrime, Internet Governance, Privacy
Comments
You can (and sometimes should) trace bad actions to a source computer, but that doesn't actually prove anything. Given the sophistication of virus and botnet authors, and the relative weakness of consumer operating systems and application platforms to attack, people can't actually be held accountable for what happens on the computers they own or use.
You and your computer are separate entities. Even your cellphone, once thought to be as personal a computer as you can get, is a full-fledged consumer OS running third-party applications downloaded from the 'net.
Any actual policy or law based on removing anonymity from the Internet has to address the fact that there is no way, beyond circumstantial evidence, to "trace back" the actions of a computer to a particular human operator. Anything can be scripted, and no operator has perfect knowledge of what's happening in software.