Location layer
By Dave Birch posted Sep 16 2008 at 9:14 AM[Dave Birch] I recently gave a talk about the using mobile phones as carriers of identity "cards", pointing out the kind of functionality that such an implementation could deliver into the hands of citizens and consumers. I'd used Neil McEvoy's "identity as utility" as the paradigm and demonstrated, I think, that the mobile phone is (for the time being) the most logical means to implement national-scale solutions. Caspar Bowden of Microsoft was in the audience and -- as I always genuinely appreciate -- asked me a couple of tough questions that I've been reflecting on. One of them concerned the relationship between security and privacy in an environment where the connection layer not only knows who the users are, but where they are at all times. This, Caspar reasoned, means that any implementation that tries to use privacy-enhancing technologies at a higher layer will necessarily be confounded, since trivial data matching in mobile phone records or ISP records will deliver an accurate record of both where you were and who you were talking to. This is, of course, correct. As Ben Laurie has so clearly pointed out, unless the connection layer is anonymous, nothing else matters. Uh oh...
A United Nations agency is quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous. The U.S. National Security Agency is also participating in the "IP Traceback" drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.
[From U.N. agency eyes curbs on Internet anonymity | Politics and Law - CNET News]
Shouldn't there be some kind of informed public debate about this kind of thing? (If you want to read up, start with the document that Robin Wilton pointed me to at the ITU.) This isn't a bit of irrelevant geekery on the margins of society, it's a fundamental issue, a fundamental bound on the development of communications.
There are a variety of technical solutions being investigated. Some of them -- such as requiring every router to keep a record of every packet that passes through it -- are clearly infeasible, but that's not the point. Ultimately...
..until there is something on the magnitude of a legal mandate, IP Traceback may never exist.
[From IP traceback - Wikipedia, the free encyclopedia]
Ultimately, this is not resolvable in our space. If the EU say that every e-mail, every phone call must be retained for two years (or whatever it is) then that's what will have to be implemented. If the ITU can persuade national governments to adopt their standards and mandate the implementation of IP-trackback, then that's what will have to be implemented.
Hard cases make bad law. While it is possible to imagine pathological cases -- of cyberwarfare or international terrorism -- whereby reliably knowing the source of packets would help law enforcement (and benefit us, as citizens) we have to be very careful not to lose more than we gain, accidentally making it easy for husbands to track down their ex-wives or for mobsters to track to down witnesses or for foreign governments to track down dissidents.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
Comments