[governance] ITU work on IP traceback

Tue Sep 16 10:10:22 EDT 2008

Here are some more sources of information about the development of the
standard directly from the ITU

Note two things: 1) this is real. 2) the impetus for it cannot be blamed
entirely on China, as some journalists imply, the US Defense Dept and
Cisco and VeriSign are also involved. 

http://www.itu.int/osg/csd/cybersecurity/WSIS/3rd_meeting_docs/Rutkowski
_IPtraceback_callerID_rev0.pdf

http://www.itu.int/md/meetingdoc.asp?lang=en&parent=T05-SG17-070416-TD&q
uestion=Q6/17

--Milton Mueller

________________________________

From: expression-bounces at ipjustice.org
[mailto:expression-bounces at ipjustice.org] On Behalf Of Robin Gross
Sent: Friday, September 12, 2008 3:53 PM
To: expression at ipjustice.org
Cc: Laura DeNardis; Nick Dearden; nicholas.dearden at amnesty.org
Subject: [Expression] Fwd: [oni] U.N. agency eyes curbs on Internet
anonymity

Colleagues,

Below is a concerning story about the ITU and the NSA working together
to dismantle Internet anonymity via technical standards despite the
well-recognized right to anonymous speech in international treaties and
national constitutions. 

I'd like to see this Free Expression Dynamic Coalition explore this
issue further in Hyderabad.

Has anyone else heard about this initiative or have any information
about it? Can this report be confirmed?

Thanks,

Robin

	---------- Forwarded Message ---------

	Subject: [oni] U.N. agency eyes curbs on Internet anonymity

	Date: Friday, 12 September 2008

	From: Rafal Rohozinski <rafal at cambridgesecurity.net>

	To: "oni at eon.law.harvard.edu Initiative" <
oni at eon.law.harvard.edu>

	September 12, 2008 4:00 AM PDT

	U.N. agency eyes curbs on Internet anonymity

	Posted by Declan McCullagh

	A United Nations agency is quietly drafting technical standards,

	proposed by the Chinese government, to define methods of tracing
the 

	original source of Internet communications and potentially
curbing the 

	ability of users to remain anonymous.

	The U.S. National Security Agency is also participating in the
"IP 

	Traceback" drafting group, named Q6/17, which is meeting next
week in 

	Geneva to work on the traceback proposal. Members of Q6/17 have 

	declined to release key documents, and meetings are closed to
the 

	public.

	The potential for eroding Internet users' right to remain
anonymous, 

	which is protected by law in the United States and recognized in

	international law by groups such as the Council of Europe, has
alarmed 

	some technologists and privacy advocates. Also affected may be 

	services such as the Tor anonymizing network.

	"What's distressing is that it doesn't appear that there's been
any 

	real consideration of how this type of capability could be
misused," 

	said Marc Rotenberg, director of the Electronic Privacy
Information 

	Center in Washington, D.C. "That's really a human rights
concern."

	Nearly everyone agrees that there are, at least in some
circumstances, 

	legitimate security reasons to uncover the source of Internet 

	communications. The most common justification for tracebacks is
to 

	counter distributed denial of service, or DDoS, attacks.

	But implementation details are important, and governments 

	participating in the process -- organized by the International 

	Telecommunication Union, a U.N. agency -- may have their own
agendas. 

	A document submitted by China this spring and obtained by CNET
News 

	said the "IP traceback mechanism is required to be adapted to
various 

	network environments, such as different addressing (IPv4 and
IPv6), 

	different access methods (wire and wireless) and different
access 

	technologies (ADSL, cable, Ethernet) and etc." It adds: "To
ensure 

	traceability, essential information of the originator should be
logged."

	The Chinese author of the document, Huirong Tian, did not
respond to 

	repeated interview requests. Neither did Jiayong Chen of China's
state-

	owned ZTE Corporation, the vice chairman of the Q6/17's parent
group 

	who suggested in an April 2007 meeting that it address IP
traceback.

	A second, apparently leaked ITU document offers surveillance and

	monitoring justifications that seem well-suited to repressive
regimes:

	Steve Bellovin

	(Credit: Declan McCullagh/mccullagh.org)

	A political opponent to a government publishes articles putting
the 

	government in an unfavorable light. The government, having a law

	against any opposition, tries to identify the source of the
negative 

	articles but the articles having been published via a proxy
server, is 

	unable to do so protecting the anonymity of the author.

	That document was provided to Steve Bellovin, a well-known
Columbia 

	University computer scientist, Internet Engineering Steering
Group 

	member, and Internet Engineering Task Force participant who
wrote a 

	traceback proposal eight years ago. Bellovin says he received
the ITU 

	document as part of a ZIP file from someone he knows and trusts,
and 

	subsequently confirmed its authenticity through a second source.
(An 

	ITU representative disputed its authenticity but refused to make

	public the Q6/17 documents, including a ZIP file describing
traceback 

	requirements posted on the agency's password-protected Web
site.)

	Bellovin said in a blog post this week that "institutionalizing
a 

	means for governments to quash their opposition is in direct 

	contravention" of the U.N.'s own Universal Declaration of Human 

	Rights. He said that traceback is no longer that useful a
concept, on 

	the grounds that few attacks use spoofed addresses, there are
too many 

	sources in a DDoS attack to be useful, and the source computer 

	inevitably would prove to be hacked into anyway.

	Another technologist, Jacob Appelbaum, one of the developers of
the 

	Tor anonymity system, also was alarmed. "The technical nature of
this 

	'feature' is such a beast that it cannot and will not see the
light of 

	day on the Internet," Appelbaum said. "If such a system was
deployed, 

	it would be heavily abused by precisely those people that it
would 

	supposedly trace. No blackhat would ever be caught by this."

	Jacob Appelbaum

	(Credit: Declan McCullagh/mccullagh.org)

	Adding to speculation about where the U.N. agency is heading are

	indications that some members would like to curb Internet
anonymity 

	more broadly:

	An ITU network security meeting a few years ago concluded that 

	anonymity should not be permitted. The summary said: "Anonymity
was 

	considered as an important problem on the Internet (may lead to 

	criminality). Privacy is required but we should make sure that
it is 

	provided by pseudonymity rather than anonymity."

	A presentation in July from Korea's Heung-youl Youm said that 

	groups such as the IETF should be "required to develop standards
or 

	guidelines" that could "facilitate tracing the source of an
attacker 

	including IP-level traceback, application-level traceback,
user-level 

	traceback." Another Korean proposal -- which has not been made
public 

	-- says all Internet providers "should have procedures to assist
in 

	the lawful traceback of security incidents."

	An early ITU proposal from RAD Data Communications in Israel
said: 

	"Traceability means that all future networks should enable
source 

	trace-back, while accountability signifies the responsibility of

	account providers to demand some reasonable form of
identification 

	before granting access to network resources (similar to what
banks do 

	before opening a bank accounts)."

	Multinational push to curb anonymous speech

	By itself, of course, the U.N. has no power to impose Internet 

	standards on anyone. But U.N. and ITU officials have been
lobbying for 

	more influence over the way the Internet is managed, most
prominently 

	through the World Summit on the Information Society in Tunisia
and a 

	followup series of meetings.

	The official charter of the ITU's Q6/17 group says that it will
work 

	"in collaboration" with the IETF and the U.S. Computer Emergency

	Response Team Coordination Center, which could provide a path
toward 

	widespread adoption -- especially if national governments end up

	embracing the idea.

	Patrick Bomgardner, the NSA's chief of public and media affairs,
told 

	CNET News on Thursday that "we have no information to provide on
this 

	issue." He would not say why the NSA was participating in the
process 

	(and whether it was trying to fulfill its intelligence-gathering

	mission or its other role of advancing information security).

	Toby Johnson, a communications officer with the ITU's 

	Telecommunication Standardization Bureau in Geneva, also refused
to 

	discuss Q6/17. "It may be difficult for experts to comment on
what 

	state deliberations are in for fear of prejudicing the outcome,"
he 

	said in an e-mail message on Thursday.

	U.N. "IP traceback" documents

	China's proposal obtained by CNET News says "to ensure
traceability, 

	essential information of the originator should be logged."

	Leaked requirements document says governments may need "to
identify 

	the source of the negative articles" posted by political
adversaries.

	Korean presentation says standards bodies should be "required to

	develop standards or guidelines" to facilitate unmasking users.

	Verisign executive's summarysummarizes presentation saying
protocols 

	must have "a strong traceback capability, and establishing
traceback 

	considerations in developing any new standards."

	When asked about the impact on Internet anonymity, Johnson
replied: "I 

	am not fully acquainted with this topic and therefore not
qualified to 

	provide an answer." He said that he expects that any final ITU 

	standard would comport with the U.N.'s Universal Declaration of
Human 

	Rights.

	It's unclear what happens next. For one thing, the traceback
proposal 

	isn't scheduled to be finished until 2009, and one industry
source 

	stressed that not all members of Q6/17 are in favor of it. The
five 

	"editors" are: NSA's Richard Brackney; Tian Huirong from China's

	telecommunications ministry; Korea's Youm Heung-Youl; Cisco's
Gregg 

	Schudel; and Craig Schultz, who works for a Japan-based network 

	security provider. (In keeping with the NSA's penchant for
secrecy, 

	Brackney was the lone ITU participant in a 2006 working group
who 

	failed to provide biographical information.)

	In response to a question about the eventual result, Schultz,
one of 

	the editors, replied: "The long answer is, as you can probably 

	imagine, this subject can get a little 'tense.' The main issue
is the 

	protection of privacy as well as not having to rely on 'policy'
as 

	part of a process. A secondary issue is feasibility and cost
versus 

	benefit." He said a final recommendation is at least a year off.

	Another participant is Tony Rutkowski, Verisign's vice president
for 

	regulatory affairs and longtime ITU attendee, who wrote a
three-page 

	summary for IP traceback and a related concept called
"International 

	Caller-ID Capability."

	In a series of e-mail messages, Rutkowski defended the creation
of the 

	IP traceback "work item" at a meeting in April, and disputed the

	legitimacy of the document posted by Bellovin. "The political 

	motivation text was not part of any known ITU-T proposal and
certainly 

	not the one which I helped facilitate," he wrote.

	Rutkowski added in a separate message: "In public networks, the 

	capability of knowing the source of traffic has been built into 

	protocols and administration since 1850! It's widely viewed as 

	essential for settlements, network management, and
infrastructure 

	protection purposes. The motivations are the same here. The OSI 

	Internet protocols (IPv5) had the capabilities built-in. The
ARPA 

	Internet left them out because the infrastructure was a private
DOD 

	infrastructure."

	Because the Internet Protocol was not designed to be traceable,
it's 

	possible to spoof addresses -- both for legitimate reasons, such
as 

	sharing a single address on a home network, and for malicious
ones as 

	well. In the early part of the decade, a flurry of academic
research 

	focused on ways to perform IP tracebacks, perhaps byembedding
origin 

	information in Internet communications, or Bellovin's suggestion
of 

	occasionally automatically forwarding those data in a separate
message.

	If network providers and the IETF adopted IP traceback on their
own, 

	perhaps on the grounds that security justifications outweighed
the 

	harm to privacy and anonymity, that would be one thing.

	But in the United States, a formal legal requirement to adopt IP

	traceback would run up against the First Amendment. A series of
court 

	cases, including the 1995 decision in McIntyre v. Ohio Elections

	Commission, provides a powerful shield protecting the right to
remain 

	anonymous. In that case, the majority ruled: "Under our
Constitution, 

	anonymous pamphleteering is not a pernicious, fraudulent
practice, but 

	an honorable tradition of advocacy and of dissent. Anonymity is
a 

	shield from the tyranny of the majority."

	More broadly, the ITU's own constitution talks about "ensuring
the 

	secrecy of international correspondence." And the Council of
Europe's 

	Declaration on Freedom of Communication on the Internet adopted
in 

	2003 says nations "should respect the will of users of the
Internet 

	not to disclose their identity," while acknowledging law
enforcement-

	related tracing is sometimes necessary.

	"When NSA takes the lead on standard-setting, you have to ask
yourself 

	how much is about security and how much is about surveillance,"
said 

	the Electronic Privacy Information Center's Rotenberg. "You
would 

	think (the ITU) would be a little more sensitive to spying on
Internet 

	users with the cooperation of the NSA and the Chinese
government."

	-------------------------------------------------------

	--

	If you want to know what is going on in Cambodia,

	please visit us regularly - you can find something new every
day:

	http://cambodiamirror.wordpress.com (English)

	http://kanhchoksangkum.wordpress.com (Khmer)   

IP JUSTICE

Robin Gross, Executive Director

1192 Haight Street, San Francisco, CA 94117 USA

p: +1-415-553-6261 f: +1-415-462-6451

w: http://www.ipjustice.org e:robin at ipjustice.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.igcaucus.org/pipermail/governance/attachments/20080916/e39624a2/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 30991 bytes
Desc: image001.jpg
URL: <http://lists.igcaucus.org/pipermail/governance/attachments/20080916/e39624a2/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 19056 bytes
Desc: image002.jpg
URL: <http://lists.igcaucus.org/pipermail/governance/attachments/20080916/e39624a2/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 7382 bytes
Desc: image003.jpg
URL: <http://lists.igcaucus.org/pipermail/governance/attachments/20080916/e39624a2/attachment-0002.jpg>
-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.cpsr.org
To be removed from the list, send any message to:
     governance-unsubscribe at lists.cpsr.org

For all list information and functions, see:
     http://lists.cpsr.org/lists/info/governance