[governance] ITU work on IP traceback
Carlos Afonso
ca at rits.org.br
Tue Sep 16 10:38:11 EDT 2008
Milton, I managed to catch the first document but not the second (which
actually seems a list of restricted work in progress).
--c.a.
Milton L Mueller wrote:
> Here are some more sources of information about the development of the
> standard directly from the ITU.
>
> Note two things: 1) this is real. 2) the impetus for it cannot be blamed
> entirely on China, as some journalists imply; the US Defense Dept and
> Cisco and VeriSign are also involved.
>
> http://www.itu.int/osg/csd/cybersecurity/WSIS/3rd_meeting_docs/Rutkowski_IPtraceback_callerID_rev0.pdf
>
> http://www.itu.int/md/meetingdoc.asp?lang=en&parent=T05-SG17-070416-TD&question=Q6/17
>
> --Milton Mueller
>
> ________________________________
>
> From: expression-bounces at ipjustice.org
> [mailto:expression-bounces at ipjustice.org] On Behalf Of Robin Gross
> Sent: Friday, September 12, 2008 3:53 PM
> To: expression at ipjustice.org
> Cc: Laura DeNardis; Nick Dearden; nicholas.dearden at amnesty.org
> Subject: [Expression] Fwd: [oni] U.N. agency eyes curbs on Internet anonymity
>
> Colleagues,
>
> Below is a concerning story about the ITU and the NSA working together
> to dismantle Internet anonymity via technical standards despite the
> well-recognized right to anonymous speech in international treaties and
> national constitutions.
>
> I'd like to see this Free Expression Dynamic Coalition explore this
> issue further in Hyderabad.
>
> Has anyone else heard about this initiative or have any information
> about it? Can this report be confirmed?
>
> Thanks,
> Robin
>
> ---------- Forwarded Message ---------
> Subject: [oni] U.N. agency eyes curbs on Internet anonymity
> Date: Friday, 12 September 2008
> From: Rafal Rohozinski <rafal at cambridgesecurity.net>
> To: "oni at eon.law.harvard.edu Initiative" <oni at eon.law.harvard.edu>
>
> September 12, 2008 4:00 AM PDT
>
> U.N. agency eyes curbs on Internet anonymity
>
> Posted by Declan McCullagh
>
> A United Nations agency is quietly drafting technical standards,
> proposed by the Chinese government, to define methods of tracing the
> original source of Internet communications and potentially curbing the
> ability of users to remain anonymous.
>
> The U.S. National Security Agency is also participating in the "IP
> Traceback" drafting group, named Q6/17, which is meeting next week in
> Geneva to work on the traceback proposal. Members of Q6/17 have
> declined to release key documents, and meetings are closed to the
> public.
>
> The potential for eroding Internet users' right to remain anonymous,
> which is protected by law in the United States and recognized in
> international law by groups such as the Council of Europe, has alarmed
> some technologists and privacy advocates. Also affected may be
> services such as the Tor anonymizing network.
>
> "What's distressing is that it doesn't appear that there's been any
> real consideration of how this type of capability could be misused,"
> said Marc Rotenberg, director of the Electronic Privacy Information
> Center in Washington, D.C. "That's really a human rights concern."
>
> Nearly everyone agrees that there are, at least in some circumstances,
> legitimate security reasons to uncover the source of Internet
> communications. The most common justification for tracebacks is to
> counter distributed denial of service, or DDoS, attacks.
>
> But implementation details are important, and governments
> participating in the process -- organized by the International
> Telecommunication Union, a U.N. agency -- may have their own agendas.
>
> A document submitted by China this spring and obtained by CNET News
> said the "IP traceback mechanism is required to be adapted to various
> network environments, such as different addressing (IPv4 and IPv6),
> different access methods (wire and wireless) and different access
> technologies (ADSL, cable, Ethernet) and etc." It adds: "To ensure
> traceability, essential information of the originator should be
> logged."
>
> The Chinese author of the document, Huirong Tian, did not respond to
> repeated interview requests. Neither did Jiayong Chen of China's
> state-owned ZTE Corporation, the vice chairman of the Q6/17's parent
> group who suggested in an April 2007 meeting that it address IP
> traceback.
>
> A second, apparently leaked ITU document offers surveillance and
> monitoring justifications that seem well-suited to repressive regimes:
>
> [Photo: Steve Bellovin (Credit: Declan McCullagh/mccullagh.org)]
>
> A political opponent to a government publishes articles putting the
> government in an unfavorable light. The government, having a law
> against any opposition, tries to identify the source of the negative
> articles but the articles having been published via a proxy server, is
> unable to do so protecting the anonymity of the author.
>
> That document was provided to Steve Bellovin, a well-known Columbia
> University computer scientist, Internet Engineering Steering Group
> member, and Internet Engineering Task Force participant who wrote a
> traceback proposal eight years ago. Bellovin says he received the ITU
> document as part of a ZIP file from someone he knows and trusts, and
> subsequently confirmed its authenticity through a second source. (An
> ITU representative disputed its authenticity but refused to make
> public the Q6/17 documents, including a ZIP file describing traceback
> requirements posted on the agency's password-protected Web site.)
>
> Bellovin said in a blog post this week that "institutionalizing a
> means for governments to quash their opposition is in direct
> contravention" of the U.N.'s own Universal Declaration of Human
> Rights. He said that traceback is no longer that useful a concept, on
> the grounds that few attacks use spoofed addresses, there are too many
> sources in a DDoS attack to be useful, and the source computer
> inevitably would prove to be hacked into anyway.
>
> Another technologist, Jacob Appelbaum, one of the developers of the
> Tor anonymity system, also was alarmed. "The technical nature of this
> 'feature' is such a beast that it cannot and will not see the light of
> day on the Internet," Appelbaum said. "If such a system was deployed,
> it would be heavily abused by precisely those people that it would
> supposedly trace. No blackhat would ever be caught by this."
>
> [Photo: Jacob Appelbaum (Credit: Declan McCullagh/mccullagh.org)]
>
> Adding to speculation about where the U.N. agency is heading are
> indications that some members would like to curb Internet anonymity
> more broadly:
>
> An ITU network security meeting a few years ago concluded that
> anonymity should not be permitted. The summary said: "Anonymity was
> considered as an important problem on the Internet (may lead to
> criminality). Privacy is required but we should make sure that it is
> provided by pseudonymity rather than anonymity."
>
> A presentation in July from Korea's Heung-youl Youm said that
> groups such as the IETF should be "required to develop standards or
> guidelines" that could "facilitate tracing the source of an attacker
> including IP-level traceback, application-level traceback, user-level
> traceback." Another Korean proposal -- which has not been made public
> -- says all Internet providers "should have procedures to assist in
> the lawful traceback of security incidents."
>
> An early ITU proposal from RAD Data Communications in Israel said:
> "Traceability means that all future networks should enable source
> trace-back, while accountability signifies the responsibility of
> account providers to demand some reasonable form of identification
> before granting access to network resources (similar to what banks do
> before opening a bank accounts)."
>
> Multinational push to curb anonymous speech
>
> By itself, of course, the U.N. has no power to impose Internet
> standards on anyone. But U.N. and ITU officials have been lobbying for
> more influence over the way the Internet is managed, most prominently
> through the World Summit on the Information Society in Tunisia and a
> followup series of meetings.
>
> The official charter of the ITU's Q6/17 group says that it will work
> "in collaboration" with the IETF and the U.S. Computer Emergency
> Response Team Coordination Center, which could provide a path toward
> widespread adoption -- especially if national governments end up
> embracing the idea.
>
> Patrick Bomgardner, the NSA's chief of public and media affairs, told
> CNET News on Thursday that "we have no information to provide on this
> issue." He would not say why the NSA was participating in the process
> (and whether it was trying to fulfill its intelligence-gathering
> mission or its other role of advancing information security).
>
> Toby Johnson, a communications officer with the ITU's
> Telecommunication Standardization Bureau in Geneva, also refused to
> discuss Q6/17. "It may be difficult for experts to comment on what
> state deliberations are in for fear of prejudicing the outcome," he
> said in an e-mail message on Thursday.
>
> U.N. "IP traceback" documents
>
> China's proposal obtained by CNET News says "to ensure traceability,
> essential information of the originator should be logged."
>
> Leaked requirements document says governments may need "to identify
> the source of the negative articles" posted by political adversaries.
>
> Korean presentation says standards bodies should be "required to
> develop standards or guidelines" to facilitate unmasking users.
>
> Verisign executive's summary summarizes presentation saying protocols
> must have "a strong traceback capability, and establishing traceback
> considerations in developing any new standards."
>
> When asked about the impact on Internet anonymity, Johnson replied: "I
> am not fully acquainted with this topic and therefore not qualified to
> provide an answer." He said that he expects that any final ITU
> standard would comport with the U.N.'s Universal Declaration of Human
> Rights.
>
> It's unclear what happens next. For one thing, the traceback proposal
> isn't scheduled to be finished until 2009, and one industry source
> stressed that not all members of Q6/17 are in favor of it. The five
> "editors" are: NSA's Richard Brackney; Tian Huirong from China's
> telecommunications ministry; Korea's Youm Heung-Youl; Cisco's Gregg
> Schudel; and Craig Schultz, who works for a Japan-based network
> security provider. (In keeping with the NSA's penchant for secrecy,
> Brackney was the lone ITU participant in a 2006 working group who
> failed to provide biographical information.)
>
> In response to a question about the eventual result, Schultz, one of
> the editors, replied: "The long answer is, as you can probably
> imagine, this subject can get a little 'tense.' The main issue is the
> protection of privacy as well as not having to rely on 'policy' as
> part of a process. A secondary issue is feasibility and cost versus
> benefit." He said a final recommendation is at least a year off.
>
> Another participant is Tony Rutkowski, Verisign's vice president for
> regulatory affairs and longtime ITU attendee, who wrote a three-page
> summary for IP traceback and a related concept called "International
> Caller-ID Capability."
>
> In a series of e-mail messages, Rutkowski defended the creation of the
> IP traceback "work item" at a meeting in April, and disputed the
> legitimacy of the document posted by Bellovin. "The political
> motivation text was not part of any known ITU-T proposal and certainly
> not the one which I helped facilitate," he wrote.
>
> Rutkowski added in a separate message: "In public networks, the
> capability of knowing the source of traffic has been built into
> protocols and administration since 1850! It's widely viewed as
> essential for settlements, network management, and infrastructure
> protection purposes. The motivations are the same here. The OSI
> Internet protocols (IPv5) had the capabilities built-in. The ARPA
> Internet left them out because the infrastructure was a private DOD
> infrastructure."
>
> Because the Internet Protocol was not designed to be traceable, it's
> possible to spoof addresses -- both for legitimate reasons, such as
> sharing a single address on a home network, and for malicious ones as
> well. In the early part of the decade, a flurry of academic research
> focused on ways to perform IP tracebacks, perhaps by embedding origin
> information in Internet communications, or Bellovin's suggestion of
> occasionally automatically forwarding those data in a separate
> message.
>
> If network providers and the IETF adopted IP traceback on their own,
> perhaps on the grounds that security justifications outweighed the
> harm to privacy and anonymity, that would be one thing.
>
> But in the United States, a formal legal requirement to adopt IP
> traceback would run up against the First Amendment. A series of court
> cases, including the 1995 decision in McIntyre v. Ohio Elections
> Commission, provides a powerful shield protecting the right to remain
> anonymous. In that case, the majority ruled: "Under our Constitution,
> anonymous pamphleteering is not a pernicious, fraudulent practice, but
> an honorable tradition of advocacy and of dissent. Anonymity is a
> shield from the tyranny of the majority."
>
> More broadly, the ITU's own constitution talks about "ensuring the
> secrecy of international correspondence." And the Council of Europe's
> Declaration on Freedom of Communication on the Internet adopted in
> 2003 says nations "should respect the will of users of the Internet
> not to disclose their identity," while acknowledging law
> enforcement-related tracing is sometimes necessary.
>
> "When NSA takes the lead on standard-setting, you have to ask yourself
> how much is about security and how much is about surveillance," said
> the Electronic Privacy Information Center's Rotenberg. "You would
> think (the ITU) would be a little more sensitive to spying on Internet
> users with the cooperation of the NSA and the Chinese government."
>
> -------------------------------------------------------
>
> --
> If you want to know what is going on in Cambodia,
> please visit us regularly - you can find something new every day:
>
> http://cambodiamirror.wordpress.com (English)
> http://kanhchoksangkum.wordpress.com (Khmer)
>
> IP JUSTICE
> Robin Gross, Executive Director
> 1192 Haight Street, San Francisco, CA 94117 USA
> p: +1-415-553-6261 f: +1-415-462-6451
> w: http://www.ipjustice.org e:robin at ipjustice.org