Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vint Cerf on Differential Traceability on the Internet (acm.org)

Posted by msmash on from the how-about-that dept.

Addressing the bad behaviors on the Internet, that range from social network bullying and misinformation to email spam, distributed denial of service attacks, direct cyberattacks against infrastructure, malware propagation, identity theft, and a host of other ills require a wide range of technical and legal considerations, says Vint Cerf, even as he steers clear that he supports encryption. But is there a way to bring more accountability and traceability on our actions on the internet without compromising our privacy? He has a proposition: What is of interest to me is a concept to which I was introduced at the Ditchley workshop, specifically, differential traceability. The ability to trace bad actors to bring them to justice seems to me an important goal in a civilized society. The tension with privacy protection leads to the idea that only under appropriate conditions can privacy be violated. By way of example, consider license plates on cars. They are usually arbitrary identifiers and special authority is needed to match them with the car owners (unless, of course, they are vanity plates like mine: "Cerfsup"). This is an example of differential traceability; the police department has the authority to demand ownership information from the Department of Motor Vehicles that issues the license plates. Ordinary citizens do not have this authority.

In the Internet environment there are a variety of identifiers associated with users (including corporate users). Domain names, IP addresses, email addresses, and public cryptography keys are examples among many others. Some of these identifiers are dynamic and thus ambiguous. For example, IP addresses are not always permanent and may change (for example, temporary IP addresses assigned at Wi-Fi hotspots) or may be ambiguous in the case of Network Address Translation. Information about the time of assignment and the party to whom an IP address was assigned may be needed to identify an individual user. There has been considerable debate and even a recent court case regarding requirements to register users in domain name WHOIS databases in the context of the adoption of GDPR. If we are to accomplish the simultaneous objectives of protecting privacy while apprehending those engaged in harmful or criminal behavior on the Internet, we must find some balance between conflicting but desirable outcomes.

7 of 105 comments (clear)

  1. The internet has gotten along well so far... by Jarwulf · · Score: 4, Insightful

    Without all the tracking and authoritarian features they've been crying for all these decades. Why do we suddenly need them now?

    1. Re:The internet has gotten along well so far... by swillden · · Score: 3, Insightful

      Without all the tracking and authoritarian features they've been crying for all these decades. Why do we suddenly need them now?

      I don't think we do.

      However, your question is disingenuous. Even if the Internet has gotten along well so far (which is a claim that really needs to be defined and supported, but I'll ignore that), society's level of dependence on the Internet clearly has changed. As the Internet becomes more and more central to everyone's lives, the context and implications change. When there were only a handful of horseless carriages tooling around on rutted dirt roads the need for regulating them was nil. Within a decade virtually the same vehicles were a major part of traffic and the need for regulation became significant. Within a few more decades they became central to life in the developed world and regulation became critical.

      If your argument is "why now?", there is no need for a sharp answer. As a process of gradual change continues, problems become gradually more clear and the level of interest in addressing them gradually rises until it surfaces in the public discourse. This is normal.

      At this point, this is a debate that we do need to have or, more precisely, to continue having. There are difficult issues here, of how to balance the public interest in law enforcement and security against the public interest in freedom of speech, association and other actions. Anyone who admits only one side or the other of these questions needs to learn some history and to study the way the same issues have been balanced in the past, in other contexts.

      My preference is to err on the side of freedom, and even to accept a certain level of crime and public safety risk as the price of that freedom. But there is room for -- and need for -- constructive debate.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Abuse by Anonymous Coward · · Score: 5, Insightful

    By way of example, consider license plates on cars. They are usually arbitrary identifiers and special authority is needed to match them with the car owners (unless, of course, they are vanity plates like mine: "Cerfsup"). This is an example of differential traceability; the police department has the authority to demand ownership information from the Department of Motor Vehicles that issues the license plates. Ordinary citizens do not have this authority.

    Considering the government's efforts with license plate readers precisely because they're the only ones with the power to demand ownership information from the DMV, isn't this a great example of the whole problem with trying to introduce traceability? It's become very clear that computers not only allow for the rapid automation of use but also the rapid automation of abuse. Attach that to a global communication network, and you offer pervasive rapid automation of abuse. It stands to reason with that in mind, you want to take steps to reduce traceability as a necessary step towards resilience from the pervasive adversaries, not only to those endowed with authority but those who would bribe, mole, or engineer their way into that authority.

    tl;dr - We need to take more steps towards protecting users, not trying to out villains. Computers are the one space where that's a much more doable option than most.

  3. Doesn't work with conflict between nation states by Anonymous Coward · · Score: 2, Insightful

    Consider the following:

    Facebook: OK, now that we're in the future where Vint Cerf's special differential traceability magic has come to pass, we've identified the IP addresses that these election meddlers were using to connect to their VPNs. Now, to unmask the villains...

    Roskomnadzor: Those IP addresses do not exist.

    Facebook: But--

    Roskomnadzor: Fifty years gulag!
    Vladimir Putin: Fifty years gulag!
    Donald Trump: So I have great confidence in my intelligence people, but I will tell you that President Putin was extremely strong and powerful in his denial today.

    This is where we already are. Improving the paper trail won't fix anything that needs fixing.

  4. It's just speech by KC0A · · Score: 4, Insightful

    "The ability to trace bad actors on the internet...Consider license plates on cars..."

    This is a terrible analogy. Cars are physical objects that directly cause property damage, serious injury, or death. "The internet" is just speech, and not even the "yelling fire in a crowded theater" sort of speech.

    Differential discovery implies that there is some benevolent authority somewhere. I'm wondering who Mr. Cerf believes could be trusted with this responsibility.

  5. never go full authoritarian by ooloorie · · Score: 4, Insightful

    It's not surprising that this proposal comes out of a workshop in the UK; European governments have been trying desperately to deal with their revolting peasants who simply don't seem to want to comply with what Brussels and their own governments tell them to do. Both in the UK and in continental Europe, governments clearly want the ability to censor speech critical of government policies and to sow fear into the hearts of people critical of government policies.

    What is charmingly naive about people like Cerf is that he thinks he can make this happen. The net effect of such a regulatory regime would simply be a shattering of the Internet, as people move to P2P platforms, encryption, and other tools to avoid government censorship of the kind he advocates. A good outcome would be that it would badly hurt platforms like Facebook and Twitter.

    So, I say, bring it on, Vint, baby. Let's see whether the open source community can demonstrate what an authoritarian fool you are.

  6. quite ironic by ooloorie · · Score: 3, Insightful

    In most societies today, it is accepted that we must be identifiable to appropriate authorities under certain conditions (consider border crossings, traffic violation stops as examples).

    It's ironic that many governments wanting this capability aren't even capable of identifying who crosses their borders and have millions of people living illegally in them. And, of course, in the US, many people throw a hissy fit when asked for identification on the street.

    The ability to track, "differentially identify", and punish people for unwanted speech only works for law abiding citizens in the first place. And the net effect of putting more of such laws into place will be to breed more and more contempt for government and the rule of law.