how to preserve the freedom and openness of the Internet while protecting against the harmful behaviors that have emerged in this global medium. That this is a significant challenge cannot be overstated. The bad behaviors range from social network bullying and misinformation to email spam, distributed denial of service attacks, direct cyberattacks against infrastructure, malware propagation, identity theft, and a host of other ills
Cerf's proposed solution is:
differential traceability. The ability to trace bad actors to bring them to justice seems to me an important goal in a civilized society. The tension with privacy protection leads to the idea that only under appropriate conditions can privacy be violated. By way of example, consider license plates on cars. They are usually arbitrary identifiers and special authority is needed to match them with the car owners ... This is an example of differential traceability; the police department has the authority to demand ownership information from the Department of Motor Vehicles that issues the license plates. Ordinary citizens do not have this authority.
Below the fold I examine this proposal and one of the responses.
The first thing to note is that while Cerf's license plate example seems good:
It is illegal to run a license plate check on someone else, regardless of the circumstances. Only a member of law enforcement can run a license plate or lookup license plate numbers to find vehicle owner information.
While there are companies that offer such things as a free license plate or tag number search, you should always be careful when dealing with this type of company and always read the fine print. If you see an online license plates search, it is most likely a scam.
Unfortunately, it illustrates one of the problems with trusting the police to remove the veil of "apparent anonymity". For example, Hack Attack, Nick Davies' astonishing account of the Murdoch press' "information operations" shows how dependent they were on bribing corrupt serving and former police officers:
the reporter who first told me about bribing police officers ... had spent years with the Daily Mail, probably the most hardline law-and-order newspaper in the country ... unless it is itself the offender. [He] told detailed stories of using a former detective as a go-between, to hand over envelopes of cash for serving officers, to persuade them to disclose material from police computers or from current investigations. ... It turned out that all this crime had built up slowly among numerous Fleet Street papers, quality and tabloid. It had reached the point in the early 2000s where several news desks had banned their reporters from commissioning investigators, not because so much of their work was illegal but simply because they were costing such a lot. ... two [Information Commissioner] reports described a network which for years had been run by a private investigator called Steve Whittamore, who ... had two men inside the Driver and Vehicle Licensing Agency.
Among those deanonymized by Whittamore were:
the owners of every car which was parked near a village green where the actor Hugh Grant was playing cricket.
Police corruption is a world-wide problem whose effects are probably worse than "social network bullying and misinformation". For a more recent example see last Thursday's New York Times:
It was a sweeping and complex criminal enterprise: brothels in Brooklyn, where 15-minute sexual encounters added up to more than $2 million in profits in a 13-month period, and nail salons in Queens, where managers, runners and agents placed bets in an old-school numbers racket.
And the mastermind was a retired New York City police detective who recruited at least seven police officers acting as foot soldiers, according to court documents charging the group on Thursday.
In the US, private investigators use license plate databases to provide "ordinary citizens" with deanonymization services for a price:
if a client asks us to trace a suspicious license plate, we log into a specialized database that supplies DMV/MVD data on vehicles in all 50 states.
Where do the databases get their information?
Government custodians aren't the only ones with a corruption problem. Another investigator described by Nick Davies:
had targeted the call centres of the main mobile phone companies by paying cash bribes to some staff there ... doubling their legitimate salary by selling confidential information.
Mobile phone companies, now the world's leading ISPs, see collecting and selling personal information as essential to their business model. Other platform companies face similar corruption problems:
Employees of Amazon, primarily with the aid of intermediaries, are offering internal data and other confidential information that can give an edge to independent merchants selling their products on the site, according to sellers who have been offered and purchased the data, brokers who provide it and people familiar with internal investigations.
On Dave Farber's IP list Lauren Weinstein responded to Cerf's article:
While I have frequently called for greater accountability in key aspects of Internet operations (in particular, public access to WHOIS domain data except in limited circumstances), I fear that in the general case Vint's Traceability proposal would mostly gladden the hearts of bad governmental players in countries such as China, Russia, and even here in the USA. It basically amounts to an escrowed identity system, a concept that has been widely and appropriately criticized in the encryption arena. Given that a significant degree of anonymity is crucial for human rights advocates and others who live in areas of the world that are routinely under government oppression, I do not see obvious ways that Vint's proposal could be implemented without innocent parties being even more at the mercy of oppressive governments than they are today.
Weinstein is right to stress the importance to free society of "a significant degree of anonymity". Cerf is right to point out that:
absolute anonymity is actually quite difficult to achieve ... and might not be absolutely desirable given the misbehaviors apparent anonymity invites.
The important point to note is the agreement that what we have now is a "significant degree" of "apparent anonymity". Recent events and research have illuminated the capabilities governments, corporations and malign actors have to deanonymize Internet actors. Examples include:
- The fact that Robert Mueller's office was able to indict twelve named GRU operatives, justifying the indictments with copious details about their organizations and activities. This despite the fact that, as professional cyber intelligence operatives, the twelve would have been intensively trained in counter-surveillance.
- Tor is the best widely-available tool for anonymous access to the Web. But, like all software, it has flaws. In Tor's case, these flaws often allow users to be deanonymized. For example, in Exploit vendor drops Tor Browser zero-day on Twitter Catalin Cimpanu reports that:
Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.
In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions. ... Zerodium CEO Chaouki Bekrar provided more details about today's zero-day. ... "This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers."
Not to mention the time when, with DOD funding:
The Software Engineering Institute ("SEI") of Carnegie Mellon University (CMU) compromised the network in early 2014 by operating relays and tampering with user traffic.
The deanonymized individual's information was supplied to the FBI.
- Despite the fact that all transactions are recorded in a public database, it is widely assumed that Bitcoin and other cryptocurrencies provide "significant anonymity", especially when combined with "mixers" such as CoinJoin. But Bitcoin and Anonymity: Not So Much on CoinLab's blog reports that:
CoinLab’s Patent for methods for deanonymizing Bitcoin wallets and transactions was released March 28. We have held off on describing methodologies and impacts until the patent was published, but it seems past time to talk about what we can see using this technology, and possible impacts on Bitcoin businesses.
Deanonymizing cryptocurrency users has been a fruitful research field. Examples include Toward De-Anonymizing Bitcoin by Mapping Users Location, When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies and even Bitcoin over Tor isn't a Good Idea.
- Correlating the vast amount of information collected and traded by trackers in the Internet advertising ecosystem allows platforms and their customers (and their customers' customers, ...) to deanonymize Web users with ease. Jack Balkin and Jonathan Zittrain's A Grand Bargain to Make Tech Companies Trustworthy suggests making the platforms "information fiduciaries":
Like older fiduciaries, [platforms] have become virtually indispensable. Like older fiduciaries, these companies collect a lot of personal information that could be used to our detriment. And like older fiduciaries, these businesses enjoy a much greater ability to monitor our activities than we have to monitor theirs. As a result, many people who need these services often shrug their shoulders and decide to trust them. But the important question is whether these businesses, like older fiduciaries, have legal obligations to be trustworthy. The answer is that they should.
By restricting the flow of tracking data through the ecosystem, this proposal would reduce the number of companies with easy deanonymization capability, but it would cement the platforms' role as the one-stop-shop for corporate and government deanonymization services.
Currently, the cost of deanonymization is probably higher for law enforcement than for companies or bad actors. How could a large cost reduction be made available only to law enforcement users trusted not to abuse it? Explicit support for "differential traceability" has the same problem as the Clipper chip, Ray Ozzie's recent "Clear" proposal, government advocacy of encryption "backdoors", etc. The support would have to be implemented in widely-available software. It would have bugs, so even if law enforcement were incorruptible, the bad guys (whether criminals or hostile nation-state actors) would find ways to subvert it.
These would likely include both the ability to create new Sybil identities, and the ability to impersonate innocent users. The first vitiates the whole point of the system, the second makes it even more dangerous than the current situation. At least now everyone understands that attributing Internet actions to specific people is dangerous. But after implementing "differential traceability" the authorities would need to convince everyone that it was flawless, otherwise why did they go to all that trouble? So the general public's valuable skepticism about Internet identities would be undermined.
The significant problems Cerf lists could perhaps be somewhat mitigated if the cost and hassle factor for law enforcement of deanonymizing Internet malefactors were reduced. But law enforcement, especially international law enforcement, has limited resources and many tasks that are, for good reason, assigned higher priority than "social network bullying and misinformation". It is doubtful that such cost reduction would change these priorities much. Mueller's GRU indictments show that in important cases law enforcement can and does deanonymize bad actors; Facebook's deletion of material from the Internet Research Agency shows that, under pressure, companies do the same.
Unless priorities were changed enough to greatly raise malefactors' perception of the risks they run, efforts to implement explicit, as opposed to implicit, "differential traceability" would be ineffectual. The impossibility of restricting explicit "differential traceability" to law enforcement, and the fact that law enforcement's trustworthiness is highly variable, argue strongly against efforts to implement it.
Thanks to Lauren Weinstein for permission to quote his response in full.