NNSquad - Network Neutrality Squad
[ NNSquad ] The FBI Wants Access to Your Web Browsing Records
The FBI Wants Access to Your Web Browsing Records
http://lauren.vortex.com/archive/000679.html
Greetings. For years I've talked about the bizarre conflict between
calls to rapidly delete or anonymize data that could be used for
abusive tracking of Internet users, vs. calls from other quarters --
mostly in law enforcement -- for extended retention of such data.
Sometimes different divisions of the same governments are pulling on
opposite ends of this particular issue.
So at the same time that Google, for example, has made excellent
strides in limiting the retention periods for non-anonymized tracking
data (such as IP addresses), we see pressures rising from police
agencies pushing in exactly the opposite direction.
Now this conflict has become even more explicit, with word that the
FBI has been pressuring ISPs to maintain two years of user Web
browsing data -- something that -- to the ISPs' credit -- no major
U.S. ISP is thought to be currently doing ( http://bit.ly/bojdZ5 [CNET] ).
Similar pressures -- including calls for explicit laws to require such
retention -- have also been spewing forth from other
law-enforcement-related organizations for quite some time, with the
usual claim that c-porn investigations (somehow this usually seems to
be listed ahead of terrorism concerns) justify the creation of a
massive Internet activity records surveillance regime.
Right now the focus appears to be on origin and destination IP
addresses, which ISPs can easily capture on any direct connection
(including https: encrypted connections), to the extent that proxies
are not in use.
But a bit of mental exploration illuminates why the proponents of mass
Internet data retention will never be satisfied with IP addresses
alone.
Let's think about why.
First, most Web sites are actually "virtual hosts" -- meaning that
hundreds, thousands, or even more individual Web sites may be served
on the same destination IP addresses.
For surveillance records to be useful, it is certain that authorities
would want to know exactly which sites, and in many cases ideally
which specific URLs, were being accessed.
Unless deep packet inspection (DPI) were employed to spy on
unencrypted traffic (or sophisticated man-in-the-middle techniques
were attempted against encrypted traffic when practicable) the obvious
means to determine specific site and URL information would be from
server-side logs.
That is, authorities would need to go to the operators of the Web
servers in question and request or demand the logs that showed which
sites had been accessed at particular times. These same logs would
typically provide URL information as well.
Combine this with ISP-provided source and destination IP address data,
and ISP mappings of which subscribers were assigned to particular
dynamic IP addresses at any given point in time, and you have
everything you need to reduce the privacy of typical Web browsing to
the level of postcards on parade. So passing ISP data retention laws
or otherwise strong-arming ISPs into maintaining the data of interest
won't do the trick alone -- you need to force every public Web site to
similarly maintain log data and make it available to authorities on
demand.
But wait a minute. We know that simple IP addresses can't themselves
be relied upon to pinpoint individuals, even in the same household.
And wouldn't people who didn't want to be tracked learn to rely on
proxies, public Internet access points in libraries and coffee shops
and ...
Hmm. How to box in those freedom-loving would-be criminal types?
Perhaps that's where Microsoft's Craig Mundie, who as I noted a few
days ago is pushing for an Internet "Driver's" License, can help
achieve a totality of Internet surveillance nirvana
( http://lauren.vortex.com/archive/000676.html ).
Any sort of "Internet User License" concept would be fraught with many
more technical and infrastructural complexities than the "simple" data
retention requirements discussed above, and would also be subject to
various workarounds by the savvy.
But some relatively definitive means to identify individuals as
opposed to only identifying Internet connections themselves would seem
to be an ultimate Internet surveillance requirement, as anonymous
Internet usage would increasingly undermine the ability of retained
Internet connection records to provide the necessary raw meat for the
sorts of surveillance society activities that are being propagandized
as necessary for society's survival.
Internet surveillance proponents will attempt to claim that -- at
least for now -- all that they really want is the Internet equivalent
of called telephone number records.
Don't you believe it. The Internet has become integral to virtually
every aspect of our lives. The spread of Cloud Computing -- a
technology with enormous positive potential if appropriately managed
and protected -- will further wed us all to distant servers.
The Internet sites and URLs that we visit, and the associated data
that we send and receive, can reveal everything from the day-to-day
trivia of our lives to our deepest passions and fears. Our personal,
economic, political, and virtually every other aspect of our existence
can increasingly be directly or indirectly discerned from the pulsing
of our broadband connections.
The ability of Internet users to confidently trust the organizations
and instrumentation of the Internet, everything from ISPs to Web
services themselves, is not only a matter of faith in those specific
entities' own veracities, but also a question of knowing that those
enterprises will not be corrupted, blackmailed, or otherwise forced
into the role of surveillance operatives at the behest or demand of
potentially well-meaning, but still overzealous law enforcement
paradigms.
Crime, terrorism, and the other evils of society are dark enough
specters without attempts to control them shunting us into a different
sort of nightmare.
Benjamin Franklin's now oft-quoted admonition that, "They who can give
up essential liberty to obtain a little temporary safety, deserve
neither liberty nor safety" has never been more relevant.
In the calls for steps toward a Surveillance Internet, we can hear the
echos of past governments who promised their citizens law and order,
and in the process marched them down the path of good intentions
directly into figurative Hells on Earth.
We won't be fooled again.
Will we?
--Lauren--
Lauren Weinstein
lauren@vortex.com
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
- Network Neutrality Squad - http://www.nnsquad.org
Founder, GCTIP - Global Coalition
for Transparent Internet Performance - http://www.gctip.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein