February 05, 2010

The FBI Wants Access to Your Web Browsing Records

Greetings. For years I've talked about the bizarre conflict between calls to rapidly delete or anonymize data that could be used for abusive tracking of Internet users, vs. calls from other quarters -- mostly in law enforcement -- for extended retention of such data.

Sometimes different divisions of the same governments are pulling on opposite ends of this particular issue.

So at the same time that Google, for example, has made excellent strides in limiting the retention periods for non-anonymized tracking data (such as IP addresses), we see pressures rising from police agencies pushing in exactly the opposite direction.

Now this conflict has become even more explicit, with word that the FBI has been pressuring ISPs to maintain two years of user Web browsing data -- something that -- to the ISPs' credit -- no major U.S. ISP is thought to be currently doing.

Similar pressures -- including calls for explicit laws to require such retention -- have also been spewing forth from other law-enforcement-related organizations for quite some time, with the usual claim that c-porn investigations (somehow this usually seems to be listed ahead of terrorism concerns) justify the creation of a massive Internet activity records surveillance regime.

Right now the focus appears to be on origin and destination IP addresses, which ISPs can easily capture on any direct connection (including https: encrypted connections), to the extent that proxies are not in use.

But a bit of mental exploration illuminates why the proponents of mass Internet data retention will never be satisfied with IP addresses alone.

Let's think about why.

First, most Web sites are actually "virtual hosts" -- meaning that hundreds, thousands, or even more individual Web sites may be served on the same destination IP addresses.

For surveillance records to be useful, it is certain that authorities would want to know exactly which sites, and in many cases ideally which specific URLs, were being accessed.

Unless deep packet inspection (DPI) were employed to spy on unencrypted traffic (or sophisticated man-in-the-middle techniques were attempted against encrypted traffic when practicable), the obvious means to determine specific site and URL information would be from server-side logs.

That is, authorities would need to go to the operators of the Web servers in question and request or demand the logs that showed which sites had been accessed at particular times. These same logs would typically provide URL information as well.

Combine this with ISP-provided source and destination IP address data, and ISP mappings of which subscribers were assigned to particular dynamic IP addresses at any given point in time, and you have everything you need to reduce the privacy of typical Web browsing to the level of postcards on parade. So passing ISP data retention laws or otherwise strong-arming ISPs into maintaining the data of interest won't do the trick alone -- you need to force every public Web site to similarly maintain log data and make it available to authorities on demand.

But wait a minute. We know that simple IP addresses can't themselves be relied upon to pinpoint individuals, even in the same household. And wouldn't people who didn't want to be tracked learn to rely on proxies, public Internet access points in libraries and coffee shops and ...

Hmm. How to box in those freedom-loving would-be criminal types?

Perhaps that's where Microsoft's Craig Mundie, who as I noted a few days ago is pushing for an Internet "Driver's" License, can help achieve a totality of Internet surveillance nirvana.

Any sort of "Internet User License" concept would be fraught with many more technical and infrastructural complexities than the "simple" data retention requirements discussed above, and would also be subject to various workarounds by the savvy.

But some relatively definitive means to identify individuals as opposed to only identifying Internet connections themselves would seem to be an ultimate Internet surveillance requirement, as anonymous Internet usage would increasingly undermine the ability of retained Internet connection records to provide the necessary raw meat for the sorts of surveillance society activities that are being propagandized as necessary for society's survival.

Internet surveillance proponents will attempt to claim that -- at least for now -- all that they really want is the Internet equivalent of called telephone number records.

Don't you believe it. The Internet has become integral to virtually every aspect of our lives. The spread of Cloud Computing -- a technology with enormous positive potential if appropriately managed and protected -- will further wed us all to distant servers.

The Internet sites and URLs that we visit, and the associated data that we send and receive, can reveal everything from the day-to-day trivia of our lives to our deepest passions and fears. Virtually every aspect of our existence -- personal, economic, political, and otherwise -- can increasingly be directly or indirectly discerned from the pulsing of our broadband connections.

The ability of Internet users to confidently trust the organizations and instrumentation of the Internet, everything from ISPs to Web services themselves, is not only a matter of faith in those specific entities' own veracities, but also a question of knowing that those enterprises will not be corrupted, blackmailed, or otherwise forced into the role of surveillance operatives at the behest or demand of potentially well-meaning, but still overzealous law enforcement paradigms.

Crime, terrorism, and the other evils of society are dark enough specters without attempts to control them shunting us into a different sort of nightmare.

Benjamin Franklin's now oft-quoted admonition that, "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety" has never been more relevant.

In the calls for steps toward a Surveillance Internet, we can hear the echoes of past governments who promised their citizens law and order, and in the process marched them down the path of good intentions directly into figurative Hells on Earth.

We won't be fooled again.

Will we?


Posted by Lauren at February 5, 2010 09:01 PM
Twitter: @laurenweinstein
Google+: Lauren Weinstein