...was participating in the process (and whether it was trying to fulfil its intelligence-gathering mission or its other role of advancing information security).
Toby Johnson, a communications officer with the ITU's Telecommunication Standardization Bureau in Geneva, also refused to discuss Q6/17. "It may be difficult for experts to comment on what state deliberations are in for fear of prejudicing the outcome," he said in an email message on Thursday.
China's proposal obtained by CNET News.com says "to ensure traceability, essential information of the originator should be logged".
Leaked requirements document says governments may need "to identify the source of the negative articles" posted by political adversaries.
Korean presentation says standards bodies should be "required to develop standards or guidelines" to facilitate unmasking users.
Verisign executive's summary summarises presentation saying protocols must have "a strong traceback capability, and establishing traceback considerations in developing any new standards".
When asked about the impact on internet anonymity, Johnson replied: "I am not fully acquainted with this topic and therefore not qualified to provide an answer." He said that he expects that any final ITU standard would comport with the UN's Universal Declaration of Human Rights.
A 'tense' subject
It's unclear what happens next. For one thing, the traceback proposal isn't scheduled to be finished until 2009, and one industry source stressed that not all members of Q6/17 are in favour of it. The five 'editors' are: NSA's Richard Brackney; Tian Huirong from China's telecommunications ministry; Korea's Youm Heung-Youl; Cisco's Gregg Schudel; and Craig Schultz, who works for a Japan-based network security provider. (In keeping with the NSA's penchant for secrecy, Brackney was the lone ITU participant in a 2006 working group who failed to provide biographical information.)
In response to a question about the eventual result, Schultz, one of the editors, replied: "The long answer is, as you can probably imagine, this subject can get a little 'tense'. The main issue is the protection of privacy as well as not having to rely on 'policy' as part of a process. A secondary issue is feasibility and cost versus benefit." He said a final recommendation is at least a year off.
In public networks, the capability of knowing the source of traffic has been built into protocols and administration since 1850
Tony Rutkowski, Verisign
Another participant is Tony Rutkowski, Verisign's vice president for regulatory affairs and longtime ITU attendee, who wrote a three-page summary for IP traceback and a related concept called 'International Caller-ID Capability'.
In a series of email messages, Rutkowski defended the creation of the IP traceback "work item" at a meeting in April, and disputed the legitimacy of the document posted by Bellovin. "The political motivation text was not part of any known ITU-T proposal and certainly not the one which I helped facilitate," he wrote.
Rutkowski added in a separate message: "In public networks, the capability of knowing the source of traffic has been built into protocols and administration since 1850! It's widely viewed as essential for settlements, network management and infrastructure protection purposes. The motivations are the same here. The OSI internet protocols (IPv5) had the capabilities built-in. The ARPA internet left them out because the infrastructure was a private DOD infrastructure."
Because the IP was not designed to be traceable, it's possible to spoof addresses — both for legitimate reasons, such as sharing a single address on a home network, and for malicious ones as well. In the early part of the decade, a flurry of academic research focused on ways to perform IP tracebacks, perhaps by embedding origin information in internet communications, or Bellovin's suggestion of occasionally automatically forwarding those data in a separate message.
If network providers and the IETF adopted IP traceback on their own, perhaps on the grounds that security justifications outweighed the harm to privacy and anonymity, that would be one thing. But in the US, a formal legal requirement to adopt IP traceback would run up against the First Amendment. A series of court cases, including the 1995 decision in McIntyre v Ohio Elections Commission, provides a powerful shield protecting the right to remain anonymous. In that case, the majority ruled: "Under our Constitution, anonymous pamphleteering is not a pernicious, fraudulent practice, but an honourable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority."
More broadly, the ITU's own constitution talks about "ensuring the secrecy of international correspondence". And the Council of Europe's Declaration on Freedom of Communication on the Internet, adopted in 2003, says nations "should respect the will of users of the internet not to disclose their identity", while acknowledging law enforcement-related tracing is sometimes necessary.
"When NSA takes the lead on standard-setting, you have to ask yourself how much is about security and how much is about surveillance," said the Electronic Privacy Information Center's Rotenberg. "You would think [the ITU] would be a little more sensitive to spying on internet users with the co-operation of the NSA and the Chinese government."
