In the last couple of months, we've seen a concerted attack on the internet's internal name servers, and another attack aimed at Microsoft database servers anywhere on the internet. Security companies have issued alerts. Pundits predict more viruses, worms, denial-of-service attacks and problems. Is all of this threatening to unravel the internet, as some suggest? Is it possible that government attempts to secure the internet will end up compromising its principles instead?
The internet was first deployed as a research and academic network, serving a community that could at least hope to be self-policing. Today, it serves countless users who have no intention of policing themselves. Unfortunately, the basic principles of the internet, such as universal addressing of members and anonymous routing of messages, make it hard to track down those who would use the 'net to harm or invade the privacy of others. So the question is whether we could or should change it, and by doing so eliminate a lot of the threats we now face.
My answer is no. That might surprise those who know that I'm no fan of the internet business model, so I'd better explain.
Adding security to the internet, whether voluntary or by government edict, requires applying two basic protection schemes. First, make sure that each user has an identifiable address so messages from that user can be traced back reliably. Second, provide a mechanism to do that tracing inside the internet routing structure. The clear problem with this combination is its invasion of users' privacy. While the argument is often made that tracing an internet inquiry or message is no different from tracing a call, the differences are profound.
First, you need a court order to trace a call, and the trace is technology-limited to the party or parties covered by the order. You tap a specific line. With the internet, any tapping will expose the traffic of many others passing through the same nodes and trunks.
Second, measures to provide a hard link between a user and an address for the purposes of identification can't be limited in its application to authorised law enforcement types. If you surf a site, you leave a trail.In our straw poll of users (not scientific but interesting), 90 percent admitted to some internet use they wouldn't want their name connected with. It's not all sedition or crime, or even visits to X-rated sites, either. Many just don't want merchants tracking them and getting personal information. We're already fighting cookies and spam, after all. Do we need to make it worse?
Yes! Or so many say. The argument is that surrendering a little anonymity would bring huge benefits in security, in the ability to fight crime, fight terrorism. Well, everybody is entitled to his own view on a privacy-for-security trade, and we're certain to be facing many such trades in our future, but there's a simple out in this case - it won't do any good.
We might be the most powerful and richest country in the world, and we might have the largest number of internet users, and we might have a completely trustworthy police and judicial process (or maybe we don't - you decide), but we're not alone in the world. Our laws reach to our borders. Suppose we shackle our ISPs with all kinds of laws to allow reliable tracking of miscreants and at the same time protect the masses. Who says those laws would work elsewhere? The latest guess is that the Microsoft SQL worm originated in Asia. Would our laws have prevented it?
That's the rub, folks. Like it or not, the internet is truly global, both technically and culturally. It's either secure and regulated and policed everywhere, or it's hard to imagine how you'd effectively police it at all. Because we cannot police it everywhere, all our noble efforts will accomplish is to raise the costs of our domestic providers, and surrender our own rights of privacy, while those hackers and terrorists simply move to offshore servers or ISPs.
So what happens now? Not much, because not much is necessary. Has your own life been disrupted by internet hackers? How about those you know? Sure, it would be nice if the internet could be made absolutely secure, but the little incremental security that additional U.S. legislation could bring wouldn't be worth the price.
Nolle is president of CIMI, a technology assessment firm in Voorhees, New Jersey.