From the Winter 2016 Issue

Rejecting Anonymity: Confronting the Internet’s Insecure Architecture

Adam Firestone
Editor-in-Chief | United States Cybersecurity Magazine

In @War: The Rise of the Military-Internet Complex, Shane Harris wrote: 

The Internet offered a cloak of anonymity. Anyone could set up an e-mail address with a fake name using Google or Hotmail, which had millions of customers and kept their data in repositories located around the world. Those people were hard enough to find. But more sophisticated adversaries knew how to route their traffic through servers or computers in different countries, making it nearly impossible for them to be tracked to their actual physical location.1 

 

Whether anonymity was an intentional attribute of the Internet’s design is open for debate; that it is a seminal component of the global network’s architecture is not. The result of such architectural anonymity is a chaotic and hostile cyberspace that defies regulation and fosters crime, terrorism, and espionage. The basis for this state of affairs is political and cultural, not technological. From some perspectives this is reassuring, as solutions do not depend on rare and unpredictable breakthroughs in basic science. Other viewpoints are more bleak: changing education and culture can be much more difficult than achieving scientific progress.

Nevertheless, the seeds of a solution exist. This article explores the origins of Internet insecurity and offers a way out of it, combining policy and technical architectures to nurture a cyberspace that protects privacy while ensuring accountability and offers an acceptable level of security for all.

The definition of security varies based on individual, group, and societal perspectives. Given that, it’s more productive to discuss achievable security. Achievable security reflects and incorporates societal values, education, the state of current technology, and applicable standards.

In the United States, civil society comprises three discrete components: the private, the commercial, and the collective. The private component includes individuals, families, and those things which are considered deeply personal, such as religious institutions. The commercial consists of businesses and a broad spectrum of not-for-profit entities. The collective entails government at all levels, from local and municipal to tribal, federal, and national.

A cursory examination indicates that each component has interests that place it at odds with the others and militate against the maintenance of a civil society. The commercial component’s profit and policy motivations imply an adversarial relationship with the private and collective. Similarly, there is an inherent dissonance between the collective’s impetus to govern by fiat and the interests of the private and commercial components.

The nuclear force binding these components into a cohesive whole is a social contract with inherent obligations. For example, the collective component is obligated to govern only with the consent of the private. Conversely, the private and commercial components agree to be bound by laws enacted and enforced by the collective, while the commercial, for its part, is allowed to prosper in return for continued support of both the collective and private components.

Central to these obligations is the notion of accountability. Accountability assures each component that the obligations of the others will be satisfied. On a more granular level, it enables each of us to have confidence that others will not exert their self-interest in a manner that is hostile, illegal, or destructive. In essence, accountability is an entity’s acknowledgement that it is responsible for its actions and inactions, and that it will, when called upon, report, explain, and be answerable for any consequences that result.

Accountability is the foundational bond that enables civil society to function, and it is found everywhere. Law is the codification of accountability such that it can be predictably applied to any situation. Our traditions are often hagiographies of accountability: the myth of George Washington and the cherry tree stands as an archetype of this concept; grading in our educational system holds students accountable for their studies; and commercial and marriage laws are intended to ensure that parties to a contract, whether it be between businesses or domestic partners, live up to their obligations.

In order for accountability to work, the responsibility it entails must accrue to a specific individual (a person, organization, or government entity). This concept is well engrained in all of us, and we all automatically adhere to and implement it every day. Every vehicle on a public thoroughfare displays a license plate so that its owner can be identified. Land is dotted with survey markers so that property boundaries can be accurately delineated, enabling ready identification of the owner. Locks not only secure a home but identify those who have legitimate access (i.e., key holders).

The common thread is that actions are linked to a specific identity or set of identities. As a result, anonymity cannot exist in any cases where accountability is present (barring some subversion of the system). In a nutshell, accountability is a prerequisite for a functioning society and, where there is accountability, there cannot be anonymity. This is not a controversial issue. When was the last time the news media reported protestors at the Department of Motor Vehicles (DMV) demonstrating against the license plate requirement?

The codification of accountability in our society is uncontroversial for two reasons. First, the linkage of action to identity is not done in an irresponsible manner: while accountability is ensured, privacy is protected. One cannot simply walk into the DMV and demand the identity of the person(s) associated with license plate WMD-2003.

Second, there is a common understanding that the ability to take action without accountability leads to chaos and a breakdown in social order. It’s safe to say that (beyond certain extremist and fringe elements) nobody wants society to break down into a chaotic melee.

To recap: Our civil society requires accountability. Accountability, in turn, requires the reliable and robust linkage of identity to action. Once identity is established, there can be no anonymity. As a society, we accept this linkage between action and identity because privacy protections are built into the linking mechanisms.

Given all of this, it’s hard to escape a fundamental question: Why is it that we accept and expect this sort of accountability in physical space while vehemently rejecting it in cyberspace?

The answer has a lot to do with the Internet’s origins. At its core, the Internet is a communications backbone intended to provide assured communications between sender and recipient. As a result, robust and redundant communications were prioritized over user identity and accountability during the Internet’s development phase, as well as the confidentiality of communicated content.

Why is it that we accept and expect accountability in physical space while vehemently rejecting it in cyberspace? 

Additionally, the Internet’s growth was both prodigious and extraordinarily rapid. In December 1995, there were approximately 16 million Internet users, or about 0.4% of the world’s population. By June 2015, there were approximately 3.3 billion Internet users. That’s about 45% of the world’s population. This phenomenal growth rate undoubtedly opened doors and created opportunities; unfortunately, it also eclipsed the ability of most users to understand the technology’s social implications. Worse, it has led to a sense that “the way it is” is “the way it should be.”

History has repeatedly demonstrated that “is” does not equate to “should be.” Slavery was legal in 1865 and as late as 1918 women did not have the right to vote. Up until the 1980s, many communities were served by shared service or “party” telephone lines in which a single telephone circuit was shared by many subscribers. None of those conditions, regardless of the circumstances that led to their inception, are “the way it should be,” and none of them are tolerated today.

The Internet’s current architecture, which enables anonymous usage, is neither the way it should be nor is it tolerable. This architecture has resulted in the Internet becoming a breeding ground for incivility, criminality, espionage, and warfare. Without accountability, there are no constraints on behavior. Think of Harry Potter, wandering Hogwarts after curfew in his invisibility cloak.

Clearly, Internet anonymity is a problem. And it’s one we tolerate. It’s not because we’re unaware of the problem – it’s because, as a society, we value privacy as the guarantor of liberty over security. 

In Internet culture, users of message boards such as 4chan and 8chan routinely post graphic or disturbing images or commentary while safely cloaked behind screen names. It’s unlikely that they would post the same things were their real names tied to the posts. Hacktivists participate in denial of service (DDoS) attacks while comfortably unidentified. Criminals routinely deal in stolen credit card numbers, safe in Internet obscurity (indeed, there’s so little risk involved with dealing in stolen credit cards that the cost for valid credentials is between $1.00 and $3.00). And just a single advanced persistent threat (APT) group, protected by the Internet’s architecture, has absconded with over $1 billion from banks and financial institutions to date, not to mention the unnamed group that breached the US Office of Personnel Management.2

Clearly, Internet anonymity (and the resulting lack of accountability) is a problem. And it’s one we tolerate. It’s not because we’re unaware of the problem – it’s because, as a society, we value privacy as the guarantor of liberty over security. This concept is woven into, and in fact predates, the fabric of the United States (Benjamin Franklin’s famous line about liberty and safety dates from 1755).

However, we no longer have to tolerate an insecure Internet and a hostile cyberspace. We have the technical means available to ensure both privacy and accountability. In physical space, we don’t care whether our cars are seen driving down the highway, that our letter or parcel is in the hands of the Postal Service while in transit, or that we’re seen walking the street. We only care whether it’s known that we own that particular car, that the contents of the package are secure, or that our thoughts and intentions are available only to us. In other words, it’s not knowledge of our presence that’s the issue – it’s knowledge of our information.

Applying this to cyberspace, we should be concerned with protecting the payload contained in a communication’s packets, not the fact that a particular user put that data onto the Internet. In fact, the ability to identify which user sent which packets across the network is essential to creating an accountable and regulable Internet. Fortunately, the technology to enable this capability exists – and has for about a decade.

While political parties argue across the aisles and policy experts argue with technologists, while industry argues with government and privacy advocates argue with law enforcement, the problem only gets worse.

 Internet Protocol Security (IPsec) is a protocol suite that secures communications by authenticating and encrypting each IP packet of a communication session. It can be applied to IPv4 and is integral to IPv6. Using IPsec, a unique identifier can be attached to the header of each packet, thus creating accountability by linking the sender to the packet. The correlation between the identifier and a user could be held by an internet service provider (ISP) and not made public absent a warrant or court order. Just like a license plate.

Similarly, IPsec offers the ability to encrypt, and thus protect, the content of all communications, end to end, as does the transport level protocol, tcpcrypt. The encryption happens at the internet and transport layers of the internet protocol suite respectively, and is thus more robust than application-layer encryption.

Neither IPsec nor tcpcrypt is new or technically risky; nor are they technical silver bullets that solve the whole problem. What they do is force a question and open a conversation: since embedded accountability increases the risk for malicious actors and encryption protects privacy, and an identity/encryption implementation employing available technologies would lower the overall risk in cyberspace why isn’t this being done as a matter of course?

The answer may be an issue of best versus good, of educating more people on the nuances of the problem, or one of political will. It’s not clear. What is clear is that cybersecurity is one of the most pressing security issues facing the nation today. And while political parties argue across the aisles and policy experts argue with technologists, while industry argues with government and privacy advocates argue with law enforcement, the problem only gets worse.

The ability to secure cyberspace exists. The real question is whether we have the collective will to put parochial concerns aside and work collaboratively towards a solution.


Sources

  1. Harris, Shane. @War: The Rise of the Military-Internet Complex. Eamon Dolan/Houghton Mifflin Harcourt, 2014.
  2. Drozhzhin, Alex. “The Greatest Heist of the Century: Hackers Stole $1 Bln.” February 16, 2015. https://usblog.kaspersky.com/billion-dollar-apt-carbanak/5139/.

Leave a Comment

1 thought on “Rejecting Anonymity: Confronting the Internet’s Insecure Architecture”

Comments are closed.