
Internet protocol proposal raises privacy concerns

Privacy groups scramble to influence the outcome of a proposed Internet protocol in the wake of revelations that the standard could make it easier for companies and law enforcement to monitor Net users.

Privacy groups are scrambling to influence the outcome of a proposed new Internet protocol in the wake of revelations that the standard could make it easier for companies and law enforcement to monitor Net users.

Next month, the Internet Engineering Task Force (IETF) will decide whether a new standard for assigning Internet protocol numbers--which all devices need to hook into the Net--should improve the ability of law enforcement to tap online communications, such as phone calls carried over the global network. Another feature being proposed also could improve the ability to track Net users through unique identifiers attached to their computers' IP numbers.

This week's outcry resembles the one that surrounded protests against serial numbers embedded in Intel chips that consumer groups said could be used to trace Net users. The same groups are waking up to the privacy implications of the new IP standard--Internet protocol version 6 (IPv6)--which could eventually affect every Net user if it is widely adopted.

"There is a basic concern about technologies that could create a sort of a national ID number through the Net," said Ari Schwartz, a policy analyst for the Center for Democracy and Technology, which is reviewing the protocol.

A unique number known as an IP address designates every device connected to the Internet. Unlike a person's phone number, however, IP addresses are usually assigned to Net users every time they access the network, which makes it difficult to track their online travels from session to session. Under the new protocol, those numbers wouldn't change as often. A Net user could have the same IP number for more than a year, for example.

Already companies like Microsoft, Apple, Sun, MCI WorldCom, and IBM have endorsed IPv6, and the Internet Assigned Numbers Authority, which is responsible for allocating Internet addresses, issued numbers based on the new standard for the first time in July. Some observers say the new protocol could be fully implemented within four years.

IPv6 was developed in response to a potential shortage of IP numbers and other infrastructure issues. There are 4 billion IP numbers, but the supply of free numbers is expected to dwindle because of devices that require static IP addresses, such as cable Net access.

Proponents of the proposed standard say it will increase the IP pool--the same way adding a new area code increases the amount of phone numbers available--and could provide for better security while supporting wireless phones and other network devices.

Members of the IETF say that both issues--the government surveillance question and the unique identification numbers--have yet to be decided. The IETF has opened up the Net telephony wiretapping issue to the entire task force through a mailing list. The group usually bangs out policies in small working groups.

The debate involves whether a federal law that requires the telephone infrastructure to support law enforcement wiretapping also applies to Net telephony.

"The key questions are: Should the IETF develop new protocols or modify existing protocols to support mechanisms whose primary purpose is to support wiretapping or other law enforcement activities," the IETF stated in an announcement sent out this week.

"If the companies who employ the IETF participants and deploy the IETF's technology feel that having wiretap capability is a business necessity due to the regulatory requirements in the countries where they want to sell their products, would that make a difference to the IETF position on this subject?" the announcement continued.

Scott Bradner, senior technical consultant at Harvard University, who is an area director for the IETF, said that so far the discussion on the list has been strongly opposed to Net telephony wiretapping. Of the approximately 50 posts today, most didn't support any such plan.

"The result of that discussion on the mailing list and the plenary at next month's meeting will be used to advise as to what the IETF position will be--my guess is that there will be a clear consensus," he said today.

Other ways to track Net users

Aside from the Net telephony wiretapping issue, privacy groups are concerned that IPv6 will make it easier to follow Net users.

A feature to simplify hooking up devices to the Net would also assign a static, unique number to the device. The number would provide one more way to track Net users. The tag could be used to collect marketing data or to build a detailed user profile in conjunction with Web site registration forms, for example.

"It certainly raises real concerns, because it will be embedded--like a fingerprint or ID that can be traced to the Net user," said Evan Hendricks, editor of the Privacy Times.

"We oppose that kind of capability because the potential for abuse is too great," he added. "The law should say that there should be no identification schemes built into communications technologies like this."

The privacy concerns are not lost on the IETF. A working group explored the IPv6 issue extensively in a draft paper published in June.

"The use of a constant identifier within an address is of special concern because addresses are a fundamental requirement of communication and cannot easily be hidden from eavesdroppers and other parties," the paper states.

But this is not a new issue, the IETF contends.

"Although the topic of this document may at first appear to be an issue new to IPv6, similar issues already exist in today's Internet already. That is, addresses used in today's Internet are often constant in practice for extended periods of time," the draft states.

The paper says Net users could still avoid being tracked via IPv6 if their access providers continued to generate temporary IP numbers, or if the autoconfiguration architecture were revamped to change the unique number embedded in an IP address over time.

"This issue arises whenever you use an address over and over again," said Thomas Narten, who works for IBM and is an IETF area director.

"The IETF is aware of the concerns," he added. "This is only a proposal at this time. The technical details are being worked out."