The Internet was developed as a medium for sharing data. Its basic architectural principles, to break data into a numbered set of small packets and to transmit the packets as efficiently as possible, reflect that underlying premise. Each packet is transmitted using the Internet Protocol (IP). Packets typically have three parts. The header says where the packet is from (the sender's IP address), where the packet is going (the receiver's IP address), the type of communications protocol (email, Web page, video, voice, and so on), and its position (packet number) in that particular transmission. The payload, the actual content, follows. Finally, a trailer marks the end of a packet. Applications (an HTTP connection to a Web page, an email connection, a Voice over IP (VoIP) call) are broken into packets and then reassembled at the receiver's end.
Mobility of devices means that a user's IP address at the café at 10 a.m. is different from the one in the seminar room at 11 a.m. Each time the user connects back to the network, her new IP address is transmitted to her service provider. That is how Facebook communications and email reach her even when she has moved locations and her IP address has changed.
IP location provides only partial identification. While an IP address delimits a location from which and to which packets are transmitted, that address is, for a number of reasons, not necessarily useful in identification. The IP address may be one used temporarily, and without strong identification, such as at an Internet café or an airport. Without ancillary information, such an IP address may provide minimal identifying information. Another reason that an IP address may not provide definitive identification is that few routers along the transmission path check a sender's address, so spoofing an IP address is easy.
Even if the IP address is correct, it may not provide an investigator with the information needed to determine who is responsible for a particular action. That is because in such instances the connecting machine may be just a way station. Consider, for example, distributed denial-of-service (DDoS) attacks, in which hundreds of thousands of computers simultaneously send messages to an online service, overwhelming it and taking it offline. The machines sending these messages are simply intermediaries that have themselves been compromised. DDoS is an example of a multistage attack, in which a perpetrator infiltrates a series of machines to launch an attack.
Cyberexploits, the theft of information from networked systems, are also typically multistage attacks. The first machine to receive the exfiltrated data is often itself compromised, and the stolen data will be quickly moved from that machine to another and another, through a lengthy chain of compromised machines, before the data end up in the attacker's hands. An investigation may lead to the initial machine that was used in the scam, but it is unlikely to lead all the way to the real attacker.
The fact that IP addresses do not provide precise identity matters very little in certain cases. Spoofing does not concern the Recording Industry Association of America, which uses an IP address as a jumping-off point for copyright infringement suits. IP addresses have also served law enforcement as a starting point for investigations. They can also be useful in investigations in which the participants' addresses are related; for example, if they all work at Enron.
Investigators often seek identity, though not necessarily at the level of an IP address. Following users across the Internet became important with the arrival of free services such as Facebook, Google search, and Yik Yak. Such services are supported through advertising. In this instance, identity does not mean identifying a user in the sense of "Joe Bloggs is visiting honda.com," but rather that the browser currently viewing nytimes.com is the same one that ran an Internet search for compact cars earlier in the day. This enables the search provider, for example, to serve a Honda ad on The New York Times website that the user is browsing. Identification is derived through cookies in the browser, not an IP address.
There are times when identity on the Internet at the level of a person matters. A bank does not particularly care what a user's IP address is, but if a transaction is occurring, the bank seeks assurance that the person is who she claims to be and wants her to authenticate her identity at the bank's site. For many situations, including transactions of high value, authentication conducted within an application is sufficient proof of identity.
When the Facebook login is used to authenticate a user to an app, Facebook shares with the app the user’s name and gender, and provides a list of the user’s friends who also use the application. This makes the Facebook login valuable to the app, but not to a user seeking privacy.
The existing model of advertising and tracking in exchange for services is not the only possible model for the Internet. One alternative would be to charge for services: a tenth of a cent for a search, a monthly charge for email support, and so on. And there is no reason the two systems could not coexist: charges for users seeking privacy-protective services, and an advertise-and-track model for those who are indifferent to the privacy issue or unable to pay.
By making the network indispensable to daily life, the Internet drove the development of smartphones. Most Internet accesses now occur through mobile devices, a fact with profound implications for privacy and surveillance. While a laptop can be "on" but not connected to the network (functioning as a computer, not a communications device), if a smartphone is on (and not in "airplane mode"), it will be connected to the telephone network whenever the provider's system is within range. Thus, a phone's location, which is broadcast several times an hour to announce "I am here," is a relatively public piece of information.
The phone's connection is through the nearest base station: the cell tower closest to the user. As the user moves to new locations, the phone connection is "handed off" to the next base station. That is information that the phone network, or an interceptor, will learn. Desktops, laptops, and tablets are, to some extent, multiuser machines, but smartphones are more strictly associated with individuals. Thus, simply tracking the phone's location provides an extremely accurate way of tracking the phone's user.
Know the recipients of a person’s calls, and you can infer who he is and what is happening in his life: whether he has just lost his job, his mother is ill, or his son has just gone off to college. Because people carry personal transmitters and receivers, government investigators no longer need to tail individuals and monitor phone booths to capture conversations and movements; they simply track mobile phones. Because communications patterns are so revealing, if a government can fully surveil a nation’s communications network, it can even track “burner” phones (anonymous prepaid phones) through correlations in location and use.
Governments are not the only ones following users' locations; in fact, they may be collecting far less information than many companies. To provide the services for which smartphones are valued (finding a local restaurant, making dinner reservations, and then determining the best route there), the phone must provide location information to the app. This is done through GPS, which typically operates at a resolution of about ten meters. So the network provider knows where the phone is and with which service the user is communicating, while the app provider learns the phone's location and what information is delivered through the app. There is an interesting design difference in location tracking: Apple's iOS 8 does not allow apps to collect location information when the app is not in use, but there is no such restriction for Android phones.
With such interest in following the user and such capabilities for surveillance, it becomes difficult to imagine that any privacy is possible. Yet there are many technical solutions for protecting privacy. It is particularly striking that there are even technical solutions for obscuring with whom you are communicating. In the mid-1990s, the United States Naval Research Laboratory began work on a system that makes it difficult to determine who is connecting with whom on the Internet.
While the use of encryption for confidentiality had been controlled, its use for authentication (assurance that a person or site is who they say they are) had not. HTTPS, the secure version of the HTTP protocol, is used to authenticate a website and encrypt communications between a user and the site. This protocol was essential for electronic commerce, and was already deployed by the mid- to late 1990s. Given that HTTPS was widely deployed quite early for e-commerce, it is striking that webmail, the service that provides email through a browser, was not similarly protected.
An example of alternative privacy protection is Off-the-Record (OTR) chat. Google's OTR chat does not store chat histories in users' accounts, or in the accounts of the people with whom they are chatting. But Google policy does not preclude storing the communications elsewhere. A more protective version would be not to store the communications whatsoever. Even more protective would be not storing the communications and also encrypting the chat. Most protective would be to encrypt using a technique called forward secrecy, so that even if the encryption key is compromised at some point, no previously intercepted messages can be decrypted. There are OTR systems that provide this level of security.
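Forward secrecy as described above, shown in an added example that is not from the original article or from any OTR implementation: a symmetric hash ratchet in Python, in which each message uses a fresh key and the chain key is replaced by a one-way hash of itself, so a key captured later cannot be run backwards. (OTR itself reaches the same goal with Diffie-Hellman re-keying; the ratchet construction, the toy HMAC stream cipher and the sample messages here are constructed for illustration.)

```python
import hashlib
import hmac

# Constructed illustration of forward secrecy via a symmetric hash ratchet.
# Each message key is derived from the current chain key, and the chain key
# is then replaced by a one-way hash of itself, so compromising the chain
# key at some point reveals only keys derived after that point.

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: HMAC-SHA256 keyed with `key` over a label."""
    return hmac.new(key, label, hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC counter keystream. Symmetric,
    so the same call decrypts. Illustrative only, not a production cipher."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class Ratchet:
    """Holds only the current chain key; earlier keys are deleted."""
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        mk = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # old state is gone
        return mk

def run_conversation(initial_key: bytes, messages, compromise_after: int):
    """Encrypt `messages` with a ratchet; after `compromise_after` of them an
    interceptor captures the sender's current chain key. Returns what the
    legitimate receiver recovers, what the interceptor recovers from later
    traffic, and the garbage the interceptor gets from the first message."""
    sender = Ratchet(initial_key)
    ciphertexts, stolen = [], None
    for n, m in enumerate(messages, start=1):
        ciphertexts.append(xor_stream(sender.next_message_key(), m))
        if n == compromise_after:
            stolen = sender.chain_key
    receiver = Ratchet(initial_key)
    legit = [xor_stream(receiver.next_message_key(), c) for c in ciphertexts]
    interceptor = Ratchet(stolen)  # can only walk the chain forward
    later = [xor_stream(interceptor.next_message_key(), c)
             for c in ciphertexts[compromise_after:]]
    # The only keys derivable from the stolen state are post-compromise keys;
    # applying one to an earlier ciphertext does not recover its plaintext.
    stale = xor_stream(Ratchet(stolen).next_message_key(), ciphertexts[0])
    return legit, later, stale
```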
As the Snowden disclosures confirmed, national-security agencies may exploit vulnerabilities in communications devices to exfiltrate data from targets. Such capabilities are used not only by intelligence agencies, but by law enforcement as well. As encryption becomes increasingly common, such "lawful hacking" will increasingly be used when communications content cannot be retrieved in other ways. It is no silver bullet; a vulnerabilities approach is more complex legally and technically, and more expensive than if unencrypted communications can be made available.
The privacy situation is about to grow far more difficult. While Internet transactional information is remarkably revelatory, the information from sensors on toothbrushes, watches, clothes, heart monitors, phones, and everything else will be many times more so. Cheap sensors communicating with the Internet will soon be everywhere: sensors to measure tire pressure and bridge structural health; sensors to report on the freshness of food in the fridge, the dampness in the soil, and the movement of an elderly person at night; sensors to determine whether the car driver or passenger is making a call.
Communications between people at a distance have never been entirely private. Delivery is variable, and seals can be broken. Communications that were once ephemeral now have a trail, and being anonymous in modern society is no longer plausible. Doing so means not only eschewing the use of smartphones (and credit cards, transit passes, and so forth), but also requiring companions to do the same. You cannot hide from network detection if your known companions' phones broadcast their whereabouts.
Privacy has always been about economics. How much does it cost to use Lavabit’s encrypted email services instead of free Gmail services? Or how much more does it cost to use cash at the bookstore instead of ordering over Amazon? On the flip side, how many resources must be devoted to investigations if communications are protected through privacy-protective technologies?
The Internet changed the equation in various ways. In the initial development of Internet applications, we tipped in one direction, allowing collection and release of massive amounts of information about ourselves. Application design, however, provides a plethora of possibilities. Our current Internet design is a world in which applications sometimes provide privacy-protective solutions for those who want them. But these give only a modicum of privacy. Changing the ease with which surveillance can be performed, making it more difficult to track user preferences and activity, is largely a matter of choices.
Choices for more privacy-protective solutions can come from government regulations, and they can come from customer demand. But such alternatives in application design do exist. Humans are a highly communicative species, and the Internet fed this aspect of our nature. That the Internet grew spectacularly alongside the terrorist attacks of September 11th and their aftermath meant that privacy, always on a societal pendulum, largely suffered over the last decade and a half. Now choices abound; we may be reaching a time when the pendulum swings back. But the market will only provide effective privacy-protective solutions if enough users demand them.
By Ashoka Jahnavi Prasad