Surveillance
From FIpedia
The Disagreement
Background: With the increasing concern over security, there are calls for the equivalent of surveillance cameras in cyberspace: logging elements that observe traffic and log it at some level of detail, from source-destination pairs in the headers of packets to complete capture of all packets.
This proposal raises substantial social issues having to do with the value of such an approach, the potential social cost in loss of privacy and potential abuse of the resulting information, and an overall chilling effect on the utility of the Internet. Any proposal for a future architecture will need to take a position along this spectrum, and (perhaps) to find a way to derive some of the benefits of surveillance without all of the associated costs.
Viewpoint 1: Inappropriate and unjustified
There is little or no evidence that widespread "preventative" surveillance is of any value in preventing abuse and misbehavior. Designers of a future Internet should express a strong social preference for an architecture that makes such surveillance ineffective, and take no steps to distort the architecture in order to make this objective easier or less costly.
Viewpoint 2: End-node self-protection
Traffic monitoring may be proposed as a means to solve several different problems. One problem is to observe (intercept) communication among a set of parties who are willing communicants. This is the story of the "good guys" trying to overhear communication among a set of communicating "bad guys". In this point of view, this objective is not realistic--the bad guys, if they try, can hide their communication.
However, this is not the only objective of observation and monitoring. Another objective is to observe an attack launched by a "bad guy" on a "good guy": a network-based attack. While widespread surveillance may be very costly and of little value, tracking and observing attacks may be of value.
An architectural approach that might support this goal without triggering some of the risks listed above would be to have the logging carried out at (or near and under the control of) the end-node itself. The log could be presented after the fact as evidence of an attack, but only at the discretion of the aggrieved party. A third party might attempt to seize the log, but only with some sort of court order.
So there may be a compromise that captures some of the benefits without all of the costs.
Viewpoint 3: Accountability is essential, whatever the other costs
It is unrealistic to imagine that we can continue to have access to infrastructure as critical as the Internet without having to identify ourselves in some way, and to expect to be held accountable for our actions. An architecture may be designed in such a way that some effort is required to interpret the results of network surveillance, but the network should be designed with tools that make it possible. Just as cars have license plates, packets should be traceable back to their source in a robust way, independent of the wishes of the sender.
Moderator
David Clark
