Computer Crime Research Center

Agency Weighed, but Discarded, Plan Reconfiguring the Internet

(By John Markoff)

The Pentagon research agency that is exploring how to create a vast database of electronic transactions and analyze them for potential terrorist activity considered but rejected another surveillance idea: tagging Internet data with unique personal markers to make anonymous use of some parts of the Internet impossible.

The idea, which was explored at a two-day workshop in California in August, touched off an angry private dispute among computer scientists and policy experts who had been brought together to assess the implications of the technology.

The plan, known as eDNA, called for developing a new version of the Internet that would include enclaves where it would be impossible to be anonymous while using the network. The technology would have divided the Internet into secure "public network highways," where a computer user would have needed to be identified, and "private network alleyways," which would not have required identification.

Several people familiar with the eDNA discussions said such secure areas might have first involved government employees or law enforcement agencies, then been extended to security-conscious organizations like financial institutions, and after that been broadened even further.

A description of the eDNA proposal that was sent to the 18 workshop participants read in part: "We envisage that all network and client resources will maintain traces of user eDNA so that the user can be uniquely identified as having visited a Web site, having started a process or having sent a packet. This way, the resources and those who use them form a virtual 'crime scene' that contains evidence about the identity of the users, much the same way as a real crime scene contains DNA traces of people."

The proposal would have been one of a series of technology initiatives that have been pursued by the Bush administration for what it describes as part of the effort to counter the potential for further terrorist attacks in the United States. Those initiatives include a variety of plans to trace and monitor the electronic activities of United States citizens.

In recent weeks another undertaking of the Defense Advanced Research Projects Agency, or Darpa, the Pentagon research organization, has drawn sharp criticism for its potential to undermine civil liberties. That project is being headed by John M. Poindexter, the retired vice admiral who served as national security adviser to President Ronald Reagan.

Dr. Poindexter returned to the Pentagon in January to direct the research agency's Information Awareness Office, created in the wake of the Sept. 11 attacks. That office has been pursuing a surveillance system called Total Information Awareness that would permit intelligence analysts and law enforcement officials to mount a vast dragnet through electronic transaction data ranging from credit card information to veterinary records, in the United States and internationally, to hunt for terrorists.

In contrast, with eDNA the user would have needed to enter a digital version of unique personal identifiers, like a fingerprint or voice, in order to use the secure enclaves of the network. That would have been turned into an electronic signature that could have been appended to every Internet message or activity and thus tracked back to its source.

The eDNA idea was originally envisioned in a private brainstorming session that included the director of Darpa, Dr. Tony Tether, and a number of computer researchers, according to a person with intimate knowledge of the proposal. At the meeting, this person said, Dr. Tether asked why Internet attacks could not be traced back to their point of origin, and was told that given the current structure of the Internet, doing so was frequently not possible.

The review of the proposal was financed by a second Darpa unit, the Information Processing Technology Office. This week a Darpa spokeswoman, Jan Walker, said the agency planned no further financing for the idea. In explaining the reason for the decision to finance the review in the first place, Ms. Walker said the agency had been "intrigued by the difficult computing science research involved in creating network capabilities that would provide the same levels of responsibility and accountability in cyberspace as now exist in the physical world."

Darpa awarded a $60,000 contract to SRI International, a research concern based in Menlo Park, Calif., to investigate the concept. SRI then convened the workshop in August to evaluate its feasibility.

The workshop brought together a group of respected computer security researchers, including Whitfield Diffie of Sun Microsystems and Matt Blaze of AT&T Labs; well-known computer scientists like Roger Needham of Microsoft Research in Cambridge, England; Michael Vatis, who headed the National Infrastructure Protection Center during the Clinton administration; and Marc Rotenberg, a privacy expert from the Electronic Privacy Information Center.

The workshop was led by Mr. Blaze and Dr. Victoria Stavridou, an SRI computer scientist, one of those who had originally discussed the eDNA concept with Darpa officials.

At the workshop, the idea was criticized by almost all the participants, a number of them said, on both technical and privacy grounds. Several computer experts said they believed that it would not solve the problems it would be addressing.

"Before people demand more surveillance information, they should be able to process the information they already have," Mark Seiden, an independent computer security expert who attended the workshop, said in an interview. "Almost all of our failures to date have come from our inability to use existing intelligence information."

Several of the researchers told of a heated e-mail exchange in September over how to represent the consensus of the workshop in a report that was to be submitted to Darpa. At one point, Mr. Blaze reported to the group that he had been "fired" by Dr. Stavridou, of SRI, from his appointed role of writing the report presenting that consensus.

In e-mail messages, several participants said they believed that Dr. Stavridou was hijacking the report and that the group's consensus would not be reported to Darpa.

"I've never seen such personal attacks," one participant said in a subsequent telephone interview.

In defending herself by e-mail, Dr. Stavridou told the other panelists, "Darpa asked SRI to organize the meeting because they have a deep interest in technology for identifying network miscreants and revoking their network privileges."

In October, Dr. Stavridou traveled to Darpa headquarters in Virginia and — after a teleconference from there that was to have included Mr. Blaze, Mr. Rotenberg and Mr. Vatis was canceled — later told the panelists by e-mail that she had briefed several Darpa officials on her own about the group's discussions.

In that e-mail message, sent to the group on Oct. 15, she reported that the Darpa officials had been impressed with the panel's work and had told her that three Darpa offices, including the Information Awareness Office, were interested in pursuing the technology.

This week, however, in response to a reporter's question, Darpa said it had no plans to pursue the technology. And an SRI spokeswoman, Alice Resnick, said yesterday, "SRI informed Darpa that the costs and risks would outweigh any benefit."

Source: www.nytimes.com


Copyright © Computer Crime Research Center 2001, 2002 All Rights Reserved.