New plans for Internet could carry privacy risks
WASHINGTON – Engineers designing a new way to send information across the Internet want to include a unique serial number from each personal computer within every parcel of data.
Critics warn that, if adopted, the move could potentially strip away anonymity and security enjoyed by tens of millions of home computer users who dial into America Online Inc. and other Internet providers over traditional telephone lines.
The debate illustrates the unintended potential consequences of design decisions aimed at ensuring the Internet’s stability into the 21st century.
The proposal by the Internet Engineering Task Force, an international standards body, would include the unique serial number for each computer’s network connection hardware as part of its expanded new Internet protocol address.
These ”IP” addresses, planted within e-mails and all other information flowing across the Internet, must be as unique as telephone numbers to distinguish each computer on the global network and to guide the billions of bits and bytes flowing among them.
The IETF’s top engineers acknowledge some implications for online privacy, but ”I think the privacy concerns are overrated,” said Fred Baker, the task force’s chairman.
But some privacy experts said they were appalled that IETF engineers would consider the idea. The new address scheme, called ”IPv6,” would not become widely used for years but ultimately would affect every Internet user.
Critics warned that commercial Internet sites, which already routinely record IP addresses, could begin to correlate these embedded serial numbers against a consumer’s name, address and other personal details, from clothing size to political affiliation.
The task force itself will ultimately decide whether to include the identifying numbers in the new IP addresses. The timing on that decision is unclear.
Baker said the task force is also envisioning ways to configure Internet devices manually so addresses won’t contain the sensitive numbers.
”Those folks concerned about the privacy issue could use this (alternate) technique,” said Thomas Narten, an IBM software engineer working with the IETF.
Most home computer users currently are assigned a different IP address each time they connect to the Internet through a telephone line, which affords some extra security and anonymity. It’s akin to a person using a different phone number every day to shield his identity and avoid prank phone calls.
But under the IETF proposal, a portion of even those somewhat randomly assigned addresses could include the consumer’s unique serial number – and that information would be stamped on every piece of information sent from his computer.
”I’m just winding the tape forward here five years, when we all say, ‘Oh, my God!”’ said Richard L. Smith of Brookline, Mass., a security expert who was among the first to question the plan.
The danger worsens, critics warn, as Internet sites are expected to begin to share information about their customers: A consumer visiting a Web site for the first time could be identified by his computer’s serial number that had been recorded at another site.
”There’s no doubt there are serious privacy concerns,” said Marc Rotenberg of the Washington-based Electronic Privacy Information Center.
Baker and others said the plan is meant to simplify configuring these new types of addresses. They question how invasive the disclosure of those numbers might be, noting that most of today’s computers with high-speed Internet connections use IP addresses that never or rarely change – and thus already are susceptible to use as a type of identifier.
”Yes, you are externalizing a little more information … but correlating that back to a person – I don’t think you actually gain more information,” Baker said.
Smith discovered earlier this year that Microsoft’s Windows operating system was planting a similar identifier number within some electronic documents. Within days, following a public outcry, executives offered a way for consumers to strip the numbers from their records.