Posts Tagged ‘cybersecurity’

I stumbled upon an interview with Internet security guru Eugene Kaspersky in which he makes some troublesome statements supporting an end to online anonymity.

E.K: The Internet was never designed with security in mind. If I was God, and wanted to fix the Internet, I would start by ensuring that every user has a sort of Internet passport: basically, a means of verifying identity, just like in the real world, with driver’s licenses and passports and so on. The second problem is one of jurisdiction. The Internet has no borders, and neither do the criminals who operate on the Internet. However, law enforcement agencies have jurisdictional limits, and are unable to conduct investigations across the globe. I feel we need an international agency to combat this problem, something like an Interpol for the Internet.

PCW: Won’t your suggestion of Internet Passports remove the anonymity from online browsing, thus causing problems for people who may be operating in countries that are not friendly to their views, and so on?

E.K: There is no such thing as anonymity on the Internet, for the average user. It is relatively easy to identify the casual surfer from his IP address and the ISP’s logs. Criminals, on the other hand, are professionals who know how to hide their tracks. A passport would be beneficial to law-abiding users, and would make it that much more difficult for cyber-criminals to hide.

Admittedly, Kaspersky doesn’t have a whole lot of space to elaborate on his “Internet passport,” so I stand the chance of misunderstanding him, but as I understand it, such an idea would be dangerous and unneeded.

One of the major problems confronting cybersecurity is attribution. When Estonian websites are pounded with DDoS attacks, it is next to impossible for the sysadmins to know if the IP address attacking them is just a zombie conduit or the intentioned attacker. Therefore, it is hard to punish those responsible for cybercrime. An Internet passport would, it seems, lower this level of non-attribution and make the senders accountable for their packet-streams.

Free speech relies on anonymity – a face the Supreme Court has recognized, saying,

“Protections for anonymous speech are vital to democratic discourse. Allowing dissenters to shield their identities frees them to express critical, minority views . . . Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society.”

An “Internet passport” would not only jeopardize that, it would disproportionately affect the innocent. Curiously, Kaspersky seems to make this point, saying “there is no such thing as anonymity on the Internet, for the average users… Criminals, on the other hand, are professionals who know how to hide their tracks.” Does Kaspersky really think a criminal-proof system could be created? It seems to me that cybercriminals would simply steal, fake or cheat the Internet passport system, just as they do with our current equivalent – IP addresses and ISP logs. They have both the intent and capability to do so.

While it is true that regular users can be tracked to a certain extent in our current system, there are dozens of well-known methods available to dissidents, journalists and business people to be anonymous online. An Internet passport, by attempting to curtail the criminals’ use of anonymity would do more damage to those who rely on user-friendly, non-technical solutions like TOR. We should not walk down that path.