AP wire 'slams' IPv6 autoconfig

Rohit Khare (rohit@uci.edu)
Mon, 11 Oct 1999 20:35:15 -0700


Sigh... I know Ted talked to a lot of people who made it quite clear
this is a harmless stage of autoconfiguration. My own point was that
the IP->MAC mapping is already public information -- that's the whole
point of IP routers, to maintain that reverse lookup.

A panicky smith just seems like a better story, doesn't it?
Especially since guids in OLE ended up such a hot-button.

Sigh,
Rohit

OCTOBER 11, 14:28 EDT
Internet Plan Spurs Privacy Fear
By TED BRIDIS
Associated Press Writer

WASHINGTON (AP) - Engineers designing a new way to send information
across the Internet want to include a unique serial number from each
personal computer within every parcel of data, an idea that privacy
advocates fear could lead to tracing of senders' identities.

Critics warn that, if adopted, the move could potentially strip away
a measure of anonymity and security enjoyed by tens of millions of
home computer users who dial into America Online Inc. and other
Internet providers over traditional telephone lines.

The issue also illustrates the danger of the unintended potential
consequences from arcane design decisions aimed at ensuring the
Internet's stability into the 21st century.

The proposal by the Internet Engineering Task Force, an international
standards body, would include the unique serial number for each
computer's network connection hardware as part of its expanded new
Internet protocol address.

These ``IP'' addresses, planted within e-mails and all other
information flowing across the Internet, must be as unique as
telephone numbers to distinguish each computer on the global network
and to guide the billions of bits and bytes flowing among them.

The IETF's top engineers acknowledge some implications for online
privacy, but ``I think the privacy concerns are overrated,'' said
Fred Baker, the task force's chairman.

But some privacy experts said they were appalled that IETF engineers
would consider the idea. The new address scheme, called ``IPv6,''
would not become widely used for years but ultimately would affect
every Internet user.

Critics warned that commercial Internet sites, which already
routinely record IP addresses, could begin to correlate these
embedded serial numbers against a consumer's name, address and other
personal details, from clothing size to political affiliation.
The task force itself will ultimately decide whether to include the
identifying numbers in the new IP addresses. The timing on that
decision is unclear.

Baker said the task force is also envisioning ways to configure
Internet devices manually so addresses won't contain the sensitive
numbers.

``Those folks concerned about the privacy issue could use this
(alternate) technique,'' said Thomas Narten, an IBM software engineer
working with the IETF.

Most home computer users currently are assigned a different IP
address each time they connect to the Internet through a telephone
line, which affords some extra security and anonymity. It's akin to a
person using a different phone number every day to shield his
identity and avoid prank phone calls.

But under the IETF proposal, a portion of even those somewhat
randomlyassigned addresses could include the consumer's unique serial
number - and that information would be stamped on every piece of
information sent from his computer.

``I'm just winding the tape forward here five years, when we all say,
'Oh, my God!''' said Richard L. Smith of Brookline, Mass., a security
expert who was among the first to question the plan.

The danger worsens, critics warn, as Internet sites are expected to
begin to share information about their customers: A consumer visiting
a Web site for the first time could be identified by his computer's
serial number that had been recorded at another site.

``There's no doubt there are serious privacy concerns,'' said Marc
Rotenberg of the Washington-based Electronic Privacy Information
Center.

Baker and others said the plan is meant to simplify configuring these
new types of addresses.

Supporters also question how invasive the disclosure of those numbers
might be. They note that most of today's business computers and home
computers with high-speed Internet connections use IP addresses that
never or rarely change - and thus already are susceptible to use as a
type of identifier.

``Yes, you are externalizing a little more information ... but
correlating that back to a person - I don't think you actually gain
more information,'' Baker said.

Smith discovered earlier this year that Microsoft's Windows operating
system was planting a similar identifier number within some
electronic documents. Within days, following a public outcry,
executives offered a way for consumers to strip the numbers from
their records.

The latest controversy also follows criticism of Intel Corp., the
world's largest manufacturer of computer processors, which designed
its new Pentium III chips to transmit a unique serial number
internally and to Web sites that request it to help verify