Flaws in 'Internet SAFETY' bill

* Unexpected consequences of required dynamic address allocation logging

Friend and colleague Robert Gezelter points to serious deficiencies in the thinking behind legislation currently under consideration in the House and Senate. The remaining text is entirely Bob's with minor edits.

* * *

In February, Sen. John Cornyn (R-Texas) introduced the “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act of 2009” (referred to as the “Internet SAFETY Act”). Rep. Lamar Smith (R-Texas) introduced a parallel resolution in the House of Representatives.

Both measures amend 18 USC §2703 and require that “A provider of an electronic communications service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a temporarily assigned network address the service assigns to that user.”

Taken broadly, as some legal commentators have concluded, such requirements extend beyond the level of commercial ISPs and ensnare everyone who operates a Wi-Fi hot-spot or firewall, requiring every home or small business to become a long-term custodian of network logging data.

This requirement has problems of technical feasibility and accuracy. It may create both a surveillance hazard and a subpoena target.

The proposed legislation presumes the use of a network protocol suite that relies on hardware MAC addresses, such as the IP suite, and this raises serious technical issues. Dynamic addresses are typically managed using the Dynamic Host Configuration Protocol (DHCP): DHCP servers issue “leases” on specific IP addresses to requesting machines for a specified period of time, subject to renewal. However, IP addresses can also be assigned dynamically without any centralized authority, as under Microsoft’s “Automatic Private IP Addressing” (APIPA).

Either scheme works by binding an IP address to an IEEE 802.3 MAC address. Although every IEEE 802.3 interface has a default hardware MAC address, software does not always use that default. MAC addresses were never intended as non-forgeable machine serial numbers; MAC address spoofing (forging) and related attacks are well-known security hazards. A MAC address is not a non-repudiable identifier.

Thus, it is quite possible to take over a DHCP lease without any knowledge of the original lessee. When the original lessee is seen to cease operation, the pretender merely assumes the mantle of the original MAC address and continues to use the network.

A second, far more serious problem is time correlation. Log records are reliable only if the timelines recorded in different logs can be correlated to a common clock. Tracing an Internet connection to a given address on one side of a firewall is useful only if it can be determined precisely which address on the far side of the firewall (and, under address translation, which port number) corresponded to that connection at that precise time. For example, TCP port 8465 may map to one address at 12:00:15 and to a different address at 12:00:30. Absent precisely correlated logs, which connection is the one of interest is not easily determined.

Thus, the attributability of the resulting logs is called into question, even without raising a question of MAC forgery.
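The following is an added example, not part of the column, that makes the time-correlation problem concrete. It parses a constructed NAT translation log and a constructed DHCP lease log from a hypothetical home gateway (the log formats, addresses, MACs and timestamps are all invented for the illustration) and attributes an observation of public port 8465 at a given moment to an internal address and the MAC that leased it. The same observation yields one host, no host, or a different host depending on a few seconds of clock skew between the observer and the gateway, which is exactly why uncorrelated logs carry little evidentiary weight. The MAC it reports is only the one presented to the DHCP server, so even a correct correlation inherits the forgeability discussed above.

```python
"""Correlate NAT translation and DHCP lease logs to attribute an external
observation to an internal host, and show the effect of clock skew.
Added example; all log lines and addresses below are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

TS = "%Y-%m-%d %H:%M:%S"

# Constructed gateway NAT log: public endpoint -> internal endpoint, start/end events.
NAT_LOG = """\
2009-03-01 12:00:10 NAT tcp 203.0.113.5:8465 -> 192.168.1.20:51234 start
2009-03-01 12:00:20 NAT tcp 203.0.113.5:8465 -> 192.168.1.20:51234 end
2009-03-01 12:00:25 NAT tcp 203.0.113.5:8465 -> 192.168.1.31:40001 start
2009-03-01 12:00:40 NAT tcp 203.0.113.5:8465 -> 192.168.1.31:40001 end
"""

# Constructed DHCP lease log: internal address, client MAC, lease length in seconds.
DHCP_LOG = """\
2009-03-01 11:50:00 DHCPACK 192.168.1.20 00:11:22:33:44:55 lease 3600
2009-03-01 11:55:00 DHCPACK 192.168.1.31 66:77:88:99:aa:bb lease 3600
"""


@dataclass
class Interval:
    start: datetime        # inclusive
    end: datetime          # exclusive
    key: str               # public "ip:port" for NAT, internal ip for DHCP
    value: str             # internal "ip:port" for NAT, MAC for DHCP

    def covers(self, t: datetime) -> bool:
        return self.start <= t < self.end


NAT_RE = re.compile(r"^(\S+ \S+) NAT tcp (\S+) -> (\S+) (start|end)$")
DHCP_RE = re.compile(r"^(\S+ \S+) DHCPACK (\S+) (\S+) lease (\d+)$")


def parse_nat(text: str) -> list:
    """Pair each translation's 'start' line with its matching 'end' line."""
    open_maps = {}
    intervals = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue  # skip anything that is not a translation record
        ts = datetime.strptime(m.group(1), TS)
        public, internal, event = m.group(2), m.group(3), m.group(4)
        if event == "start":
            open_maps[(public, internal)] = ts
        else:
            intervals.append(Interval(open_maps.pop((public, internal)), ts, public, internal))
    return intervals


def parse_dhcp(text: str) -> list:
    """Turn each DHCPACK into a lease interval keyed by internal address."""
    intervals = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS)
        ip, mac, secs = m.group(2), m.group(3), int(m.group(4))
        intervals.append(Interval(ts, ts + timedelta(seconds=secs), ip, mac))
    return intervals


def lookup(intervals: list, key: str, t: datetime) -> Optional[str]:
    """Return the single value bound to key at time t, or None if none/ambiguous."""
    hits = [iv.value for iv in intervals if iv.key == key and iv.covers(t)]
    return hits[0] if len(hits) == 1 else None


def attribute(public_endpoint: str, observed_at: str, observer_skew_seconds: int = 0,
              nat_log: str = NAT_LOG, dhcp_log: str = DHCP_LOG):
    """Map an observation of public_endpoint at observed_at (observer's clock)
    to (internal ip, MAC). observer_skew_seconds is how far the observer's
    clock runs ahead of the gateway's; subtracting it converts to gateway time."""
    t = datetime.strptime(observed_at, TS) - timedelta(seconds=observer_skew_seconds)
    internal = lookup(parse_nat(nat_log), public_endpoint, t)
    if internal is None:
        return None
    ip = internal.split(":")[0]
    return (ip, lookup(parse_dhcp(dhcp_log), ip, t))


if __name__ == "__main__":
    # The column's two instants, then one observation under three skews.
    for when in ("2009-03-01 12:00:15", "2009-03-01 12:00:30"):
        print(when, attribute("203.0.113.5:8465", when))
    for skew in (3, 0, -3):
        print("skew", skew, attribute("203.0.113.5:8465", "2009-03-01 12:00:22", skew))
```

Run as-is, the two instants from the text resolve to different internal hosts, and the 12:00:22 observation resolves to host .20, to nobody, or to host .31 as the observer's clock is assumed 3 seconds fast, exact, or 3 seconds slow. A log custodian who cannot bound that skew cannot honestly say which record answers a subpoena.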

There are millions of home and small office firewalls presently deployed. These appliances are not even physically capable of storing the information required without replacement. Who will cover the cost and effort required to upgrade or replace this equipment? Who will incur the cost of preserving the logs generated by this equipment?

There is far more at risk from this legislation than the child pornography referred to in its title and preamble. Bruce Schneier’s comment in a January essay concerning the Mumbai terror attack is apropos: 

“Society survives all of this because the good uses of infrastructure far outweigh the bad uses, even though the good uses are – by and large – small and pedestrian and the bad uses are rare and spectacular. And while terrorism turns society's very infrastructure against itself, we only harm ourselves by dismantling that infrastructure in response – just as we would if we banned cars because bank robbers used them too.”

Imposing a duty to log all Internet activity on every home and small business, and requiring the data to be retained for two years, imposes an unprecedented burden with limited utility. It also poses severe risks for invasions of privacy engendered by this very log data.

A more extensive discussion of this legislation is outlined in “Will Long Term Dynamic Address Allocation Record Retention Help or Hurt?” 

[MK adds: You might want to start contacting your senators and your representative about this issue.]

* * *

Robert Gezelter, CDP, has 33 years of experience in operating systems, networks and security consulting. He can be reached via his firm’s Web site. He is the author of the “Mobile Code” and “E-Commerce and Web Server Safeguards” chapters in the Computer Security Handbook, 5th Edition, edited by Seymour Bosworth, M. E. Kabay and E. Whyne (2009) published by John Wiley & Sons. 
