[sacw] Proposed Net address changes cause privacy fears (AP)

[Harsh Kapoor]

=46YI
Harsh Kapoor
------------------------------
Proposed Net address changes cause privacy fears (AP)
Privacy experts are "appalled" by a proposal to expand IP addresses to
include a serial number that would identify any computer on the Net.

- - - - - - - - - - - -

Associated Press

Oct. 11, 1999 -- Engineers designing a new way to send information
across the Internet want to include a unique serial number from each
personal computer within every parcel of data, an idea that privacy
advocates fear could lead to tracing of senders' identities.

Critics warn that, if adopted, the move could potentially strip away a
measure of anonymity and security enjoyed by tens of millions of home
computer users who dial into America Online Inc. and other Internet
providers over traditional telephone lines.

The issue also illustrates the danger of the unintended potential
consequences from arcane design decisions aimed at ensuring the Internet's
stability into the 21st century.

The proposal by the Internet Engineering Task Force, an international
standards body, would include the unique serial number for each computer's
network connection hardware as part of its expanded new Internet protocol
address.

These "IP" addresses, planted within e-mails and all other information
flowing across the Internet, must be as unique as telephone numbers to
distinguish each computer on the global network and to guide the billions
of bits and bytes flowing among them.

The IETF's top engineers acknowledge some implications for online privacy,
but "I think the privacy concerns are overrated," said Fred Baker, the task
force's chairman.

But some privacy experts said they were appalled that IETF engineers would
consider the idea. The new address scheme, called "IPv6," would not become
widely used for years but ultimately would affect every Internet user.

Critics warned that commercial Internet sites, which already routinely
record IP addresses, could begin to correlate these embedded serial numbers
against a consumer's name, address and other personal details, from
clothing size to political affiliation.

The task force itself will ultimately decide whether to include the
identifying numbers in the new IP addresses. The timing on that decision is
unclear.

Baker said the task force is also envisioning ways to configure Internet
devices manually so addresses won't contain the sensitive numbers.

"Those folks concerned about the privacy issue could use this (alternate)
technique," said Thomas Narten, an IBM software engineer working with the
IETF.

Most home computer users currently are assigned a different IP address each
time they connect to the Internet through a telephone line, which affords
some extra security and anonymity. It's akin to a person using a different
phone number every day to shield his identity and avoid prank phone calls.

But under the IETF proposal, a portion of even those somewhat
randomlyassigned addresses could include the consumer's unique serial
number _ and that information would be stamped on every piece of
information sent from his computer.

"I'm just winding the tape forward here five years, when we all say, 'Oh,
my God!'" said Richard L. Smith of Brookline, Mass., a security expert who
was among the first to question the plan.

The danger worsens, critics warn, as Internet sites are expected to begin
to share information about their customers: A consumer visiting a Web site
for the first time could be identified by his computer's serial number that
had been recorded at another site.

"There's no doubt there are serious privacy concerns," said Marc Rotenberg
of the Washington-based Electronic Privacy Information Center.

Baker and others said the plan is meant to simplify configuring these new
types of addresses.

Supporters also question how invasive the disclosure of those numbers might
be. They note that most of today's business computers and home computers
with high-speed Internet connections use IP addresses that never or rarely
change -- and thus already are susceptible to use as a type of identifier.

"Yes, you are externalizing a little more information ... but correlating
that back to a person -- I don't think you actually gain more information,"
Baker said.

Smith discovered earlier this year that Microsoft's Windows operating
system was planting a similar identifier number within some electronic
documents. Within days, following a public outcry, executives offered a way
for consumers to strip the numbers from their records.

The latest controversy also follows criticism of Intel Corp., the world's
largest manufacturer of computer processors, which designed its new Pentium
III chips to transmit a unique serial number internally and to Web sites
that request it to help verify the identity of consumers.

=A9 1999 The Associated Press. All rights reserved. The information containe=
d
in the AP News report may not be published, broadcast, rewritten or
redistributed without the prior written authority of The Associated Press.