When the Internet architecture was designed some 40 years ago, its architects focused on the challenges of the time. These included the creation of a distributed communication network that is robust against packet loss and other network failures; support across multiple types of networks and communication services; and the management of Internet resources in a cost-effective and distributed way. As history has shown, the Internet's architects succeeded on many dimensions. The phenomenal success of the Internet has often been attributed to its basic architectural principles.
As the uses of the Internet have expanded beyond the original creators' wildest dreams, its protocols have been stretched to accommodate new usage models, such as mobile, video, real-time, and security-sensitive applications. A string of extensions has resulted in an infrastructure that has increasingly become ossified due to the numerous constraints each extension introduces, in turn complicating further extensions. These challenges have prompted researchers to rethink architectural principles, thereby engaging in visionary thinking about what a future Internet architecture, which should last for many decades, should look like.
One important dimension of clean-slate Internet architecture proposals is to rethink the role of accountability. The general idea is that accountability for one's actions would enable identification of the offender, making it possible to either defend oneself against misbehavior or deter it altogether. It is therefore natural to consider accountability as a way of addressing network attacks, ranging from route hijacking, to various kinds of network denial-of-service attacks and remote exploitation of host vulnerabilities. Increased accountability could not only address some of the technical shortcomings of the current Internet architecture. It could also enable various partly legal solutions to problems which, to date, have not been solved by purely technical means.
In recent years, security incidents have repeatedly stressed the need for accountability mechanisms. We highlight the use of accountability to address the hijacking of Internet traffic routing by altering or deleting authorized Border Gateway Protocol (BGP) routes. In 2008, YouTube became globally unreachable after a Pakistani Internet service provider (ISP) altered a route in an attempt to block YouTube access in Pakistan. In 2013, the network intelligence firm Renesys documented that traffic routes from Mexico to Washington, D.C., and from Denver to Denver had been rerouted via Belarus and Iceland. In March 2014, Google's Public Domain Name System (DNS) server, which handles approximately 150 billion queries a day, had its IP address hijacked for 22 minutes. During this time, millions of Internet users were redirected to British Telecom's Latin America division in Venezuela and Brazil. Such rerouting, whether deliberate or not, abuses the implicit trust enshrined in the BGP routing protocol. Traffic rerouting is often difficult to detect for both Internet users and network operators. It can be used for a wide range of attacks. Despite the introduction of BGPSEC (a security protocol that promises to stop hijacking attacks), accountability, which makes it possible for an attacker to be identified, sued, and prosecuted, may prove a better solution to the hijacking problem.
Another example where accountability matters is the network neutrality debate. Insufficient accountability mechanisms in today's Internet prevent consumers from finding out why their access to particular services has been blocked or slowed down. Is today's access to Hulu slow due to technical problems at Hulu's servers, due to delays somewhere in the network, or due to bandwidth limitations between your ISP and your home network? It is difficult to determine. More generally, if a technical architecture does not provide means for users to monitor whether service providers keep their promises with regard to service quality and features, service providers may have insufficient incentives to actually keep their promises.
An architecture that leaves loopholes in legal and technical accountability has its costs. As the Internet traffic hijacking example shows, it may encourage unlawful online activities, with all the negative effects this entails for society. As the network neutrality example demonstrates, it may deter business partners from entering into contractual agreements, as their terms may be unenforceable.
Currently, manifold attempts are being made to deal with accountability loopholes. On the legal front, legislators and government agencies are designing rules to provide network providers and users with the right incentives despite limited accountability. In the ongoing battle over network neutrality regulations, for example, the U.S. Federal Communications Commission (FCC) has proposed rules that will force ISPs to disclose their network management practices [a]. In June 2014, the FCC announced it would investigate the impact peering agreements between ISPs such as Comcast and Verizon and content providers such as Netflix have on broadband consumption and Internet congestion.
On the technical front, any technology aimed at increasing accountability should provide irrefutable proof that parties have performed certain actions: in particular, proof of who is being held accountable for what action, and to whom. End users, hosts, ISPs (or their routers and network equipment), service operators, or content providers could all potentially be held accountable or be enabled to verify the accountability. Consider a system that would hold an ISP's routers accountable for delayed packet forwarding. It would have to ensure the routers cannot hide the fact that they delayed forwarding a packet. Such accountability for delays could serve as a technical measure to validate the network neutrality of an ISP.
Researchers have proposed numerous technical solutions for various types of accountability. Bender et al. propose to hold the source accountable for packets created, and enable each router to verify [2]. Such packet origin accountability is a popular property, which subsequent researchers have pursued with varying assumptions and approaches for cryptographic key setup [1,3,7]. Li et al. propose a general key setup mechanism between sources and network routers to enable packet origin, router forwarding, and routing message accountability [6]. Naous et al. propose a system for packet origin and strong router forwarding accountability [9]. Zhou et al. [11] propose a strong notion of making the network accountable for any state it may have ("secure network provenance"). The same authors have extended their work to also provide time-aware provenance [12].
Implementing only legal or technical measures to increase accountability on the Internet has limitations. We believe it is a fruitful exercise to combine technical and legal aspects for two reasons. First, this challenges perceptions lawyers have about technology and vice versa. As the Internet traffic hijacking and the network neutrality examples demonstrate, it is often difficult to identify what caused network errors. From a legal perspective, lacking identifiability makes it impossible to hold someone accountable for the error. This, in turn, reduces everyone's incentive to prevent network errors, as the risk of being held liable is low. All too often, the legal debate simply assumes such accountability loopholes are a given fact on the Internet. The debate has not considered how liability regimes and the types of contracts and services offered on the Internet would change if a future Internet architecture were to provide enhanced accountability mechanisms. The current lack of accountability, for example, prevents service-level agreements that span beyond a single autonomous system. Accountability for network operations could enable an ISP to provide inter-ISP service-level agreements, as the ISP could restrict its liability to internal errors, thereby excluding external errors that can be attributed to the appropriate responsible party. Increasing accountability could thus make liability risks manageable and contractable.
Second, by combining technical and legal aspects of accountability in network design, we can focus on trade-offs in network design decisions that might otherwise pass unnoticed. An important issue is the trade-off between accountability and privacy. Usually they are in conflict, as accountability requires sacrificing privacy [5]. However, in some cases, both can be achieved. For example, Mallios et al. have proposed a system where privacy is achieved as long as a user does not misbehave, whereas misbehavior will render the user accountable [8,b]. Another important trade-off exists between accountability and personal freedom. Lessig argues that e-commerce will require accountability at the cost of personal freedom [5]. There might be other issues here. If everyone's actions on the Internet were traceable, how could political activists communicate under oppressive political systems? How could highly privacy-sensitive citizens communicate? Technical solutions such as anonymous communication systems implemented as an overlay network on the Internet can achieve anonymous communication despite a traceable or accountable underlying network architecture. The important research question is how the two properties can be meaningfully combined. The answer may be something similar to the privacy example described previously: As long as users communicate within some defined traffic pattern, their communications remain anonymous. If they deviate from the pattern, their (potential mis)behavior can be traced back. It is also worth noting that increased accountability can be advantageous to political activists. In societies where governments control Internet traffic within the country and across borders, increased accountability can impede unobtrusive censorship, as the increase in transparency makes it more difficult for the government to hide its censoring activities.
We cannot offer any easy ways to deal with such trade-offs. We can, however, observe that many important problems in today's Internet are due to a lack of accountability and transparency. The response, to increase accountability, is not a mere technical enterprise. Many design decisions have implications for social interactions that lie in the realm of the law. Because law and technology are sometimes interchangeable and sometimes lead to difficult trade-offs, legal considerations should be taken into account not only after a novel Internet architecture has been implemented, but as an integral part of the design process of the architecture itself [4,10]. Such an approach could do more than enhance the value of the architecture itself. Increased accountability may also produce novel services that we cannot envision at present, precisely because of accountability loopholes that affect the current Internet.
As the interaction between network usage and the law increases, the network's technical architecture must cope with trade-offs and policy values that have long been familiar within the legal system. It is one of the challenges of future Internet architecture design to develop holistic approaches that will integrate technical and legal aspects and enable researchers and developers to be versatile in both fields.
a. This aspect of the proposed Open Internet Rules has not been affected by the January 2014 decision of the U.S. Court of Appeals for the District of Columbia, which struck down antiblocking and anti-discrimination obligations.
The authors would like to thank Srdjan Capkun, Susanne Hambrusch, John L. King, and Timothy Roscoe for helpful feedback.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2014 ACM, Inc.
The following letter was published in the Letters to the Editor of the November 2014 CACM (http://cacm.acm.org/magazines/2014/11/179829).
British philosopher and social theorist Jeremy Bentham would have wholeheartedly endorsed many of the accountability mechanisms Stefan Bechtold and Adrian Perrig outlined in their Viewpoint "Accountability in Future Internet Architectures" (Sept. 2014). It reminded me of Bentham's Panopticon (late 18th century), a prison where the prisoners would be motivated to behave in a more civilized manner by being made to think they were always under surveillance. Likewise, Bechtold and Perrig took the view that network users being tracked and made accountable for their actions would improve the Internet.
I am certain the majority of governments today would endorse this architecture, in which it would be possible to trace all Internet Protocol communication packets from source to destination and guarantee everyone is using the network responsibly. Indeed, many governments already pursue such a goal.
On the other hand, I am concerned the pervasive monitoring already present in today's global Internet without these technical aids might not be in society's best interests. I have been working with U.S. State Dept. sponsorship aiding a user group of journalists and democracy advocates in African countries, many with authoritarian tendencies. I am developing anonymization tools and training participants to use them. In many of the countries, accountability for accessing information considered innocuous in the West has dire consequences. Many of those lacking human rights protections found in Western democracies indeed use the technology produced in the West.
I dislike the idea of making people accountable for the information they consume, which would be a by-product of the ideas Bechtold and Perrig proposed.
Richard R. Brooks
Like Brooks, we strongly support privacy and anonymity for users. However, we also strongly disagree with an interpretation of our Viewpoint that says we envision a future Internet architecture that tracks users. Our aim was (and is) more discerning. As we pointed out, it is sometimes possible to achieve both privacy and accountability, whereby users maintain their privacy and become accountable only if they violate some policy as by, say, perpetrating an attack. Moreover, anonymity can be achieved through an overlay network, even if the underlying network is accountable. We also highlighted the research challenges involved in balancing accountability, privacy, anonymity, political freedom, and other values. Brooks seems to have missed this core point.
Stefan Bechtold and Adrian Perrig