I have restrained from saying this so far but... "I told you so." When I attended the Oakland NANOG in October 2001, I had just returned from Washington DC. The trip originally was for my brother's wedding but I extended it for some personal lobbying on the so-called USA PATRIOT bill as it rushed through the process, having not one single public hearing in either the House or Senate. During that time I was continually in contact with the very knowledgeable staff at CDT, EFF and an attorney who is a recognized expert on Fourth Amendment search and seizure law and the 1996 AEDPA anti-terrorism law that laid the groundwork for "Patriot". As a USENIX member and NANOG participant, I had more insight into the practical effect of the sweeping proposals in "Patriot" on actual net operations than the attorneys did. I realized that the "Patriot" law, when passed, would sooner or later entangle network operators in crucial decisions affecting the ability of ordinary users to traverse the net freely as we have always done. I did my best to alert my Oregon congressional delegation to these issues, in personal meetings with their staff on Capitol Hill the first week of October. I've got a lot of background in lobbying but found this very hard to do. Bridging the gap between communications and security policy and operational reality is a difficult matter at best. But still, we have to try. At the Oakland NANOG, following meeting procedure, I sent an email query requesting some discussion of the implications of the "Patriot" bill, which ended up passing late in the month, and received a polite but firm reply from Susan Harris: this was beyond the scope of NANOG. I begged to differ then, and now I suggest that we all give serious thought to the implications that increasing and direct government intervention in the operation of the Net is starting to have. We all want security, but security without liberty runs contrary to the founding principles of the United States. And as Bruce Schneier has emphatically pointed out, security is a process not a product, whether it's a firewall or Total Information Awareness. Avi Rubin observes the issue is not that the potential already exists to do great damage with the Internet. With the advent of ever more potent attacks, from ordinary worms and viruses to Code Red and Nimda to root server DDOS and beyond, that is not disputed. The question is why this capability is not used more often. The restraint from using technology for its maximum destructive potential is the social bonds that we have as human beings. The great benefit of the Internet is that it helps strengthen those bonds, improve our planetary communications, and at its best help us collectively address the issues our societies face. If we do not have the maximum freedom to use the net for those purposes, free of government interference and arbitrary control wherever possible, but consistent with *reasoned and reasonable* security measures, our security will instead be undermined in the long run. That is why the approach and attitude of network operators makes a difference. It mattered at the time of the Oakland NANOG, and it matters now. Perhaps NANOG is not the organizational locale to work these issues out, although I could see it being so. But a coherent response to increasing intrusion of governmental policy on network operations needs to happen, one way or another. You might say, "it's not my job to make policy." And that may be true. It's not a branch librarian or circulation manager's job to make policy either, but they all belong to the American Library Association, which has emerged as an effective champion of real security and real freedom on the Internet, because they are committed to the principle that their primary obligation is to the users of library services. I believe network operators should, and do, take very seriously their primary obligation to the users of Internet services. So I ask my friends in this organization NANOG whose purpose and work I, a mere net user, greatly admire, to consider this question with the greatest thoroughness. When the government (whichever one, not just the US) comes knocking and asking you to do something that restricts the freedom of net users, what will you do? When those in your organization who set policy come asking what it will cost and what it will mean to users to do what the government wants, what will you say? I don't mean to place the entire burden on the shoulders of NANOG and its members. But I do think it's important to consider the obligations that all of us, who have some in-depth knowledge of how the Internet *really* works, have to the users of the Internet, which will ultimately be every last one of us on the planet. thanks, Fred ------ mail forwarded, original message follows ------ From: Valdis.Kletnieks@vt.edu <> Subject: Re: White House to Propose System for Wide Monitoring of Internet (fwd) Date: Fri, 20 Dec 2002 14:31:39 -0500 On Fri, 20 Dec 2002 11:31:39 MST, "Wayne E. Bouchard" said:
On Fri, Dec 20, 2002 at 11:12:43AM -0500, David Lesher wrote:
[This just jumped into the operational arena. Are you prepared with the router port for John Poindexter's vacuum? What changes will you need to make? What will they cost? Who will pay?]
Heard about this on the news this morning and you know, I am so not worried about it.
IMO, it's so completely unfeasable at every level as to be actually funny.
All the same, I suggest you forward the rest of your quite well-reasoned comments to your congresscritter and/or the White House. Remember that the idea was probably propsed by people who have little or no clue of what the actual impact would be - and the final decision will likely be made by somebody with even less technical edge. The truly scary part is that it could actually be approved....