New plans for Internet could carry privacy risks

WASHINGTON (AP) -- Engineers designing a new way to send<br>information across the Internet want to include a unique serial<br>number from each personal computer within every parcel of data.<br> <br>Critics

Monday, October 11th 1999, 12:00 am

By: News On 6

WASHINGTON (AP) -- Engineers designing a new way to send
information across the Internet want to include a unique serial
number from each personal computer within every parcel of data.

Critics warn that, if adopted, the move could potentially strip
away anonymity and security enjoyed by tens of millions of home
computer users who dial into America Online Inc. and other Internet
providers over traditional telephone lines.

The debate illustrates the unintended potential consequences of
design decisions aimed at ensuring the Internet's stability into
the 21st century.

The proposal by the Internet Engineering Task Force, an
international standards body, would include the unique serial
number for each computer's network connection hardware as part of
its expanded new Internet protocol address.

These "IP" addresses, planted within e-mails and all other
information flowing across the Internet, must be as unique as
telephone numbers to distinguish each computer on the global
network and to guide the billions of bits and bytes flowing among
them.

The IETF's top engineers acknowledge some implications for
online privacy, but "I think the privacy concerns are overrated,"
said Fred Baker, the task force's chairman.

But some privacy experts said they were appalled that IETF
engineers would consider the idea. The new address scheme, called
"IPv6," would not become widely used for years but ultimately
would affect every Internet user.

Critics warned that commercial Internet sites, which already
routinely record IP addresses, could begin to correlate these
embedded serial numbers against a consumer's name, address and
other personal details, from clothing size to political
affiliation.

The task force itself will ultimately decide whether to include
the identifying numbers in the new IP addresses. The timing on that
decision is unclear.

Baker said the task force is also envisioning ways to configure
Internet devices manually so addresses won't contain the sensitive
numbers.

"Those folks concerned about the privacy issue could use this
(alternate) technique," said Thomas Narten, an IBM software
engineer working with the IETF.

Most home computer users currently are assigned a different IP
address each time they connect to the Internet through a telephone
line, which affords some extra security and anonymity. It's akin to
a person using a different phone number every day to shield his
identity and avoid prank phone calls.

But under the IETF proposal, a portion of even those somewhat
randomly assigned addresses could include the consumer's unique
serial number -- and that information would be stamped on every
piece of information sent from his computer.

"I'm just winding the tape forward here five years, when we all
say, 'Oh, my God!"' said Richard L. Smith of Brookline, Mass., a
security expert who was among the first to question the plan.

The danger worsens, critics warn, as Internet sites are expected
to begin to share information about their customers: A consumer
visiting a Web site for the first time could be identified by his
computer's serial number that had been recorded at another site.

"There's no doubt there are serious privacy concerns," said
Marc Rotenberg of the Washington-based Electronic Privacy
Information Center.

Baker and others said the plan is meant to simplify configuring
these new types of addresses. They question how invasive the
disclosure of those numbers might be, noting that most of today's
computers with high-speed Internet connections use IP addresses
that never or rarely change -- and thus already are susceptible to
use as a type of identifier.

"Yes, you are externalizing a little more information ... but
correlating that back to a person -- I don't think you actually gain
more information," Baker said.

Smith discovered earlier this year that Microsoft's Windows
operating system was planting a similar identifier number within
some electronic documents. Within days, following a public outcry,
executives offered a way for consumers to strip the numbers from
their records.