technophile

THE REAL THREAT

By William R. Vitanyi, Jr.

We always suspected that it was true.

What is the Internet?

In a strictly technical sense, the Internet is a network of networks. Each network is simply two or more computers that can communicate with each other. Some networks are very small, with few devices attached. Other networks are extremely large and fast. Others are somewhere in between. Almost every company has a network of some kind, as do government agencies, and other organizations large and small. The proliferation of computers, and specifically the need to share data, has made this necessary. This has nothing to do with the Internet. And everything.

Back in ancient times, in the late nineteen sixties, the government was worried about nuclear war. They still are today, but back then it seemed like it could really happen at any moment. Our leaders became concerned that in the event of such a conflagration, communications between distant data centers would become difficult, or impossible. So they set out to build a system of computer communications that could withstand the destruction of parts of the infrastructure, or even of individual data centers. The organization that developed and built this system was called the Defense Advanced Research Projects Agency, or DARPA, and the first network they built was called DARPANET, later shortened to ARPANET. It connected several university computer centers in California and Utah, and was the start of the Internet.

After its inception the Internet continued to grow and evolve, eventually dividing into two, then four, then many separate networks. Companies bought into the notion, and fiber optics was invented. Extensive fiber backbones—super fast data pathways—were built by numerous vendors. Soon virtually the entire country was wired. Today it is everywhere. You press the send button and your email is delivered next door, or across the planet.

How it Works

In order to communicate, every device on the Internet has to have an address—an Internet Protocol address—that uniquely identifies it. This IP address is a four-part sequence, such as 123.234.456.007. If you are on the Internet, you have a number like this associated with your computer.

In the communication model developed by DARPA, data sent from one computer to another is first broken into pieces. Each piece—called a packet—contains the recipient IP address, the sender’s IP address, a sequence number, and of course the data to be transported. The packets are forwarded by specialized devices, called routers, to the destination computer using the best available connection. Sometimes a router knows the specific network location of the final destination, but often it does not. If it does, it simply directs the packet to the proper network. Otherwise, it will pass it along to another router that knows more about the destination IP number. By this means the packet may pass through a dozen or more networks and routers before it reaches its final destination, where it will be reassembled with all the other packets into its original form. All of your packets from the same message may or may not follow the same pathway. It depends on what the routers determine is the best route at the time. Of course, this all happens very fast, and in seconds your data may traverse several cities before arriving at its final destination. This decentralization of communications is the foundation of the Internet infrastructure.

Follow it Through

To understand how this all works, let’s follow an email message to your Aunt Maggie at auntmaggie@maggie.com. Let’s say you’re sitting at home, pondering the intricacies of the Internet. Suddenly you think of your Auntie three states away, and decide to send an email. We’ll assume you have a standard dial-up connection—your computer plugs into a regular phone jack, and your modem dials in to an ISP (Internet Service Provider).
It could be AOL, MSN, EarthLink, or any of a number of companies that provide the service of connecting you to the Internet.

When you connect to your service provider, your computer squeals and squeaks like a stuck soprano pig. This is the sound of your computer modem dialing the telephone number of your ISP’s modem. They talk back and forth, confirm that both sides can understand each other, and within minutes you’re connected. A pathway now exists between your computer and your ISP. You compose your message using email software, enter Aunt Maggie’s email address, and hit the send button.

What happens next? First, the email message goes to your ISP. They will then forward it to another ISP, somewhere on the Internet, where your Aunt Maggie has her email account. To do this they need to know the IP address of that ISP’s computer, but how? You only provided the email address—auntmaggie@maggie.com. Simple. They request it from the DNS. The DNS, or Domain Name Service, is a system of computers worldwide that keeps track of computer names and their corresponding IP addresses. Your ISP communicates with the DNS to get the IP address of the computer named Maggie.com, the second part of auntmaggie@maggie.com. This IP address is used to route your email, now chopped up into packets, to the computer where your Aunt’s account is located.

The individual packets now have a destination IP address, and as they are sent out they hit the first of a series of routers. As each packet flies across the Internet, it may take a different path as the routers decide on the most efficient route. In short order they arrive at Aunt Maggie’s ISP and are reassembled and placed in Aunt Maggie’s account, in the form of the original email. It will stay there until she asks for it. The following day Aunt Maggie connects to her ISP’s computer, and her email is sent to her home computer over the phone line.

Whether you are sending email, or browsing the web, or using an FTP server to transfer files, or conducting an online transaction, if you are doing it on the Internet, you are using packets. Each of these specific activities has its own way of handling the process at the beginning and end of the operation, but in between it’s all about moving packets from router to router, across fiber optic or copper lines, and in and out of networks. The rest of this article will discuss the real threat we face as an increasingly online society.

Computer viruses are a serious threat at the desktop level. They can arrive in various forms, and can cause substantial damage. Generally speaking, however, they can be addressed through software patches or personal vigilance. The desktop is the one point where you have the capability to impact your computing environment, and it is your responsibility to do so if you expect to be protected. But once you press the send button, Elvis has left the building. Your data is no longer under your control. The packets are out there, on the Net. Vulnerable. Visible.

Network Administrators are very busy people these days. A healthy network needs to be free of unwanted visitors, such as hackers, spammers, or viruses. One of the tools used to watch for such intrusions is a packet sniffer, software used to monitor and analyze network traffic. The packets described earlier can be viewed or analyzed using a packet sniffer, or similar technology. While such tools were originally designed for troubleshooting networks, there is nothing to stop individuals from exploiting the capability of sniffers to secretly acquire information as it passes over a network. The software is readily available from many sources, and an increasingly computer-literate population produces plenty of characters willing to do just that, for fun or profit.

The real threat is more ominous. It could be argued that it began with Carnivore, the online detection software used by the FBI. Essentially this is a packet sniffer that is installed at an ISP to detect email or other Internet communications in conjunction with a criminal investigation. In the past, prior to Nine Eleven and the Patriot Act, the guidelines governing the use of such software were fairly narrow, if fatally flawed. The installation of Carnivore at an ISP required case agents to get it authorized, and FBI techs to actually hook it up and extract recorded data.
The scope of what data could be collected was theoretically limited by court order, but if extra information was collected, only the techs would know for sure. Even worse, Carnivore gives the FBI the capability to access the communications of all users of a monitored ISP, whether they are the subject of the investigation or not. It becomes not simply a legal issue, but a technical one. Who will check the techs?

This is not to disparage the integrity of FBI computer technicians, but could they resist a quick peek? Maybe, and maybe not. The point is that the vulnerability exists. The capability exists. And the violation would be so easy, because we can’t see it. The Internet is basically invisible to us, so the crime of illicit interception of online communications would go unseen, and undetected.

Can they resist? The government has a long history of monitoring “radical” groups. Wiretaps and hidden microphones, technology that is now archaic in comparison to Carnivore and its successors, were used legally and otherwise against such notable radical entities as Martin Luther King, Jr., and the Democratic Party. The Clinton White House received thousands of FBI documents containing confidential information about prominent Bush staffers. The hunger for private information crosses political parties.

Many rail against the Patriot Act as a massive violation of our privacy. Indeed, the Fourth Amendment to the U.S. Constitution says the following:
This is not simply a guideline, and the existence of technology that can abrogate its intent does not justify its violation. What we are communicating about, collectively, as a society, should not be subject to general scrutiny, and such scrutiny cannot be carried out without violating the Constitution.

The concept of a legal violation of this expectation is troubling on two grounds. First, on its face the Patriot Act causes concern relating to the legal erosion of online privacy. Law enforcement agencies generally follow the rules, and to the extent that the rules allow for increased scrutiny with decreased justification, we are increasingly imperiled. The counter argument is that of safety. But as Ben Franklin said, “Those who would give up essential liberties for a measure of security, deserve neither liberty nor security.” Who defines ‘essential’? This debate shall rage for some time.

The second, more nebulous concern is the lowering of the bar. Consider the speed limit. When it was a mandated 55mph, drivers regularly went 65, fairly certain that no ticket would be issued. When it went to 65, they drove 75. I’m sure there must be a sociological term for pushing the envelope like this. What happens when the law says it’s okay to violate some citizens’ privacy? Will those who may be inclined to surreptitiously employ technology for the “greater good”, even if it violates the very rights they are supposedly trying to protect, now feel empowered to do so? We assume that the niceties of the legal system will be observed, but there is precious little to stop a covert group of FBI or other government operatives, or a private organization, for that matter, from violating the Internet at the level of its infrastructure. To listen. To analyze. To create a societal profile.

The real threat is the organized violation of our online privacy on a societal scale by an entity with the means and ability to scrutinize and analyze our Internet communications.
Of course, this is only a concern to the extent that our communications are online, are vulnerable, and to the extent that we care about their privacy. There are safeguards in place that afford a level of protection against casual threats, but such efforts are susceptible to a sustained assault by a determined, capable, and well-funded organization.

The case is made that in the age of terrorism we must be vigilant. But this must be tempered with the realization that technology now exists that may render our online communications public. Our communications must not be stifled by the fear that someone knows what we are saying. Imagine if in a mall someone walked alongside every group of people with a recorder, capturing bits of discussions for later analysis. Would this intrusion impact the conversation itself? Our freedom? Of course it would. The Internet represents such a conversation, in fact, millions of such conversations. Gathering the essence of a conversation intended to be private, absent proof of harmful intent by the talkers, is a violation of the Fourth Amendment. It doesn’t matter, though. The folks who may be listening aren’t constrained by such conventions. They are limited only by technology.
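
The packet model described under "How it Works", and what a packet sniffer on the path can read, shown as an added example that is not part of the original article: it builds constructed IPv4/TCP packets carrying one email, parses the addresses, ports and sequence number each one exposes, and reassembles the data when the packets arrive out of order. The addresses, ports, starting sequence number and message text are assumptions made for the example.

```python
import socket
import struct

IP_FMT, TCP_FMT = "!BBHHHBBH4s4s", "!HHIIBBHHH"  # 20-byte headers, no options

def build_packet(src, dst, seq, data, sport=40000, dport=25):
    """Build a constructed IPv4/TCP packet (checksums left at zero)."""
    tcp = struct.pack(TCP_FMT, sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack(IP_FMT, 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + data

def parse_packet(raw):
    """Return the fields every router or sniffer on the path can read."""
    if len(raw) < 40:
        raise ValueError("too short for IPv4 + TCP headers")
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or ihl < 20:
        raise ValueError("not an IPv4/TCP packet")
    if total > len(raw) or total < ihl + 20:
        raise ValueError("length field does not match the captured bytes")
    sport, dport, seq, _, offset = struct.unpack("!HHIIB", raw[ihl:ihl + 13])
    start = ihl + (offset >> 4) * 4
    if offset >> 4 < 5 or start > total:
        raise ValueError("bad TCP data offset")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "seq": seq, "data": raw[start:total]}

def reassemble(packets):
    """Order one flow's segments by sequence number and join their data."""
    segs = sorted(map(parse_packet, packets), key=lambda s: s["seq"])
    stream, expected = b"", segs[0]["seq"] if segs else 0
    for s in segs:  # sequence-number wraparound and retransmits are not handled
        if s["seq"] != expected:
            raise ValueError("gap or overlap at sequence number %d" % s["seq"])
        stream += s["data"]
        expected += len(s["data"])
    return stream

MESSAGE = b"To: auntmaggie@maggie.com\r\nSubject: hello\r\n\r\nThinking of you.\r\n"

def demo():
    # Constructed sample: documentation-range addresses, arbitrary first sequence number.
    src, dst, first_seq, size = "192.0.2.10", "198.51.100.25", 1000, 24
    sent = [build_packet(src, dst, first_seq + i, MESSAGE[i:i + size])
            for i in range(0, len(MESSAGE), size)]
    arrived = [sent[2], sent[0], sent[1]]  # routers may deliver out of order
    return [parse_packet(p) for p in arrived], reassemble(arrived)
```

Every field returned by `parse_packet`, including the message data, sits in the packet unprotected, which is the visibility the article describes once the packets leave the desktop.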