Many people see optional anonymity as a key feature of the Internet but increasingly there are calls for stricter identity checks.
Such requirements are not new. In daily life, many people have encountered situations where they have had to prove their identity. When opening a bank account, for example. But online it is rare.
This should change, according to some voices. In recent years copyright holders and industry groups have called for stricter “know your business customer” rules. This effort is starting to pay off in Europe, and similar calls are being heard in the United States.
Earlier this year, then-President Donald Trump signed an executive order that partially addresses this issue. The executive order aims to stop foreign cybercriminals from using US-based Infrastructure as a Service (IaaS) products. Specifically, this can be achieved by requiring such services to properly verify and retain the identities of non-US customers.
The U.S. Department of Commerce is considering how this proposal can be best implemented. To do so, it launched a public consultation asking various experts and stakeholders for input.
ICLE Chimes In
Last week, the response from The International Center for Law and Economics (ICLE) was published online. This independent bi-partisan research center relies on input from academics and regularly shares its thoughts on important policy debates. That includes the executive cybersecurity order.
According to ICLE, real anonymity is hard to find on the Internet. Using the term “pseudonymous” would be more appropriate. However, certain tools and services definitely make it harder for law enforcement to track down criminals.
VPNs, Tor, and proxy services can be used for good. However, they can also be abused by malicious actors, the research center notes.
“[I]t remains the case that when anonymity is combined with easily accessible tools like virtual private networks, proxy servers, and The Onion Network (Tor), it can tend to confound law enforcement,” they write.
Carefully Calibrated Policy
The overall message of the research center is clear. ICLE believes that, through carefully calibrated policy, IaaS providers can be required to collect and share information that’s sufficient to identify criminals.
This information doesn’t have to be extensive or foolproof. The goal should be to minimize the burden for IaaS providers and their customers while collecting enough information to pinpoint bad actors.
“[T]he Department is pursuing a sound policy by instituting KYBC requirements on IaaS providers. Ultimately, the question is not whether to adopt such a policy, but how best to do so,” ICLE writes.
“Understanding that no system will be perfect, and that the vast amount of IaaS providers’ customer relationships should continue relatively unburdened, the Department’s final rules should capture most bad actors by relying on obligations to supply minimal, but sufficient, user information.”
Tor, VPNs, and 8chan
The research center believes that less extreme policy interventions may achieve a great effect. At the same time, however, it also suggests that IaaS products are not the only problem.
ICLE notes that other ‘anonymous’ online services, including 8chan and file-sharing platforms, have been used by terrorists including those involved in the San Diego and Christchurch attacks.
“In the case of an April 2019 attack on a synagogue in San Diego, for example, the perpetrator allegedly both drew inspiration for the attack from 8chan forums and used the site to advertise his actions and garner more attention from likeminded users.
“The perpetrator of the San Diego attack also used other services that allow anonymous interaction, such as Pastebin and Mediafire. Similar sites offering free, anonymous filesharing are widely available online,” ICLE adds.
Anonymity is also abused by copyright infringers. While the research center notes that this isn’t as dramatic as terrorist attacks, services such as VPNs can pose enforcement challenges.
“For instance, LiquidVPN was sued earlier this year for designing and marketing its services as a ‘no-log’ VPN. LiquidVPN promoted its service as enabling use of peer-to-peer networks and pirate-streaming websites with impunity, because the company would be unable to comply with any ISP or rightsholder demands to unmask users.”
These examples could offer policy lessons that can help the Government to shape its anonymity approach in the context of IaaS providers, the researchers write, adding that existing privacy regulations such as Europe’s GDPR should be kept in mind.
ICLE is not the only organization to support new regulations. The Motion Picture Association (MPA) also backs the executive order and argued to expand it to other services such as DNS servers, reverse proxies, and cryptocurrency exchanges.
Coincidentally, or perhaps not, the MPA is also a financial contributor to the ICLE. In the latest MPA tax filing we could find online (2018), the movie industry group listed a $200,000 contribution to the research center.
A copy of the International Center for Law and Economics’ comments and suggestions in response to the U.S. Department of Commerce consultation is available here (pdf).