Home / Blogs


At a recent workshop on cybersecurity at Ditchley House sponsored by the Ditchley Foundation in the U.K., a primary topic of consideration was how to preserve the freedom and openness of the Internet while protecting against the harmful behaviors that have emerged in this global medium. That this is a significant challenge cannot be overstated. The bad behaviors range from social network bullying and misinformation to email spam, distributed denial of service attacks, direct cyberattacks against infrastructure, malware propagation, identity theft, and a host of other ills requiring a wide range of technical and legal considerations. That these harmful behaviors can and do cross international boundaries only makes it more difficult to fashion effective responses.

In other columns, I have argued for better software development tools to reduce the common mistakes that lead to vulnerabilities that are exploited. Here, I want to focus on another aspect of response related to law enforcement and tracking down perpetrators. Of course, not all harms are (or perhaps are not yet) illegal, but discovering those who cause them may still be warranted. The recent adoption and implementation of the General Data Protection Regulation (GDPR) in the European Union creates an interesting tension because it highlights the importance and value of privacy while those who do direct or indirect harm must be tracked down and their identities discovered.

In passing, I mention that cryptography has sometimes been blamed for protecting the identity or actions of criminals but it is also a tool for protecting privacy. Arguments have been made for "back doors" to cryptographic systems but I am of the opinion that such proposals carry extremely high risk to privacy and safety. It is not my intent to argue this question in this column.

What is of interest to me is a concept to which I was introduced at the Ditchley workshop, specifically, differential traceability. The ability to trace bad actors to bring them to justice seems to me an important goal in a civilized society. The tension with privacy protection leads to the idea that only under appropriate conditions can privacy be violated. By way of example, consider license plates on cars. They are usually arbitrary identifiers and special authority is needed to match them with the car owners (unless, of course, they are vanity plates like mine: "Cerfsup"). This is an example of differential traceability; the police department has the authority to demand ownership information from the Department of Motor Vehicles that issues the license plates. Ordinary citizens do not have this authority.

In the Internet environment, there are a variety of identifiers associated with users (including corporate users). Domain names, IP addresses, email addresses, and public cryptography keys are examples among many others. Some of these identifiers are dynamic and thus ambiguous. For example, IP addresses are not always permanent and may change (for example, temporary IP addresses assigned at Wi-Fi hotspots) or may be ambiguous in the case of Network Address Translation. Information about the time of assignment and the party to whom an IP address was assigned may be needed to identify an individual user. There has been considerable debate and even a recent court case regarding requirements to register users in domain name WHOIS databases in the context of the adoption of GDPR. If we are to accomplish the simultaneous objectives of protecting privacy while apprehending those engaged in harmful or criminal behavior on the Internet, we must find some balance between conflicting but desirable outcomes.

This suggests to me that the notion of traceability under (internationally?) agreed circumstances (that is, differential traceability) might be a fruitful concept to explore. In most societies today, it is accepted that we must be identifiable to appropriate authorities under certain conditions (consider border crossings, traffic violation stops as examples). While there are conditions under which apparent anonymity is desirable and even justifiable (whistle-blowing, for example) absolute anonymity is actually quite difficult to achieve (another point made at the Ditchley workshop) and might not be absolutely desirable given the misbehaviors apparent anonymity invites. I expect this is a controversial conclusion and I look forward to subsequent discussion.

This post was originally published on the ACM website.

By Vint Cerf, Vice President & Chief Internet Evangelist, Google Inc.

Filed Under


>Ordinary citizens do not have this authority.No Charles Christopher  –  Aug 8, 2018 5:58 AM

>Ordinary citizens do not have this authority.

No we don’t, we have Experian.

From your post it appears your VIN starts with “5YJSA” and ends with “92454”, a 2017 Tesla.

Is that correct?

For a few dollars Experian is offering to tell me a lot more about you, including your address. Perhaps I can just dig around and find their stolen database and get the information for free.

Its funny how we think Law Enforcement has access the rest of us do not, while Law Enforcement contracts out our personal records to private companies ...  Or is it the other way around? Private companies have consolidated so much about us that Law Enforcement now goes to them to find out about us ... They just buy data in volume and thus get a better rate ... Come to think about it we pay either way, I think its called taxes.

Meanwhile GDPR is going to save us, but not from Experian .... :)

>Arguments have been made for "back doors" Charles Christopher  –  Aug 10, 2018 4:43 PM

>Arguments have been made for “back doors”

Who needs them:


August 6, 2018:

“Facebook Inc. wants your financial data.

The social-media giant has asked large U.S. banks to share detailed financial information about their customers, including card transactions and checking-account balances, as part of an effort to offer new services to users.”

So long as the government has private corporations sharing such data out of our control, and making it available for sale, back doors are not needed. Just pay to play.

I’m still not a fan of GDPR. I’m a fan of disallowing tax payer subsidies to improve competition. Its the conflict of interest that is the problem. Its the lack of unbiased competition that is the issue, and how government rewards those that make available what it wants:


“The courts have rightly recognized that when millions of bits of data

are aggregated into a dossier about your behavior

, that is no longer properly public and violates privacy rights.”

Thus your license plate in fact allows me to purchase your specific dossier. When its government itself involved with building that system the conflict becomes clear:


“Brussels says new GDPR law DOESN’T apply to EU - after ‘embarrassing’ leak on website”

While I can’t find a good reference at the moment I will try to point out the issue via available references:


One of the reason the US brought German “scientists” into the US including adoption of Germanys social control systems to be applied in the US. Note the list above, we see it all very clearly happening in the US today via the internet. At the time it started one could laugh off that fact, not so easy now is it? China’s government has a bit more freedom than ours, it can do it directly versus by proxy using Facebook etc. There is NOTHING new here.

In 1928 Edward Bernays (nephew of Sigmund Freud) wrote “Propaganda”.


“The conscious and intelligent manipulation of the organized habits and opinions of the masses is an important element in democratic society. Those who manipulate this unseen mechanism of society constitute an invisible government which is the true ruling power of our country.

We are governed, our minds are molded, our tastes formed, our ideas suggested, largely by men we have never heard of. This is a logical result of the way in which our democratic society is organized. Vast numbers of human beings must cooperate in this manner if they are to live together as a smooth- ly functioning society.”



Facebook, etc., would make Bernays very proud. To suggest Facebook is unaware of this is ludicrous:


Edward Bernays was hired by the US government to “sell” war via the Committee on Public Information. This is a significant man in history. Again, that was in 1928, that is 90 years ago. Roman satirical poet Juvenal pointed it out 2000 years ago:

“Already long ago, from when we sold our vote to no man, the People have abdicated our duties; for the People who once upon a time handed out military command, high civil office, legions — everything, now restrains itself and anxiously hopes for just two things:

bread and circuses



father of public relations

The results will be Edward Bernays. Bernays was to society as Freud was to the individual. Now Mark Zuckerberg provides society Bread and Circuses, in exchange for building our dossier to “earn” his income.

The is nothing new here.

US laws generally prevent government from doing these things. But nothing stops it from using its laws to create incentives for COOPERATIVE (Back to In-Q-Tel above) private corporations to collect the data so that our government can consume it. Or if not consume it directly use it to create the desired influences on society. Currently under construction here in the US:


https://www.bloombergquint.com/business/2018/08/30/google-and-mastercard-cut-a-secret-ad-deal-to-tra Charles Christopher  –  Aug 31, 2018 6:16 PM


“For the past year, select Google advertisers have had access to a potent new tool to track whether the ads they ran online led to a sale at a physical store in the U.S. That insight came thanks in part to a stockpile of Mastercard transactions that Google paid for.

But most of the two billion Mastercard holders aren’t aware of this behind-the-scenes tracking. That’s because the companies never told the public about the arrangement.”

https://www.thesun.co.uk/tech/7303020/apple-trust-score-phone-calls-emails/"Apple gives you a TRUST Charles Christopher  –  Sep 20, 2018 4:26 PM


“Apple gives you a TRUST rating - and it’s based on your phone call and email habits

The new system was quietly added as part of the new iOS 12 update for iPhones


It’s currently not possible to see your own trust score on your device.”


“China has started ranking citizens with a creepy ‘social credit’ system — here’s what you can do wrong, and the embarrassing, demeaning ways they can punish you”

Is this just a ruse to allow Apple to cull more valuable user data Charles Christopher  –  Sep 22, 2018 3:39 AM

"Is this just a ruse to allow Apple to cull more valuable user data that it can then monetize without triggering a public backlash? Or is there something more nefarious at play?" https://www.zerohedge.com/news/2018-09-20/apples-mysterious-new-trust-score-iphone-users-leaves-many-unanswered-questions

How China Used a Tiny Chip to Infiltrate U.S. Companies Charles Christopher  –  Oct 4, 2018 4:05 PM


“The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.”

“During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”


“Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”

Can EU residents “GDPR” Supermicro or the Chinese government? Governments around the world are the greatest threat to our privacy. As in the above, and as in their subcontracting out work which in effect extends an umbrella of impenetrable legal protection .... While at the same time claiming to be protecting us, and we foolishly believe them.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC


Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign