Communications of the ACM

Challenges for law enforcement and content regulation. The Internet’s vital role in cross-border commerce means it contends with diverse national and international policies regulating publication and use of content. Content produced by illegal activities may be restricted (for example, bans on the sale of Nazi memorabilia in France have led to restrictions on content listed in online marketplaces); other forms of content may have use restrictions designed to guarantee a profit to content creators. Enforcing publication and use regulations on content across the global Internet is a challenging task in today’s IP Internet. Corporate interests often use the where of IP source addresses to enforce market-based restrictions on content access via IP geolocation heuristics. Law enforcement uses a range of tactics—ranging from IP address tracing to deep packet inspection—to track and prosecute both producers and consumers of illegal or pirated content. A transition to NDN will change the tools needed for tracing individuals and monitoring and restricting communications, making current forms of content regulation more challenging, but also potentially more equitable.

Complications for law enforcement.
NDN’s emphasis on semantic names
and data signatures may make certain
types of law enforcement easier. For ex-
ample, keys used to sign data provide
strong provenance. In the Io T scenario,
the publisher of critical content might
be traced by matching the key to iden-
tifiable (perhaps registered) devices.
And if clear-text data names reflect
actual content (for example, data pre-
fixed with /local/PIR was known to be
generated by passive infrared security
sensors), network-level packet-sniff-
ing and therefore, network regulation
could become less computationally in-
tensive. On the other hand, encryption
of both NDN names and packet content
could mitigate the risk of packet-sniff-
ing. A social shift toward widespread
data encryption would raise new chal-
lenges for law enforcement. Police
and regulatory regimes have long been
wary of widespread use of encryption,
while developers have resisted provid-
ing back doors for law enforcement to
inspect or wiretap communications.
Encryption would limit the capabili-
users—might not accept comments
sent in packets without verified, real-
world signatures. Namespace owner-
ship records may also reveal publisher
identities, similar to today’s WHOIS
database. Thus, another important
area of NDN research is trust schemes
that provide alternatives to real-world
identity for content authentication.

NDN researchers have explored special routing approaches to preserve content source anonymity. 17 Content producers might desire anonymity to participate in free speech, evade censorship, and experiment with multiple online identities. 25 Unfortunately, anonymity is also used to evade prosecution for criminal behavior or support mob behavior and hate crimes. 10 Though designing a network architecture to prevent all criminal behavior is an impossible (and, we believe, undesirable) goal, it is worthwhile to consider the benefits and costs of measures to increase content producer anonymity as the project goes forward.

Improvements for content access control. As mentioned earlier, the NDN architecture encourages applications to secure data by encrypting it rather than relying on channel-based security over which the data flows, as is currently done through secure sockets layer/transport layer security, (SSL/ TLS), virtual private networks (VPN)s, and similar schemes on IP networks. In the IoT example, there is no need to set up secure connection between two communicating devices, because any potentially sensitive data is encrypted by the application. Securing the data directly should reduce the impact of now-common perimeter and channel security compromises, while still leveraging NDN caching for group communication.

Once published, encrypted data can
be replicated and hosted in many (po-
tentially hostile) locations, although
only those with access to the right
keys can decrypt the information. In
this way, NDN makes explicit what is
already implicit in schemes like SSL/
TLS: encrypted data in transit can be
sniffed and stored by others. NDN
makes it easier to request a chunk of
someone’s encrypted data (for exam-
ple, by sending Interests for common
namespaces like /local/appliance),
and that encrypted data might be
cached anywhere. Encrypted data may
be widely available for extended peri-
ods of time, increasing the long-term
potential for unauthorized decryp-
tion. Content access control will thus
require careful design and integration
of modern encryption mechanisms
and techniques, such as forwarding
secrecy and long-term encrypted stor-
age. Further, NDN’s integrated use of
cryptography also will require navigat-
ing open challenges such as the com-
putational burden of encryption in
resource-constrained environments
(like the Io T) and the challenges of key
distribution and revocation. 9

Challenges for the right to be forgotten. As personal data proliferates on the Internet, there is increasing concern that such data cannot be erased or forgotten. The specter of total accountability for our past actions is considered unpleasant at best and potentially limiting to social interaction and democracy at worst. 7, 23 International privacy scholars as well as policymakers in Europe have been paying increased attention to data retention and disposal, or the “right to be forgotten.” 7, 23, 27 More recently, California adopted Senate Bill 568, which requires websites to enable minors to easily remove their own posts from websites.

IP routers purge data from buffers as soon as it leaves the routers. That is, they default toward “forgetting” at the infrastructure level, with substantial data retention occurring at the application layer, to support targeted advertising and other purposes. In contrast, NDN routers default toward remembering at the infrastructure level, via content stores and repos. In IP, parties can request that publishers remove data from hosting sites at the edges of the network. Although copies may proliferate elsewhere on user machines, any new request to the hosting site will go unsatisfied. Returning to the Io T example, in NDN, cached copies of data from baby monitors or mobile devices may proliferate on routers, repositories, as well as application-specific stores, and thus remain accessible to Interests. Architectural support for “forgetting” in an NDN world will require mitigation measures, such as time-to-live information in packets, protocols that respect those limits, and further research into self-destructing data.