Free Surveillance or Security?: The Risks Posed by New Wiretapping Technologies by Susan Landau Page A

Scientific American server has received an acknowledgment that the last
packet has been received, it closes the connection to the client; that connection session is terminated.

    Figure 3.1
    Client/server interaction. Illustration by Nancy Snyder.
    Now that Alice has received the web page at her machine, she starts to
search for the article she wants. Alice types in the appropriate keywords
(e.g., magic brain) in the search field on the Scientific American web page.
When she clicks on the "search" button on the web page, the connection
process starts afresh. Alice's client opens a connection with the Scientific
American server, sends it information ("Perform a search query on 'magic
brain"'), and the connection process begins (handshake, connection establishment), followed by packet exchange and then connection teardown.
    Note that the Scientific American server did not "know" Alice before
establishing a connection with her machine. TCP does not require any
form of authentication of the user before connections are established. For
the research environment for which TCP was developed, this made good
sense. The network's purpose was sharing information and authentication
was an unnecessary complication that would have been difficult to implement. (By contrast, the phone company did care about authenticating the
call originator because that is who pays for the call.) Authentication would
also not easily scale. Requiring an introduction before a connection could
be made would have prevented the growth that the network experienced
between the early 1990s and the present.
    The real point here is that while the Internet is a communications
network, it is a communications network that behaves nothing like the
telephone network. For some applications such as email, IM, and Voice
over IP conversations, an introduction prior to communication might
make sense. But many other applications function more like a store or library (a library with no requirement for signing out borrowed materials).
For those, an introduction is not only not valuable, it is actually disruptive.
Alice's browsing of the Scientific American website or her browsing of books
and their reviews at Amazon, do not-and should not-require an introduction before the connection is established. Even the first examples I
mentioned, email, IM, VoIP, would have difficulty with an introduction
prior to establishing a TCP connection because of Internet-enabled mobility. The IP address Alice's machine has today in the coffee shop is different
from the one it had yesterday at the airport, and it will be different again
tomorrow even if Alice frequents the same coffee shop (unless the coffee
shop has only one IP address available, an unlikely situation). Yet it is the
IP address that is the identifier in the TCP/IP protocol. By contrast, Alice's
mobile telephone has the same number15 regardless of whether she is in
Paris, Texas, or Paris, France.

    In deciding to adopt TCP/IP for NSFNET, "Our ambition in 1985 was to
have all three-hundred-and-four research universities connected to NSFNET
by the end of 1986 or early 1987," said Dennis Jennings, who ran the NSF
program that built NSFNET. In that respect, the NSF succeeded spectacularly. "Had we any idea that this would be the network for the world, we
probably would have had to go to the PTTs [Public Telegraph and Telecommunications] or ISOs [International Standards Organizations]. Certainly
the PTTs would have designed a hierarchical system and would have built
in authentication."
    Had that occurred, it is likely that the result would have been more
secure than the current Internet. It is also likely that the resulting network
would have lacked the openness and capability for innovation that have
made the Internet so remarkably fruitful. Jennings observed that "had
we known [what was to come], we'd have been terrified and the Internet
[would never have happened]." Jennings paused as he