Privacy-preserving forensic attribution is a new architectural primitive we propose that allows individual network packets to be attributed, post-hoc, to the physical machines from which they were sent. Importantly, while our architecture allows any network element to verify that a packet carries a valid forensic signature, only a trusted authority is able to reveal the sender's identity. In this way, the privacy of individual senders is protected from serendipitous use, while criminal actors cannot presume anonymity. We have developed a prototype implementation, called Clue, that demonstrates the fundamental feasibility of this approach while also illustrating the design challenges and opportunities in integrating this functionality with the network layer. We hope this work stimulates further technical investigations in this area, as well as broader political and sociological discussions on the criteria for network-based privacy-preserving forensic attribution and its ability to address the current tensions between the demand for strong privacy and the push towards more powerful, privacy-invasive forensic techniques.
Pre-2018 CSE ID: CS2009-0940