In the first article in this series I discussed why massive use of Network Address Translation (NAT) means that traceability for mobile Internet access requires the use of source port numbers. In the second article I explained how in practice the NAT logging records, that record the mapping from IP address to customer, are available for only a short time — or may not exist at all.
This might seem a little surprising because within the EU a “data retention” regime has been in place since the Spring of 2009. So surely the mobile phone companies have to keep the NAT records of Internet access, even though this will be horribly expensive?
They don’t!
The reason is that instead of the EU Directive (and hence UK and other European laws) saying what was to be achieved — “we want traceability to work” — the bureaucrats decided to say what they wanted done — “we want logs of IP address allocation to be kept”. For most ISPs the two requirements are equivalent. For the mobile companies, with their massive use of NAT, they are not equivalent at all.
The EU Directive (Article 5) requires an ISP to retain for all Internet access events (the mobile call itself will require other info to be retained):
(a)(i) the user ID(s) allocated;
(a)(iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
(c)(i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
(e)(ii) the digital subscriber line (DSL) or other end point of the originator of the communication;
That is, the company must record which IP address was given to the user, but there is no requirement to record the source port number. As discussed in this series of articles, this makes traceability extremely problematic.
It’s also somewhat unclear (but then much more of the Directive is technically unclear) whether recording the “internal” IP address allocated to the user is sufficient, or whether the NAT records (without the port numbers) need to be kept as well. Fortunately, in the UK, the Regulations that implement the Directive make it clear that the rules only apply once a notice has been served on an ISP, and that notice must say to what extent the rules apply. So in principle, all should be clear to the mobile telcos!
By the way … this bureaucratic insistence on saying what is to be done, rather than what is to be achieved, can also be found in the Digital Economy Bill which is currently before the House of Lords. It keeps on mentioning “IP addresses” being required, with no mention of source port numbers.
But perhaps that particular problem will turn out OK? Apple will not let anyone with an iPhone download music without permission!
“It keeps on mentioning “IP addresses” being required, with no mention of source port numbers.”
This problem will get much worse over the coming years. Given the minimal uptake of IPv6 and the dwindling pool of IPv4 addresses remaining, we will see more fixed line consumers connected via Carrier NAT, and thus being essentially untraceable using only an IP address.
After a while, new legislation will be brought forth which explicitly states things like “must retain NAT mappings”. I predict that this will become law at around the time people finally move to IPv6, rendering NATs and legislation regarding NATs redundant.
This legislation by detailed technical specification rather than desired effect has always bothered me.
The 1989 regulations for road vehicle stop lamps require a wattage of between 15 and 36 watts. A 15 watt LED would be rather bright; a 36 watt incandescent bulb could be pretty dim.
Curiously, optional stoplights are limited to between 20 and 60 candelas brightness for vehicles manufactured after April 1991.
(Ref: Statutory Instrument 1989 No. 1796
The Road Vehicles Lighting Regulations 1989. It’s also amusing to read the valiant attempt to list all possible exceptions to the rule that all lights visible from the rear of a vehicle must be red in Part II Section 14….)