The Queen’s speech at today’s state opening of Parliament includes the prediction:
“In relation to the problem of matching Internet protocol addresses, my Government will bring forward proposals to enable the protection of the public and the investigation of crime in cyberspace”
This is all that remains of the Home Office’s ambition to bring forward a revised version of the Draft Communications Data Bill that two Parliamentary Select Committees were so unimpressed by, and which the Liberal Democrats have declined to support.
The sole issue on which there appears to be political consensus is that “something must be done” about the traceability failure that regularly occurs when the Internet is accessed from a smartphone. The shortage of IPv4 addresses means that the mobile companies cannot give each smartphone a unique IP address — so hundreds of users share the same IP address with only the TCP/UDP source port number distinguishing their traffic. Because this sharing is done very dynamically, the mobile phone companies find it problematic to record the source port mapping, and they have argued that the way the EU Data Retention Directive is written they have no obligation to make and keep such records.
I wrote about this issue at some length on this blog in January 2010, although until very recently the Home Office considered it to be tantamount to a state secret and were extremely coy about discussing it in public.
The Queen’s “bring forward proposals” phrase appears to cover a range of options:
- the mobile companies decide that they can manage to log the source port mapping data after all;
- the Home Office pays for new kit at the mobile companies that will allow source port mapping to be done;
- there is a short bill (or clause in another bill) that requires the logging to be done (this might avoid any question of payments being ultra vires, or would ensure compliance by companies (possibly broadband suppliers) that looked like becoming stragglers);
- there are discussions but nothing happens at all — perhaps because the tide turns against Data Retention as being a necessary and proportionate policy. A number of other EU countries have found it to be incompatible with fundamental human rights.
The Open Rights Group (ORG) have recently produced a pamphlet (available online here) setting out how surveillance might be better approached in this century. I contributed the chapter on the technical issues…
… if you don’t have time to read the whole thing then the New Statesman has an edited version of my chapter; and you can watch a short video of myself (and two other contributors) explaining the major issues.
The problem of identifying customers behind NAT with IP addresses from an external server log has come up in the currently ongoing evaluation of the Danish data retention law.
In addition to the requirements of the EU directive, the Danish data retention law also requires retention of the source+destination IP address, port number and timestamp of every 500th internet packet (called “session logging” in Denmark). This is usually done at the boundary of the ISP’s network where they exchange traffic with other autonomous systems, so it doesn’t really help with NAT.
However, the evaluation report from the Danish government mentions that one ISP has implemented logging of IP addresses, source ports and customer identities in their NAT gateway. The ISP in question uses NAT for mobile internet customers (smartphones and mobile broadband). From my understanding of the Danish data retention law, this extra logging is not formally required by the law, but something that the ISP has done voluntarily, presumably because they were aware of the limitations that NAT would cause.
The description in the report is somewhat confusing (suggesting that the author of that section hasn’t fully understood the problem), but by reading between the lines, it’s pretty clear that they are talking about NAT. I have also discussed the evaluation report with a former employee of the ISP, and he has confirmed the logging of source ports at the NAT gateway.
Now comes the interesting part...
According to the report, this NAT gateway logging has been of very limited use to the Danish police. The ISP can only identify the customer if the police can provide the IP address and source port together with an accurate timestamp. In many cases, the police have not been able to obtain the source port from server log files. Typically, web server logs only contain the IP address of incoming connections, not the source port.
Another (related) issue is the accuracy of the timestamps. Some NAT sessions, e.g. for webserver requests, can be very short.
Jesper Lund
IT-Pol Denmark
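The matching problem described in the post and in the comment above, as an added example (not part of the original post or comments): a constructed CG-NAT mapping log is queried with what a server log can supply, showing how a missing source port or an inaccurate timestamp leaves more than one candidate subscriber. The log layout, the documentation-range addresses, the subscriber labels and the `candidates` function are assumptions made for illustration.

```python
from datetime import datetime, timedelta

T0 = datetime(2013, 5, 8, 12, 0, 0)

def t(seconds):
    """Offset from T0, to keep the constructed log readable."""
    return T0 + timedelta(seconds=seconds)

# Constructed CG-NAT gateway log:
# (public IP, public source port, session start, session end, subscriber)
NAT_LOG = [
    ("203.0.113.7", 40001, t(0.0), t(2.5), "sub-A"),
    ("203.0.113.7", 40002, t(1.0), t(4.0), "sub-B"),
    # Same public IP and port, reused shortly after sub-A's session closed.
    ("203.0.113.7", 40001, t(3.0), t(6.0), "sub-C"),
    ("203.0.113.9", 40001, t(0.0), t(9.0), "sub-D"),
]

def candidates(ip, when, port=None, skew=timedelta(0)):
    """Subscribers who could have made a connection that a server saw
    from `ip` (and `port`, if the server logged it) at `when`.
    `skew` is how far the server clock may differ from the gateway clock."""
    found = set()
    for nat_ip, nat_port, start, end, subscriber in NAT_LOG:
        if nat_ip != ip:
            continue
        if port is not None and nat_port != port:
            continue
        # Widen the session window by the clock uncertainty on both sides.
        if start - skew <= when <= end + skew:
            found.add(subscriber)
    return found

if __name__ == "__main__":
    seen_at = t(2.0)
    # Typical web server log: IP address and timestamp only.
    print("IP only:         ", sorted(candidates("203.0.113.7", seen_at)))
    # Server also logged the source port, clocks agree.
    print("IP + port:       ", sorted(candidates("203.0.113.7", seen_at, 40001)))
    # Port logged, but the server clock may be 2 seconds out.
    print("IP + port, +/-2s:", sorted(
        candidates("203.0.113.7", seen_at, 40001, timedelta(seconds=2))))
```

Only the query with both the source port and an accurate timestamp resolves to a single subscriber; short sessions and port reuse make even a two-second clock error enough to bring back ambiguity.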
This Out-Law.com article from 9 May says that BT is implementing a CG-NAT system which keeps track of source port allocations:
http://www.out-law.com/en/articles/2013/may/individuals-can-be-identified-despite-ip-address-sharing-bt-says/