Europol Calls for a Solution to the IP Address Attribution Problems Caused by CGNs
Europol has called for the end of carrier grade NAT (CGN) to increase accountability online. This is not a new campaign from Europol, but it now seeks to gain public support: “Are you sharing the same IP address as a criminal?” it asks.
“Law enforcement is using the ‘distinguish yourself from a criminal’ tactic in order to provoke the ‘nothing to hide’ scare tactic,” Tom Van de Wiele, principal security consultant at F-Secure told SecurityWeek, “which is unfortunate, because as far as our privacy is concerned it’s about protection. Privacy is the right to select which people to share what information with. But when it comes to the push of Europol in this case, there is more to it than that.”
Van de Wiele sees the call as symptomatic of law enforcement’s desire to remove anonymity from the internet, which is effectively an attack against privacy.
Everybody with home computers uses network address translation (NAT) within their routers. The ISP allocates an IP address for the router (usually on a temporary basis), and the NAT ensures incoming traffic to that IP goes to the right computer. It allows one IP address to be used for multiple home computers.
NATs are not a problem for law enforcement — the problem comes with the carrier grade NATs (CGNs) used by the ISPs. These allow dozens, hundreds and perhaps even thousands of routers or computers or mobile devices to share a single IP address simultaneously. The problem for law enforcement is that the ISP is currently unable to say which computer is being used by a particular IP address at a particular time.
For law enforcement, it means that it is virtually impossible to trace the physical location of an IP address under investigation. “This is relevant as in criminal investigations an IP address is often the only information that can link a crime to an individual,” said Europol in an announcement https://www.europol.europa.eu/newsroom/news/are-you-sharing-same-ip-addr… yesterday. “It might mean that individuals cannot be distinguished by their IP addresses anymore, which may lead to innocent individuals being wrongly investigated by law enforcement because they share their IP address with several thousand others – potentially including criminals.”
There is some irony in this since in October 2016, the Court of Justice of the European Union (CJEU) ruled that IP addresses can in some circumstances qualify as personal data under European law. Europol is now implying, however, that an innocent user could be investigated by law enforcement solely by the accident of sharing the same IP address as a criminal.
Van de Wiele sees something verging on sinister from this latest push by Europol. “This is another attempt by law enforcement to try and single out individuals and to reduce the possibilities of anonymity to get closer to their active targets while increasing their success of traffic analysis for all traffic they are vacuuming up.” He points out that it was law enforcement that forced Facebook into the policy of all users using their own identity, and getting ‘friends’ to confirm whether profiles are accurate. “These are cold war tactics and they are troubling,” he says.
Europol’s concern over the growing use of CGNs is not new. It raised the issues in its Internet Organised Crime Threat Assessment (IOCTA) in both 2014 http://www.securityweek.com/europol-analyzes-cybercrime-services-industry and 2016. A study it conducted in summer 2016 showed that 80% of surveyed European cybercrime investigators had encountered problems in their investigations relating to the use of CGN, causing them to be either delayed or stopped. These cases concerned investigations of offenses including online child sexual exploitation, arms trafficking and terrorist propaganda.
Europol’s Executive Director Rob Wainwright said yesterday, “CGN technology has created a serious online capability gap in law enforcement efforts to investigate and attribute crime. It is particularly alarming that individuals who are using mobile phones to connect to the internet to facilitate criminal activities cannot be identified because 90% of mobile internet access providers have adopted a technology which prevents them from complying with their legal obligations to identify individual subscribers.”
Steven Wilson, Head of Europol’s European Cybercrime Center, added: “The issues relating to CGN, specifically the non-attribution of malicious groups and individuals, should be resolved.”
This will be difficult. ISPs introduced CGNs, ostensibly as a temporary technical measure, to bridge the gap between the depletion of IPv4 addresses and the uptake of effectively limitless IPv6 addresses. But IPv6 uptake has been far slower than expected. “This was supposed to be a temporary solution until the transition to IPv6 was completed,” says Europol, “but for some operators it has become a substitute for the IPv6 transition. Despite IPv6 being available for more than 5 years the internet access industry increasingly uses CGN technologies (90% for mobile internet and 50% for fixed line) instead of adopting the new standard.”
Indeed, it could be said that the use of CGNs is actually delaying the transition to IPv6. The 2016 study, ‘A Multi-perspective Analysis of Carrier-Grade NAT Deployment’, concluded, “CGNs actively extend the lifetime of IPv4 and hence also fuel the demand of the growing market for IPv4 address space, which in turn affects market prices and possibly hampers the adoption IPv6.”
“Most peering companies and ISPs are nowhere near being ready when it comes to IPv6,” says Van de Wiele; “and with it, we will also see a whole slew of security issues when the SOHO and home users get IPv6 in the process. Having a unique IP address for every user or device without NAT offers tremendous possibilities technically, but that also means you can be tracked more easily by ad companies and other entities such as law enforcement.”
In the meantime, what was introduced as a temporary fix has become entrenched. In most cases the use of CGNs is unnoticed and unknown by the user — and hence, perhaps, this new appeal to public opinion by Europol. However, even if Europol solves the CGN issue, it is not at all clear that it will solve the problem of attribution.
“Unfortunately, CGN is not the only challenge when enforcing enacted laws and prosecuting cybercrime,” commented Ilia Kolochenko, CEO of High-Tech Bridge. “A great wealth of currently available VPN service providers that you can purchase for bitcoins open up new opportunities to all kinds of digital offenders and predators.” Without backdoor access to the VPN concerned, law enforcement will not have access to the IP address at all.
Furthermore, Kolochenko points out that the ability to tie a particular IP address to a particular physical computer will still not solve the problem. “The new trend in cybercrime,” he said, “is to compromise a third-party with a motive to commit crime (e.g. a competitor) and conduct the attack from its infrastructure. On the Dark Web, you can buy compromised machines of law enforcement and judicial officers to be used as proxies for attacks. Most cybercrimes become technically uninvestigable or the price of their investigation outweighs any public interest.”