Wednesday 15 May 2013

I am not an IP address

[Update 3 December 2014. 18 months on, this has now come alive. The 'IP address resolution' proposals flagged up in the Queen's Speech are included in the Counter-Terrorism and Security Bill introduced in Parliament on 26 November. Initial analysis here

The Draft Communications Data Bill Joint Committee Report in December 2012 reached some consensus around this issue: "Not all United Kingdom providers currently obtain all the data necessary to trace which subscriber is using which IP address. During the course of our inquiry we heard of various circumstances in which the lack of this data has impeded investigations. We accept that if CSPs could be required to generate and retain information that would allow IP addresses to be matched to subscribers this would be of significant value to law enforcement. We do not think that IP address resolution raises particular privacy concerns."

The truism that an IP address denotes a device, not a human being, is ingrained in anyone with a technical understanding of the internet.  Nothing gets a geek going like the suggestion that an IP address identifies a person.  

So when the briefing document (PDF) on last week’s Queen’s Speech said: “When communicating over the Internet, people are allocated an Internet Protocol (IP) address”, sharp intakes of IT literate breath could be heard up and down the land.  The somewhat contradictory statement a few lines later that law enforcement had a problem with being unable to match individuals to IP addresses did little to improve matters, accompanied as it was by the suggestion that addressing this issue may involve legislation.
Cybergeeks are right to be exercised about this, a technical issue but no mere technicality.
Legislating around IP addresses is a dubious idea at the best of times.  A legislative approach that embeds specific technical implementations falls foul of an important principle of lawmaking in the tech field, technological neutrality.  Professor Chris Reed explains in his book Making Laws for Cyberspace how legislating at too detailed a technical level is likely to create legal uncertainty.  Legislation that assumes or mandates specific technology is at risk of impeding new technological developments.  Technology-specific law is bad law.
Legislating at a detailed technical level also requires a sound understanding of the technology.  The Digital Economy Act was the first UK statute to mention IP addresses.  One has to wonder whether that was done with a full appreciation of IP addressing's manyfold variations.
The particular problem on which the Queen's Speech focuses is that public IP addresses are often shared, so an IP address does not necessarily identify a single end user device.  The public IP address can denote the gateway of a domestic household or of a large organisation, a point within a public network or even the gateway of an entire public network (often mobile).  So thousands of household or organisation routers and potentially millions of end user devices may sit behind a single public IP address.  This is why, when the first draft Initial Obligations Code for the Digital Economy Act was published in May 2010, port numbers (not mentioned in the Act) were included as well as IP address information.    
Ironically, one thing that DEAct did appreciate was that an IP address does not identify a copyright infringer.  Much of the opposition to DEAct was aimed at its mechanism for overcoming this by creating a presumption, which the subscriber had to rebut, that a subscriber identified from the public IP address allocated by the subscriber's ISP was responsible for repeated infringement; even though anyone with access to the subscriber’s system could have used the device identified by the IP address. 
The courts know that this is an important issue.  The speculative invoicing business depended on asserting that a harvested public IP address provided grounds on which to assert a copyright claim against a subscriber identified from the IP address and the ISP's records.  In the UK this was discussed by H.H.J. Birss in the Media Cat case:
“IP addresses  are numerical references used to identify entities on the internet.
“Media CAT's monitoring exercise cannot and does not purport to identify the individual who actually did anything. All the IP address identifies is an internet connection, which is likely today to be a wireless home broadband router.  All Media CAT's monitoring can identify is the person who has the contract with their ISP to have internet access. Assuming a case in Media CAT's favour that the IP address is indeed linked to wholesale infringements of the copyright in question …, Media CAT do not know who did it and know that they do not know who did it.”
Numerous US courts have made the same point, summarised in May 2012 by magistrate judge Gary Brown in K-Beech:

“In sum, although the complaints state that IP addresses are assigned to “devices” and thus by discovering the individual associated with that IP address will reveal “defendants’ true identity,” this is unlikely to be the case. Most, if not all, of the IP addresses will actually reflect a wireless router or other networking device, meaning that while the ISPs will provide the name of its subscriber, the alleged infringer could be the subscriber, a member of his or her family, an employee, invitee, neighbor or interloper.”
Port numbers (if retained) can reach beyond the public IP endpoint to an end user device.  In combination with other contextual information it may then be possible to identify a person who was using the device.  For this reason law enforcement authorities want access to information associated with IP addresses and seek ways of matching an IP address to a unique end user device.  For exactly the same reason such schemes, even if embarked upon for the worthiest and most serious of motives, have civil liberties implications. 
These were articulated most starkly in the 1960s TV series The Prisoner.  When No. 6 said “I am not a number, I am a free man”, he did more than reject a numeric tag.  He pitted his personal autonomy against an all-controlling bureaucratic embrace: “I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.”  Today Patrick McGoohan could as easily have written “I am not an IP address”.