[Update 3 December 2014. 18 months on, this has now come alive. The 'IP address resolution' proposals flagged up in the Queen's Speech are included in the Counter-Terrorism and Security Bill introduced in Parliament on 26 November. Initial analysis here.
The Draft Communications Data Bill Joint Committee Report in December 2012 reached some consensus around this issue: "Not all United Kingdom providers currently obtain all the data necessary to trace which subscriber is using which IP address. During the course of our inquiry we heard of various circumstances in which the lack of this data has impeded investigations. We accept that if CSPs could be required to generate and retain information that would allow IP addresses to be matched to subscribers this would be of significant value to law enforcement. We do not think that IP address resolution raises particular privacy concerns."]
The truism that an IP address denotes a device, not a human being, is ingrained in anyone with a technical understanding of the internet. Nothing gets a geek going like the suggestion that an IP address identifies a person.
The Draft Communications Data Bill Joint Committee Report in December 2012 reached some consensus around this issue: "Not all United Kingdom providers currently obtain all the data necessary to trace which subscriber is using which IP address. During the course of our inquiry we heard of various circumstances in which the lack of this data has impeded investigations. We accept that if CSPs could be required to generate and retain information that would allow IP addresses to be matched to subscribers this would be of significant value to law enforcement. We do not think that IP address resolution raises particular privacy concerns."]
The truism that an IP address denotes a device, not a human being, is ingrained in anyone with a technical understanding of the internet. Nothing gets a geek going like the suggestion that an IP address identifies a person.
So when the briefing document (PDF) on last week’s Queen’s Speech said:
“When communicating over the Internet, people are allocated an Internet
Protocol (IP) address”, sharp intakes of IT literate breath could be heard up
and down the land. The somewhat contradictory
statement a few lines later that law enforcement had a problem with being
unable to match individuals to IP addresses did little to improve matters, accompanied
as it was by the suggestion that addressing this issue may involve legislation.
Cybergeeks are right to be exercised about this, a technical
issue but no mere technicality.
Legislating around IP addresses is a dubious idea at the
best of times. A legislative approach
that embeds specific technical implementations falls foul of an important
principle of lawmaking in the tech field, technological neutrality. Professor Chris Reed explains in his book Making Laws for Cyberspace how
legislating at too detailed a technical level is likely to create legal
uncertainty. Legislation that assumes or
mandates specific technology is at risk of impeding new technological
developments. Technology-specific law is
bad law.
Legislating at a detailed technical level also requires a sound
understanding of the technology. The Digital
Economy Act was the first UK statute to mention IP addresses. One has to wonder whether that was done with a
full appreciation of IP addressing's manyfold variations.
The particular problem on which the Queen's Speech focuses is
that public IP addresses are often shared, so an IP address does not necessarily
identify a single end user device. The
public IP address can denote the gateway of a domestic household or of a
large organisation, a point within a public network or even the gateway of an
entire public network (often mobile). So
thousands of household or organisation routers and potentially millions of end
user devices may sit behind a single public IP address. This is why, when the first draft Initial
Obligations Code for the Digital Economy Act was published in May 2010, port numbers (not mentioned in the Act) were included as well as IP address
information.
Ironically, one thing that DEAct did appreciate was that an
IP address does not identify a copyright infringer. Much of the opposition to DEAct was aimed at
its mechanism for overcoming this by creating a presumption, which the subscriber
had to rebut, that a subscriber identified from the public IP address allocated
by the subscriber's ISP was responsible for repeated infringement; even though anyone
with access to the subscriber’s system could have used the device identified by
the IP address.
The courts know that this is an important issue. The speculative invoicing business depended
on asserting that a harvested public IP address provided grounds on which to
assert a copyright claim against a subscriber identified from the IP
address and the ISP's records. In the UK this was discussed by
H.H.J. Birss in the Media Cat case:
“IP addresses are numerical references used to identify
entities on the internet.
…
“Media CAT's monitoring exercise
cannot and does not purport to identify the individual who actually did anything.
All the IP address identifies is an internet connection, which is likely today
to be a wireless home broadband router. All
Media CAT's monitoring can identify is the person who has the contract with
their ISP to have internet access. Assuming a case in Media CAT's favour that
the IP address is indeed linked to wholesale infringements of the copyright in
question …, Media CAT do not know who did it and know that they do not know who
did it.”
Numerous US courts have made the same point, summarised in
May 2012 by magistrate judge Gary Brown in K-Beech:
“In sum, although the complaints
state that IP addresses are assigned to “devices” and thus by discovering the
individual associated with that IP address will reveal “defendants’ true
identity,” this is unlikely to be the case. Most, if not all, of the IP
addresses will actually reflect a wireless router or other networking device,
meaning that while the ISPs will provide the name of its subscriber, the
alleged infringer could be the subscriber, a member of his or her family, an
employee, invitee, neighbor or interloper.”
Port numbers (if retained) can reach beyond the public IP
endpoint to an end user device. In combination with other contextual information it may then be possible to identify
a person who was using the device. For
this reason law enforcement authorities want access to information associated
with IP addresses and seek ways of matching an IP address to a unique end user
device. For exactly the same reason such
schemes, even if embarked upon for the worthiest and most serious of motives, have
civil liberties implications.
These were articulated most starkly in the 1960s TV series The Prisoner. When No. 6 said “I am not a number, I am a
free man”, he did more than reject a numeric tag. He pitted his personal autonomy against an all-controlling
bureaucratic embrace: “I will not be pushed, filed, stamped, indexed, briefed,
debriefed or numbered. My life is my own.”
Today Patrick McGoohan could as easily have written “I am not an IP
address”.
This comment has been removed by a blog administrator.
ReplyDeleteIn a sense IP addresses are addresses on the Internet (capital "I") whereas most devices live on networks that use the internet protocol but are private networks rather than the Internet. NAT is the magic that connects the two.
ReplyDelete