Accreditation of privacy and proxy services

One of the most relevant issues for law enforcement discussed within ICANN¹⁸¹ relates to the accreditation of privacy and proxy services. Registrars often offer privacy and proxy (P/P) services to customers who wish to keep certain information from being made public via the WHOIS (publicly available database of the registration information of each domain name holder). However, P/P services are often misused to hide criminal activities. For instance bullet proof hosters (BPHs) will use untraceable WHOIS details to register servers aided by privacy-protection legal services¹⁸².

ICANN has committed to establishing an accreditation program for P/P service providers to establish a contractual framework. The bottom line is that ICANN should only accredit Registrars that cooperate with public authorities to avoid - as much as possible - rogue actors providing key elements of bullet proof hosting infrastructure and obscuring pertinent information.

Unfortunately, the concerns of the law enforcement community have not been included in the current recommendations adopted by the ICANN Board¹⁸³. The consequences are detrimental to the prevention of crime online:

• Firstly, according to the ICANN Board recommendations, P/P service providers should only comply with express requests from LEAs not to notify a customer where this is required by applicable law. In other words, P/P service providers will not have to keep law enforcement requests for information confidential unless served with a court order.
• Second, P/P service providers may only be compelled to respond to law enforcement requests coming from within their own jurisdiction while many investigations are cross-border.
• Thirdly, entities running domains/websites actively engaged in commercial transactions – i.e. the collection of money for goods or a service – will be allowed to conceal their identity using privacy and proxy services.

Some of these concerns could possibly be addressed during the implementation of the recommendations but the law enforcement community needs to engage with its government representatives at ICANN to ensure a positive outcome.

Replacing the DNS WHOIS

The WHOIS is a free, publicly available directory containing the contact details of registered domain name holders (registrants). Anyone, including law enforcement, who needs to know who is behind a domain name can make a request for that information via the WHOIS protocol. The data is collected and made available by registrars and registries under the terms of their agreements with ICANN. Accurate WHOIS information is therefore essential for consumer protection and law enforcement to investigate and attribute abuse and unlawful activity online.

However, despite a number of ICANN contractual obligations to ensure accurate WHOIS information, bad actors have found many ways to register domain names anonymously. In parallel data protection authorities have been criticising the WHOIS for failing to adhere to European data protection standards.

A new ICANN Policy Development Process (PDP) has been established in 2016 to determine whether a new system could replace the WHOIS. The PDP has started working on the basis of the recommendations of a report adopted in 2014 by an Expert Working Group (EWG)¹⁸⁴.

In order to reconcile privacy and data protection laws with the requirement to have contact details for each domain names, the EWG recommended a “gated access” to WHOIS information. In other words, the current model of anonymous public access to all gTLD¹⁸⁵ registration data might be discontinued. Instead, registration data would be disclosed for permissible purposes only, with some data elements being accessible only to authenticate requestors. This means that law enforcement agencies will need to be validated and accredited in order to query the database of registration of domain names.

This raises a number of issues as to which organisation will serve as the accrediting body and how this will impact the speed at which LEAs will be able to obtain relevant information.

Carrier-grade network address translation (CGN)

Recently, many new technologies have made the headlines because they hinder law enforcement’s ability to follow criminal leads and attribute crime. But the Going Dark problem is not limited to the Tor network, proxy servers, bullet proof hosting and encrypted communication apps. A far more diffused technology is posing massive attribution problems to the law enforcement community.

The global demand for internet accessibility has led to an explosion in use of internet enabled devices. This growth has resulted in the exhaustion of the Internet Protocol version 4 (IPv4) addresses. The new version of the Internet Protocol, known as IPv6, offers a virtually unlimited number of IP addresses. However, the transition from IPv4 to IPv6 has been slower than expected because of the lack of commercial incentive to do so and the numerous necessary upgrades to the IPv4 legacy infrastructure. The transition from IPv4 to IPv6 has forced many network operators and internet service providers (ISPs) to support and maintain both address infrastructure schemes so that devices are able to run IPv4 and IPv6 in parallel (dual stack).

Against this background, and in order to address the gradual exhaustion of IPv4 addresses, ISPs and mobile internet service providers have adopted a temporary solution called Carrier-Grade Network Address Translation (CGN).

What is Carrier Grade NAT (CGN)?

CGN is an evolution of the traditional Network Address Translation (NAT) protocol, which has been used for the last 25 years in private networks (homes, small businesses). NAT dynamically translates a collection of private IP addresses connected to each of the home or business user's devices to one public IPv4 address used within one network (i.e. routable on the internet). That one public IP address is announced at the customer endpoint user's modem which interfaces with the customer endpoint user's content service provider network. CGN is much more pervasive than NAT; instead of an endpoint user having a single public IP address, CGN allows a single IP address to be shared by potentially thousands of subscribers at the same time.

CGN impact on law enforcement investigations

With CGN, law enforcement has lost its ability to associate and link a particular cyber criminal’s activity back to a particular IP address. Cyber investigators now need to determine which one of the hundreds of consumers associated with a particular public IP address is behind the actions they are investigating.

One Member State reported that in a recent investigation into child sexual exploitation material (CSEM) distributed and hosted via a cloud-based service, the investigators had to investigate each one of the 50 clients using that public IP at this time in order to identify who was ultimately uploading the CSEM, because the cloud-based service provider did not log the relevant information to discriminate which customer was using the public IP.

Scale of the problem

A survey conducted in August 2016 among European cyber-investigators, shows that problems of crime attribution related to CGN technologies are regularly encountered by 90% of the respondents during their investigations¹⁸⁶.

In a number of cases, the investigations were discontinued. Alternatively the investigations were delayed because the investigators needed to resort to additional, lengthy and possibly more invasive investigative techniques in order to identify the end-user. 98% of the respondents support a European-wide mandatory legal requirement for electronic service providers to identify end users of IP addresses.

Future threats and developments

For many years, most actors involved shared the view that the simplest solution to this problem was to wait for the full transition to IPv6, because the trillions of IP addresses available would do away with the need to use CGN. Current trends indicate that the transition to IPv6 will not be completed before at least the next two decades.

Currently, almost all European mobile ISPs use CGN technologies and a large majority of conventional ISPs (cable, fibre and ADSL) have converted their network infrastructure to use CGN.

In addition, responding to customer demand, telecoms equipment companies such as CISCO and JUNIPER have started selling software solutions to translate IPv4 addresses into IPv6 addresses¹⁸⁷. This means that CGN is here to stay and that the law enforcement community needs to resort to other means to be able to continue performing a trace back to an individual end user of an IP address.

Recommendations

• To be able to trace back an individual end user to an IP address on a network using CGN, law enforcement must request additional information¹⁸⁸ from the service providers via legal process:
  • Source and destination IP addresses;
  • Source port number;
  • Exact time of the connection (within a second) .
  • However, the lack of harmonised data retention standard requirements in Europe¹⁸⁹ means that content service, internet service and data hosting providers are under no legal obligation to retain this type of information, meaning that even a more elaborate request from a law enforcement agency would not yield useable information from the provider.
• Regulatory/legislative changes are required to ensure that content service providers systematically retain the necessary additional data (source port) law enforcement requires to identify end users.
• Alternatively, practical solutions can be developed through collaboration between the electronic service providers and law enforcement. Some electronic providers in Europe do store the relevant information (source port). A European-wide portal could maintain an updated list of those providers and a list of contact points to address in case an investigation is stalled by CGN.