Simply Security - News, Views, and Opinions from Trend Micro

Posted on March 16th, 2012 in CounterMeasures, Cybercrime by CounterMeasures | Be the first to comment |

used by permission from AhmadHammoud's Flickr photostream

 
This Valentine’s Day, the Serious Organised Crime Agency in the UK took control of a domain that had previously been used to distribute copyrighted material, notably music files. The domain in question is rnbexclusive.com (I know, I know… RnB, why would you?) SOCA replaced the landing page with a very direct message, advising visitors to the site of the action that had been taken and warning them that they may be liable to a ten year prison sentence and an unlimited fine.
 
The message from United Kingdom law enforcement reads “If you have downloaded music using this website you may have committed a criminal offence which carries a maximum penalty of up to 10 years imprisonment and an unlimited fine under UK law”. In what could be considered scare tactics, the message goes on to display the IP address, browser type and Operating System of the visitor along with the current date and time; presumably to demonstrate the “evidence” available to law enforcement. In the equivalent of a digital reading of your rights, the site visitor is informed “SOCA has the capability to monitor and investigate you and can inform your internet service provider of these infringements. You may be liable for prosecution and the fact that you have received this message does not preclude you from prosecution.”
 
In a news release on the SOCA website the agency reported that the International Federation of the Phonographic Industry (IFPI) estimates that losses to businesses and recording artists to be in the order of £15 million per year. According to the same release three similar sites have decided to take unilateral action ranging from voluntarily going offline to posting a notice that they only deal in legal content. From the perspective of law enforcement this must be viewed as a successful action.
 
Let’s consider for a second the nature of the “evidence” offered up to the site visitors and its effectiveness in identifying an individual.
 
What does your IP address say about you?
 
Every computer connected to a network has a unique identifier that allows network traffic to reach the correct destination, for replies to return to the correct originator. In the case of the internet this identifier is an IP address. Sometimes computers are individually addressable online through their IP address, if they are behind a router or access point very often it is only this access point that is directly visible on the wider internet. In effect the access point acts as a front for all the computers behind it, meaning that a single IP address can represent multiple computers.
 
Your IP address is, in most cases assigned to you by your ISP. Your IP address does not publicly expose your name, address or even (reliably) your geographical location to public scrutiny. In order for reliable information to be ascertained regarding the physical allocation of an IP address at a given point in time, only the ISP holds they key. They know who their customers are, they keep records of which customer was assigned which IP at which moment. It is only through access to these records that further information can be gained. This access procedure may involve a request to a judge from law enforcement, and will always require the furnishing of appropriate evidence of illegal activity before such access can be obtained.
 
In the rnbexclusive.com example it is entirely possible that sufficient evidence exists for this request to be granted. So what now?
 
Is an IP Address proof of identity?
 
In the above example the information provided by the ISP will, in most cases, prove the address at which the router is located that provided internet access for the alleged infringement. It cannot prove which person was behind the keyboard, or even which computer was used. This of course assumes that the alleged perpetrator was not making use of a proxy to mask their true IP address.
 
Even this is not enough to be considered primary evidence. It could be argued that an unknown person was making unauthorised use of your wireless network at the time, that you had allowed a visitor access to your home network, that your computer was infected with malware and being used as a proxy by persons unknown, or even that you are unaware of anyone being responsible for a specific activity.
 
Of course where there is enough evidence it is entirely possible for law enforcement to make equipment seizures. They may search for further evidence on individual internet access devices to support a case and in this case the evidence may well be more directly personal in nature. This kind of evidence could truly be considered primary evidence. The correlation of internet activity with an IP address is circumstantial at best and cannot reliably identify an individual clicking a mouse, despite what you see on the TV.
 
This kind of evidence has already been tested in courtrooms around the globe and found wanting. I am not a number. I am a free man.