comment 0

Anonymity and IP addresses

anonymous_guy_fawkes

This week, I’ll put the final touches on my move from Malaysia to Singapore.

So, I felt it would a good idea to read through some Singaporean tech articles to see how tech events played out on the little red dot, and offer some unsolicited  and completely useless advice on them.

It wasn’t easy shifting through a boat-load of gadget reviews masquerading as tech journalism (I guess some things are the same in every country), but underneath the hundreds of phone reviews and fiber broadband comparison, I found a little interesting report on illegal downloads.

The Singapore Straits time reports that:

A local law firm that started proceedings to go after illegal downloaders in Singapore on behalf of two Hollywood studios said it will cooperate with the local authorities to ensure no abuse of process.

It follows a rare intervention by the Attorney-General’s Chambers (AGC) in civil applications made by Samuel Seow Law Corp (SSLC) in the High Court last month.

“We will work with the local authorities to ensure that there will be no unnecessary alarm to consumers who receive the letters of demand we plan to send out,” Mr Samuel Seow, managing director of SSLC, told The Straits Times yesterday.

This is just a re-hashed version of what happened last year in Singapore, when the same law firm went after downloaders of another movie, the difference is that this time they’ll be doing it under the watchful eyes of the AGC.

There is something to be said here about copyright-trolling, the abuse of power and the bullying tactics usually involved. But, we’ll leave that discussion for another day.

Today, I want to explore a little bit about anonymity and how many people have a mistaken notion about what it is.

Anonymity and Identity

Anonymity isn’t the absence identity.

Rather, it is having an online identity that is separate and untraceable to your ‘real-world’ identity.

Superman is anonymous, because no one has tied his super-hero identity (Superman) to his real-world identity of mild-mannered Clark Kent. Both Superman and Clark Kent have individual identities that are separate and untraceable to each other even though they’re the same person, and quite frankly a different hairstyle and a pair of glasses isn’t exactly cutting-edge anonymization technology.

But the fact that there are two separate identities, one being anonymous is very important.

An anonymous commenter on this blog that refuses to even provide a pseudonym, would be both anonymous and identity-less, but being anonymous doesn’t require the absence of an identity.

No one can charge Superman for a crime, because Superman isn’t a registered citizen, but the moment we tie that identity of Superman back to Clark Kent, then we have the basis for criminal and civil proceedings.

So why is this important?

Technology always requires at least some form of Identity.

A login to facebook requires a Facebook username, the use of bitcoin requires a bitcoin address, and even downloading on bit-torrent requires an IP address. All of these things, a Facebook username, a bit coin address and an IP address provide an identity to the systems you’re connecting to, the question is whether these identities in the digital world can be tied back to the real world.

In more techie speak, this isn’t anonymity it’s pseudonymity.

Every single connection to the bit-torrent swarm is ledgered and documented somewhere. Some years back, I did some digging on Scaneye and figured out that some Malaysian Government Employees, were using the Government infrastructure to download porn online….you can visit Scaneye to see just what downloads are attributed to your IP adddress here.

There’s an important lesson here–if you use bit-torrent, your IP address is going on a record somewhere.

But that’s not the point, the point is whether that IP address can be traced back to a real-world person. One that can be sued and tried in a court of law.

Is an IP address an Identity?

I wrote a couple post about IP addresses, here, here and here.

The crux of the matter is that an IP address belongs to a connection, not a person or end-device. One internet connection, like the fibre broadband you have in your home can be used by many persons, including your family members, domestic helpers, and some nefarious hackers to lurk within WiFi distance.

So can an IP address be used to determine a persons identity?

Here’s some points to help along with that.

Point 1: The IP address of a connection is tied to the internet connection and not to the end-device. Meaning if you have a connection at home, and all 4 of your family members connected to YouTube at the same time, YouTube would see the same IP address for all 4 devices. No difference. So if only one of you were hosting illegal content or all 4 of you were going it, there’d be no visible difference on the network pattern. Is it reasonable to assume that just because I own the account, that I was sharing the content? How do you know it wasn’t my 16-year old daughter, or 61-year old mother-in-law?

IP Address LAN/WAN 1

Point 2: If someone hacked into your router, the hacker would have the same IP address as yourself. Meaning, you could be held liable even though you were a victim of  a hack. And since most home routers have no logging functionality–there’d be no way to prove your innocence.

Point 3: If you use software like TOR, or Hola Unblocker–your connection could be used as an exit-node for other traffic. i.e. Someone could be using your connection to post seditious comments, or download/upload illegal content without your specific knowledge. It’s part and parcel of how these systems are designed.

Point 4: Many US court cases (1 , 2, 3) have already ruled that an IP address cannot uniquely identify a person. Similar to point 1, an IP address identifies a connection not a person. And in order to threaten legal action you need to identify a person, you can’t sue a connection.

Conclusion

All of these points, bring us to one single logical conclusion. An IP address is a internet-identity you have online that cannot be tied to a individual real-world identity.

Which then brings up an even more interesting question–if an IP address can’t be tied to a person, is it even reasonable for an ISP to release personal details of subscribers based on a flimsy case built on IP address identification?

Let’s wait and see how this turns out.

Meanwhile, singaporelegaladvice.com suggest that those threatened with these letters can make a claim for “groundless threat of infringement”—interesting 🙂

TL;DR

NIST, the most authoritative body on security standards, released a special publication on digital authentication that included the following paragraph:

Digital authentication is the process of establishing confidence that a given claimant is the same as a subscriber that has previously authenticated. The robustness of this confidence is described by categorization known as the Authenticator Assurance Level (AAL). The separation of AAL from Identity Assurance Level (IAL), described in SP 800-63A, better supports applications requiring strong authentication that may be pseudonomymous. The separation of authenticator issuance from the establishment of credentials binding those authenticators to individuals provides additional flexibility in the enrollment and identity proofing process

If you’re lost in the goobledy-gook, don’t worry. The point I want to make is that there are two separate standards for authenticator issuance (verifying a digital identity) and the “establishment of credentials binding those authenticators to individuals” or in plain English, tying that digital identity to a real-world person.

It’s important establishing an identity (getting IP addresses from a bit-torrent swarm) is easy, but tying that identity to an actual real-life person isn’t quite so trivial, and NIST acknowledge this in their separation of the standards.

#YourComment