Can law enforcement catch bad actors online anymore?

8 Dec 2016 11:15h - 12:45h

Event report

[Read more session reports and live updates from the 11th Internet Governance Forum]

Mr Robert Guerra, member of ICANN’s Security and Stability Advisory Committee and the Chair of the session, provided some brief context on the issue to be discussed. He noted that while we all want bad actors on the Internet to be caught, at the same time we want to maintain the privacy of the genuine actors on the platform.

President and CEO of ARIN, Mr John Curran, gave some background on the discussion topic, explaining how IPv4 depletion will make law enforcement and investigation a difficult task going forward. Providing statistics, he mentioned that we have a total of 4 billion IPv4 addresses (less than 50% of the Earth’s population, which stands at a little more than 8 billion), while the total number of IPv6 addresses is 340 undecillion (more than the grains of sand on the planet). He mentioned that the IETF had predicted that the entire IPv4 pool would run out of space between 2012 and 2017, a prediction which is coming true. As a result of depleting IPv4 addresses, ISPs are coming up with innovative solutions such as NAT (Network Address Translation), which utilises switching between public and private IP addresses. However, such mechanisms make it difficult for investigative bodies to trace the bad actor. Adding to this difficulty is the increasing use of technologies such as Tor and VPNs.

Mr Jeff Bedser, CEO of iThreat Cyber Group, offered a scenario that depicts a real-world IP address investigation. He mentioned that IP address utilisation has seen a total increase of 15000% in the last 10 years. He presented a case where an ISP is routing the same IP address to many users within a 24-hour period. This makes it difficult for the investigator to track the actual culprit; they have to rely heavily on the timestamp details provided, which are maintained optimally. He also mentioned details of the Aidra botnet, which utilised IPv6 addresses to launch malware and denial-of-service attacks. To give a perspective on the scale of the IPv6 addressing scheme, he mentioned that brute-force vulnerability scanning of the entire IPv6 range would take 100,000 years, more than the ‘total time sun gets burned out’.

Mr Ben Butler, Director of Digital Crime Unit at GoDaddy, provided a perspective on the investigation process from the viewpoint of a hosting service provider. He suggested that to keep up with the pace of IPv4 depletion and offer timely support to investigations, it is important that service providers come up with a framework of robust logging of IP details and a sustainable data retention period.

Mr Iranga Kahangama, joining remotely from the Federal Bureau of Investigation (FBI), noted jurisdictional conflicts and delays in getting relevant technical evidence as the key challenges for law enforcement agencies and the investigative domain. He also emphasised the importance of partnership, as investigation agencies such as the FBI are heavily reliant on partners such as registries, ISPs and commercial products for leading these investigations.

Ms Athina Fragkouli, Head of Legal at RIPE NCC, also joining remotely, presented a case on the unique position that all registries have while dealing with law enforcement agencies. She highlighted that the ISPs are mandated to maintain an updated WHOIS database that is frequently utilised by investigation agencies for reconnaissance. If they fail to do so, the registries can deny services to these ISPs.

by Mohit Sarawsat, Internet Society UAE