FBI, DEA warn IPv6 could shield criminals from police

The FBI, DEA, and Royal Canadian Mounted Police say IPv6 may erode their ability to trace Internet addresses -- and warn new laws may be necessary if industry doesn't do more.

Declan McCullagh Former Senior Writer

U.S. and Canadian law enforcement agencies are warning that a historic switch to the next-generation Internet protocol called IPv6 may imperil investigations by making it more difficult to trace who's using which electronic address.

FBI, Drug Enforcement Administration, and Royal Canadian Mounted Police officials have told industry representatives that IPv6 traceability is necessary to identify people suspected of crimes. The FBI has even suggested that a new law may be necessary if the private sector doesn't do enough voluntarily.

Investigations stemming from kidnappings, the September 11 terrorist attacks, and the Mytob worm have involved tracing previous-generation IPv4 addresses back to an Internet provider's customer, the FBI says. The bureau says it needs the same level of traceability for IPv6, which got a boost in popularity last week thanks to World IPv6 Day.

"We're looking at a problem that's about to occur," John Curran, president of the American Registry for Internet Numbers (ARIN), a nonprofit group that allocates blocks of IPv4 and IPv6 addresses in North America and the Caribbean, told CNET. "It occurs as service providers start to roll out V6."

This IPv6-related effort comes as the FBI is redoubling its efforts to combat what it calls the "Going Dark" problem, meaning that its surveillance capabilities may diminish as technology advances. CNET was the first to report last month that the bureau had formed a Domestic Communications Assistance Center to keep abreast of technological changes that may otherwise imperil government surveillance.

Blame people, not machines
Law enforcement's difficulty with IPv6 traceability has little to do with the underlying technology -- and a lot to do with the foibles of human bookkeeping.

This slide, labeled unclassified, from an FBI presentation says that tracing IP addresses through Whois has been part of investigations stemming from kidnappings, the September 11 terrorist attacks, the Mytob worm, and others. (Image: FBI)

ARIN and the other regional registries maintain public Whois databases for IP addresses, meaning that if you type in 64.30.224.118, you can see that it's registered to CNET's publisher. ARIN tries to ensure that Internet providers keep their segments of the Whois database updated, and because it has been handing out IPv4 address blocks every few months, it currently enjoys enough leverage to insist on it.

But for IPv6, ARIN will be handing out much larger Internet address blocks only every 10 to 15 years, meaning it loses much of its ability to convince Internet providers to keep their Whois entries up-to-date. That means it may take law enforcement agencies -- presumably armed with court orders -- longer to trace an IPv6 address such as 2001:4860:4860::8888 back to an Internet service provider's customer.

Accurate IPv6 record-keeping does more than help law enforcement. It's useful for combating abuse. It's useful for anti-spam measures. It's useful for figuring out what's going on with distributed denial of service attacks. And it's useful for civil litigants.

An FBI spokesman told CNET that the bureau is concerned about IPv6 because:

An issue may also arise around the amount of registration information that is maintained by providers and the amount of historical logging that exists. Today there are complete registries of what IPv4 addresses are "owned" by an operator. Depending on how the IPv6 system is rolled out, that registry may or may not be sufficient for law enforcement to identify what device is accessing the Internet.

"This is not a question of willful rejection," Curran says, referring to the service providers who are receiving huge blocks of IPv6 addresses. "ISPs are happy to do this. They're just lazy...It doesn't have a direct impact on them and their ability to get new address space because they don't need new address space."

During an investigation, police typically look up the originating IP address in the Whois database to glean a pointer to the organization sending the problematic traffic. Unless the database is kept up-to-date, including what Internet engineers call "subdelegations," it can mean repeated subpoenas or court orders, which could delay investigations for days or weeks until the final provider in the chain is identified and contacted. (There are also more manual processes that can be used if Whois records are unavailable.)
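The lookup the article describes is a longest-prefix match: the registry holds a hierarchy of allocations and reassignments, and the most specific prefix covering an address names the party to serve. The following is an added example, not code from the article or from ARIN. It builds a constructed registry from the IPv4 and IPv6 documentation ranges (192.0.2.0/24 and 2001:db8::/32, not the addresses quoted in the article), with holder names and contacts that are invented, and shows how the delegation chain collapses to the top-level provider when the subdelegation records are missing, which is exactly the case that forces the repeated subpoenas described above.

```python
import ipaddress

# Constructed registry records (invented holders; documentation address ranges only).
# Each entry: (prefix, holder, abuse contact). Less specific prefixes are the
# registry's direct allocations; more specific ones are the ISP's subdelegations.
RECORDS = [
    ("192.0.2.0/24",          "Example ISP (/24 allocation)",          "abuse@isp.example"),
    ("192.0.2.64/26",         "Example Hosting Co (/26 reassignment)", "abuse@hosting.example"),
    ("2001:db8::/32",         "Example ISP (/32 allocation)",          "abuse@isp.example"),
    ("2001:db8:4000::/48",    "Example Hosting Co (/48 subdelegation)", "abuse@hosting.example"),
    ("2001:db8:4000:1::/64",  "End Customer Ltd (/64 subdelegation)",  "noc@customer.example"),
]

# The same registry as an ISP might leave it once the subdelegations go unrecorded.
STALE_RECORDS = [r for r in RECORDS if r[1].startswith("Example ISP")]


def covering_prefixes(addr_str, records):
    """Every registry prefix that contains addr_str, least to most specific.

    Read top to bottom, this is the chain of parties an investigator would have
    to contact if only the registry's own record were available at each hop.
    """
    addr = ipaddress.ip_address(addr_str)
    chain = []
    for prefix, holder, contact in records:
        net = ipaddress.ip_network(prefix)
        # ip_network.__contains__ returns False across versions, but be explicit.
        if net.version == addr.version and addr in net:
            chain.append((net, holder, contact))
    return sorted(chain, key=lambda r: r[0].prefixlen)


def responsible_party(addr_str, records):
    """Holder of the most specific covering prefix, or None if unregistered."""
    chain = covering_prefixes(addr_str, records)
    return chain[-1][1] if chain else None


if __name__ == "__main__":
    for target in ("192.0.2.70", "2001:db8:4000:1::10", "198.51.100.1"):
        print(target)
        for name, recs in (("complete registry", RECORDS), ("stale registry", STALE_RECORDS)):
            hops = [f"{net} -> {holder}" for net, holder, _ in covering_prefixes(target, recs)]
            print(f"  {name}: {' | '.join(hops) or 'no record'}")
```

With the complete registry, 2001:db8:4000:1::10 resolves in one lookup to the /64 holder; with the stale registry the same address stops at the ISP's /32, and every further hop is a separate legal request. Real Whois and RDAP data also carry reassignment dates and contact validation status, which this constructed model omits.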

"When law enforcement is looking at these records, we need to know who to serve our legal process to," FBI supervisory special agent Bobby Flaim said at an ARIN meeting in April. "When we're looking at this information, we need for it to be accurate... We need the speed because digital evidence evaporates so quickly. That's why it's so key to us."

Still working on it
Most Internet providers contacted by CNET declined to comment publicly.

Some said they are still drafting IPv6 transition policies. "Cox is still developing our IPv6 transition plans," said Todd Smith, director of media relations for Cox Communications. Anita Lamont, a spokeswoman for Charter Communications, said that "Charter is formalizing its IPv6 management policy for allocation."

About a quarter to a third of Internet providers have automated systems to keep track of their address assignments, ARIN estimates, with the rest tracking where their IP addresses are used through spreadsheets or in-house databases.

Flaim, who works for the FBI's Operational Technology Division based in Quantico, Va., which boasts of creating "the latest and greatest investigative technologies to catch terrorists and criminals," suggested during April's ARIN meeting that the industry has a strong incentive to keep accurate IPv6 address records.

"We're hoping through all of this you can come up with some self-regulatory method in which you can do it," Flaim said. "Because otherwise, there will be other things that people are going to consider."

Royal Canadian Mounted Police Staff Sgt. Marc Moreau offered a similar prediction: "We're hoping that people in the community seize the opportunity to work and to have that self-regulation, because, if not, if all of the different governments then get involved, it could get uglier."

The DEA and the RCMP told CNET yesterday that they needed more time to respond to questions.

Law enforcement has also warned about other problems relating to IPv4 address exhaustion, including greater use of carrier-grade Network Address Translation, or CGN. Under CGN many customers share a single public IPv4 address, so the address alone no longer identifies a customer; Internet providers that want to help with investigations would have to keep track of which source port number a customer was assigned, and when.
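Why the port number matters under CGN is easiest to see against a translation log. The example below is added here and is not code from the article or from any provider; the log lines, the log format, and the subscriber table are constructed for the example (internal addresses use the RFC 6598 shared space 100.64.0.0/10, external addresses the 203.0.113.0/24 documentation range). It reuses one external port after the first session closes, so a query with the public address and a timestamp alone returns more than one subscriber, while address plus port plus timestamp returns exactly one.

```python
import re
from datetime import datetime, timezone

# Constructed CGN translation log (not real provider data). Port 40001 is
# released at 17:03:40 and handed to a different subscriber one second later.
LOG = """\
2012-06-12T17:03:11Z NAT-OPEN  proto=tcp int=100.64.0.7:51234 ext=203.0.113.5:40001 dst=192.0.2.10:443
2012-06-12T17:03:12Z NAT-OPEN  proto=tcp int=100.64.0.9:49152 ext=203.0.113.5:40002 dst=192.0.2.10:443
2012-06-12T17:03:40Z NAT-CLOSE proto=tcp int=100.64.0.7:51234 ext=203.0.113.5:40001 dst=192.0.2.10:443
2012-06-12T17:03:41Z NAT-OPEN  proto=tcp int=100.64.0.12:40000 ext=203.0.113.5:40001 dst=198.51.100.20:80
2012-06-12T17:09:00Z NAT-CLOSE proto=tcp int=100.64.0.9:49152 ext=203.0.113.5:40002 dst=192.0.2.10:443
2012-06-12T17:10:00Z NAT-CLOSE proto=tcp int=100.64.0.12:40000 ext=203.0.113.5:40001 dst=198.51.100.20:80
"""

# Constructed mapping from pre-NAT (internal) address to subscriber account.
SUBSCRIBERS = {"100.64.0.7": "CUST-1001", "100.64.0.9": "CUST-1002", "100.64.0.12": "CUST-1003"}

LINE = re.compile(
    r"^(\S+) NAT-(OPEN|CLOSE)\s+proto=(\w+) int=([\d.]+):(\d+) ext=([\d.]+):(\d+) dst=\S+$"
)


def ts(s):
    """Parse the log's UTC timestamps; the record is useless if clocks disagree."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Pair OPEN/CLOSE events into sessions keyed by the full 5-tuple of the translation."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not a translation event
        when, event, proto, int_ip, int_port, ext_ip, ext_port = m.groups()
        key = (proto, int_ip, int(int_port), ext_ip, int(ext_port))
        if event == "OPEN":
            session = {"proto": proto, "int_ip": int_ip, "ext_ip": ext_ip,
                       "ext_port": int(ext_port), "start": ts(when), "end": None}
            open_sessions[key] = session
            sessions.append(session)
        else:
            session = open_sessions.pop(key, None)
            if session is not None:
                session["end"] = ts(when)
    return sessions


SESSIONS = parse_log(LOG)


def active(session, at):
    """A session with no CLOSE yet is treated as still open."""
    return session["start"] <= at and (session["end"] is None or at < session["end"])


def who_used(ext_ip, ext_port, proto, when, sessions=SESSIONS):
    """Subscribers behind (ext_ip, ext_port, proto) at the given instant: the precise query."""
    at = ts(when)
    return sorted({SUBSCRIBERS.get(s["int_ip"], "unknown") for s in sessions
                   if s["ext_ip"] == ext_ip and s["ext_port"] == ext_port
                   and s["proto"] == proto and active(s, at)})


def who_used_ip_only(ext_ip, when, sessions=SESSIONS):
    """Subscribers behind ext_ip at the given instant: what an IP-only request can answer."""
    at = ts(when)
    return sorted({SUBSCRIBERS.get(s["int_ip"], "unknown") for s in sessions
                   if s["ext_ip"] == ext_ip and active(s, at)})


if __name__ == "__main__":
    print("ip only, 17:03:20  ->", who_used_ip_only("203.0.113.5", "2012-06-12T17:03:20Z"))
    print("ip+port, 17:03:20  ->", who_used("203.0.113.5", 40001, "tcp", "2012-06-12T17:03:20Z"))
    print("ip+port, 17:05:00  ->", who_used("203.0.113.5", 40001, "tcp", "2012-06-12T17:05:00Z"))
```

The same port yields a different subscriber a minute and a half later, which is why a request has to carry the timestamp as well as the port, and why the provider's NAT logging and clock discipline, not the Whois entry, decide whether the question can be answered at all.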

Another FBI priority is requiring Internet providers to keep records of what IP addresses their customers are assigned, also known as data retention; a House of Representatives committee approved those requirements last summer.

Last updated at 1 p.m. PT
