Schneier’s recent blog post on a paper published by Steven J. Murdoch and Ross Anderson entitled, aptly enough – “Security Protocols and Evidence: Where Many Payment Systems Fail” demonstrates what many have probably expected from the beginning. That is – a system designed primarily for transaction authentication may not have the same utility when used for evidentiary purposes.
I recall reading a similar paper published about fifteen years ago on the weaknesses of using RADIUS data from ISPs in court proceedings for offenses such as downloading inappropriate and illegal pornography (I am trying to be tactful; but understand that given the extremely harsh prison terms given to such offenders in many Western nations and their social repugnance, it would appear that clear determination as to whether such an act was committed would be pretty important. Not so.) On more than one occasion the ISP I was working within was ordered to provide RADIUS and later (when they realized we had it – we soon removed it once the privacy implications were made concrete in the rest of management’s head) proxy logs for individuals.
In the dialup era at least we had the ANI information. That too could be spoofed but it provided at least some kind of tangible connection with the user. The court orders generally ask – to paraphrase – “184.108.40.206 is part of one of your dynamic IP pools. Can you please supply logs for the user in possession of a lease for this address on 2000-02-01 03:23:14 UTC” which can present problems, especially when someone’s freedom is at risk and you know that half your equipment hasn’t synchronized to a reliable NTP server since Clinton entered into office.
Their response to an answer of – “this was on the cusp – two people occupied this lease within a few minutes of each other” isn’t to abandon this attempt and scold us for not having decent clock synchronization (the whip of big government’s rod would come later when we were forced to implement Cisco LI – uh, legal interception – at our expense or lose our license), but rather to demand the two users and amend their request to include server content including their pop/imap boxes and personal web space. No doubt they had armed police storming these two residences knowing that *one* of them has to be their perpetrator. That isn’t good enough, even when heinous crimes have been committed.
We are fast becoming a society where guilt is assumed and innocence must be proven. Thanks to the PATRIOT ACT and co. your constitutional rights to a fair trial have been scrambled, especially if they can connect your “case” to a vague concept they call “national security”. A child making a dry ice bomb and detonating it in a pond near a school could face such “justice” (enclosed in quotes because they have redefined this word. I must get an updated dictionary and reacquaint myself with what justice means today. The answer won’t please me nor anyone who considers themselves a “patriot” or even a free thinker.)
Whilst a dialup or cable ISP might share IP leases with a couple of users, it is now quite common due to lack of IPv4 addresses for mobile phone operators to share with a “COUPLE OF HUNDRED” users…
Thus those keeping logs need to keep port numbers as well and supply them with any “lawful” request. Likewise, if a “lawful” request comes in without port numbers, bounce it back and say why.
Yeah I have noticed some providers basically have their users on an internal network of sorts and route out via NAT and a few external IPs. Some do the opposite and have a real IP pool for their users but almost all force their users through a transparent cache.
The sad thing is – people still think the Internet grants them some kind of anonymity by default. This is sadly not the case.