Technology, Thoughts & Trinkets

Touring the digital through type

IPv6 and the Future of Privacy

There is an increasing urgency to transition to a new infrastructure for addressing space on the Internet, and in this space all individuals and their devices could be uniquely identifiable by their Internet Protocol (IP) address(es). It is in light of this surveillant future that France’s recent ruling that IP addresses are not personally identifiable information is so serious. Further, it is with this longer temporal viewpoint (i.e. not just the here and now) that has more generally worried technologists about governmental rulings concerning binary ‘yes/no IP addresses are private information’.

Before I go any further, let me break down what an IP address is, the distinctions between versions 4 (IPv4) and 6 (IPv6), and then get to the heart of the privacy-related issues concerning the transition to IPv6. The technical infrastructure of the ‘net tends to be seen as dreadfully boring but, as is evidenced by the (possible) computer failures of Toyota vehicles, what goes on ‘under the hood’ of the ‘net is of critical importance to understand and think about. It’s my hope that you’ll browse away with concerns and thoughts about the future of privacy in an increasingly connected biodigital world.

An IP address is a number that is assigned to devices that participate in a computer network that uses the Internet Protocol (often as part of the TCP/IP protocol suite) to exchange data between members of the network. Each device on a network is assigned a unique number, which can be metaphorically thought of as the equivalent of a housing address – your IP address is where digital packets of information arrive, and where your own packages originate from. In the contemporary networking environment a house, or business, or particular government department might be assigned a single IP address that has to be shared amongst hosts of computers. In my home alone, there are at least 10 Internet-enabled devices that connect to my wireless and wired network, to say nothing of the dozens, hundreds, or thousands of devices that businesses and government find in their networks. To share that single IP address, routers that assign separate IP addresses to each member of those local area networks (LANs) have been developed. This means that in the local environment (i.e. the home, business, government agency) each computer has a unique number given to it by the router but that, once the data has passed beyond the local environment, data traffic is correlated with the single IP address assigned to the home, business, or agency. Practically all contemporary routers enable this sharing of IP addresses.[1]

It’s in light of this widespread ‘sharing’ of IP addresses that the present IP addressing system has remained operable. I won’t bore you with the details, but there is a finite number of overall addresses that can be assigned to homes, businesses, and agencies, and we’re rapidly running out of those addresses. The absolute, precise, date of when the present, IPv4, system will run out of IP addresses is subject to debate: if I link to anything, then the various technical folk who read this will immediately write to me telling me I’m off by X days/months/years. In lieu of linking to a specific number, I’m going to say that in the next few years the IPv4 addressing spacing is likely to have been used up. Think of this as the equivalent of a real estate developer always extending beyond the city core, always extending the suburbs, until eventually the various cities’ suburbs start running into each other. Efforts to ‘build upwards’ are the rough equivalent of building apartment buildings and other high rises, where such building projects correlate with the deployment of LANs that see the mass sharing of particular IP addresses.

What does it mean to shift from the present addressing system (IPv4) to the ‘new’ system (IPv6)? To begin, it means that there is a lot more of IP real-estate; whereas IPv4 offers roughly 4.3 billion addresses, IPv6 provides 340 trillion trillion trillion (!) unique addresses. One can quickly appreciate the numerical difference. More significantly, it means that the system of LANs that we have today will no longer be required because of IP address scarcity. Each of the Internet-enabled devices  in my home could have its own IPv6 address – there is no real need to route all the data through a single IP address that is provided by my ISP.

In a situation where all Internet enabled devices have a constant address, the regular refrain “we don’t know who’s IP address we’re monitoring; it is possible that a set of users are sharing the same address!” is quickly disabused. With a persistent IP address, depending on the degree of algorithmic surveillance, it is possible to develop very, very good understandings of who is presumably the agent ‘using’ the IP address. Similar to how marketers can figure out who you are with very little information, advertising companies such as Doubleclick are in a comparable situation to develop very detailed, very personal, accounts of the individuals that regularly use Internet enabled devices.[2] In a situation where all devices have unique IP addresses, this could facilitate more accurate advertising (read: better targeted and more invasive), and that government agencies and ISPs alike could more accurately identify and track particular users online.

If this sounds like a kind of ‘privacy Chernobyl’ that puts issues like Facebook’s Beacon and Google’s Buzz to shame, you would be in good (?) company: journalists have been warning of the dangers of IPv6 since Bill Frezza’s 1999 piece “Where’s All the Outrage about IPv6 Privacy?

Fortunately, the good engineers that develop Internet Protocols were aware of the potentially devastating consequences that static IP addresses for each device would have on anonymity online and, as a result, privacy. The Internet Protocol next generation (IPng) working group crafted a solution that involved creating;

pseudorandom interface identifiers and temporary addresses using an algorithm … The temporary address would not derive from a completely random generation process, which might result in two computers generating the same number, but instead would produce a temporary pseudo-random sequence dependent on both the globally unique serial number and a random component. The number would be globally unique because it would derive from the interface identifier and from the history of previously generated addresses, but would be difficult for an external node to reverse engineer to determine the source computer. [3]

In layman’s terms, this means that the engineers responsible for IPv6 were mindful of the surveillance capacities of the new Internet Protocol, and built privacy into a system that would otherwise lend itself to surveillance and authoritarian tendencies. The catch, however, is that is requires the parties responsible for assigning IP addresses to participate in the pseudo-anonymization process itself: it’s possible for ISPs to forcibly assign particular address to each and every device on their network.

(Before advancing any further I should note that I don’t know that ISPs have any such intentions: the following is ‘academic’, or theoretical, work.)

One might ask: “Chris, why would my ISP want to assign particular IP addresses to each device, instead of permitting for pseudo-anonymization? Are ISP’s privacy-haters?” No, person that I’m pretending to respond to, I’m not suggesting that ISP’s hate privacy, but instead that ISPs are in love with following the law.

In Canada, we’re looking at the re-re-re-introduction of lawful access legislation and associated electronic surveillance legislation. Presently, law enforcement claims they regularly run into challenges with monitoring presumed-criminals’ digital communications. In a domain where all devices are IP-enabled and have unique IP-addresses that are assigned by an IP provisioning body, such as an ISP, a license to wiretap a particular address would let law enforcement monitor when a particular device was engaged in the exchange of digital packets, regardless of whether the packets themselves were encrypted. The distinction between the IPv4 and IPv6 world: in an IPv4 world you can’t distinguish between users that share a common IP address (or so claims are made) as precisely as a judge might demand. IPv6 remedies this ‘worry’.

It’s a combination of the possibility to forcibly assign an IP address alongside the strong (governmental) security initiatives to ‘protect and secure’ the Internet that makes me claim that IP addresses could soon be very, very important from a privacy and security position. While the next generation protocol has reasonable privacy protections built in, various academic scholars (and, unofficially, several of Canada’s privacy commissioners) suggest that the ‘security institutions’ are better at dissolving privacy protections than the privacy community is at enshrining privacy in law. Especially worrying in the case noted at the top of this post is that France – a member of the EU – is arguing that an IP addresses shouldn’t be considered personally identifiable information. The EU is recognized as imposing privacy protections on the rest of the world, and thus if France’s decision is upheld then the EU would be seen as ‘pushing’ the position that IP addresses are not personally identifiable information. While this position might be tenable in an IPv4 world, in an IPv6 world that sees security lobbies advocate for relatively static IP addresses the privacy of individuals would be significantly put at risk.

Maybe this is just doomsday talk – perhaps the security lobbies will avoid pushing for assigned IPv6 addresses, and demand that the full privacy protections of the IPv6 protocol are implemented. Unfortunately, as witnessed in Newman’s Protectors of Privacy and Ross’ 2009 piece “Privacy in the Digital Age: States, Private Actors, and Hybrid Arrangement,” the digital era’s privacy provisions are being rapidly eroded in a post-9/11 world. Unless there is a substantial change, unless privacy protections are genuinely entrenched in law with a strong civic commitment to privacy, unless IP addresses are recognized as always potentially personally identifiable information (at a minimum), then IP addresses are going to matter a whole lot more to security and marketing groups than they already do. And when marketers are interested in particular information, you can be sure that it’s not curiosity, but because they can leverage it to invade our minds and track our actions.

************

[1] Yes, businesses and government agencies may have multiple IP addresses assigned to them. I’ve intentionally simplified things for the purposes of analytic and metaphoric clarity.

[2] Phillips and Curry have a particularly good piece, titled “Privacy and the phenetic urge: geodemographics and the changing spatiality of local practice” in Surveillance as Social Sorting that outlines marketers’ capacity to draw detailed temporal-geographic patterns of mobilities.

[3] from  Laura Denardis’ Protocol Politics: The Globalization of Internet Governance

5 Comments

  1. IP is not the *only* way to identify and track people.

    Sites can identify you because they get info from you like: screen resolution, browser name, browser version, your country and city (even if IP changes), connection speed, Flash player version, and many other information.

    If all that information is put together is like saying: “I hide the number of my house, but it has white walls, red roof, three big windows, and a BMW-X1 car at the front”.

    It really doesn’t matter the number of your house (your IP), I know which one it is.

    They know who you are because of your software/hardware/location. Each site/forum/blog receive all that info already.

  2. @Marse Paul

    You’re absolutely correct; it’s not the only way, but it is a potentially significant way that may be made more significant if the privacy features of IPv6 aren’t fully (or properly) implemented. The items that you raise are other facets of identifying users, but the IP address is significant (along with cookies, and other unique identifiers) because it can granularly identify you. While true that the information you provide about the house is likely to limit the set of individuals with that home, it is possible that a variety of people around the world would be included in that set. Thus, you’re not necessarily identified. You tend to be identified with an IP address (barring using a proxy, or similar attempts at obfuscation).

    Also, it’s important to note that a lot of browsers and their computers are reasonably similar. While you can potentially ‘pick out’ individuals using an analysis of traits, it is much, much easier to do so with some kind of permanent identifier, such as a static IP address.

  3. I`m also actually thinking about IPv6. Up till now i only thought about security problems like: Will the into the router integrated firewall also work with IPv6? Your article opened my eyes for the privacy issue. Especially the combination of a static IP and IPv6 is scaring me. On the other hand it would be nice if you have set up a little home server. There is no more need of complicated port forwarding rules and dynamic domain name services like dyndns.

    Best Regards from Germany, where the IP is still a private information.

  4. hi,
    I enjoyed reading your article very much and in fact I spent 2-3 hours before looking for something around these lines. I have a couple of questions which I am thinking you might be able to answer. I am purely talking about implementation in mobile internet devices i.e. smartphones, pda’s etc.

    IPV4 implementation on mobile network – Currently my mobile operator uses a NAT which gives me a new ip every time I connect to internet. For external IP I don’t know how many IP addresses are there with my current operator. However I have read somewhere that mobile operators keep a log of internal IP being used by each customer for billing purposes (mobile data usage etc). If that is the case, then say someone (some authority) wants to know who accessed a certain website at x time, they should be able to know that it was my operator using that site and after that they can contact my operator to check logs who accessed that site at that time which will show my dynamic (internal) ip. so its still traceable? what are your thoughts?

    Second question – is IPV6 implementation – as far as I have read that they will be using the MAC Address (of your machine) as salt with the static ip address which makes it more of a concern (although you can spoof your MAC address) but when it comes to legal stuff they can probably check your physical MAC Address if the need be. I am not sure about the source for “pseudorandom interface identifiers and temporary addresses using an algorithm … ” but would like to read up on that.

    Look forward to your response.

    Vin

    • re: IPv4 and mobile operations. My understanding is that port numbers are the primary means of tracing communications to individual subscribers, on the basis that such information is retained. That said, the methodology adopted will vary depending on the mobile operator in question. Much comes down to business operations and data retentions policies demand/require.

      IPv6 will offer stateful and stateless IP configuration. Stateful means it could be assigned by a DCHP server, whereas stateless involves a combination of hardware serial number, history of created IP addresses, and router prefix information. Combined, this means that you retain a unique IP while also enabling a regularly shifting IP address to alleviate the privacy concerns. You can read more about this in RFC 3041.

      The source cited is Laura Denardis, and her book ‘Protocol Politics’; the book focuses on IPv6 and has an excellent section on the civil rights/privacy issues related to IPv6. I’d highly recommend the book if you’re interested in the politics of IPv6.

Leave a Reply

Your email address will not be published.

*