Individuals can be identified despite IP address sharing
The use of Internet Protocol (IP) address sharing technology will not prevent individuals from being identified as the perpetrators of illegal online activity, BT has claimed.
The internet service provider (ISP) has announced that it is currently piloting technology called Carrier-Grade Network Address Translation (CGNAT) that will see as many as nine different customers share the same IP address.
BT said it is trialling CGNAT in a bid to make the most efficient use of existing “IPv4 internet address”, which are currently “running out”, before new “IPv6 addresses become widely adopted”. Doing so will enable fixed-line internet customers to stay connected, it said.
Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that there were privacy implications to IP address sharing that BT, and other ISPs that want to conduct similar trials, would have to consider.
“EU privacy watchdogs have identified IP addresses as, generally, constituting ‘personal data’,” Wynn said, “This means that organisations responsible for IP addresses are bound by data protection laws.”
“IP addresses can identify individuals, but where IP addresses are shared, even though it may seem that the data has been depersonalised, there is potential for individuals to be at best prejudiced by the actions of others and at worst implicated for illegal activity undertaken by others. ISPs that want to deploy IP address sharing technology need to provide customers with a transparent explanation of the implications that technology could have on their privacy and provide those individuals with the ability to opt out from such a scheme,” she said,
“In addition, the ISPs must have a background mechanism in place to unpick any prejudicial treatment customers experience as a result of IP address sharing, such as being identified as being, or somehow connected to, the perpetrator of a crime they are in fact not responsible for,” Wynn added.
Last year, the Article 29 Working Party, a committee made up of representatives from the 27 national data protection authorities based throughout the EU, said organisations should generally have to treat IP addresses as personal data under a reformed data protection framework currently being negotiated at EU level.
“When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers,” the Working Party said. “This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify or single them out. It follows that identification numbers, location data, online identifiers or other specific factors as such should as a rule be considered personal data.”
In June last year Ofcom outlined a draft anti-piracy code that would, if brought into law, place IP addresses at the heart of a new enforcement framework to combat online copyright infringement.
Under Ofcom’s proposals, ISPs would issue “standard form” notifications to customers on the basis of evidence of alleged online copyright infringement gathered by rights holder groups and compiled in a ‘copyright infringement report’ (CIR). The evidence gathering procedures must be approved by Ofcom.
ISPs that issue subscribers with three letters within the space of a year would add the anonymous details of those customers to a ‘copyright infringement list’. Rights holders would be able to request access to the list each month and could seek a court order obliging the ISPs to disclose the identity of the suspected infringers so that they can take legal action against them under the Copyright, Designs and Patents Act.
Under Ofcom’s plans suspected infringers would generally have 20 working days to challenge warning letters from the moment they receive them. An “independent appeals body” would be appointed by the regulator to deal with the cases, although the suspected infringers would have to pay a refundable £20 fee to have their appeals heard. One of the grounds of appeal is that “the copyright infringement report did not relate to the subscriber’s IP address at the time of the apparent infringement.”
BT told Out-Law.com that its CGNAT technology would not prevent the correct perpetrators of illegal online activity from being identified.
“The technology does still allow individual customers to be identified if they are sharing the same IP address, as long as the port the customer is using is also known,” a BT spokesperson said in a statement. “Although the IP address is shared, the combination of IP address and port will always be unique and as such these two pieces of information, along with the time of the activity can uniquely identify traffic back to a broadband line.”
“The IP address determines the location (each computer or device on the internet will have one) and a port makes a connection for the required application, e.g. accessing a web page, connecting to an email server. We dynamically allocate our broadband customers a source IP address which is allocated to the customer’s Hub or router by our broadband network. The port is allocated by the TCP or UDP language the computer is using, based on the application or task in progress. For each IP address there are 65,000 ports that can be used,” the statement said.
“With CGNAT our broadband network ‘translates’ the source IP address on the Hub to a shared IP address, and also translates the ports being used to one within a unique block, from the 65,000 IP addresses ports available. This block is assigned for that user and that user only. We log this translation i.e. the shared IP address assigned, the block of ports and the time. If we subsequently receive a request to identify someone who is using IP address x, and port number y, and time z we can then determine who this is from the logs,” the spokesperson said.
“[In the case of the application of Ofcom’s draft anti-piracy code] the copyright owner will provide the IP address, port and timestamp for a CGNAT customer, or IP address and timestamp for a non CGNAT customer. If only the IP address and timestamp are provided for a CGNAT customer then we are unable to identify the activity back to a broadband line,” they added.
BT said its CGNAT trial will affect some of its Total Broadband customers.
“We believe they are the least likely group of customers to experience any issues or disruptions due to CGNAT, which can interfere with complex online activities like hosting servers at home,” BT said, “We do not think these customers will notice any difference at all in their broadband performance, but if any of these customers did have any resulting issues, we would be happy to restore their connection to an individual IP address.”