Nigel Lang says his life was ruined by a typo.
Wrongly arrested in 2011 by South Yorkshire Police, in the UK, for allegedly sharing images of child abuse, the police refused to tell him how the error had been made. Lang spent 6 years fighting to find out how he’d been erroneously pushed into a nightmare. Police said too much time had passed to figure it out, but after Lang hired a solicitor, they managed to cough up the truth.
The truth being that a mistyped IP address had been traced to his partner. It was off by one digit. Lang filed a complaint of racism and sexism – he’s a black man, and his partner’s a white woman – but the complaint was dismissed.
As of March 2017, Lang was unemployed, frightened to return to his work as a drug recovery worker with troubled youth lest they accuse him of sexual advances, and said he was suffering from mental health problems. When this all went down, he left his children, moved in with his mother, and feared that any of them might be attacked by vigilantes.
Unfortunately, his is not a one-off horror story.
Police have been increasingly making errors in IP address resolution, according to a letter presented by the Interception of Communications Commissioner (IOCCO), Sir Stanley Burnton, to accompany his annual report to the prime minister.
Burton explains that while “errors and more general problems form a very small percentage of the total activity I inspect”, he is “concerned by the increasing number of errors that occur when public authorities try to resolve IP addresses” and that errors are “far more common than is acceptable”.
The errors mainly stem from manual entry of details into software that helps police work out the location at which a specific IP (internet protocol) address has been used. As it is, communication service providers (CSPs) can easily reassign IP addresses, for good reasons, Burnton explained, such as…
- Many CSPs have more customers than IP addresses, so they only assign IP addresses to active customers (those online). When you log off, the IP address you were using is reassigned to somebody else.
- When you log back in, you may well be assigned a different IP address.
- Security reasons: changing your IP address makes it harder for cybercrooks to find you.
- More recently, CSPs have been routing multiple users through the same IP address: a practice that saves on the number of IP addresses used but makes it hard to know which of those users is responsible for any activity coming through that address.
It all means that tracing an IP address to a specific location is increasingly tough. To do so, you need a specific time when the online activity occurred. But here, too, data entry gums things up because there are differing ways to record date stamps: 1am on the first of January 2017 could be represented as: 201701010100; 1.00 1-Jan-17; or 0100 1 January 2017. In addition, not all of these systems record the time zone, Burton explains.
The impact of these errors has in some cases been enormous, he says, citing Nigel Lang for “having had the courage to highlight this issue in the media.”
People have been arrested for crimes relating to child sexual exploitation. Their children have been taken into care, and they have had to tell their employers.
One of the errors outlined in Burnton’s report is that of an incorrect day and month being typed into an IP resolution request. It happened during an investigation into the blackmailing of children into performing sexual acts over social media. The consequence was a raid on the home of innocent people, forensic searches on their devices, interviews with four people, and the removal of children from their parents for a weekend.
It’s not just typos that result in errors tracing an IP number back to a residential address, though they’re the most common cause. Out of 29 cases classified as serious errors in 2016, 20 resulted from human error, seven were system/workflow errors, and two resulted when communications data was obtained without lawful authority.
Burnton noted that there’s a reason why such serious errors are “relatively more common” in relation to child sexual exploitation cases than other crimes – with the welfare of children at stake, police err on the side of getting children out of harm’s way quickly:
Public Authorities are understandably unwilling to take the risk of exposing children to paedophiles. As a result, where an IP address resolution shows a property at which children are living, some of the usual investigative work, which would corroborate the resolution but takes time, is not always done before executive action is taken.
He suggests that mindsets need to change: we just can’t assume that “technical intelligence” such as IP address resolution is infallible.
The commissioner made these recommendations in his earlier, July 2015 half-yearly report:
- Make it easier for applicants to be able to electronically transfer (i.e. copy/paste) communications addresses and timestamps into their applications.
- Resolve more than one IP address relating to the same activity and compare results.
- Make it easier for those processing applications to check the source information on which an application is based.
- Those receiving from CSPs the results of a resolution should double-check all disclosures against the original requirements prior to taking action.
- Investigators should undertake further research and intelligence checks to try to corroborate the result before executing warrants.
Since that report came out, his inspectors have heeded his recommendations, particularly with regards to working with staff who regularly resolve IP addresses using time stamps.
Errors are still occurring, though, and unfortunately, that means that there will likely be more stories like that of Mr. Lang:
Ultimately, there remains every likelihood that more innocent people will suffer a catastrophic event similar to Mr Lang’s experience.
Chris TX
Let’s not forget how a Kansas home keeps getting visits from police agencies because of erroneous geo-IP data. Google: kansas police ip address
Tom
It is not the erroneous GeoIP data that is problem. The problem is that some people think that GeoIP can be used to find a precise location of an IP, when it is just a regional designation at best. And it is just a guess.
Paul Ducklin
That’s because the geographical centre (i.e. the centroid) of the contiguous 48 states of the Union is in Kansas. For some reason, geoip companies seem to think that it is acceptable to disguise imprecision in their data by pretending that a datum that is no more accurate than a few 1000 kilometres is in fact accurate to 100 metres. You can excuse the cops for assuming that a data point stated to N decimal places of precision is, in fact, precise. Here are other examples, one at a city level, and the other at a global level:
https://nakedsecurity.sophos.com/2013/01/18/the-man-who-steals-all-the-phones-in-las-vegas-pinpointed-precisely/
https://nakedsecurity.sophos.com/2012/09/26/ieee-squirms-after-sensational-security-spill/
In the second example, you can see how 0.00000S0.00000E (fortunately a spot in the Atlantic ocean), or 0.00000N0.00000W if you prefer, appears surprisingly often in real “terrestrial” data.
Wilderness
Damn, that’s rough!
marc marcelo thomson (@pipervu)
that story sounds unreal … whenever someone wants to track down internet surfers and for legit purpose such as of police investigations, not only IP addresses are placed under scrutiny in fact, a mac address ( the ethernet or wifi card unique id ) is also required to identify the apparatus ( smartphone or laptop or desktop ) that was used to commit a felony
marc marcelo thomson (@pipervu)
…. and even with a mac address…. may still be tough, these days, to identify both the apparatus and the net surfer committing criminal offence ( OEM’s “have just” started to also change a mac address for computer’ network card after each reboot )
Spryte
It has been fairly easy to spoof mac addresses for at least eight to 10 years, if not more. Coupled with what could be an erroneous geo-ip result…
What could go wrong?
Tom
Unfortunately, you can’t charge a device with a felony. You have to identify the person using the device too. If there are a few people in the household or office, it is difficult to prove who was at the keyboard/screen the felony occurred.
And ISPs can’t track MAC addresses behind customer owned routers.
Anonymous
this is what just looking for certifications over actual experience gets you
Estelle Naude
Lisa thanks for a very informative article, great read.
Steven
Using Geo-tracking I did some tests of 2 companies their software said I was next door with one yet the other one wrote I was at a non-existent address – I was near the middle of the street yet it wrote I was 4 houses past the last real house.
Anonymous
IP address = vpn
Mac address = macchanger ..
+ Tor
where technecally sophistacation was the prime of security professionals, nowadays every wannbe cyber crook can utilize these means.
marc marcelo thomson (@pipervu)
@tom @spryte
ISP’s also provide ( usually ) a router/modem where mac addresses and even hostnames are recorded and regularly sent to ISP’s hosts; Spoofing mac addresses likely works with application layer only ( ISO/OSI model ) in addition…
no one in a courts system ( judiciary ) really care about who is at the keyboard at a given time, all we care of is tracking down to whom that device was assigned ( who is responsible for whatever happens with that device, office scenario ) or finding out who owns a apparatus ( personal computer or mobile device in a household scenario ) and to identify the person responsible for whatever happens ( felonies, torts , criminal offence )
wrwolf2
@tom @spryte
ISP’s also provide ( usually ) a router/modem recording mac addresses and even hostnames then regularly sending a report to ISP’s hosts; Spoofing mac addresses likely works with application layer only ( ISO/OSI model ) in addition… in a system of courts ( judiciary ) no one really cares for who is at the keyboard at a given time, all we care of is tracking down to whom that device was assigned ( who is responsible for whatever happens with that device, office scenario ) or the actual owner of a apparatus ( mobile device or personal computer in a household scenario ) and to identify the person responsible for whatever wrongdoing may happen ( criminal offence , felonies, torts )
at the end of the day…. when you own a personal smart device or computer or even when at work, you get your own desktop or laptop you will be responsible for, it may be good to keep login credentials private and eventually set a password on your BIOS / EFI settings ( if ever a computer or smart device may be compared to a gun, weapon, you may also want to lock that in a cupboard and kept out of reach from kids )
Uhmm… this may as well be the start for a congress consultation whether computers and smart devices in general should require a DL ( driving license at age 16 ) enhancing what we have in EU ( ECDL )