Nigel Lang says his life was ruined by a typo.
Wrongly arrested in 2011 by South Yorkshire Police, in the UK, for allegedly sharing images of child abuse, the police refused to tell him how the error had been made. Lang spent 6 years fighting to find out how he’d been erroneously pushed into a nightmare. Police said too much time had passed to figure it out, but after Lang hired a solicitor, they managed to cough up the truth.
The truth being that a mistyped IP address had been traced to his partner. It was off by one digit. Lang filed a complaint of racism and sexism – he’s a black man, and his partner’s a white woman – but the complaint was dismissed.
As of March 2017, Lang was unemployed, frightened to return to his work as a drug recovery worker with troubled youth lest they accuse him of sexual advances, and said he was suffering from mental health problems. When this all went down, he left his children, moved in with his mother, and feared that any of them might be attacked by vigilantes.
Unfortunately, his is not a one-off horror story.
Police have been increasingly making errors in IP address resolution, according to a letter presented by the Interception of Communications Commissioner (IOCCO), Sir Stanley Burnton, to accompany his annual report to the prime minister.
Burton explains that while “errors and more general problems form a very small percentage of the total activity I inspect”, he is “concerned by the increasing number of errors that occur when public authorities try to resolve IP addresses” and that errors are “far more common than is acceptable”.
The errors mainly stem from manual entry of details into software that helps police work out the location at which a specific IP (internet protocol) address has been used. As it is, communication service providers (CSPs) can easily reassign IP addresses, for good reasons, Burnton explained, such as…
- Many CSPs have more customers than IP addresses, so they only assign IP addresses to active customers (those online). When you log off, the IP address you were using is reassigned to somebody else.
- When you log back in, you may well be assigned a different IP address.
- Security reasons: changing your IP address makes it harder for cybercrooks to find you.
- More recently, CSPs have been routing multiple users through the same IP address: a practice that saves on the number of IP addresses used but makes it hard to know which of those users is responsible for any activity coming through that address.
It all means that tracing an IP address to a specific location is increasingly tough. To do so, you need a specific time when the online activity occurred. But here, too, data entry gums things up because there are differing ways to record date stamps: 1am on the first of January 2017 could be represented as: 201701010100; 1.00 1-Jan-17; or 0100 1 January 2017. In addition, not all of these systems record the time zone, Burton explains.
The impact of these errors has in some cases been enormous, he says, citing Nigel Lang for “having had the courage to highlight this issue in the media.”
People have been arrested for crimes relating to child sexual exploitation. Their children have been taken into care, and they have had to tell their employers.
One of the errors outlined in Burnton’s report is that of an incorrect day and month being typed into an IP resolution request. It happened during an investigation into the blackmailing of children into performing sexual acts over social media. The consequence was a raid on the home of innocent people, forensic searches on their devices, interviews with four people, and the removal of children from their parents for a weekend.
It’s not just typos that result in errors tracing an IP number back to a residential address, though they’re the most common cause. Out of 29 cases classified as serious errors in 2016, 20 resulted from human error, seven were system/workflow errors, and two resulted when communications data was obtained without lawful authority.
Burnton noted that there’s a reason why such serious errors are “relatively more common” in relation to child sexual exploitation cases than other crimes – with the welfare of children at stake, police err on the side of getting children out of harm’s way quickly:
Public Authorities are understandably unwilling to take the risk of exposing children to paedophiles. As a result, where an IP address resolution shows a property at which children are living, some of the usual investigative work, which would corroborate the resolution but takes time, is not always done before executive action is taken.
He suggests that mindsets need to change: we just can’t assume that “technical intelligence” such as IP address resolution is infallible.
The commissioner made these recommendations in his earlier, July 2015 half-yearly report:
- Make it easier for applicants to be able to electronically transfer (i.e. copy/paste) communications addresses and timestamps into their applications.
- Resolve more than one IP address relating to the same activity and compare results.
- Make it easier for those processing applications to check the source information on which an application is based.
- Those receiving from CSPs the results of a resolution should double-check all disclosures against the original requirements prior to taking action.
- Investigators should undertake further research and intelligence checks to try to corroborate the result before executing warrants.
Since that report came out, his inspectors have heeded his recommendations, particularly with regards to working with staff who regularly resolve IP addresses using time stamps.
Errors are still occurring, though, and unfortunately, that means that there will likely be more stories like that of Mr. Lang:
Ultimately, there remains every likelihood that more innocent people will suffer a catastrophic event similar to Mr Lang’s experience.