Identification on the internet based on IP address


For the Research and Documentation Centre (WODC) of the Dutch Ministry of Justice and Security, I led a project at Dialogic researching possibilities for improving identification on the internet on the basis of IP addresses.

When a criminal offence is committed, but the offender is not caught in the act, they have to be found through traces, in order to proceed with prosecution. For instance, the perpetrator of a speed violation can be found if the vehicle licence plates are registered. A similar principle applies to online crime. When communication takes place via the internet, the recipient usually knows the sender’s IP address – which is necessary for communication in the other direction. This IP address thus provides a direct indication of the connection and/or system used to commit an offence. IP addresses are issued by internet service providers (ISPs). Investigation services can request ISPs to disclose to which subscriber they have issued a certain IP address.

As a result of internet developments, the link between an individual and an IP address is no longer as evident as in the past. Due to the scarcity of IPv4 addresses (4th version of the internet protocol), these are assigned dynamically: subscribers have to share the same IP address but never simultaneously. Based on date, time and public IP address, an individual subscriber can, however, be identified. This is similar to searching for a driver of a rental vehicle based on the licence plate: this registration number belongs to the rental company, which, by checking its administration, can of course trace the hirer.

In situations where the number of available IPv4 addresses is much lower that the number of devices online at the same time, it is necessary to share IPv4 addresses simultaneouslyamong users. This can be done by applying CG-NAT (carrier grade network address translation). In the analogy with rental vehicles, CG-NAT means that various hirers drive around the country in different rental vehicles, but all with the same licence plate. If the police want to identify a driver right away, along with the date and time, they need either more information about the car (for example the type and colour) or about the route (where was the car seen, or what was its destination?).

Currently, CG-NAT is mostly used in mobile networks. Depending on the operator, a public IP address is simultaneously shared with a handful to a thousand other subscribers. In CG-NAT cases, an IP address alone does not give the police enough information to identify the person they are trying to track down. More details are required to narrow down this group of people.

Research question

In light of proposed legislation introducing a limited retention obligation on telecommunications data for detection and prosecution purposes, we examined whether it is technically feasible to identify individual users based on a public IP address. The question addressed in this study is:

How do (mobile) internet providers identify an individual user of a public IP address, up until 12 months after use, for investigation and prosecution purposes, and what are the relevant (social) considerations?

We define social considerations as: (1) usability for investigation and prosecution, (2) citizens’ privacy, and (3) the costs for internet providers. To address this research question, we reviewed the literature and held interviews with (mobile) internet providers, the police, and other stakeholders/experts. The findings enabled us to formulate strategy options.

The full report can be downloaded here. A management summary in English can be found here.