IP address matching: Just Communications Data by another name?

According to the Open Rights Group, (ORG) who are often right on soon-to-be-published legislation, the forthcoming bill on “IP Address Matching” is about mobile networks performing NAT.

There are probably a few reading this whose eyes have already started to glaze over, given the first paragraph mentions a three letter acronym. It is likely that a few civil servants and ministers suffered from the same. That is worrying because it is entirely possible that this bill may, if ORG are correct, involve collection of communications data – here’s why:

Network Address Translation (NAT) is a way of hiding many computers behind a single Internet address. It was invented because under the system of addressing currently in use in much of the world, there are not enough addresses for every computer to connect at once. Using the analogy of a telephone system, it is like a company having a few well-publicised phone numbers for their major services but hiding all their other staff behind a single generic phone number whenever they make an outbound call.

If someone is making nuisance calls that you are trying to trace, being told that the call came from your generic phone number is not much use. As with IP addresses hidden behind NAT, there could have been tens of thousands of phone calls being made outbound from that phone number at any point in time. You can only trace who made the call if you also logged which number each handset dialed.

Now, the internet also uses port numbers. They are fixed for servers (web servers typically run on port 80 or 443) but randomly assigned for outbound connections, so that the address and port will be unique for anyone talking to a particular service. This makes it theoretically possible to trace a user using both the address and port if you already know which service they were talking to.

Unfortunately for that approach, servers in the internet generally only record source addresses and not source ports.

If the Home Office want the data they are collecting to be useful, this means they will likely also be asking service providers to be storing destination addresses, which brings us back to having to store communications data. It would allow security services, police or even an anti-piracy company with a court order to ask a service provider questions such as “tell me everyone who accessed www.aljazeera.com in the last 12 months”.

Hopefully I’m wrong.

(Some further reading for the more technically inclined is over at ISPReview. The comments are also worth a read.)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.