Security bill: The challenge of identifying internet users

Theresa May Image copyright Getty Images
Image caption Theresa May outlined the bill to the Royal United Services Institute (Rusi) in London

It is still unclear exactly what information internet providers will be expected to collect under the UK's new Counter-terrorism and Security Bill.

The Home Secretary, Theresa May, has said the legislation would "require internet providers to retain internet protocol - or IP - address data to identify individual users of internet services".

If someone uses an illegal service - such as a terrorist chat room or paedophile website - the network logs can serve as evidence linking the perpetrator to their crime.

But IP addresses alone do not necessarily pinpoint "individuals", at least not the way they are gathered at the moment. And internet providers wonder whether this signals they will have to change the way they monitor users.

Image copyright Thinkstock
Image caption Public wi-fi operators track specific gadgets, but broadband providers do not


There are two separate bits of information that can be used to help identify online users:

  • An IP address - a numeric identifier used to recognise machines on a network. Internet providers log the IP address used by a router, the specialised device that sends data back and forth to computing kit in a building, which may change each time it connects to the net. This provides a way for investigators to trace back which router was used to access a specific service
  • A MAC (media access control) address - a mixture of both numbers and letters that identifies a specific device. These are used by routers to ensure the right data is sent to the right hardware and can be used by the police to link a crime to a specific PC, tablet or phone

An analogy would be that an IP address represents a person's postcode, while a MAC address represents their letter box number.

Image copyright Thinkstock
Image caption A single router can provide internet access to several computers via the same IP address

Broadband providers already typically keep IP address logs for 12 months for residential properties and up to seven years for businesses.

The problem for the authorities is that several devices often share a single IP address via both wired and wi-fi links to a single router.

In other words, many people might be simultaneously using the internet at an office or shared accommodation via the same logged IP address, making it hard to know who was acting illegally.

While it would be more useful for investigators to know which MAC address was associated with each activity, this is not something that broadband providers currently monitor.

The question is whether the government wants them to start do so by harvesting the information from the routers.

Public wi-fi operators do, however, record the MAC addresses of kit using their facilities, meaning coffee shop, airport lounge and other wireless location logs can already be used to flag specific devices, assuming they can later be tracked down.

ISPs warn, however, that since a MAC address is editable, a user can simply change their settings after taking part in an illegal activity, to mask their identity.

Mobile gateways

Image copyright Thinkstock
Image caption Mobile phone networks do not currently record individuals' IP addresses

Smartphones add a further complication.

Handsets are not typically shared and do not require separate routers to connect to 3G and 4G data services.

So, you might suppose it would relatively easy to identify individuals from a mobile network's IP address logs. But that is not the case.

The reason is that mobile phones connect to networks via gateways, which can involve 200 people sharing the same public IP address at once.

In order to "identify individual users", as requested, the mobile networks would also have to start collecting extra data.

Image copyright Thinkstock
Image caption There are several legal services that allow users to mask their online identities

Even if the government and internet providers do agree to expand their record-keeping without sparking a public backlash, there is one added issue.

Criminals can use anonymising services such as virtual private networks (VPN) and Tor to prevent their IP address ever being linked to an illegal site in the first place, thus making the internet providers' records inconsequential to any investigation.

More on this story