Tuesday, September 13, 2005

Anonymity and your IP address

As I'm sure everyone is well aware, going online means that you require an IP address. For the average user, this means that they are required to purchase an internet account from an ISP (in Singapore, mainly either Pacific Internet, Singnet or Starhub).

These ISPs then, can track where you go and what you do. Unless, of course, you use an independent proxy server or an anonymizer, and even in those cases if they're -really- interested in you they can still look at the data packets you send to figure out what you're doing. The only way prevent your ISP from figuring out what you're doing is to additionally encrypt all the data. Anoymizer actually povides such a service, albeit at a price.

However, most people aren't going to be paying for that, (and won't have looked around for free options) and therefore whenever someone is caught doing something naughty on the internet, with it's oh-so-thin layer of anonymity dust surrounding him, the immediate reaction is: "Oh! The ISP's are in CAHOoOTs! with the GAHMEN!"

An example of this is the recent seditions blogger case. I'm quoting elia diodati here (look under the second heading): "Yet how on earth did the police find out their true identities? Did the accused blatantly advertise their real names online, or was some kind of cyberskullduggery successful in tracing down their IP addresses? ISPs are supposedly only allowed to reveal such data with the sanction of court action, so the idea of a liaison with GLCs is unlikely, albeit not inconceivable."

While accusing the ISPs might be accurate for something like file-sharing, in the present situation this is not necessary. Apply Occam's Razor.

Taking the more difficult case first, the forum site was www.doggiesite.com. Getting an IP address would already require the support of the forum moderator, and apart from that the moderator would almost definitely have a working e-mail address. Even if that was insufficient, perhaps the other members of the forum had information regarding the identity of their fellow.

All the above points apply in the case of www.upsaid.com, except that because that service is not free (since Mar 23) and so there might be an additional credit card (or other) trail via paypal. I somehow don't think that blogger sent money by post to Belgium.

Having said all that, I would also note that it is true that "The ISP's are in CAHOoOTs! with the GAHMEN!"

I suspect that the idea that "ISPs are supposedly only allowed to reveal such data with the sanction of court action" is related to the much publicized RIAA cases. Note that here it is the State which is bringing the complaint. (As opposed to the RIAA which is a private citizen.) Insofar as any ISP is required to obey the laws of the jurisdiction, the ISP is obliged to assist as far as it is able.

Stahub, for example, states this explicitly in it's Info-communication Services General Terms & Conditions at 24 (b): "We may use the Customer Information for the purposes of: planning, provisioning and billing for the Services; managing bad debt and preventing fraud; facilitating interconnection and inter-operability between Service Providers; rendering assistance to law enforcement, judicial, governmental or regulatory agencies and/or complying with any regulatory requirements imposed by IDA authorising the use of Customer Information."

In conclusion, note the many ways your information may be revealed online. Remember that when you sign up for a forum site, even if you're using the full anonymizer service, your e-mail is still with the moderator! And that it's very easy to unintentionally leave details of who you actually are online.