IGF 2016 - Day 3 - Room 4 - WS6: Can Law Enforcement catch bad actors online anymore?


The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 


>> ROBERT GUERRA:  Two-minute warning.  We are going to be starting in two minutes time.  AV team, we'll be starting in two minutes.  Thank you.


>> ROBERT GUERRA:  One minute.  We'll be starting in one minute's time.


>> ROBERT GUERRA:  Good morning, everyone.  I'm here with my co-moderator, Jeff Bedser.  We welcome you to Session 6, Can Law Enforcement Catch Bad Actors Online Anymore?  Catchy title. 

What are we going to be talking about?  A variety of different things.  Our focus and premise to our conversation is about the exhaustion of IPv4 addresses, what it means as we move to IPv6 and specifically what does it mean in regards to law enforcement and catching bad behavior online and acting on it in one way or another.

The bios are online.  I want to get to the materials.  The speakers that are here and some of the speakers that are remote.  I will talk to you about the format we are going to be using and we'll get started.

Alphabetical order, the bios again online is Jeff Bedser from iThreat Group; John Curran from ARIN.  Laura DeNardis could not join us but gave me questions.

Anitha Fragkouli is online, for cyber security and also with ICANN Committee.  She will be connecting and participating remotely.

We have Iranga Kahangama with the Federal Bureau of Investigation who will be participating remotely.  Dick Leaning is with us today from RIPE ICC.

The format for today is we are going to have in a way two sessions in one.  The first session or the first part of our workshop today is going to be an overview in regards to the IPv4 depletion issue.  Kind of a kick-off and general information in terms of where we are in law enforcement.  John from ARIN will be giving that.  I will go to the speakers, the experts that are with us today.  I will give them all a question in regards to the space of IPv4 depletion in law enforcement.  What is their role, what do they do from day-to-day.  We'll go around the table and with our virtual speakers as well.  So everyone here in the room can get a sense of what their perspective, their stakeholder group brings to the table.

Then what I will do is go to you, the audience.  If you have any questions or comments in regards to that first part we're talking about.  Then my colleague Jeff is going to get into something concrete.  He will in a way set up a scenario, get a bit more specific from his perspective.  And then we will go around as well in terms of everyone who is here and virtually for that case, how would they respond, how would they react to that and open it up to you.  In a way an introduction to everyone, a scenario and then a discussion.  That is my proposed format.  I'm happy to have it evolve as need be.

I've spoken a lot today.  I really want to promote a conversation.  So I'm going to pass it over to John who is going to kick off and give us background on IPv4 depletion and law enforcement.  John, over to you.

>> JOHN CURRAN:  Thank you very much.  I have a brief slide presentation to introduce the topic of IPv4 depletion and law enforcement.  So as a sort of background to bring everyone up to the same position, I am going to talk a little bit about IPv4 and IPv6.  We'll talk about IPv4 who is, who is data and NAT, Network Address Translation, talk about IPv4 depletion, IPv6 deployment and law enforcement implications.

So let's see.  There's this thing called the Internet that everyone knows.  And it was developed actually, one of the speakers earlier this week.  Vint Cerf and others were responsible for the protocol which made the Internet, IPv4 is what we built the Internet on.  It allows for about 4.3 billion addresses.  There's a number of reserved ranges so about 4 billion, which is a big number but not really that big when you think about a planet approaching 8 billion people.

It is deployed globally.  We issued IP addresses based on the need.  So in other words, we didn't give them all out at once.  It was as each ISP needed addresses to connect new customers it came and got additional IPv4 addresses.

Back around 1993 the group that is involved in doing these standards, the IETF, the Internet Engineering Task Force, did a study that did depletion estimates.  We realised we were going to run out of IPv4 addresses sometime between 2012 and 2017.  It turns out that was pretty much right on track.  As a result we created a new version, IP Version 6.  You'll hear about it.  IPv6 has a much bigger address space.  340 undecillion, 340 trillion trillion trillion.  It is standard since 1999 and deployed.  It's in your laptops, cell phones and servers.  People are enabling it, but the technology is already out there in all the operating systems.

And it is very similar to IPv4.  We issue it based on need.  You actually have to need an IPv address book to get it.  These are necessary to keep the Internet running, only it's larger blocks we give out because we have much more space.  We don't want to put people through the onerous task of getting an address space over again.

Every device talks to the IP address through packets.  Simple stuff.

Regional Internet registries.  Each one of us has a region.  You'll see it up on the screen.  Whoops.

Each region is based on a certain part of the globe.  ARIN handles parts of the Caribbean, LACNIC handles the rest of Latin America; RIPE NCC handling Europe, and APNIC handling the Asia-Pacific region, and AfriNIC for Africa.

So countries go to them to get assignment blocks.  The addresses have been created through the protocol standard and the group that does that within ICANN is called IANA.  They follow the direction of the IETF.  They allocate blocks out to the Internet registries.  There's a global policy that sets how those blocks are managed.

RIRs assign addresses to users and zips.  We give blocks to ISPs, Internet service providers, they reallocate those to Internet users and others.  An address block gets subdivided.  This is important to remember.  With IPv4, everyone was getting address blocks, using them and coming back and getting another.  With IPv6 we give out very large address blocks.  People don't necessarily come back to get another one.  There is not the same rigor of updates.

So in the past people assigned addresses dedicated addresses predominantly to businesses and dynamic addresses for broadband customers and mobile customers.  When they assign them, they put an address in who is.  There are two who is databases.  There is the who is for domain names and a who is for IP addresses.  Very similar but a separate database.

So the IP who is database is a record of every organisation that has been assigned an address block.  Over time when people need more address blocks they go to the RIR.  With IPv4 they show that they used and assigned all those addresses.  We looked at all the sub-assignments for who is, and all the organisations that ISP assigned to was reflected in the public database.  Then we issued them another address block.  Obviously they used the last one.

And this worked really well.  And it is sort of the basis for the information in the who is registry today.

There is a little bit of nuance.  That is not the only thing that is involved in IP addresses.  In a lot of cases organisations would assign a single address to a business or home.  Then they would use private addresses inside and use NAT, Network Address Translation, to map between them.

As a result of this when you actually look at a log of what is on the web or mail server you might not see a public address.  You may see a private one.  You need to know where the NAT translation was done and what the mapping was.  Because only one address public may have hundreds of private addresses behind it.  Those private addresses may be assigned to different parties at different point in times.

We have run out of IPv4 space.  In 2006 through 2011, the central address pool for IPv4, the one managed IANA went to zero.  There is no central IPv4 pool.  Each region runs out at their own rate.  In the ARIN region we ran out in September 2015.  We literally have no more IPv4 addresses.  We are telling people to use IPv6 because we don't have IPv4.  IPv6 is happening.  In the US a third of customers connecting to Google are using IPv6, up from 10 percent a year and a half ago.  Google says 15 percent of all accesses are coming over IPv6.  An interesting thing going on here.  When you use IPv6 to access Google, if you use your mobile phone if it accesses a Web site that is before, there's NAT involved and the ISP or mobile provider has to translate IPv6 addresses to IPv4, that is a conundrum for law enforcement.  They see a Web site at an IPv6 address but it's a phone speaking IPv4. 

Where does this leave us?  With the depletion there is increasing use of NAT as people try to get more out of IPv4 and as people make use of IPv6.  Both involve the use of NAT.  It is a challenge for law enforcement to reliably determine the actual source because you don't have a unique address at each end that doesn't change.  You need to have the mapping between whoever was using the public address and whatever was on the device, which may be private or IPv6.  Those logs and the correlation are necessary to get back and understand where is the responsible party.  The other one is law enforcement has to probably be able to find that ISP to even have the discussion about their logs. 

In some cases the ISP, since we are using v6, you can have allocations, sub-ISPs.  They may not make it into who is.  We don't need to worry about utilization as much.  The allocation are not in the database unless someone updates them.  It is possible that the ISP you are talking to is using a V6 address that hasn't been put in who is, because they got them from their ISP, but they are using a v4 address that was someone else's, but they have taken responsibility for.  That hasn't made it into who is.  All of these make it complicated for law enforcement, who is trying to actually when someone's rights are violated, when the privacy and security is violated and law enforcement needs to provide recourse, they need to be able to find out the other end, the party that was involved.

We can't provide people the security me want unless we can provide law enforcement the tools they need to understand the party involved and the jurisdiction.

That concludes my presentation.  I'll turn it over.

>> ROBERT GUERRA:  I would like to get a sense of everyone in the room understanding what everyone on this side of the table is doing.  I have a set of questions for everyone.  First round, Jeff,in regards to the ecosystem, IPv4, IPv6, what do you do in your day-to-day work in a minute or less?  You will get into this more later, but how does this affect what you do?

>> JEFF BEDSER:  So my involvement with the entire issue of infrastructure is on investigative standpoint.  Trying to determine at the end of the day who is the end user responsible for an act, a criminal act, fraudulent act?  Who perpetrated this crime?

The issues come down to two.  One, there has to be enough information available to allow an investigator to know where to go to a viable criminal process or court to get a state party process or writ to find out from the provider the ISP who is behind that infrastructure.

Secondarily, it's an issue of perishability.  Will the data about that transaction be stored long enough for an investigator to figure out where to ask the question to get a prosecutor or a solicitor to agree that there's a crime and to support getting a court order, so that the process of the investigation and the legal processes taking place, the information is still available on who committed the crime.

>> ROBERT GUERRA:  Thanks, Jeff. 

Ben, you're at Go Daddy.  Domain name registrar, IP addresses, does it affect you at all?  What is your role in this?  And how is it important in regards to IP 4 and IPv6?  From your perspective why is this important to you?

>> BEN BUTLER:  So, as Robert said, I work for Go Daddy in the IPv security and have been leading the digital crimes unit for the last 15 years.  My role is primarily one of being on the receiving end of the legal process and trying to help law enforcement when they actually are trying to identify who the bad actor is at the end of an illegal transaction online.

So our involvement with IPv4 address depletion and IPv6 adoption is often times one of helping to train law enforcement on what to ask for, how to interpret the results they would get, since the results of a state party might come back v6 or v4 or some combination of the two and what questions to ask to give them the best chances of success.

The other part of that is helping work with other content providers, registrars and hosting providers to help them see the benefit in having more robust logging and the longest possible data retention, which has the side effect of making these investigations more possible and fluid.

>> ROBERT GUERRA:  Great.  Thank you, Ben.

Iranga is virtual.  I want to check if -- we are going to get into the scenario in the second part.  The first part, the same questions I asked, why are IPv4 and IPv6 addresses, why are necessity important for you and, law enforcement and the FBI?

>> IRANGA KAHANGAMA:  Thanks, Robert.  I hope you can hear me.  I want to concur especially with what Jeff said.  From an investigative standpoint and the FBI attribution, that's usually the biggest priority and the first step that kicks off all of our investigations.  Without that, it either delays or cancels out the process for moving forward.  Like we said, we are often trying to find where to serve the legal notice in terms of jurisdiction and proper identification of that IP address is the key to that.

Not only that, but to add for the FBI, when conducting legal wiretaps as well, there is a significantly high burden in terms of the paperwork when you're writing the warrant for the court.  A lot of investigators have to waste a lot of time trying to make sure that they are not over writing that and that they are getting very specific.  Without the correct information it is difficult for them to apply for those court orders because they don't have enough information to get specific enough in order to have those types of things added to them.

One other thing I will say is that as the FBI we have a tremendous amount of resources, but often times we are still dependent on commercial products.  But that is not to say we also advocate for lots of our state and local partners.  A lot of these are small shops, small guys in small cities.  They may not have the resources or educational materials that we as the Bureau may have.  A lot of times that initial IP who is identification is all they can afford to do at this point.  It's even more critical that we have accuracy in those resources.  Thanks.

>> ROBERT GUERRA:  Great.  Athina, if you are online, you are an RIR as well.  A question for you is, and we'll go to some of the other RIRs in the room as well.  What are the policy issues related to this that you have to deal with, that you can talk about before we get into the scenario?  And so just tell us a little bit, kind of your role -- we have you and your colleague, Dick.  What are your day-to-day issues regarding this that you have to deal with.

>> ATHINA FRAGKOULI:  Hello, everyone.  I hope you can hear me.  My name is Athina Fragkouli.  So yes, I can tell you about some of the challenges that RIPE NCC as a registry, regional registry basis.  To start with I would like to bring another aspect to the table.  RIPE NCC and the other RIRs have a unique position.  We are the only organisation that provides registration services.  In that case we are the upper level because no one else can provide the services that we do.

Although this doesn't change with IPv4 depletion, it is important to keep in mind especially in our discussion with the LEAs.  The law enforcement authorities come to us and tell us, this resource holder is involved in criminal activities.  Why don't you do anything about it?  Why do you keep offering services to them?  It is important to highlight because of this unique monopoly position, we can not deny services unless we have a very good reason that is known before hand and well documented before hand.

Of course on the other hand, as regional registrar, we have a responsibility to our community to maintain a good registry.  A good registry, of course, is an accurate registry.  Part of this responsibility is in performing due diligence checks, to ensure that who we distribute addresses to, they are who they say they are.

We have the inability to deny services because of our monopoly position and our responsibility to maintain a good registry on the other hand, we have documented procedures that describe all the due diligence checks we perform.  Also under what circumstances we would deny services. we would terminate a contract or we would deregister resources.

So according to this documented procedures, submission of fraudulent information to RIPE NCC is a reason to stop offering services because fake information would reflect badly on the registry so we wouldn't have a correct and accurate registry.

Updating the publicly available database with correct information is, of course, another reason to stop offering services.  A Dutch order stopping us to stop, I'm saying Dutch order because this is a requirement for us as we are incorporated under Dutch law.  So additionally, we do have the mandate to report to the authorities the submission of fake and fraudulent information from a resource holder to us, but we have no mandate to share nonpublic information on a voluntary basis.  I believe that law enforcement authorities appreciate our inability to do so.  So instead we follow the official legal process.  This is a challenge that already exists there.

Now, as I mentioned, our mandate is to maintain an accurate and correct registry.  And we do realise that the public registry or database is a very useful tool for law enforcement authorities.  And an accurate and up to date registry is crucial for their investigations.

So before the depletion, law enforcement -- before depletion, the law enforcement authority could expect that the distribution of IPv4 addresses, at least at the first level distribution of the resources we directly distribute as, to resource holders as John explained just now, this hierarchy bit.  The first level of the distribution would be accurately reflected in the right database.

However, would that before depletion?  We don't have much IPv4 to distribute.  Alternatively the community policies allow network operators to transfer IP addresses between themselves.  It is a requirement that such transfers are reported to us so that they are reflected in the registry, but here is the challenge.  Our community policies do not allow transfers with no limitations.  In fact, they are quite restricted in order to avoid IPv4 speculation.  So the community policy wants to make sure that IPv4 will be transferred to those that will use IPv4 and not to those who want to collect resources in order to make money out of them.

But as you can imagine, some not allowed transfers may are angry.  Since they are not allowed, they take place under the table.  They are not reported to us because we would not approve them.  Because they are not reported to us, they are not reflected in the registry.

Our community is aware of this risk an discussing this risk, but they haven't come up with an accepted solution, an accepted approach.  And roughly speaking there are two main opinions that are expressed.  On the one hand, part of the community wants to allow transfers.  These are not just people who are in the IPv4 transfer business, not just brokers and so on.  But there are also people who want to stop any discussions about IPv4.  They want to move on and develop IPv6.

Another part of the community wants to keep the restrictions for the reason I mentioned before.  They believe the resources should be kept for those who actually use them.  In any case, the challenge is there.  Before IPv4, because of the depletion and because of the restrictions in place that are there to manage actually IPv4 depletion, the registry may not be always accurate which may jeopardize law enforcement authorities' investigations.

With that I will stop and come back for the discussion.  Thank you.

>> ROBERT GUERRA:  Great.  Thank you so much, Athina.  We have other RIRs here.  John, you gave us an overview.  We have Dick as well and Carlos.  Before we get into setting a scenario, in addition to setting the scene for us, the question -- at ARIN, your role in this, what I would ask is maybe a specific question.  In regards to law enforcement and ARIN, do they interact with you all the time to get the requests?  How does that work?

>> JOHN CURRAN:  Excellent question.  Recognize that much of the information that law enforcement would seek from a regional Internet registry is actually in the who is database because that's what we are maintaining is the who is database and it is publicly published.  They can generally go to who is.  As long as the information is reliable, they can use that to further their investigation.

There are some cases where we may have a circumstance where a party has, they are at a dead end, they can't find the party.  We may have additional information from our correspondence that is helpful.  That is actually quite rare because generally they are trying to get to someone who is doing something on the Internet, not someone who is providing Internet services.  Our records are predominantly the parties providing Internet services.  Most of the ISPs are good about keeping contact information up to date.  They are technical, admin and abuse contacts.  We don't get involved heavily in that.  The engagement between law enforcement and at least in the case of ARIN's registry, is more making sure the ISPs understand law enforcement's expectations about them keeping their records up to date and them tending to sub-records when they allocate or assign.  It is crucial for law enforcement to be able to get to the edge ISP.  If you've sub-assigned to an ISP it doesn't do law enforcement any good to reach out to you when it is not in the ISP's interest.  No one wants to get a state party to say that we are not serving that customer, we are serving an ISP who serves that customer.  If you have the records up to date they'll go directly to the ISP serving the customer and save your legal abuse and response desk the work.

We have law enforcement processing in the multi-stakeholder process in ARIN on our policies and they talk at length to those, it is crucial to make sure that the sub-publications make it to the database unless the ISPs want to respond to each request directly.

>> ROBERT GUERRA:  Thanks, John.  Carlos, you're from the region.  Do you see it the same as John just mentioned?  Is your relationship in regards to law enforcement and LAC the same?  Are you in your role at LACNIC doing something different in regards to helping catch bad actors?  Tell us a little bit about that.  If you can be brief so we can get to Dick and then the scenario.

>> CARLOS:  Thank you very much, Robert.  The situation in our region is a bit different.  We don't get many requests directly from law enforcement.  And most of those requests that do -- I mean, we do get in many cases due to failure of investigators to properly interpret the result.  Which is a very bad thing in my opinion because it delays investigations a long time.  So this has been going a long time, we have police officers in uniforms demanding things that are not there and are subject to interpretation error.

This convinced us as LACNIC that we need to do outreach to the law enforcement community and provide training in how to make good use of the sources of information that are out there.

>> ROBERT GUERRA:  Thank you, Carlos.  Dick, you bring a unique perspective to the table.  You were from law enforcement, and we have Iranga who will be talking more when we get to the investigation scenario, but I'm curious for the audience here, what perspective do you bring to RIPE and perhaps the community as a whole as someone who understands law enforcement, what insight do you bring to RIPE and your role there?

So people here can understand when we get to the scenario, people understand where your perspective is coming from.

>> RICHARD LEANING:  Thanks.  The perspective I bring to it is law enforcement and the RIPE community want a safe and trusted Internet.  Sometimes they don't speak to each other in the same language, but they want the same thing.  It is bridging that gap between law enforcement and by extension the governments and the community that basically want the same thing but don't understand what it is they actually want, apart from a safe and secure Internet and how to get there.

What we do at RIPE NCC and echoed in the RIRs, we do a lot of training of how to look through our database to get the information that they want because the who is is more of a technical database and not law enforcement.  There is a lot of information in there that isn't obvious to law enforcement.

We try to make that, demystify what the database is.  We get the law enforcement to our communities to engage with our members at the RIPE meetings and the ARIN meetings, because that's the only way they will all come together and understand where there are issues and challenges are and how they can work together to solve those.

The other thing that I do, and not just be, but we are members of many international and national law enforcement working groups and high level governance groups like Europol, Interpol, others around the globe.  We have a perspective on the challenges that law enforcement have now.  We can tell them what can be done and what can't be done as an RIR.  Because that's just as important.  We can take those issues and concerns back to the members and have a proper dialogue because at the end of the day we all want the same thing.  That is the perspective I bring.  I want to emphasize, it is not just RIPE NCC that does that.  It's all the RIRs.

>> ROBERT GUERRA:  Thanks so much, Dick.  Before we get into the more hands-on, what does everyone do, what are some of the challenging issues, technological, privacy and otherwise, and also tap into the great expertise in this audience.  I'm seeing people come in who have worked on this a lot.

Before we get to that setting up the scenario, I don't want the panel to be talking all the time and the experts to talk all the time.

I'm wondering -- I will have a few minutes for comments from the audience.  Does anyone want to just say something that they might bring to the table?  We see APNIC is also here.  Paul, I'm wondering, in terms of law enforcement in your region, what do you do?  And keep it short.

>> PAUL WILSON:  I'm Paul Wilson, Director General of APNIC, registry of IP addresses in the Asia-Pacific.  In the Asia-Pacific we are working as actively as we can with agencies like the Interpol Centre in Singapore and others, particularly on training of LEAs and justice sector folks, in terms of what you can't and do with who is, what it means in terms of the addresses you might find and what might be behind them when it comes to private addressing, technical issues like that, trying to provide a level of technical understanding or to ensure there is a understanding of technical understanding that helps people do the jobs that they need to do.  That's it.

>> ROBERT GUERRA:  Is there anyone here from any ccTLDs, country code TLDs, that they may want to flag what they do in investigation?  Okay.

In the room are there any people from civil society that are involved sometimes in investigations on line and bring a particular perspective?  There have to be people from civil society in the room.  I assume you are just shy today.  Definitely there's privacy issues.  Is there anyone here in the corner?  If you are following this, just get a mic and say either what you are involved in this or your perspective.  Just so we have a sense of who is in the room.

>> AUDIENCE:  Okay.  I'm Nick (Soraia), and I work for .UK, the ccTLD for the United Kingdom.  I want to echo some of the points about the accuracy of the register database.  We spend a lot of effort trying to make sure that the who is are registered to people who are accurately reflecting the person for a Web site or email address.  Cooperation with law enforcement, absolutely the key is to have a good dialogue with your domestic law enforcement agencies to help educate them so they are smart in the way they go about their investigations.  It is less resource intensive on the registry to deal with people when questions are requested in the right way through a proper process that we can organise.

And it is an ongoing effort.  I think there's a huge amount of unfortunately criminality online, but it is a minority.  We need to do things in a proportionate way that doesn't disadvantage the vast majority of totally legitimate users.

>> ROBERT GUERRA:  Great.  Thank you so much.  Very key player that has been mentioned multiple times.  Do we have anyone from ISP?  Perhaps from the region?

That's here?  Do we have any IST representatives in the room?  Don't be shy.  I know you're here.  You're probably telling me you want to get to the fun stuff.

Now we have a sense who is here.  Their perspective.  What does it mean when we have an actual situation.  Jeff, I'll turn it over to Jeff and Jeff will talk about, let's get into an investigation and go in terms of working it through with not only the experts here, our great participants that are remote that I will go to as well, but also to you here in the audience.

Jeff, set up the scenario.

>> JEFF BEDSER:  Thank you, Robert.  Slide, please.

A little perspective.  I find perspective is good when understanding investigations with the old American analogy of the needle in the haystack.  With IPv4, the haystack was big.  In a moment we'll see how big that has become with IPv6 deployment.

For some perspective of scale, 16 million Internet users in 1995, 5.5 billion people on earth.  Less than 2.9 percent of the globe are Internet users.  2015, we have 3.3 billion Internet users, 7.5 billion people on earth, 44 percent of the people on the Internet are connected to the Internet.  15,000 increase in ten years.  Anyone saving for their retirement, I would loof to see that return on my retirement account.  It's okay to laugh even if I'm not funny.

IPv4, 5.3 billion addresses.  For perspective if you salt down and counted one to four bill, you would be counting for 380 years.  More planet owe Poe more people on the planet than in IPv4 when it was created.

You could trace IP to a carrier and usually down to consumer subscriber through court order.  Logging IP to carrier was necessary to identify the end user.  Investigatively you always need to come back into the past to find out what happened in the past.  If that data is not logged, you don't have access to it.

As exhaustion of IPv4 space started looming on the horizon, many of the ISPs started stretching their answers using dynamic IPs and carrier grade, as John spoke about.  That did quite a bit to expand the use of IPv4.  You would have more users on the network.  At the end of the day, the more that happened, the more there was extra steps of routing to understand who is the end user behind that transaction and more of the complication.  It meant more storage was necessary for the data, which meant the perishability of that data became shorter.  ISP stored it for a shorter period of time.  It is imperative to go back and determine what you have.

How have investigations changed?  Finding IPv4 to individual users was relatively easy in the mid '90s.  You could investigately, for law enforcement or private, you could track it to an IP.  You knew IP was within a particular ISP.  If you got to the ISP within their perishability sperred, say it was set at 30 days, inability days, you could get an answer through the state party of who that user was.

Smaller pools of users, limited Web site, limited tools and methods.  At the end of the day, it was a relatively simple process to those who understood the infrastructure.

Next iteration of IPv6 gives you ridiculously large number.  I like the way John phrased it.  I envision it, this number is estimated to be roughly the same number of grains of sand on this planet, is the number of IPv6 addresses out there, to give you some scale.

The Internet of Things is expected to deploy over 15 million devices on the Internet by 018.  The majority of these being IPv6 deployments.

These don't expose geolocation on the IPv6 addresses.  Most of those are consumer driven.  They are based on companies that gather that data from consumers based on e-commerce and such and other information from who is.  Right now because of scale and size, there is not much geolocation to be inferred.

The good and the bad news.  There is no end date to IPv4.  It has been gran fathered.  IPv4 is not going to go away.  Thus it is going to give a bit of a grandfathered period for understanding.  But at the same time based on the huge volume of available IPv6 there are already strong indicators that bad actors are buying up significant blocks of IPv6 space with the intent to use it for criminal and fraudulent purposes.

Let's get a couple of quick case studies now that I set the stage.  Three scenarios for investigative processes for IPv4 that has been NATed or carrier grade NATed and IPv6.  IPv4, sends a death threat to an executive.  Spun examines the headers, including the origination IP address.  Up trace route the IP, do a who is lookup through ARIN to see what RIPE or RIR was appropriate at the time to find out who owns that IP address.  You know where it's geolocated, by the RIR you know what region of the world it is in.  You get down to the country and city beyond that in the who is.  And then you know who the ISP is.  You know where to send any court order you need to to find out who the person is for this transaction.  You assume you get to it early enough before the perishability, in time for the court order.

Modern IPv4 investigation, current, there is a scenario where a bank received a harassing anonymous email from a Gmail account.  Many of the primary large free email providers strip the or remove the originating IP address out of the headers.  There is no longer a source IP address to go to, that's different since the '90s.

This case, they were running a blogging post.  They had misleading information about the bank and the bank needed to know who is behind these attacks.  So Gmail does replace the originating email address with one of its own.  You can send them the link.  The link was sent to the NGO by the email account which they clicked on.  Clicking on the link gave us several ISP addresses from two U.S. ISPs, Verizon and Comcast.  Because they were back to ISP, they had who is data and geolocation was available for the IPs, it was a residential, tied to Fios in the U.S. in the New York area and geolocated to some area outside of New York City.  They had a domain affiliated with it configured for their connection.  By a space adjacent by that IP address.  We found other domain names for that could.  The who is gave up the registrant and location.  In this particular case the client was foreclosing on a business loan on this registrant.  Obviously giving motive for the attacks on the bank.

The point here is all of this is available from public information.  This is all information about routing and infrastructure that is available to determine.  This wasn't about someone sending a state party directly to Gmail and sending who sent this email.  And Gmail and Google may not have the information available.  Other steps had to be done based on correlation of other public information to determine the situation, to know where the state party needed to be sent.

And IPv6, what is needed, IPv6 does not lend it sell well to geolocation.  Most of that data is from third-party database providers.  The market should respond to this as deployment continues to expand, but there aren't many data sources yet that give you good geolocation on IPv6.  Adjacent addresses can take days or years.  There is a not for profit running locally called shadow server, looking for vulnerabilities on servers and provide it to those who control the networks.  They are able to scan the entire IPv4 source.  A conversation I had with reps in London, I asked how long it would take to illuminate all the IPv6 space for vulnerabilities.  They said sometime between now and when the sun burns out plus 100,000 years.

They are not able to scan for and look for vulnerabilities in that space.  In court when you take the evidence forward, if you don't have good correlation as to why you believe this evidence to have led this direction in an investigation, it does provide a slightly weaker case.  That can be a problem.  Because you have to definitively rely on court orders to prove ID, there's a problem in that legal process takes time and we have a perishability issue with data.  If you have to do a court order at each step of the investigation to get to the next step, by the time you get to the source of the crime you are well past the point of perish interest and have no data left to investigate.

I am going to skip that slide.  It is not necessarily relevant.  I covered most of that.

The other example, many of you heard about the botnet that was used for one of the largest denial of service attacks on record within the last several months.  This particular botnet, it was it where witnessed at IoT devices using IP addresses where as the botnet was able to take down major sites such as Twitter and several others by attacking the DNS provider Dyn in the United States.

So used and old botnet, a new code that compromised Internet of Things devices and basically it was programmed to take over and lock out other botnets from taking over so it could be used exclusively by this user.  In late October it had 3,500 infected devices that it took five days to a mass.

This botnet was thoroughly investigated by malwaremustdie.org.  I think they are clear about their motive.  They required extensive review of code and reverse engineering but due to address space and quantity of infected devices it isn't easy to map and find them.  It is believed that the creator might be Italian but it is too expansive to know.  None of the techniques used for IPv6 deployment is available for those to be understood.

That's all.  Robert, back to you.

>> ROBERT GUERRA:  What I'm hearing from you, if I buy a new toaster it can be used in a botnet and can be used to take down websites?

>> JEFF BEDSER:  Depends on the toaster.

>> ROBERT GUERRA:  That paints a scary scenario.  We are running out of IP addresses.  The force has gotten so much bigger, it's easy to hide and detect this activity.  It is scary.  Is it scary or not?  Let's ask Iranga from the FBI.  Is IPv 6 scary to the FBI?

>> IRANGA KAHANGAMA:  Yes, I would say it's a world that we are not used to.  I don't know about other governments, but ours, sometimes we can be very slow to catch up with the pace, especially the pace at which technology moves.

We haven't seen widespread IPv6, but we have seen it in our investigations.  It does create a bit of a problem.  Internally we still have problems with IPv4.  I would like to demystify the thought that the FBI has magic tools where they are able to figure everything out.  I don't think we are as savvy as people think sometimes.  We are relying on a lot of commercially developed tools.  We have internal tools as well and try to use our data that we have, but a lot of the times investigations, we have to use other techniques in the sense that we have run surveys in the past of where NATing and CGI were an issue.  Cases are not always strictly cyber cases.  They tend to be child exploitation cases for sure.  They also involve kidnapping, they've involved fraud, banking issues, things like that.  And a lot of the times because we have blocked on a lot of the online attribution things, we bring charges based on other things.  We build cases the old traditional way and then maybe the charges from the cyber component may not get through.  That may have an effect on the sentencing that is recommended.  But yeah, it is definitely a very scary thing.  We can't scale.  We have very limited resources, not to mention, like I said before, state and locals.  If we are having an issue, I can only imagine what it would be like for state and local.

Our cyber guys are good, but with IoT and everything becoming more global we are hindered by the NLAP process, when we need to get legal process in other countries we have to work with respective ministries of justice.  That adds weeks an months, and speaks to Jeff's perishability issue as well.  We don't know if servers are moved by the time we get to them, if people have moved on, things like that.  It is a scary scenario that we only see getting worse.  Thanks.

>> ROBERT GUERRA:  Thank you for those comments.  A lot to reflect on.  Paul, you had a comment you wanted to make?

>> PAUL WILSON:  Yes.  I'm sorry, I didn't catch your name.  That's an interesting presentation.  Thank you.  I had a couple of questions about a couple of things that you said there, particularly in relation to IPv6.  You drew a distinction between v6 and v4 with respect to geolocation.  From a technology point of view and registry point of view, there is actually no difference between the two.  In terms of geolocation that I am aware of.  So I'm interested to know more about what you meant there.

And the other thing is on port scanning, on scanning through IPv6 address space, let's remember that the bad actors who are building botnets are also using scanning in many cases to look for vulnerable devices and add those to their botnet.  If there's a disadvantage for law enforcement in finding them, then the bad actors are suffering the same if they are using address space scanning as well.  I'm interested in your thoughts about that as well.  Thanks.

>> ROBERT GUERRA:  Thank you, Paul.  So.

>> So back to the geolocation issues.  As far as the providers of infrastructures, I agree.  The geolocation data is really the same.  The augmented geolocation services that most investigators use are provided by private companies that correlate e-commerce data.  So they have, they know who the consumer is that bought from this IP address, et cetera.  And because they have been doing that mostly based on IPv4 as consumers versus IPv6 as IoT machines, et cetera, there is the correlation is not there to necessarily give you geolocation beyond what is required in an RIR IP.

>> ROBERT GUERRA:  Someone else here from the floor?  Andrew, please.  Tell us where you are from and your question or comment.

>> Sure.  Andrew Sullivan.  I work for Dyn, which is why I have this microphone.  I currently Chair the Internet Architecture Board, but I don't speak for them.  I live in Canada.  My company is in the United States.

So on the attack in October against the Dyn infrastructure, I want to slightly disagree with your description of that because we did not see an enormous amount of v6 traffic in that attack.  That was not the basis of that attack.  There were some unusual issues about that, but v6 was not among them.  I agree with the general point that v6 makes these things harder because the space is much larger.  I think the real lesson here, the strategy by which we were going to use brute force in order to map the entire Internet was a losing strategy all along.  The fact is we happen to have invented an addressing space that makes that point sort of self-evident to you.  You realise that grains of scan is not a scannable space, but the problem actually was there before, which is the reason we were so bad at preventing to these attacks as opposed to reacting to them after the fact.

The fundamental issue is just scanning the world to try to find vulnerabilities is not really our future strategy.  What we have to do instead is try to figure out mechanisms by which these things can be localized than, and so on.

It strikes me that the analogy between the Internet space and the meat space has been broken down here a little bit.  What we need to do is tackle these kind of problems by thinking about what we do in human terms when you've got a perpetrator of this sort, and what we normally try to do in law enforcement cases is try to contain them.  You narrow them down into some area and gradually surround them.  If we can figure out how to do that on the Internet, we may move forward there.  Thanks.

>> ROBERT GUERRA:  Great.  Any other questions or comments from the floor?  There is a scary scenario that has been painted.  No comments?  Good or bad thing?

Question here in the back?

>> Adam (Steens) from the U.S. Embassy in United States.  The Budapest Convention, has it made it easier to not have to go through the NLAP process?  Is law enforcement able to move faster between Budapest Convention signees?

>> ROBERT GUERRA:  Jeff, do you want to?

>> RICHARD LEANING:  There is a difference between intelligence information and evidence.  When investigators have evidence, they have to go through NLAP.  That's the only way they can cross jurisdictional evidence is through an NLAP process.  Unfortunately that process is there and there is a lot of conversation about NLAP not working but the government is aware of that and they are trying to resolve that and put more resources into making the NLAP process more efficient than it is at the moment.

With NLAP you basically have to get a paper form and walk across to the airport and fly over and hand it over.  That's how inefficient it is.  Now we have the Internet!  Try to use that to make it slightly more efficient.


>> RICHARD LEANING:  It may sound silly, but that's the way.  NLAP is a very old piece of legislation.  That's the way we are going.  Want to jump in?  Nick is from the U.K. government. 

>> My name is Nick (Soraia) from the U.K. government.  I'm from the National Crime Agency so technically I'm still a investigator.

Great, I love it.  It provides the facility to operate quickly within a constantly shifting and changing environment which we are just hearing about.  One of the challenges I found in addition to what Dick has just mentioned is that actually some of the principles around the Budapest Convention haven't been actioned into national legislation.  So we go to a country and say under the Budapest convention, I have to first of all preserve this data to stop it being lost and then IUA would share it with us on an intelligence basis until we get you an NLAP.  That would hopefully enable us to mitigate this threat.

The problem is within national legislations they don't have the sort of legal framework to be actually able to do that.  They would require a court order in order to go to a judge, get a court order in order to go to the companies and get that information.  It is not legally, they are not legally able to do it even if they want to.  Budapest Convention is great.  I think the challenge and next step is sort of how the principles get implemented into national legislation in order to provide that flexibility, because lots of people say we want to help you but we just can't legally.  We have to have that NLAP in our back pocket before we can do that.

>> I want to add something.  I don't want to have people thinking it's doom and gloom because the IPv6 is coming on and that's the end of the Internet as we know it because it will all be full of crime and bad actors.  We all have a place, a role to play.  Law enforcement can do what they need to do to identify the person committing the crime.  They are not looking for back doors.  They're looking for someone to serve legal process on so they can find who that person is.

As an RIR we have an obligation to make sure that our databases is accurate so they know who that service provider is closer to the edge that they need to serve the local process on.  That service provider needs -- that is not for us, it is for the law enforcement to speak to service providers to make sure they retain the data they need through a NAT so they can find who it is they need to find.

It is not just one person's or one organisation's responsibility.  We have to work together to make sure that we add our little bit to the security of the Internet in finding the people that make the Internet bad.  So we just have to remember, even though IPv6 sounds horrendous and has more grains of sand, et cetera, et cetera, but the scalability doesn't matter as long as we keep a record of who has what at what time, no matter how big it is.  Let's not get carried away that IPv6 is coming across the horizon and we are lost.  Definitely not.

>> ROBERT GUERRA:  Carlos, before I go to you, let me just go to Athina and then I'll go to you for you to comment and then I have actually a question for you as well. 

So Athina, you mentioned earlier that RIPE is a Dutch entity.  You're on the legal staff I guess at RIPE NCC.  So how does RIPE deal with different law enforcement entities, if at all?

>> ATHINA FRAGKOULI:  Yes.  Thank you very much for the question.  Yes indeed we are an entity incorporated under Dutch law.  This means that we can cooperate with the law enforcement authorities from all over the world with no problem.  We can educate them.  We can show them how to use our registry and the other tools that we have.  And we can point them to -- we can direct them to the publicly available information that is publicly available.  It is there for everyone.

That also means that we have no obligation to give them any nonpublic information.  And we can only do that if we get a Dutch order.  So indeed, in this case the NLAP process is very crucial for this known Dutch law enforcement authorities.

There is another aspect I would like to bring to the discussion.  As I said before, incorrect information in the database is a reason for us to stop offering services.  So it is a means for us to enforce our order.  If you don't update your information, we'll stop offering services.

And usually they do update their information and it is accurate because the vast majority of incorrect information in the database is not on purpose.  They just forget to update their information and so on and so on.

Now, sometimes law enforcement authorities come to us and say:  Hey, this information in the database is incorrect.  Because we did issue a state party -- sorry, through the NLAP process we did issue an order and didn't help us because the entity in the database is not the entity where the actual servers are.

And they come to us asking to update this information.  So that they get their state party correct, the NLAP process correct.  And for us the information is not incorrect.  It is correct because we register the resource holders legal entity as it is officially registered by the authorities.  Sometimes this registration corresponds to a letter box company for tax reasons, for example.  And has nothing to do with the actual place and location and country where the services are provided, where the servers are.

So we understand that frustration of law enforcement authorities.  They do not know how to issue, how to use the NLAP process or which jurisdiction they should ask for an order.  But this has little to do with the IPv4, IPv6 resources or communities in general.  It has to do with motivations that make people to use other legal addresses than the ones they use for the actual services, like tax evasion aspects and things like that.

So that is also an interesting aspect.  Thank you.

>> ROBERT GUERRA:  Great.  Thank you, Athina.

Carlos, you wanted to make a comment?  Then I'll go to Ben.

>> CARLOS:  Yes.  I want to make a couple of comments on what has been said earlier about this difference between IPv6 and 4 for investigative purposes.  I agree.  I hope I have some time to get into this later, but yes, IPv6 is larger which makes things different like scanning.  Not only for law enforcement but also for others as Paul said actually.

Regarding geolocation, I wouldn't want the audience to get the idea that geolocation was something that was born with IPv4.  IPv4 wasn't born with geolocation.  This geolocation for pip r IPv4 were created over time.  IPv6 will in time get sim lash database -- similar databases.  It will take time, I agree.  IPv4 geolocation is not perfect either.  Horror stories about them are a bounding.

IPv4s, investigations in that space (audio difficulties.)

In the Internet the use of CGNs are common.  You can no longer make the same request as you did before, things like in order to, for an ISP to track a user who is behind a CGN box, they need information on the source board of the connection.  That information may not even be available as many people don't even log that.

So in a way, IPv4 space for this particular case is also larger, if you will.  You need more information, also, for example, timestamping requirements are much more stringent in the CGN world, because they rotate much quicker than IP addresses that rotate like within 24 hours or something like that.  Thanks.

>> ROBERT GUERRA:  Great.  Thank you, Carlos.

We have a remote question?  Please, Iranga, go ahead.

>> IRANGA KAHANGAMA:  It was more of a comment.  When Dick spoke, not be so pessimistic and to comment on stuff that John said.  We as law enforcement have been engaged with the multi-stakeholder process at the RIRs and are trying to work with the community to get policies.  I do think there is a lot of truth to what Dick was saying.  We are early enough in the IPv6 world, it hasn't been widespread deployed.  We can try to get ahead of it a little bit and set in place policies and things like that to put us in a better situation to handle some of these.  I wanted to appreciate those comments and mention that yes, we are working with ARIN to put forward policies and trying to tackle issues like suballocation issues that we see.


>> ROBERT GUERRA:  I have a question for you, Ben.  Then I want to go to the audience.  You mentioned that you work on the crime section at Go Daddy.  So are you seeing -- I would like to get your perspective.  Are you seeing any difference in terms of IPv4, IPv6 issues in regards to your investigations?  So you talked a little bit about that.  But particularly the more nefarious crimes online, stuff related to children online.  Is this something we have to worry about?  Or is it just, as was being said before, the space may be changing but the tools are there and we can still do things properly.  So just can you tell us in terms of are things getting better or worse?  Is IPv6  going to make a difference in the work you do to take stuff down?

>> BEN BUTLER: Thank you for the question and like any security guy, my default answer is always doom and gloom.  Yes, it's getting worse an it is going to continue getting worse.

But it is not just because of the IPv4, IPv6 issues.  I wanted to kind of echo something that Carlos said.  We are still seeing the vast majority of our internal investigations, when we look at the logs on our servers to see who connected, most of those logs are coming in in v4.  And law enforcement is going to have the same issue when they review those logs, trying to determine who is behind the Web site.  I want to thank Carlos for mentioning, one of the hurdles that law enforcement has to deal with right now, does that log contain the source port?  When they ask the question in the state party or otherwise who is responsible for this IP on this day, that is not good enough.  You can't narrow it down to a day.  You can't even narrow it down to an hour.  In some cases even a minute.  You have to have a full-time stamp down to the second with the source port before a content provider like Go Daddy or before an ISP is going to be able to pin that down to anything even resembling a suspect.

And then the flip side of that coin is how do we improve that?  How do we get more providers to log source port and date and timestamp in such a way that these logs are more beneficial to law enforcement?  At least within the United States the bad news is you can't approach it from the standpoint of, okay, let's make our logs better so that law enforcement can have an easier time finding the bad guys.  There are rules that say you can't keep stuff for the purpose of making law enforcement's job easier.  So this is something we had to do at Go Daddy years ago when we started to see this problem occurring.  We had to say okay, well, what are the benefits, the real benefits to us as a business to logging source port and date and time and all that sort of thing?  And we found that that allows us to have greater visibility on the numerous DDOS attacks that we would have on some of our hosting customers and things like that.  We now have conversations with our customers saying log everything you possibly can because it gives you a better chance to identify who the bad guys are attacking you.

As a side effect, those logs become very useful for law enforcement.  Side effects are fine.  That doesn't trigger the legal problems.

So I think that is something that is going to continue to be a problem.  It doesn't necessarily get involved with IPv6.  You still want to have as thorough and rich logs as you can without creating space and logistical problems.

>> ROBERT GUERRA:  Jeff, you wanted to make a comment.  Then I'm going to go to you, Paul and then I have a question for the audience.

>> JEFF BEDSER:  Thanks.  I want to point out while there is frustration in having a much bigger space to play in, the reality is this is a solvable problem.  It is about protecting privacy while not protecting criminals with that same privacy.

It comes down to setting up with best practices and industry standards that allow us to capture the right information that doesn't allow the criminal misuse, victimizing the users of the Internet through nefarious means.  The systems exist in ways that they can store the data in an appropriate fashion that can be used by the appropriate authorities to take care of criminals.  The issue comes down to there's the whole range of scenarios from the stories we've all heard about ISPs that only receive state parties by fax and that fax machine never has toner or paper in it.

And they won't respond until a law enforcement officer shows up at the front door and hands them a piece of paperwork because state party in responding to state parties about criminal activity on the Internet is a cost.  It doesn't make them money so many don't want to respond to it.  It is such a complicated process of logging, that if the law enforcement doesn't want know what to ask for in the right expert, it is not available.

These are all global scale, IETF, ITU, other organisations involved in this, if we can come up with standards to say if you are going to connect to the Internet and provide these services, there is a minimum you need to do so criminals don't have impunity to do crime hiding behind privacy.  Thank you.

>> ROBERT GUERRA:  Thank you, Jeff.  Paul, you had a comment?

>> PAUL WILSON:  A quick one before I need to fly, but on the another v4 to v6 comparison that is important and I am sorry to belabor this, but data retention for the sake of tracing past connections for the sake of attribution in IPv4 is becoming very, very difficult.  The log files that are needed, we need to understand that the estimated calculation for the size of those log files is one gigabyte per user of the ISP per month.  If you look at ISPs an millions of users, you're looking at terabytes of data per month which is a huge storage problem, not to mention a big data problem in actually making use of that data.

It could only be retained by an ISP if they were required to do that.  So it would have to be legit lated.  Imagine the problem of two years of that data and having to use it.  On the other hand IPv6 doesn't have that problem at all.  You have simple straightforward associations between addressers and users, which is a privacy issue, by the way.  Let's not go there in this forum.

Look, before I go I did want to mention that there are, in the RIR world we have ten conversations per year across the RIRs.  They are open meetings with multi-stakeholder event, we had increasing participation by law enforcement and associated people in those meetings over the years.  That is coming up right now towards a policy proposal that is going around the RIRs for the sake of asking our communities to take some particular actions on who is data accuracy and completeness.  That is a multi-stakeholder process and I wanted to mention it is something that is going on outside of this room and going on very actively, as I say, in potentially ten events per month.  I hope that does go on and I thank everyone, some who are here who have been involved with making that happen.  Thank you very much.

>> ROBERT GUERRA:  Great.  You touched actually on some questions I wanted to ask to the audience.  We have been talking about or it has come up that gate keeping data is important.  Logging is important.  And that raises a lot of issues in regards to the data retention initiatives that need to be developed in different countries.  What are the privacy implications?

So there are folks in the audience that might be able to speak to some of this.  I know you're here.  I'm just wondering, though privacy is an issue -- sir, state your name, where you're from, your comment on that or the session itself is welcome.

>> JAMES EDWARDS:  I'm James Edwards from Internet New Zealand.  We are the country code, we are the registry for .NZ, the New Zealand registry.  I'm on the policy team and I have regulatory colleagues.  Those colleagues in the domain name division are concerning the who is policy.  There is concern that the availability of the information in the who is database, poses personal safety risks.  They have run several rounds of consultations on getting the balance right.  They are still going to collect data, but it looks like one of the Options that is on the table now is to identify one's self when registering a domain as an individual person and to have the Option of your phone number and your geographic location being stored but not publicly accessible.

And then when people have a court order or some legitimate reason for access to that data, it's there.  Like I say, that is sort of balancing which actually improves the ecosystem.  The more confident you are that your privacy will be protected, the easier it is to say yes, I'll participate in the system and share my data.  That's the other side of the equation as well.  If you think everything is captured regardless of what you want, that's a disincentive and a reason to obscure that information.

>> ROBERT GUERRA:  Great.  Thank you.  John?  Then I've got a question.

>> JOHN CURRAN:  That's an excellent point.  The evolution of the databases that we're talking about, the who is database, both DNS and IP are public and the advantage of that is that they are relatively available to everyone.  Just for query, the down side of that is they are available to everyone just for a query.  This led to some discussion in the RIR community and with the IETF about potentially looking, who potentially as a protocol is long in the tooth.  It's an aged protocol with colorful attributes to it.

There is something coming, RDAP, remote access in a structured manner that would provide some authentication and different views for different parties.  There's work in the IETF and RIRs in working on the protocol to see if it's a viable long-term direction.  That would further support data integrity.  People can know there's information I'm making available publicly and there's information I'm only making available to the RIR or some subset of personnel based on whatever characteristics are set.

>> ROBERT GUERRA:  Thanks for that.  I have a question that is going to turn the topic of our session.  I'm going to ask the question and get to you.  You are turning the session on its head.  We are talking about catching bad actors online and who the bad actor is in the eyes of the beholder.  It could be law enforcement but I know some of in the room are investigative journalists.  They want to understand and find out who is attacking who, if law enforcement in the country isn't, and do their own investigation.

So John and others, you have mentioned that the data sources are public, that anyone can do this.  And law enforcement is doing it and that's great.  But I'm wondering for those in another community that also do investigations that are trying to discover what is going on, to what extent have there been outreach efforts to make sure that they have the technical know how to be able to use the same tools so that they understand what law enforcement is doing, if it's doing it in a legal authorized way?  And if moving towards RDAP might make it more difficult for those who aren't the law enforcement to do investigations that have been healthy for democracy.

>> JOHN CURRAN:  I can answer the first part about our engagement with other agencies that are not law enforcement.  We do do that.  At the moment normally that is done through the public safety working group of ICANN which is not just law enforcement.  It's all people who have an interest in the safety of the public.  We do similar type of engagement with the public safety Working Group.  We know that's a far bigger community than just law enforcement.  Yes, I suppose we could do more on that, but yeah, that's something we may have to think about.  The RDAP1, I'll leave it to the technician. 

The second question you raise, which is there are actors right now in the Internet who are involved in investigation who aren't properly law enforcement.  Actually, if you know anyone who does security work, DDOS mitigation, anti-spam.  There are a large number of players who need the ability in order to keep the Internet running to have access to information.  They need access to information not necessarily down to a than individual earn -- to an individual person.  When we talk about privacy, that's what we are worried about.  We are not worried about something is going back to a particular ISP or business or even a particular educational institution.  It's when someone says I want to get this tracked down to a user, we get into a challenging privacy environment.

One of the questions that comes up, right now there's informal based security forms that share information.  These are parties that have gotten together and agreed to trust one another because they are all involved in mitigation of attacks and similar.

We may end up with multiple tiers of information.  It may be that in fact someone can register something privately and know that for network operations purposes that information may be shared.  But still not down to the individual user, which would be still protected.

One of the advantages of having a protocol that allows multiple views, it doesn't have to be either or.  It can be layers of views.

>> ROBERT GUERRA:  I had one last question here.  Please.

>> You talked a lot about IPv4 and IPv6.  What about TOR?  How do you handle TOR?

>> ROBERT GUERRA:  Jeff, you put TOR on your slide.  If I recall well, you were going through a different history.  You are saying there is a period pre-v4PN where it was easier to catch people because they weren't using things to connect through other means.  I see your question as two fold:  How does TOR make investigations harder?  Is there an IPv6, does TOR -- yeah, what about the IPv6 issues?  I see TOR in investigations, does it make it easier, harder or is it a moot point?

>> JEFF BEDSER:  I regret putting the word TOR in my presentation.

There is no question, TOR can run on v4 or v6.  That is an anonymized system where you can log into TOR and come out from another IP address that anonymizes your transaction.  Your Internet connections.

Yes, TOR does make investigations more complicated.  However, TOR actually came out of a United States Navy development process and TOR has some vulnerabilities as well.  Those who know how to do it, do.

There are other systems such as there are providers that have -- actually John Curran and I were talking about it this morning.  There are providers who have tens of thousands of IP addresses, whether it's six or four, that provide v4PN services where you can buy access and log into their system and grab a fresh IP address every single transaction.  So there are many complications investigatively, not just which type of IP address you're coming from but also to obfuscate the origin of Internet transaction or traffic.

>> ROBERT GUERRA:  Before I get to you, we are wrapping up soon, but that's a question I see that is in regards to investigators.  So Jeff has his piece.  But we happen to have someone from the FBI on the panel too.  So Iranga, I wanted to get your sense from a broader scope is, in regards to the investigations, FBI or other law enforcement have been doing, what is the effect of using anonymity tools such as TOR or others. Has it made investigations more complicated?  And if you can answer it -- I'm not sure if you can -- would you say that does TOR actually make crime worse because people are using it or is it a general tool that everyone is using?

Your answer or your comments on the use of anonymity software, is it complicating the investigation of crime that the FBI does with would be most helpful.  If you can answer that, the person in the audience who asked the question would be keen to hear your response.

>> IRANGA KAHANGAMA:  Sure.  Broadly speaking, anonymity is always an issue.  The FBI buckets it under a programme called going dark.  That relates to encryption at large, both data at rest and data in motion.  They are pursuing lots of difficulties.  I can't speak specifically to any specific programme or method, but it is definitely an issue.  I think it's a problem that is only going to increase because of pace of technology is there and it is going to naturally do it an it will be a matter and if and how we deal with it.  Whether that's internal or through some sort of legislation or some other kind of solution.

Anonymity in general is a problem and something that we are seeking to address.

>> ROBERT GUERRA:  Thank you for that comment.  So John, you wanted to comment?  And I think Dick, you wanted to make a quick comment as well?  John, please, go ahead.

>> JOHN CURRAN:  Regarding anonymity, it is an interesting challenge, if you think about it.  It is really a question for the people in the room.  What I mean by that is, we are in the earliest days of the Internet right now.  The Internet works, but evolves over time.  And we've only just begun to see how the Internet affects economic and social development, how it becomes pervasive in owe so many environments.  Law enforcement is just now getting a grip on how to perform its duty, which is protection of security.  Protection of people's right to be secure on the Internet.

As we get further down the road over the next years and decades, we have to decide what the right answer is.  In other words, perfect anonymous speech means perfect anonymous speech without recourse for attribution for hate speech.  You can't have it one way or the other.

So the Internet faces a question of what does it want to look like in 20 years?  Does it want pure anonymity and the implication of what that means?  Does it want some form of mediated anonymity where there is a method for piercing the veil for someone uses it to harm?  Does it not want it at all?  It is an open question because the Internet is a very young thing and we are only now really seeing it become part of society.

But it is going to be something we deal with because you can't have it with its benefits without its draw backs.  We have to decide consciously whether we are accepting them or not as a group.

>> ROBERT GUERRA:  Thank you for those great comments.  I'm looking at the clock and we are a little bit over our time.  So I just maybe would go over to Jeff, if you had any concluding comments you want to make.  I'll make some and before I make some comments for the audience.

>> JEFF BEDSER:  I'll stand on my last comments as my concluding comments and go back to you.

>> ROBERT GUERRA:  I want to thank everyone who has come to our session today.  We invited some folks to the panel and I saw there are a lot more knowledgeable folks who also came into the room.  We have AfriNIC, we had all the other RIRs in the room.  We touched on investigations, helping people in the room understand not only the IPv4 and IPv6 transition and understanding that in a little bit of context.  The folks on the panel probably would be happy to speak to the folks in the audience if you have follow-up questions.

This is the place for dialogue.  So I appreciate too that members from private sector, the government, and some of our remote participants were also from government as well.  So it allowed for rich conversation with all the different stakeholders on this issue.  As John said, in an issue that is evolving where it is important for all the stakeholders to know, to make sure there are good checks and balances but also so we are aware of investigations that take place and how those are taking place.  I thank you all for joining us this morning.  I wish you a great rest of the day and the rest of IGF.  Thank you.


(The session concluded at 11:50 a.m. CST.)