IPv6 good for criminals, says FBI and DEA

IPv6 good for anonymity, criminals, says FBI and DEA

On June 6, a replacement Internet address system called Internet Protocol version 6, or IPv6, began its long march toward becoming the Internet standard, dethroning the long-used IPv4. One of the main benefits of IPv6 over IPv4 is that it allows for trillions upon trillions more IP addresses, the numbers that computers use to identify each other — and that law enforcement use to help identify who performed illegal online activities.

It is this last part that has begun to cause concern among the Federal Bureau of Investigation, the U.S. Drug Enforcement Agency, and the Royal Canadian Mounted Police. As Declan McCullagh of CNet reports, these agencies have begun to grumble that the implementation of IPv6 will greatly reduce the ability to keep track of who’s who online — not because doing so is technically more difficult, but because the organization that pressures Internet service providers (ISPs) into reporting which blocks of IP addresses they assign to customers, a nonprofit known as the American Registry for Internet Numbers (ARIN), will become far more impotent.

McCullagh explains:

ARIN and the other regional registries maintain public Whois databases for IP addresses, meaning that if you type in, you can see that it’s registered to CNET’s publisher. ARIN tries to ensure that Internet providers keep their segments of the Whois database updated, and because it’s been handing out IPv4 addresses blocks every few months, it currently enjoys enough leverage to insist on it.

But for IPv6, ARIN will be handing out much larger Internet address blocks only every 10 to 15 years, meaning it loses much of its ability to convince Internet providers to keep their Whois entries up-to-date. That means it may take law enforcement agencies — presumably armed with court orders — longer to trace an IPv6 address such as 2001:4860:4860::8888 back to an Internet service provider’s customer.

The struggle to get ISPs to report which IP address they are in control of isn’t a matter of principal — ISPs are more than happy to comply with court orders and the like. The problem is simply a matter of corporate motivation — it takes resources (read: money) to report these things. And as McCullagh notes above, ARIN will now have far few carrots to dangle in front of their eyes as a way to coerce ISPs into going through the hassle of reporting IPv6 addresses to Whois databases.

Of course, if ISPs do end up ignoring this task, there’s always the option to write new laws that would require them to do so — a move the FBI and other law enforcement agencies strongly support, if self-regulation fails.