[LINK] IPv6 vs. Human Security [Was Re: smartphone privacy problems]

Paul Brooks pbrooks-link at layer10.com.au
Mon Jan 31 22:43:25 AEDT 2011


On 31/01/2011 5:14 PM, Roger Clarke wrote:
> At 16:29 +1100 31/1/11, Paul Brooks wrote:
>> I'm curious - what "natural protections of this nature" are you talking about Roger?
>> There are no such "natural protections" - not for TXT messages, phone calls, even
>> driving around.
>> Not for IPv4 addresses either - so what 'natural protections' are you referring to
>> here, that IPv6 is supposed to emulate out-of-the-box?
>
> IPv4 addresses do not enable any party to infer any identifier for the device that's
> using the IP-address.
>
> It's possible for a gatherer of data (ISP, marketer, spook-agency, other
> eavesdropper) to associate all messages with an IP-address. But that doesn't in
> itself associate the stream of messages with any particular device.

Roger - I realise you've spent far more time thinking about this, so in a sense I'm
playing devil's advocate in order to explore this more deeply.

Is it really the device that is important, or the user of the device? - especially in
the context of this thread subject on smartphones.

I was actually thinking more broadly beyond IPv4. There is no natural protection for
TXT messages or telephone calls - all can be trivially linked to the phone device,
through the phone number, and through the IMEI if the user thinks to change SIMs.
There is no natural protection when driving around - the authorities can track your
whereabouts from your number-plates. Unless you change your device, you can be tracked
and correlated over time.

That IPv4 does change the source address when a user changes location is an accidental
byproduct of the way IPv4 works, and not a deliberately designed-in feature that the
original architects had as one of the design criteria. For a long time this has been
seen as a flaw because it causes ongoing sessions to drop while moving between
networks, with many proposals for IPv4 mobility to "fix" the situation.
It might be convenient for those wanting to not be correlated, but it wasn't
deliberately made so.

I'm not convinced it's actually significant, because it doesn't actually prevent the
device, or the user of the device, from being correlated by the authorities, for two
reasons that spring to mind:
1) in the context of a smartphone, whether it changes IP address or not as it moves
around, it stays on the same carrier network, or roams under carrier control - the
carrier maintains a log of IP address, base station and device identifier, and the
authorities can track the user across IP address changes, if they occur at all while
travelling across the network. Even if the user changes SIM cards to change networks
and hence address, the device identifier can still tie everything together.

2) Because the device - and the user - has an indeterminate IP address, it can't
directly receive messages destined for it. Someone that wants to communicate with the
user of that device has to leave the message at an intermediate, known location, and
the device has to periodically poll that location to check if there are any messages
to be dragged down or not - an example being email, via POP3 or IMAP or similar.
Authorities that care about the device - or the person using the device - only have to
camp monitoring the intermediate location. As soon as the device - or the person
behind any device - checks in, they then have the communication, and whatever IP
source address the user is using at the time. The user doesn't even have to use the
same device.

Dynamic DNS doesn't help, because monitoring the current value of the DNS entry gives
away the address as well.

I can certainly understand that commercial interests, behaviour-trackers associated
with websites for example, might be foiled by the privacy extensions, and for this
alone perhaps the attention is warranted.
However, even with the privacy extensions implemented and the smartphone choosing a
different IPv6 source address often, the carrier can still maintain a log of the
series of IP addresses tied to device number, so while commercial interests might be
thwarted, authorities with access to the phone carrier logs won't have any problem at
all tracking the holder of the device.

P.



>
> To do so requires access to additional data held by other organisations, and hence
> powers and resources.  So it isn't done casually.
>
> There are accordingly 'natural protections' in place, in such forms as
> organisational barriers (not least jealousies) and costs.  [Legal protections are
> out-of-scope for the moment.]
>
> Further, a message-stream to and from a device that connects via one IPv4-address is
> not able to be directly associated with message-streams to and from the same device
> when it's connected via other IPv4 addresses.
>
> It may be feasible to achieve that by other means (including content within the
> data-streams, e.g. using 'deep packet inspection'), but that requires capabilities
> and the investment of resources.
>
> Once again, these are a deterrent, or a 'natural protection'.
>
>
> IPv6 in its default mode (or whatever adjective it is that Karl wants me to use)
> makes an identifier of the device readily computable from the IPv6-address.
>
> The organisational and costs barriers are removed, and:
> (1)  every data-stream is directly associable with a device
> (2)  the multiple data-streams arising from a portable device's
>      connections over time with multiple sub-networks are directly
>      associable with one another
>
> So the 'natural protections' are demolished.
>
>
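
The point in the quoted text that a device identifier is "readily computable" from a default-mode (modified EUI-64) IPv6 address, and the reply's point that addresses chosen by the privacy extensions defeat that computation, can both be shown concretely. The following is an added example written for this page, not code from either correspondent: it recovers the hardware (MAC) address from an EUI-64 interface identifier, shows that a privacy-extension style identifier yields nothing, and groups addresses seen under different prefixes by shared interface identifier, which is the cross-network correlation described in point (2) of the quote. All addresses and the MAC are constructed sample values.

```python
"""Added example (not from the mailing-list post).

Shows why a modified EUI-64 interface identifier (IID) exposes the device's
MAC address and lets observers correlate the same device across different
network prefixes, and why a random (RFC 4941 privacy-extension style) IID
does not. All sample values below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional


def interface_id(addr: str) -> bytes:
    """Return the low 64 bits (the interface identifier) of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]


def eui64_from_mac(mac: str) -> bytes:
    """Build a modified EUI-64 IID from a 48-bit MAC: insert ff:fe in the
    middle and flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def looks_like_eui64(iid: bytes) -> bool:
    """Modified EUI-64 IIDs carry the fixed 0xfffe filler in octets 3-4.
    A random IID matches this by chance only about once in 65,536 cases,
    so this check is a strong but not perfect indicator."""
    return len(iid) == 8 and iid[3:5] == b"\xff\xfe"


def mac_from_eui64(iid: bytes) -> Optional[str]:
    """Undo the EUI-64 construction. Returns None when the IID does not
    carry the ff:fe marker, i.e. when it is not derived from a MAC."""
    if not looks_like_eui64(iid):
        return None
    first = iid[0] ^ 0x02  # restore the universal/local bit
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def correlate_by_iid(addrs: List[str]) -> Dict[bytes, List[str]]:
    """Group addresses seen under different prefixes by identical IID.
    Any group with more than one address is the same interface observed
    on more than one network."""
    groups: Dict[bytes, List[str]] = {}
    for a in addrs:
        groups.setdefault(interface_id(a), []).append(a)
    return {iid: seen for iid, seen in groups.items() if len(seen) > 1}


# Constructed sample: one MAC-derived IID seen on two prefixes (home and a
# visited network), plus two unrelated random IIDs on the same prefixes.
SAMPLE_MAC = "00:16:3e:12:34:56"
SAMPLE_ADDRS = [
    "2001:db8:1::216:3eff:fe12:3456",   # EUI-64 on prefix 2001:db8:1::/64
    "2001:db8:2::216:3eff:fe12:3456",   # same interface on prefix 2001:db8:2::/64
    "2001:db8:1::a1b2:c3d4:e5f6:7890",  # privacy-style random IID
    "2001:db8:2::f1e:2d3c:4b5a:6978",   # privacy-style random IID
]


def summarize(addrs: List[str]) -> Dict[str, Optional[str]]:
    """Map each address to the MAC recoverable from it (None if none)."""
    return {a: mac_from_eui64(interface_id(a)) for a in addrs}


if __name__ == "__main__":
    for addr, mac in summarize(SAMPLE_ADDRS).items():
        print(f"{addr:36} -> {mac or 'no device identifier recoverable'}")
    for iid, seen in correlate_by_iid(SAMPLE_ADDRS).items():
        print(f"IID {iid.hex()} seen on {len(seen)} networks: {seen}")
```

Running the script shows the two EUI-64 addresses both yielding `00:16:3e:12:34:56` and being grouped together despite their different prefixes, while the two random identifiers yield nothing and are not linked. This is the observation in the quoted text reduced to code: the organisational barrier disappears because no second data source is needed, the identifier is in the packet header itself. Note, as the reply says, that this only describes what an on-path observer without carrier records can learn; a party holding the carrier's address-to-device logs can still link the random addresses.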
