Following on from yesterday's post regarding the fresh proposals planned for cyber-monitoring, our attention has been drawn to a new posting, which you can read here.

BT has claimed that the use of Internet Protocol (IP) address sharing technology will not prevent individuals from being identified as the perpetrators of illegal online activity. The article goes on to describe in detail the new technology that BT are using to back up this claim.

So why are BT wrong?

Simply put, this technology can at best uniquely identify a device or network endpoint, NOT a person. It uses IP address, port and time to identify a 'customer' who is in control of that IP address at the given time. This does not identify a person; it identifies an account holder. That is normally the person who is paying the bill, but it does not mean that this is the person using the connection at the given time (unless they live alone, don't share the device with anyone else and have a completely secure network).

Even with this technology deployed, it is still trivial to get around. Internal gateway servers, squid proxies and other technologies all show traffic coming from the same IP, which makes it impossible to distinguish between different people.

Imagine a company that has a server which users must SSH to in order to connect to servers outside the office network (yes, companies do this; I have worked for ones that do, in order to minimise the firewall rules). All traffic out of this server appears to come from the same person, no matter how many users are connected.

Another simple example is a home connection where there is one PC in the house that everyone shares, so that parents can supervise their children's internet usage. All traffic from that device will be seen as one person, even if a friend comes over and 'borrows' the computer. On top of this you have internet cafes and free and open WiFi hotspots.
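The IP, port and time lookup described above can be sketched as follows. This is an added example, not code from BT or from the article; the port-block log format, the account names and the "person" labels are constructed assumptions. It shows that the lookup needs port and time to pick one account on a shared address, and that three different people behind one gateway still resolve to the same account holder.

```python
from datetime import datetime
from typing import NamedTuple, Optional

class Lease(NamedTuple):
    public_ip: str
    port_lo: int
    port_hi: int
    start: datetime
    end: datetime
    account: str  # billing account holder, not a person

def ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

# Constructed CGNAT port-block log: one public IP shared by three accounts.
LEASES = [
    Lease("203.0.113.10", 1024, 2047, ts("2024-01-15 09:00:00"), ts("2024-01-15 12:00:00"), "ACCT-A"),
    Lease("203.0.113.10", 2048, 3071, ts("2024-01-15 09:30:00"), ts("2024-01-15 13:00:00"), "ACCT-B"),
    Lease("203.0.113.10", 1024, 2047, ts("2024-01-15 12:00:00"), ts("2024-01-15 18:00:00"), "ACCT-C"),
]

def candidates(leases, public_ip: str, when: datetime, port: Optional[int] = None):
    """Accounts that could have sent a flow seen from public_ip at `when`."""
    hits = set()
    for lease in leases:
        if lease.public_ip != public_ip:
            continue
        if not (lease.start <= when < lease.end):  # block reassigned over time
            continue
        if port is not None and not (lease.port_lo <= port <= lease.port_hi):
            continue
        hits.add(lease.account)
    return sorted(hits)

# Constructed flows: three different people behind ACCT-B's SSH gateway.
# The "person" field exists only in this example; the ISP never sees it.
FLOWS = [
    ("alice", 2100, ts("2024-01-15 10:00:00")),
    ("bob",   2500, ts("2024-01-15 10:05:00")),
    ("carol", 3000, ts("2024-01-15 11:40:00")),
]

def attribute(flows, leases, public_ip="203.0.113.10"):
    """Map each flow to what the ISP can actually name: the account."""
    return {person: candidates(leases, public_ip, when, port)
            for person, port, when in flows}

if __name__ == "__main__":
    print(attribute(FLOWS, LEASES))
```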

The use of the word 'individual' is at best ambiguous and at worst misleading and wrong. CGNAT is only capable of identifying account holders, nothing more. This type of identification has been available for many years, and any ISP that implements any level of capping or usage metering already has this ability in their network, so this is not a new or impressive claim to make.

The long and short of the matter is that there is NO technological way to correctly identify a REAL person on the internet. There are too many workarounds: open or compromised WiFi hotspots, anonymous proxies and other solutions available to all internet users.