Connect with us

Hi, what are you looking for?



Europol Looks to Solve IP-Based Attribution Challenges

Europol Calls for a Solution to the IP Address Attribution Problems Caused by CGNs

Europol Calls for a Solution to the IP Address Attribution Problems Caused by CGNs

Europol has called for the end of carrier grade NAT (CGN) to increase accountability online. This is not a new campaign from Europol, but it now seeks to gain public support: “Are you sharing the same IP address as a criminal?” it asks.

“Law enforcement is using the ‘distinguish yourself from a criminal’ tactic in order to provoke the ‘nothing to hide’ scare tactic,” Tom Van de Wiele, principal security consultant at F-Secure told SecurityWeek, “which is unfortunate, because as far as our privacy is concerned it’s about protection. Privacy is the right to select which people to share what information with. But when it comes to the push of Europol in this case, there is more to it than that.”

Van de Wiele sees the call as symptomatic of law enforcement’s desire to remove anonymity from the internet, which is effectively an attack against privacy.

Everybody with home computers uses network address translation (NAT) within their routers. The ISP allocates an IP address for the router (usually on a temporary basis), and the NAT ensures incoming traffic to that IP goes to the right computer. It allows one IP address to be used for multiple home computers. 

NATs are not a problem for law enforcement — the problem comes with the carrier grade NATs (CGNs) used by the ISPs. These allow dozens, hundreds and perhaps even thousands of routers or computers or mobile devices to share a single IP address simultaneously. The problem for law enforcement is that the ISP is currently unable to say which computer is being used by a particular IP address at a particular time.

For law enforcement, it means that it is virtually impossible to trace the physical location of an IP address under investigation. “This is relevant as in criminal investigations an IP address is often the only information that can link a crime to an individual,” said Europol in an announcement yesterday. “It might mean that individuals cannot be distinguished by their IP addresses anymore, which may lead to innocent individuals being wrongly investigated by law enforcement because they share their IP address with several thousand others – potentially including criminals.”

Advertisement. Scroll to continue reading.

There is some irony in this since in October 2016, the Court of Justice of the European Union (CJEU) ruled that IP addresses can in some circumstances qualify as personal data under European law. Europol is now implying, however, that an innocent user could be investigated by law enforcement solely by the accident of sharing the same IP address as a criminal.

Van de Wiele sees something verging on sinister from this latest push by Europol. “This is another attempt by law enforcement to try and single out individuals and to reduce the possibilities of anonymity to get closer to their active targets while increasing their success of traffic analysis for all traffic they are vacuuming up.” He points out that it was law enforcement that forced Facebook into the policy of all users using their own identity, and getting ‘friends’ to confirm whether profiles are accurate. “These are cold war tactics and they are troubling,” he says.

Europol’s concern over the growing use of CGNs is not new. It raised the issues in its Internet Organised Crime Threat Assessment (IOCTA) in both 2014 and 2016. A study it conducted in summer 2016 showed that 80% of surveyed European cybercrime investigators had encountered problems in their investigations relating to the use of CGN, causing them to be either delayed or stopped. These cases concerned investigations of offenses including online child sexual exploitation, arms trafficking and terrorist propaganda.

Europol’s Executive Director Rob Wainwright said yesterday, “CGN technology has created a serious online capability gap in law enforcement efforts to investigate and attribute crime. It is particularly alarming that individuals who are using mobile phones to connect to the internet to facilitate criminal activities cannot be identified because 90% of mobile internet access providers have adopted a technology which prevents them from complying with their legal obligations to identify individual subscribers.”

Steven Wilson, Head of Europol’s European Cybercrime Center, added: “The issues relating to CGN, specifically the non-attribution of malicious groups and individuals, should be resolved.”

This will be difficult. ISPs introduced CGNs, ostensibly as a temporary technical measure, to bridge the gap between the depletion of IPv4 addresses and the uptake of effectively limitless IPv6 addresses. But IPv6 uptake has been far slower than expected. “This was supposed to be a temporary solution until the transition to IPv6 was completed,” says Europol, “but for some operators it has become a substitute for the IPv6 transition. Despite IPv6 being available for more than 5 years the internet access industry increasingly uses CGN technologies (90% for mobile internet and 50% for fixed line) instead of adopting the new standard.”

Indeed, it could be said that the use of CGNs is actually delaying the transition to IPv6. The 2016 study, ‘A Multi-perspective Analysis of Carrier-Grade NAT Deployment’, concluded, “CGNs actively extend the lifetime of IPv4 and hence also fuel the demand of the growing market for IPv4 address space, which in turn affects market prices and possibly hampers the adoption IPv6.”

“Most peering companies and ISPs are nowhere near being ready when it comes to IPv6,” says Van de Wiele; “and with it, we will also see a whole slew of security issues when the SOHO and home users get IPv6 in the process. Having a unique IP address for every user or device without NAT offers tremendous possibilities technically, but that also means you can be tracked more easily by ad companies and other entities such as law enforcement.”

In the meantime, what was introduced as a temporary fix has become entrenched. In most cases the use of CGNs is unnoticed and unknown by the user — and hence, perhaps, this new appeal to public opinion by Europol. However, even if Europol solves the CGN issue, it i
s not at all clear that it will solve the problem of attribution.

“Unfortunately, CGN is not the only challenge when enforcing enacted laws and prosecuting cybercrime,” commented Ilia Kolochenko, CEO of High-Tech Bridge. “A great wealth of currently available VPN service providers that you can purchase for bitcoins open up new opportunities to all kinds of digital offenders and predators.” Without backdoor access to the VPN concerned, law enforcement will not have access to the IP address at all.

Furthermore, Kolochenko points out that the ability to tie a particular IP address to a particular physical computer will still not solve the problem. “The new trend in cybercrime,” he said, “is to compromise a third-party with a motive to commit crime (e.g. a competitor) and conduct the attack from its infrastructure. On the Dark Web, you can buy compromised machines of law enforcement and judicial officers to be used as proxies for attacks. Most cybercrimes become technically uninvestigable or the price of their investigation outweighs any public interest.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...