Shared IP addresses are making it hard to track cybercrime, says Europol

Carrier Grade CGN mitigates IPv4's address exhaustion but makes criminals harder to track

Europe's law enforcement agency, Europol, has issued a warning about and called for an end to Carrier Grade Network Address Translation (CGN) technologies, which make it difficult to identify internet users through their IP address.

CGN technologies are used by ISPs to assign a single IP address to multiple subscribers. It is used to mitigate the problem of IPv4 address exhaustion, with as many as several thousand subscribers sharing an address.

While CGN is good news for ISPs wanting to serve more customers, it has made it difficult for them to comply with their legal obligation to identify individual subscribers; IP addresses are often the only information that can link a cybercrime to an individual. Europol says that this can lead to innocent individuals being mistakenly investigated.

The EU Presidency, currently held by digital-prioritising Estonia, has identified CGN and online crime attribution as an issue. It will bring the results of a workshop it held recently in front of the Standing Committee on Operational Cooperation on Internal Security (COSI) as a contribution to improving the EU´s cybersecurity.

Rob Wainwright, executive director of Europol, said that CGN "has created a serious online capability gap in law enforcement efforts to investigate and attribute crime." Mobile phones, he added, are of particular concern: "It is particularly alarming that individuals who are using mobile phones to connect to the internet to facilitate criminal activities cannot be identified because 90 per cent of mobile internet access providers have adopted a technology which prevents them from complying with their legal obligations to identify individual subscribers."

Participants in the recent workshop reviewed criminal investigations that failed because of CGN, and discussed existing solutions that could be adopted at a Europe-wide level; for example, a voluntary code of conduct for ISPs to reduce the technology's use.

Marco Hogewoning, external relations officer - technical advisor at the Réseaux IP Européens Network Coordination Centre (RIPE NCC), told us:

"Large-scale sharing of IPv4 addresses via CGN or similar technologies introduces a number of drawbacks, including making it more difficult to attribute online actions or transactions to specific individuals. CGN also introduces other challenges in terms of scalability and cost, and importantly, it can limit the open innovation that has made the Internet the success it is today.

"It's important to note that while the industry is currently deploying IPv6, this process will continue for at least the next decade, and there is a need to support legacy IPv4 services and applications in the meantime. With the pool of available IPv4 addresses severely depleted, address sharing is unavoidable if the internet industry is to support short- and mid-term growth and allow everybody to access the full range of internet products and services.

"As an agency, Europol has been quite forward-thinking in terms of engaging with the internet community to share its concerns (the RIPE NCC and Europol actually signed an MoU last year to develop knowledge sharing between our organisations) and also in seeking to understand the technical pressures that network operators face. This kind of community engagement is essential when looking at an issue as complex as the use of CGN."

The European Union Cybercrime Task Force adopted a joint declaration in July this year to warn about the negative impact of CGN technologies on online crime attribution.