Yet again there has been an attack on innocent people, this time in Manchester. Police and intelligence services have identified the attacker as a British man. And again the perpetrator ‘was known up to a point’ by these same intelligence services.
You can picture the next step in their investigations: checking his Internet history, analysing metadata they have obtained over time to see if his name or motive pops up and who he has been in contact with, and if his IP address was linked to any specific websites.
For some reason, there is a firm belief in the intelligence community that by recording all the communications’ metadata, you can understand what someone is up to. It is the same tactic the Dutch government uses to track potential suspects here. Their belief in this principle is so big, that they want access to encrypted data, such as from messaging apps, to better understand what people are talking about.
But I think their mistake is to see the IP address as the Holy Grail. ‘When you have that, you can tie a suspect to everything’, seems to be the mindset of police and intelligence services.
The problem with these ideas is that you are always one step behind. You can sweep all the metadata you want, but first you have to identify it, then analyse it and then investigate to who or what it links. By the time you have done that, you are always too late. And to come back to the desire to want access to the encrypted data on the messaging services: You already know who a suspect is communicating with. You don’t need the metadata for that.
What really strikes me, is how much faith there is in the IP address. It happens to be one of the easiest things you can mask on the Internet if you really wanted to. DDoS attackers make a living off of it, by hijacking or spoofing IP addresses to execute an attack. If the police only search for the IP addresses “used” in such an attack, they will find that the users behind them most of the time don’t even know what a DDoS attack is, let alone participate in one.
Yes, ISPs are obliged to send all their subscribers personal information to a secure database, so that the government knows who is behind what IP address – at least, in the Netherlands they are – but big companies and Internet cafés have more than one workstation on the same IP-address. And what’s more, with IPv4 coming to end of life, ISPs are starting to share IPv4 addresses under multiple users. So now how trustworthy is “the IP address” still?
Our lives are all over the Internet, so it is obvious that you use tools to investigate data and IP addresses if you suspect something. But usually you will only find things after the fact, especially if you are dealing with ‘lone wolves’, who seem to be more and more common these days. If you really want to stop these people, the best way in my opinion is by offline, human intelligence. Don’t rely on IP addresses. Believe me, they are not the Holy Grail of online identification.