Police Agencies Want an Easier Time Serving Warrants to ISPs

Because finding IP address registration is exceedingly convoluted, various law enforcement agencies have presented a proposed policy for how WHOIS information should be retained.
November 2, 2016, 2:00pm
Police seize servers during a 2015 fraud investigation in Orange County, CA. Image: Gregg Felsen/Getty

For pretty much any crime involving the internet, often the first step in an investigation is trying to figure out who is behind an IP address. But, according to the FBI and other law enforcement agencies, there is a problem: often it's unclear which organisations are actually in a position to respond to legal orders for information, because of the way that IP addresses are distributed by internet service providers (ISPs).


In response, several law enforcement agencies are pushing for a change in how WHOIS data, the basic contact information of who is affiliated with an IP address, is recorded. Although likely not a privacy risk, the move, which will probably come into effect sometime in 2017, still presents a significant shake-up in how ISPs retain information.

In the most innocuous cases, this problem can just be a waste of time, but in others it can present an urgent dilemma, FBI Supervisory Special Agent Robert Flaim told Motherboard in a phone call. According to a presentation from Flaim and other staff from the DEA and the Royal Canadian Mounted Police (RCMP), one case involved the online sexual extortion of a young girl. Because the WHOIS information was inaccurate, it took three months before law enforcement found the right ISP, all the while the girl was continually victimised.

The issue is that it can take several attempts for agencies, including public safety and law enforcement, to find the right ISP to serve that court order on, because of how IP addresses are handled and allocated down a long chain of companies and organisations.

At the top sit the five Regional Internet Registries (RIRs) which manage the allocation of IP addresses within different parts of the world. There's ARIN, or the American Registry for Internet Numbers; LACNIC, or the Latin American and Caribbean Network Information Centre; and so on.

The FBI, DEA and RCMP have proposed a solution: each time an ISP sub-allocates some addresses, that is recorded in the WHOIS.

RIRs allocate IP addresses to different ISPs. Then these ISPs may pass on those IP addresses to more local ISPs or other services. It's these smaller organisations that are typically the issue.

"As you continue to get further down the chain with sub-allocations, many are not putting that information in the WHOIS," Flaim told Motherboard.


What this means, according to Flaim, is that agencies end up getting bounced from one ISP to another before they eventually find the right one to start the legal process with: law enforcement don't know exactly who will actually be able to help from the outset.

"Sometimes it may be one layer down, sometimes it can be four, five," Flaim said.

Sub-allocation of IP addresses and unreliable WHOIS information can also allow cybercriminals to hijack blocks of addresses, and send spam.

So the FBI, DEA and RCMP have proposed a solution: each time an ISP sub-allocates some addresses, that is recorded in the WHOIS. This way, agencies won't have to go asking around trying to find the ISP that just happens to have this data. They can just go to whoever is actually handling the respective IP address.

Most of the RIRs declined to comment for this story, but RIPE NCC, which handles IP addresses for Europe, was supportive of the proposed policy.

"The RIPE NCC applauds law enforcement for approaching RIPE and the other Regional Internet Registry (RIR) communities to find a solution to this issue. Accurate WHOIS data is crucial to effective Internet operations as well as criminal investigations," Marco Hogewoning, External Relations Officer, Technical Advisor with the RIPE NCC, told Motherboard in a statement.

According to Flaim, after each of the RIRs hold their spring 2017 meetings, and if the policy is accepted, which may only be slightly different for each region, it could come into effect by the end of next year.