IPv6 and the Future of Privacy

There is an increasing urgency to transition to a new infrastructure for addressing space on the Internet, and in this space all individuals and their devices could be uniquely identifiable by their Internet Protocol (IP) address(es). It is in light of this surveillant future that France’s recent ruling that IP addresses are not personally identifiable information is so serious. Further, it is this longer temporal viewpoint (i.e. not just the here and now) that has more generally worried technologists about governmental rulings that treat the question as a binary ‘yes/no, IP addresses are private information’.

Before I go any further, let me break down what an IP address is, the distinctions between versions 4 (IPv4) and 6 (IPv6), and then get to the heart of the privacy-related issues concerning the transition to IPv6. The technical infrastructure of the ‘net tends to be seen as dreadfully boring but, as is evidenced by the (possible) computer failures of Toyota vehicles, what goes on ‘under the hood’ of the ‘net is of critical importance to understand and think about. It’s my hope that you’ll browse away with concerns and thoughts about the future of privacy in an increasingly connected biodigital world.

An IP address is a number that is assigned to devices that participate in a computer network that uses the Internet Protocol (often as part of the TCP/IP protocol suite) to exchange data between members of the network. Each device on a network is assigned a unique number, which can be metaphorically thought of as the equivalent of a housing address – your IP address is where digital packets of information arrive, and where your own packages originate from. In the contemporary networking environment a house, or business, or particular government department might be assigned a single IP address that has to be shared amongst hosts of computers. In my home alone, there are at least 10 Internet-enabled devices that connect to my wireless and wired network, to say nothing of the dozens, hundreds, or thousands of devices that businesses and government find in their networks. To share that single IP address, routers that assign separate IP addresses to each member of those local area networks (LANs) have been developed. This means that in the local environment (i.e. the home, business, government agency) each computer has a unique number given to it by the router but that, once the data has passed beyond the local environment, data traffic is correlated with the single IP address assigned to the home, business, or agency. Practically all contemporary routers enable this sharing of IP addresses.[1]

It’s in light of this widespread ‘sharing’ of IP addresses that the present IP addressing system has remained operable. I won’t bore you with the details, but there is a finite number of overall addresses that can be assigned to homes, businesses, and agencies, and we’re rapidly running out of those addresses. The absolute, precise date of when the present IPv4 system will run out of IP addresses is subject to debate: if I link to anything, then the various technical folk who read this will immediately write to me telling me I’m off by X days/months/years. In lieu of linking to a specific number, I’m going to say that in the next few years the IPv4 address space is likely to have been used up. Think of this as the equivalent of a real estate developer always extending beyond the city core, always extending the suburbs, until eventually the various cities’ suburbs start running into each other. Efforts to ‘build upwards’ are the rough equivalent of building apartment buildings and other high rises, where such building projects correlate with the deployment of LANs that see the mass sharing of particular IP addresses.

What does it mean to shift from the present addressing system (IPv4) to the ‘new’ system (IPv6)? To begin, it means that there is a lot more IP real estate; whereas IPv4 offers roughly 4.3 billion addresses, IPv6 provides 340 trillion trillion trillion (!) unique addresses. One can quickly appreciate the numerical difference. More significantly, it means that the system of LANs that we have today will no longer be required because of IP address scarcity. Each of the Internet-enabled devices in my home could have its own IPv6 address – there is no real need to route all the data through a single IP address that is provided by my ISP.

In a situation where all Internet-enabled devices have a constant address, the regular refrain “we don’t know whose IP address we’re monitoring; it is possible that a set of users are sharing the same address!” is quickly disabused. With a persistent IP address, depending on the degree of algorithmic surveillance, it is possible to develop very, very good understandings of who is presumably the agent ‘using’ the IP address. Similar to how marketers can figure out who you are with very little information, advertising companies such as Doubleclick are in a comparable situation to develop very detailed, very personal accounts of the individuals that regularly use Internet-enabled devices.[2] In a situation where all devices have unique IP addresses, this could facilitate more accurate advertising (read: better targeted and more invasive), and government agencies and ISPs alike could more accurately identify and track particular users online.

If this sounds like a kind of ‘privacy Chernobyl’ that puts issues like Facebook’s Beacon and Google’s Buzz to shame, you would be in good (?) company: journalists have been warning of the dangers of IPv6 since Bill Frezza’s 1999 piece “Where’s All the Outrage about IPv6 Privacy?”

Fortunately, the good engineers that develop Internet Protocols were aware of the potentially devastating consequences that static IP addresses for each device would have on anonymity online and, as a result, privacy. The Internet Protocol next generation (IPng) working group crafted a solution that involved creating:

pseudorandom interface identifiers and temporary addresses using an algorithm … The temporary address would not derive from a completely random generation process, which might result in two computers generating the same number, but instead would produce a temporary pseudo-random sequence dependent on both the globally unique serial number and a random component. The number would be globally unique because it would derive from the interface identifier and from the history of previously generated addresses, but would be difficult for an external node to reverse engineer to determine the source computer. [3]

In layman’s terms, this means that the engineers responsible for IPv6 were mindful of the surveillance capacities of the new Internet Protocol, and built privacy into a system that would otherwise lend itself to surveillance and authoritarian tendencies. The catch, however, is that it requires the parties responsible for assigning IP addresses to participate in the pseudo-anonymization process itself: it’s possible for ISPs to forcibly assign a particular address to each and every device on their network.
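The following is an added example, not part of the original post or of the quoted book. It assumes the quoted passage describes the temporary-address procedure standardized in RFC 3041 and RFC 4941 (the post does not name an RFC), and contrasts it with an identifier derived directly from the hardware address; the MAC address and the 2001:db8 documentation prefixes are constructed sample values.

```python
import hashlib
import ipaddress
import os


def eui64_iid(mac: str) -> bytes:
    """Stable 64-bit interface identifier derived from a MAC (modified EUI-64)."""
    b = bytes.fromhex(mac.replace(":", ""))
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def next_temporary_iid(history: bytes, stable_iid: bytes):
    """One iteration of the RFC 4941-style generator (assumed mapping).

    Returns (temporary identifier, history value for the next iteration).
    """
    digest = hashlib.md5(history + stable_iid).digest()
    # Leftmost 64 bits become the identifier; clear the universal/local bit
    # so it is marked as not globally unique.
    iid = bytes([digest[0] & 0xFD]) + digest[1:8]
    # Rightmost 64 bits are kept as the history of previous generations.
    return iid, digest[8:]


def address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 network prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def demo():
    mac = "00:1a:2b:3c:4d:5e"                      # constructed sample MAC
    home, cafe = "2001:db8:a::/64", "2001:db8:b::/64"  # documentation prefixes
    stable = eui64_iid(mac)
    # The MAC-derived identifier follows the device from network to network.
    stable_addrs = [address(p, stable) for p in (home, cafe)]
    # Temporary identifiers change on every regeneration, even on one network.
    history = os.urandom(8)                        # the random component
    temps = []
    for _ in range(3):
        iid, history = next_temporary_iid(history, stable)
        temps.append(address(home, iid))
    return stable_addrs, temps


if __name__ == "__main__":
    stable_addrs, temps = demo()
    print("stable:   ", *stable_addrs)
    print("temporary:", *temps)
```

The low 64 bits of both stable addresses are identical, which is what lets an observer link the device across networks; the temporary addresses share only the network prefix.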

(Before advancing any further I should note that I don’t know that ISPs have any such intentions: the following is ‘academic’, or theoretical, work.)

One might ask: “Chris, why would my ISP want to assign particular IP addresses to each device, instead of permitting pseudo-anonymization? Are ISPs privacy-haters?” No, person that I’m pretending to respond to, I’m not suggesting that ISPs hate privacy, but instead that ISPs are in love with following the law.

In Canada, we’re looking at the re-re-re-introduction of lawful access legislation and associated electronic surveillance legislation. Presently, law enforcement claims they regularly run into challenges with monitoring presumed-criminals’ digital communications. In a domain where all devices are IP-enabled and have unique IP-addresses that are assigned by an IP provisioning body, such as an ISP, a license to wiretap a particular address would let law enforcement monitor when a particular device was engaged in the exchange of digital packets, regardless of whether the packets themselves were encrypted. The distinction between the IPv4 and IPv6 world: in an IPv4 world you can’t distinguish between users that share a common IP address (or so claims are made) as precisely as a judge might demand. IPv6 remedies this ‘worry’.

It’s a combination of the possibility to forcibly assign an IP address alongside the strong (governmental) security initiatives to ‘protect and secure’ the Internet that makes me claim that IP addresses could soon be very, very important from a privacy and security position. While the next generation protocol has reasonable privacy protections built in, various academic scholars (and, unofficially, several of Canada’s privacy commissioners) suggest that the ‘security institutions’ are better at dissolving privacy protections than the privacy community is at enshrining privacy in law. Especially worrying in the case noted at the top of this post is that France – a member of the EU – is arguing that IP addresses shouldn’t be considered personally identifiable information. The EU is recognized as imposing privacy protections on the rest of the world, and thus if France’s decision is upheld then the EU would be seen as ‘pushing’ the position that IP addresses are not personally identifiable information. While this position might be tenable in an IPv4 world, in an IPv6 world that sees security lobbies advocate for relatively static IP addresses the privacy of individuals would be significantly put at risk.

Maybe this is just doomsday talk – perhaps the security lobbies will avoid pushing for assigned IPv6 addresses, and demand that the full privacy protections of the IPv6 protocol are implemented. Unfortunately, as witnessed in Newman’s Protectors of Privacy and Ross’ 2009 piece “Privacy in the Digital Age: States, Private Actors, and Hybrid Arrangement,” the digital era’s privacy provisions are being rapidly eroded in a post-9/11 world. Unless there is a substantial change, unless privacy protections are genuinely entrenched in law with a strong civic commitment to privacy, unless IP addresses are recognized as always potentially personally identifiable information (at a minimum), then IP addresses are going to matter a whole lot more to security and marketing groups than they already do. And when marketers are interested in particular information, you can be sure that it’s not curiosity, but because they can leverage it to invade our minds and track our actions.

************

[1] Yes, businesses and government agencies may have multiple IP addresses assigned to them. I’ve intentionally simplified things for the purposes of analytic and metaphoric clarity.

[2] Phillips and Curry have a particularly good piece, titled “Privacy and the phenetic urge: geodemographics and the changing spatiality of local practice” in Surveillance as Social Sorting that outlines marketers’ capacity to draw detailed temporal-geographic patterns of mobilities.

[3] From Laura DeNardis’ Protocol Politics: The Globalization of Internet Governance

Christopher Parsons

Managing Director of Telecom Transparency Project at Citizen Lab
I’m a Postdoctoral Fellow and Managing Director of the Telecom Transparency Project at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto. I'm also a Principal at Block G Privacy and Security Consulting. My research interests focus on how privacy (particularly informational privacy, expressive privacy and accessibility privacy) is affected by digitally mediated surveillance and the normative implications that such surveillance has in (and on) contemporary Western political systems. I’m currently attending to a particular set of technologies that facilitate digitally mediated surveillance, including Deep Packet Inspection (DPI), behavioral advertising, and mobile device security. I try to think through how these technologies influence citizens in their decisions to openly express themselves or to engage in self-censoring behavior on a regular basis.