The Interception of Communications Commissioner (IOCCO), Sir Stanley Burnton, has warned that police and security services are getting IP addresses wrong in their investigations too often, leading to the wrong people being accused of serious crimes.
The Commissioner made the claim in the organisation's final annual report before its functions are merged with the Investigatory Powers Commissioner.
Inaccurate IP address resolutions by the authorities conducting investigations into crimes, particularly those involving child abuse, "are far more common than is acceptable", Burnton told Prime Minister Theresa May in an open letter accompanying the report. As a result, the last annual report from the organisation included a whole chapter covering the issue.
He added that the impact on people falsely accused by the authorities had been "appalling".
In the report, he added: "I am concerned by the increasing number of errors that occur when public authorities try to resolve IP addresses. These have resulted in the wrong people being arrested for extremely serious crimes."
A combination of dynamically assigned IP addresses and big variations in time-stamping online makes resolving IP addresses a challenging issue in its own right - but often, police forces simply transcribe the wrong IP addresses, either in investigation or when information is passed on, or make other elementary mistakes.
That was the case for Nigel Lang, a youth worker wrongly accused of downloading images of child exploitation when Hertfordshire Police noted down the wrong IP address and passed it on to South Yorkshire Police. The police initially denied any wrongdoing and were only compelled to confess when Lang's solicitors teased the information out of them. Lang was awarded £60,000 compensation, but has been unemployed ever since.
Furthermore, when images of child abuse are involved, social services will typically swing into action before someone is even charged and, the Commissioner implies, may not backtrack if the information is proved to be false.
"People have been arrested for crimes relating to child sexual exploitation. Their children have been taken into care, and they have had to tell their employers. On confirmation of the error, all the power of the state, which comes into force to protect children, needs to be turned around and switched off."
Startlingly, perhaps, the Commissioner indicated that the authorities typically circumvent the normal checks they would undertake when they uncover what they believe to be evidence of online child abuse at addresses where children live.
"Public authorities are understandably unwilling to take the risk of exposing children to paedophiles. As a result, where an IP address resolution shows a property at which children are living, some of the usual investigative work, which would corroborate the resolution but takes time, is not always done before executive action is taken.
"There needs to be a change of mindset away from the assumption that technical intelligence, such as an IP address resolution, is always correct."
The report references a number of cases where the wrong dates were supplied in an application to an internet service provider, meaning that the wrong IP address was identified and the wrong address raided by police. In addition:
- IP addresses being mis-heard or mis-stated during an urgent oral application;
- IP address numbers transposed;
- Failures to take account of time zones in date/time stamps;
- Failures to convert from US month-day date formats to UK day-month date formats;
- A misinterpretation of communications data; and,
- Incorrect house numbers entered when setting up account details.
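To show how the date-format and time-zone failures in this list change the outcome, here is an added example (not from the report or this article) that resolves one timestamp, exactly as written, against a dynamic-IP lease history under each plausible reading. The lease records, subscriber labels and the address 203.0.113.7 are constructed, and fixed UTC offsets stand in for the source system's time zone.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)

# Constructed lease history for one dynamically assigned address (all times UTC).
LEASES = [
    ("203.0.113.7", _t("2017-03-04 18:00"), _t("2017-03-05 06:00"), "subscriber-A"),
    ("203.0.113.7", _t("2017-03-05 06:00"), _t("2017-03-06 00:00"), "subscriber-B"),
    ("203.0.113.7", _t("2017-04-03 12:00"), _t("2017-04-04 12:00"), "subscriber-C"),
]

def readings(stamp):
    """Every valid reading of a numeric stamp: day-first (UK) and month-first (US)."""
    out = {}
    for label, fmt in (("UK d/m", "%d/%m/%Y %H:%M"), ("US m/d", "%m/%d/%Y %H:%M")):
        try:
            out[label] = datetime.strptime(stamp, fmt)
        except ValueError:
            pass  # e.g. "25/04/2017" has no month-first reading
    return out

def resolve(ip, when_utc):
    """Subscriber holding `ip` at an exact UTC instant, or None if no lease matches."""
    for lease_ip, start, end, who in LEASES:
        if lease_ip == ip and start <= when_utc < end:
            return who
    return None

def candidates(ip, stamp, utc_offsets_hours):
    """Resolve the stamp under every plausible date format and source UTC offset."""
    found = {}
    for label, naive in readings(stamp).items():
        for off in utc_offsets_hours:
            local = naive.replace(tzinfo=timezone(timedelta(hours=off)))
            found[(label, off)] = resolve(ip, local.astimezone(UTC))
    return found

def needs_corroboration(ip, stamp, utc_offsets_hours):
    """True when the request as written does not pin down exactly one subscriber."""
    hits = set(candidates(ip, stamp, utc_offsets_hours).values())
    return len(hits) != 1 or None in hits

if __name__ == "__main__":
    for key, who in candidates("203.0.113.7", "03/04/2017 23:30", [0, -8]).items():
        print(key, "->", who)
```

With the stamp "03/04/2017 23:30" and no stated format or zone, the same address resolves to three different subscribers, which is why a request should carry an unambiguous ISO 8601 timestamp with an explicit UTC offset.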
In addition, in one case it was the communications service provider (CSP) that was at fault: "Following a system upgrade, a CSP noticed that it had been providing incorrect data to public authorities from its previous system."
In response to this catalogue of serious errors, the Commissioner has made a number of recommendations, including making it easier for police forces to copy-paste critical information and transfer it electronically, rather than relying on human transcription, and making it easier for those charged with processing applications to check the source of the information on which an application might be based.
In addition, the Kent Internet Risk Assessment Tool (KIRAT), originally developed by Kent Police, has also been further developed and adopted by other police forces. It is now part of an EU project called Fighting International Paedophilia, but the Commissioner believes it, and other tools, need to be more widely adopted.
"Errors are still occurring in part due to lack of awareness of the availability of systems and other processes that will help avoid them," the Commissioner concluded.
He added: "Ultimately, there remains every likelihood that more innocent people will suffer a catastrophic event similar to Mr Lang's experience… I [have] put public authorities on notice that I am unhappy about the number of these errors, and that I would have no hesitation in using my powers of notification to enable victims to make applications to the Investigatory Powers Tribunal."
Burnton did note, though, that the rate of errors identified by his organisation was relatively low at 0.004 per cent.