An international law enforcement action against a large botnet will set an important legal precedent regarding regional Internet IP address registries. At issue is the extent to which IP address registries can be used as tools of transnational law enforcement.
DNSChanger was a piece of malware that altered the Domain Name System (DNS) settings of computers so that all web page requests coming from those computers would be redirected to nameservers operated by criminals. The illicit DNS nameservers redirected some of their traffic to domains that would generate click-based payments to the perpetrators. DNSChanger is said to have infected about 4 million computers worldwide, and to have generated $14 million in illicit revenues. The Estonia-based group running the scam provoked a complex international, multi-agency investigation, dubbed Operation Ghostclick. The operation culminated in their arrest by Estonian police in early November.
Ghostclick was a truly multi-stakeholder, transnational effort in networked governance, involving the U.S. FBI, the U.S. NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, the National High Tech Crime Unit of the Dutch National Police Agency, Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, University of Alabama at Birmingham, and members of an ad hoc group of experts known as the DNSChanger Working Group (DCWG).
Once the scam had been uncovered and the perps arrested, however, the Ghostclick operation could not simply shut down the nameservers used by the botnet to generate the clickfraud. To do so would have incapacitated millions of innocent users, whose Internet access would cease to function due to a sudden, unexplained inability to resolve domain names. This would have also resulted in a flood of service calls to many hapless ISPs. So the FBI enlisted the Internet Systems Consortium (ISC) to run clean “replacement” nameservers that behaved properly, took over the address blocks used by the botnet’s nameservers, and then assigned those address blocks to ISC’s nameservers. In order to preserve this arrangement, the FBI needed to require the Regional Internet Registries (RIRs), the institutions that allocate and register Internet Protocol address holdings, to put a hold on the address blocks for several months. To effectuate this hold, as well as other actions, it obtained a Protective Order from a U.S. District Court. Judge William Pauley, who issued the Order, made it very clear that it applied to any and every RIR worldwide.
ARIN, the RIR for the North American continent based in Virginia, seems to have cooperated with this U.S.-initiated order without any questions asked, as one might expect from an organization in U.S. jurisdiction. But the European RIR, RIPE-NCC, which is based in Amsterdam, Netherlands, has now sued the two Dutch police units and the Dutch public prosecutor’s office over the ruling. RIPE wants a judge to decide whether they had sufficient legal ground to order the “lock” of the registration information. The order was based on a very generic legal provision from the Dutch Police Law that describes the mandate of the police, something like “defend the rule of law and assist those who need it.”
It has surprised legal experts that the order was based on this generic provision. There seem to be more applicable and specific provisions in the Law on Criminal Procedure. The Dutch Supreme Court has repeatedly struck down orders based on that generic provision in other areas of law enforcement. Only orders that merely implied “a marginal encroachment” on individuals’ rights have been upheld in court. The police will, of course, argue that the “lock” of the registration of the address blocks is indeed only a marginal encroachment on the rights of the defendants and RIPE-NCC.
The Dutch order simply states that RIPE-NCC is to comply with the U.S. court order. The latter treats the address blocks as “forfeitable property.” So not only did the Order come from a foreign jurisdiction but, ironically, RIPE-NCC, which is run by people who insist that IP addresses are not property, was served with a legal order that seems to classify addresses as property.
RIPE-NCC’s news release says, “The RIPE NCC is receiving independent legal advice and is in discussion with the appropriate authorities. It is the intention of the RIPE NCC to pursue this matter further in Dutch court to establish a precedent so that it is certain of its rights regarding such orders. In the interest of transparency, the RIPE NCC is working on full disclosure of the background documents. The RIPE NCC will update the community if and when any other publishable materials become available. The RIPE NCC is committed to acting in the best interest of its membership and will continue to inform the Internet community on this matter as it progresses. The RIPE NCC has not withdrawn, removed or reclaimed the address blocks in question; it has temporarily locked a registration of address blocks.”
Understandably, RIPE-NCC is concerned about the implications of embroiling its address registration functions in policy and governance issues. As IGP warned in a 2008 paper, it was inevitable that RIRs would become the target of those seeking to regulate the Internet, and thus the legal rights concerning forfeitures of address registrations and other types of law enforcement actions must be handled carefully, with an eye toward due process protections and concern for human rights.
The case is especially noteworthy given that it is occurring in the context of the ongoing attempt to add security to routing (i.e., RPKI and S-BGP). In rolling out this security improvement, a major sticking point for RIPE members has been whether the IP address registry issuing the address block certificates could rescind operators’ routing rights by revoking the certificate, perhaps at the request of a law enforcement agency in some distant jurisdiction. In other words, the RPKI debate is exactly about the possibility of linking address registries to routing activity. In a future world, where every address allocation had a resource certificate and secure BGP was widely deployed, law enforcement agencies could, in theory, simply go to the RIR, have the certificate revoked so that the routes associated with that resource would no longer validate, and ISPs would not announce or accept them. The decision in the RIPE-NCC litigation may have some bearing on that possibility.
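To make the revocation mechanism concrete, here is an added example (not code from the original post, nor from any RIR or validator project) of RFC 6811 route origin validation, showing how a route's state changes when the registry revokes the certificate behind its only covering ROA. The ROAs, prefixes (RFC 5737 documentation ranges), ASNs (RFC 5398 documentation range) and certificate serials are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization as it appears in a relying party's validated cache."""
    prefix: str
    max_length: int
    origin_asn: int
    cert_serial: str  # constructed serial of the end-entity certificate that signed the ROA


def validate_route(prefix: str, origin_asn: int, roas, revoked_serials=frozenset()) -> str:
    """RFC 6811 route origin validation: returns 'Valid', 'Invalid' or 'NotFound'.

    A ROA whose signing certificate the registry has revoked (the scenario the text
    describes) drops out of the validated cache, so it is skipped here just as a
    relying-party validator would skip it.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        if roa.cert_serial in revoked_serials:
            continue  # revoked at the RIR: the ROA no longer exists for validators
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one surviving ROA covers this prefix
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    # Covered but no origin/length match -> Invalid; no covering ROA at all -> NotFound.
    return "Invalid" if covered else "NotFound"


# Constructed sample cache: two ROAs signed under two different (hypothetical) certificates.
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496, "serial-A"),
    ROA("203.0.113.0/24", 25, 64497, "serial-B"),
)


def revocation_effect(prefix, origin_asn, roas, serial):
    """Validation state of a route before and after the registry revokes one certificate."""
    before = validate_route(prefix, origin_asn, roas)
    after = validate_route(prefix, origin_asn, roas, frozenset({serial}))
    return before, after


if __name__ == "__main__":
    print(revocation_effect("192.0.2.0/24", 64496, SAMPLE_ROAS, "serial-A"))  # ('Valid', 'NotFound')
    print(validate_route("203.0.113.0/24", 64499, SAMPLE_ROAS))  # Invalid: wrong origin AS
    print(validate_route("203.0.113.0/26", 64497, SAMPLE_ROAS))  # Invalid: longer than maxLength
```

Note the outcome of the revocation: once the only covering ROA disappears the route becomes NotFound rather than Invalid, and many operators still accept NotFound routes. A route is rejected as Invalid only when a surviving ROA covers the prefix with a different origin AS or a shorter maxLength.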
Links to relevant documents:
Victim Notification Order (FBI will notify and provide IP addresses to approximately 32,000 network operators believed to have infected hosts, ISC will collect IP addresses of infected computers querying the replacement DNS servers)