Hermes Center demands investigation of NAT-related data retention
On 27 March 2018, EDRi member Hermes Center for Transparency and Digital Human Rights filed a request with the Italian Data Protection Authority (DPA) to investigate on the widespread practice of logging Network Address Translations (NAT) by most of the telecommunication operators.
To better understand the issue, we must first study, from a technical point of view, the operation and allocation of IP addresses by telecommunications companies, in particular, the practice of Carrier-Grade NAT (CGN), an approach used by telecommunications companies – and especially mobile operators – to manage the allocation of IPv4 addresses. Due to the shortage of available IPv4 addresses, it has become necessary to assign private IP addresses to customers, and then translate them into public IP addresses through a NAT procedure performed by devices connected to the internet operator network. In this way, a single public IP address can shield several private IP addresses: the direct identification of the unequivocal user that on “that day and at that time” was assigned to that internet identifier — similar to telephone numbers identification — is more difficult.
According to the statements of law enforcement authorities (LEA), this practice complicates the operations of identification of those who commit crimes because, given a public IP address, there may be dozens of different users. A practice widely used by telecommunication operators to deal with requests for identification by the judicial authority is that of recording and storing all NAT operations between private IP addresses of its customers and public IP addresses: like this, all the connections of the various IP addresses to the internet are recorded.
The Hermes Center demanded that the Italian Data Protection Authority perform a timely verification and inspection of all the main mobile and fixed operators in relation to the practices of data collection of internet traffic, publicly reporting the results, to verify which is the information collected for the purpose of providing compulsory services to the judicial authorities.
A recently introduced Italian law on data retention has extended the retention time period by telecoms providers by up to six years. This data retention concerns both phone traffic and internet connections and clearly goes against the European data retention principles.
On 13 October 2017, Europol and the Estonian Presidency of Council of European Union organised a workshop with 35 policy-makers and law enforcement officials from all around Europe, in order to discuss the “increasing problem of non-crime attribution associated with the widespread use of Carrier Grade Network Address Translation (CGN) technologies by companies that provide access to the internet”.
The Hermes Center filed a Freedom of Information (FOI) request to Europol and the documents are available here: https://www.documentcloud.org/public/search/projectid:37909-Carrier-Grade-NAT-workshop-by-EUROPOL. In Italy, the Hermes Center has appealed to the Data Protection Authority, asking for inspection across all telecommunication operators in order to verify in great details which are the exact information elements logged to comply with data retention laws.
Italy extends data retention to six years (29.11.2017)
Europol’s FOIA on data retention with carrier grade NAT (22.01.2018)
Documents related to the Hermes Center’s FOI request to Europol
(Contribution by Riccardo Coluccini, EDRi-member Hermes Center for Transparency and Digital Human Rights, Italy)