Websites can’t function without them and a user must be allocated one before he or she can begin using the Internet. Without doubt, IP addresses are one of the most important elements underpinning today’s online experience.
While website IP addresses are necessarily public information, IP addresses of individual users are by their very nature a lot more sensitive. Rather than identifying a web server designed to attract traffic, IP addresses operated by regular Internet users are often considered personal information.
Of course, it’s fairly common knowledge that the IP addresses of file-sharers become publicly visible when they enter BitTorrent swarms, for example, but matching those IP addresses to real-life identities is a complex process wrapped up in privacy laws designed to protect the consumer. During the past week, however, it became evident that users of a Scandinavian ISP could be traced back to their real-life identities simply by using their IP address.
Discovered by Norwegian site Dinside, this privacy disaster stems from the software installed on routers supplied by local ISP NextGenTel. By simply entering the IP address of another NextGenTel user into a standard web browser, users were presented with a webpage containing router status information. The page also revealed the telephone number of the user behind the entered IP address.
Armed with a telephone number and a directory site such as 1881.no, all it took was a few clicks to find out the name and address of the person behind not only the telephone number, but also the original IP address.
After being alerted to the issue, NextGenTel took action to fix the security hole by updating the relevant software, but the episode is a shining example of how years of care over personal information can be undone in an instant.
One of Norway’s biggest privacy cases in recent times involved a BitTorrent user who allegedly leaked a hit local movie to The Pirate Bay. Law firm Simonsen had the IP address of the leaker but desperately needed to convert that into a real-life identity in order to pursue legal action. That case went all the way to the Supreme Court when the ISP behind that IP address refused to hand over its customer’s private details.
Needless to say, that lengthy process would have been far easier if the leaker had been a NextGenTel customer. Simonsen could’ve accessed the Internet via NextGenTel, entered the IP address into their web browser, and used the telephone number to reach their target there and then – or called round for a visit, whichever was easier.
In a comment to Dinside, NextGenTel CTO Jørn E. Hodne said his company were taking the matter seriously and were attempting to put things right by fixing software and reporting themselves to the country’s Data Inspectorate.
“We’ve started the [software] update and even reported the matter to the Inspectorate,” Hodne said. “The world we live in is very complex, but this is our responsibility.”