Original Articles

The long way from electronic traces to electronic evidence

Pages 173-183 | Published online: 22 Jan 2007

Abstract

Generally, traces of Internet communications established by a citizen's computer are routinely recorded on and dated by Internet servers in so‐called ‘log files’. Since the correct dating of the electronic offence is crucial for the potential identification of the author, convincing traces need to be date‐ and time‐stamped by a Trusted Third Party (TTP). Such a time stamp gives no assurance about the correctness of the data and dates collected; it only proves that the traffic data were in a given state at a given date and time. If the Internet Provider (IP) address appears to be one used by the company, it is foreseeable that the system administrator within the company will be able to identify the computer owning a particular IP address. In other cases, only law enforcement agencies, in the circumstances and under the conditions required by the law, are entitled to identify, with the help of Internet Access Providers (IAPs), the communication line suspected to have been used behind a given IP address. Putting together the traces left at the IAP side and in the log files of the attacked server site may lead, in the best cases, to an identified communication terminal. Nevertheless, in many cases, this will not be a formal authentication of a wrongdoer.

Notes

Correspondence: Jean‐Marc Dinant, Centre de Recherches Informatique et Droit, 5 Rempart de la Vierge, 5000 Namur, Belgium. E‐mail: jean‐[email protected]

From a legal view, the data controller is not the ‘owner’ of the data.

‘Expert judiciaire’.

The HTTP request made to get this logfile will, of course, not appear in this logfile, because the status of a transaction can only be written in a logfile by the HTTP server when the transaction has been completed (or aborted).

‘Huissier de justice’ in Belgium.

Internet X.509 Public Key Infrastructure Time‐Stamp Protocol. In this document, we will use the term TSP. This protocol can be downloaded from http://www.ietf.org/rfc/rfc3161.txt?number=3161.

Within this paper, the wording ‘Internet’ means the use of an IP network linked to the world and embraces both the Intranet as well as the Internet. This remark is important when knowing that a substantial number of electronic offences originate from the local networks of companies.

Typically, hackers will run a Telnet session with malicious scripts on a Unix/Linux computer or use a character‐based browser like Lynx or Wget.

In order to obtain a connection, the individual has to conclude a contract and give his/her name, address and other personal data. Typically the user will receive a user identification name (UserId, which may be a pseudonym) and a password so that nobody else can use his/her subscription. The authentication process during this online subscription is usually very weak, i.e. the subscriber can give a false name and a false address. The use of the telecommunication line leaves traces at the telecommunication operator side, which are always linked to a particular phone line (except for a mobile phone used with an anonymous prepaid card).

Of course the duration of this period is at the heart of a debate between privacy advocates and law enforcement agencies. It seems that the legal delay may range from three months to a year or two.

Just after having written this sentence, I have learned, by using personal and confidential contacts, that some IAPs are in fact storing the IP addresses contacted and the protocol used.

See note 7.

That is the best practice. Unfortunately, it has to be underlined that the IAP has no concrete interest in doing so. On the one hand, if an IP packet with a forged IP address escapes from their network, they may be quite sure that the police will not be able to find the origin of the packet. On the other hand, a machine issuing such packets will not cause harmful damage to the IAP's network.

Dynamic Host Configuration Protocol. IP addresses may be attributed on a first‐come, first‐served basis or on the basis of the MAC address, i.e. a serial number of the Ethernet LAN card that is sent in the header of each Ethernet packet on the LAN. This serial number is normally not routed outside a LAN.

The Medium Access Control number is a serial number, unique at the world level, that is transmitted in the Ethernet frames. Ethernet is the standard, low‐level protocol widely used to set up LANs.

Namely anonymizing services like www.zeroknowledge.com.

By default, many proxy servers add the field ‘VIA’ followed by the IP address in the HTTP header of the request. This is done for compliance with point 14.45 of the HTTP 1.1 specification, as published by the W3C (see http://www.w3.org/Protocols/rfc2616/rfc2616.txt). Of course, anonymous HTTP‐Proxies will normally not send such data.

A robust, free web server downloadable from http://httpd.apache.org.

While the IP address is directly recordable, the corresponding domain name of the visitor is not sent during an HTTP communication. It is possible for a web server to do a reverse DNS lookup, but it is widely considered inadvisable to run such a lookup automatically, because each request consumes a significant amount of resources from the network as a whole. See the notice in the configuration file of Apache: ‘HostnameLookups Off; the default is off because it'd be overall better for the net if people had to knowingly turn this feature on, since enabling it means that each client request will result in AT LEAST one lookup request to the name server’.

A full view of what a browser is chattering can be seen on a web page that the author has written: http://www.droit.fundp.ac.be/crid/privacy/WhatIknow.htm. It can be live tested by the reader of this document. A similar tool has been developed by the CNIL in France (http://www.cnil.fr/traces/index.htm).

Slight differences can be found among various browsers. In some cases, depending on the browser brand, version and type, the browser chattering can be minimised by the user.

The exact URL on which the netizen has just clicked in order to download the current page. The URL generally contains the keywords typed into a search engine if the current page has been found using a search engine.

Part of the HTTP protocol (http://www.w3.org/Protocols/rfc2616/rfc2616‐sec10.html). Code 200 OK means that the page has been found and correctly sent. Code 404 means that the page has not been found, etc.
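The notes above describe the traces an HTTP server keeps per request (client IP, status code, Referer with any search keywords, User‐Agent). As an added example, not code from the paper or from Apache, the following parser reads Apache ‘combined’ format lines and extracts exactly those fields; the log lines are constructed for this example, and the Referer query‐parameter names are an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format: IP, ident, user, [time], "request", status,
# size, "Referer", "User-Agent". The IP is the only identity trace recorded;
# the host name is not (HostnameLookups Off).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def search_keywords(referer: str):
    """Return the words typed into a search engine if the Referer carries them."""
    query = parse_qs(urlparse(referer).query)
    for key in ("q", "p", "query"):  # common search parameter names (assumption)
        if key in query:
            return query[key][0].split()
    return []

def parse_line(line: str):
    """Parse one log line into a dict, or None if the line is malformed.

    A malformed line is returned as None rather than repaired: the examiner
    should see the raw record, not a guess."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])  # 200 OK, 404 Not Found, ...
    rec["keywords"] = search_keywords(rec["referer"]) if rec["referer"] != "-" else []
    return rec

def character_based_clients(records):
    """IPs whose requests came from Lynx or Wget (see the note on such browsers)."""
    return sorted({r["ip"] for r in records
                   if r and r["agent"].startswith(("Lynx", "Wget"))})

SAMPLE = [  # constructed log lines, not real traffic
    '192.0.2.10 - - [22/Jan/2007:10:00:00 +0100] "GET /crid/privacy/WhatIknow.htm HTTP/1.1" '
    '200 5120 "http://search.example/?q=browser+chattering" "Mozilla/5.0"',
    '192.0.2.11 - - [22/Jan/2007:10:00:07 +0100] "GET /admin/ HTTP/1.0" 404 0 "-" "Lynx/2.8.5"',
    "garbled line that does not match the format",
]

if __name__ == "__main__":
    records = [parse_line(l) for l in SAMPLE]
    for r in records:
        print(r and (r["ip"], r["status"], r["keywords"], r["agent"]))
    print(character_based_clients(records))  # ['192.0.2.11']
```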

This is a reason why time stamping by a TTP can be appreciated.

http://www.ripe.net/perl/whois.

This is not only the personal opinion of the author but also the opinion expressed during two interviews conducted by CTOSE.

‘Write Once, Read Many’. Typically it will be a non‐rewritable CD‐ROM (CD‐R type).

As specified in the TSP developed by the IETF cited above (http://www.ietf.org/rfc/rfc3161.txt?number=3161, points 2.1.6 and 2.1.7): ‘The Time Stamping Authority is required to only time‐stamp a hash representation of the datum, i.e. a data imprint associated with a one‐way collision resistant hash‐function uniquely identified by an OID (note of the Author: OID = Object IDentifier) [and] to examine the OID of the one‐way collision resistant hash‐function and to verify that the hash value length is consistent with the hash algorithm’.

A joint project of the International Association of Chiefs of Police and the United States Secret Service available on http://www.secretservice.gov/electronic_evidence.shtml.

Additional information

Notes on contributors

Jean‐Marc Dinant

