Mohammed Merah, who killed seven people in France last week, was identified through a mix of traditional and online forensics. The case shows that online attribution and identification are possible under a sound Internet governance model, but it also raises a few questions.
On Sunday 11 March a soldier, Imad Ibn Ziaten, was killed in Toulouse. Four days later, on Thursday 15 March, two other soldiers were killed in the same way (a lone man on a black motorbike, and a weapon of the same calibre).
By Friday, the police suspected that Imad Ibn Ziaten had been lured into a trap: Merah had answered the advertisement Ziaten had placed on the French classifieds site LeBonCoin.fr to sell his motorbike.
Obtaining the IP addresses
With a court order (réquisition judiciaire), eight officers from the OCLCTIC (the central office for the fight against cybercrime) asked LeBonCoin.fr for the IP addresses of every visitor to the motorbike ad. By Friday, LeBonCoin had complied and handed the police the 576 IP addresses that had viewed the ad. Web intermediaries are required to keep this information for a year under a decree of 1 March 2011 (transposing the EU Data Retention Directive 2006/24/EC). The request was made easier by the fact that LeBonCoin hosts its services in France (more on that below).
From this we can deduce that the police had access neither to Ziaten's computer nor to his e-mail account, contrary to what The Telegraph had reported. Either would have greatly simplified their work, since e-mails must have been exchanged between Ziaten and his killer to arrange the sale of the motorbike.
From the IPs to the ISPs to the names
The same decree (enacted as part of the fight against terrorism, NOR: JUSD0805748D) also requires Internet service providers (ISPs) to keep a record of which IP address was assigned to which subscriber, and when (logs of the kind generally referred to as call detail records).
Regional Internet Registries, which receive address blocks from IANA, allocate IP addresses to Local Internet Registries (usually ISPs) and the autonomous systems they run. In Europe, the Réseaux IP Européens Network Coordination Centre (RIPE NCC) is responsible for this task. By querying its public database (whois), anyone can link an IP address to the organisation it was allocated to. As a consequence, the police did not have to ask every service provider in France whether it had assigned a given address, which matters when RIPE lists 760 Local Internet Registries able to hand out IP addresses in France. (This is just an assumption: the police might as well have sent the whole batch of addresses to the eight largest French providers and hoped for the best.)
Once the service providers had answered, the police were able to put names to the IP addresses and cross-check them against their list of suspects. Zoulikha Aziri, the name of Merah's mother, was on that list. They had this lead by Sunday but did not manage to establish a formal link between Ziaten (the first victim) and Merah until Tuesday 20 March, one day after a third shooting in which four more people were killed.
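To make the IP-to-provider step concrete, here is an added example (not code from the original article) that parses RIPE-style inetnum records and buckets a list of visitor addresses by the allocation that covers them, so that one request per provider can be drafted. The whois records, netnames, organisation handles and visitor addresses are constructed for illustration (RFC 5737 documentation ranges, fictional organisations); a real run would fetch the records from the RIPE database, for instance with `whois -h whois.ripe.net <address>`, and parse the same fields.

```python
"""Group visitor IP addresses by the RIPE allocation that covers them.

Added example, not part of the original article.  The whois records and the
visitor addresses below are constructed (RFC 5737 documentation ranges,
fictional netnames); a real investigation would fetch records from the RIPE
database (whois -h whois.ripe.net <address>) and parse the same fields.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed RIPE-style inetnum objects (fictional).
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-ISP-A
descr:          Example ISP A, full allocation
org:            ORG-EA1-RIPE
country:        FR

inetnum:        192.0.2.128 - 192.0.2.255
netname:        EXAMPLE-ISP-A-DSL
descr:          Example ISP A, residential DSL pool (assignment inside the allocation above)
org:            ORG-EA1-RIPE
country:        FR

inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-HOSTER-B
descr:          Example hosting company B (servers, VPN exits)
org:            ORG-EB1-RIPE
country:        NL
"""

# Constructed list of addresses that visited the ad.
VISITOR_IPS = ["192.0.2.10", "192.0.2.200", "192.0.2.11", "198.51.100.7", "203.0.113.5"]


def parse_inetnums(text):
    """Parse whois output into (first, last, attributes) tuples, most specific first."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if "inetnum" not in attrs:
            continue
        first, last = (s.strip() for s in attrs["inetnum"].split("-"))
        records.append((ipaddress.ip_address(first), ipaddress.ip_address(last), attrs))
    # Smallest range first, so a nested assignment beats its parent allocation.
    records.sort(key=lambda r: int(r[1]) - int(r[0]))
    return records


def lookup(ip, records):
    """Return the most specific record covering ip, or None if our data has none."""
    addr = ipaddress.ip_address(ip)
    for first, last, attrs in records:
        if first <= addr <= last:
            return attrs
    return None


def group_by_provider(ips, records):
    """Bucket visitor addresses by netname so one request per provider can be drafted."""
    buckets = defaultdict(list)
    for ip in ips:
        attrs = lookup(ip, records)
        buckets[attrs["netname"] if attrs else "UNKNOWN"].append(ip)
    return dict(buckets)


if __name__ == "__main__":
    recs = parse_inetnums(SAMPLE_WHOIS)
    for netname, ips in sorted(group_by_provider(VISITOR_IPS, recs).items()):
        print(f"{netname:20s} {len(ips):3d} address(es): {', '.join(ips)}")
```

Sorting the records smallest-range-first means a customer assignment nested inside a larger LIR allocation wins, which is what you want when the inetnum hierarchy has several levels; addresses the data does not cover land in the UNKNOWN bucket rather than being silently attributed to the nearest neighbour.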
At least two positive lessons about the impact of Internet governance on attribution can be drawn from this case: one concerns data retention, the other sound practices for country-code top-level domains.
Data retention always receives its fair share of criticism from free-speech and privacy advocates. In France, the data retention rules were adopted against a backdrop of increasing surveillance justified by the fear of terrorism. Yet this case shows that data retention can be effective, and that it is not used only in shady, non-public cases by intelligence services. Since piecing the data together to identify one individual is resource intensive (200 police officers at the peak, and 7 million telecommunication records checked), keeping call detail records may not be as serious a breach of privacy as its opponents fear. The police were also lucky in that 1) the service providers answered quickly and were located within French jurisdiction, 2) the criminal was not behind a NAT-type network (with carrier-grade NAT one public address is shared by many subscribers, and the ISP needs the source port and exact timestamp, not just the address, to name one of them), and 3) the criminal was not using any anonymisation service (a proxy, a VPN, onion routing such as Tor, and so on).
Had the ad been placed on eBay, or on any other site run by a company not based in France, would the same procedure have been possible? The rules on call detail records are not limited to services hosted in France, and requests could also have been made through countries that have signed mutual legal assistance treaties with France. On top of that, anyone registering a 'dot fr' domain must have an address in France at which legal proceedings can be served (art. 5 of the Afnic charter). A similar, if longer and more tedious, process could therefore have been followed to retrieve the data, but only because existing mechanisms ensure that attribution is not left to good luck alone.
Yet instead of sifting through 576 IP addresses, the police could simply have retrieved the sender's IP address from the headers of the e-mail that set up the place and time for the sale of the motorbike. That would have required only a court order to access Ziaten's computer, and not much more bureaucracy. (One caveat: the originating address appears in the Received: headers only if the message was submitted from the sender's own connection; mail sent through a webmail interface often shows nothing below the provider's own servers, which then have to be asked in turn.)
Why did this not happen? It would have identified the IP address straight away (provided the e-mail was stored on the computer, or on a server located in France) and would also have formalised the link between Ziaten and Merah, allowing the police to act in time, before the third killing took place.
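As an added example (not code from the original post) of the header check suggested above, the script below parses the Received: headers of a constructed e-mail and walks them in transit order to recover the connecting client's address, trusting only the hops added by relays the investigator trusts. The message, hostnames and addresses (RFC 5737 ranges) are invented; the forged bottom-most header shows why the walk has to start from a trusted relay rather than from the first line, and the two runs at the end show the difference between trusting only the recipient's mail server and trusting the sender's provider as well.

```python
"""Recover the originating IP address from an e-mail's Received: headers.

Added example, not code from the original article.  The message, hostnames
and addresses (RFC 5737 ranges) are constructed.  Each relay prepends its
own Received: line, so the bottom-most is the first hop; anything below the
first hop added by a relay you trust can have been forged by the sender.
"""
import re
from email import message_from_string

SAMPLE_MESSAGE = """\
Return-Path: <buyer@mail-a.example>
Received: from mx.mail-a.example (mx.mail-a.example [198.51.100.25])
    by mx.victim-isp.example (Postfix) with ESMTPS id 4ABC123
    for <seller@victim-isp.example>; Sat, 10 Mar 2012 18:02:11 +0100 (CET)
Received: from [192.0.2.77] (dyn-192-0-2-77.isp-a.example [192.0.2.77])
    by mx.mail-a.example (Postfix) with ESMTPSA id 9DEF456
    for <seller@victim-isp.example>; Sat, 10 Mar 2012 18:02:09 +0100 (CET)
Received: from totally-legit.example ([10.0.0.5])
    by forged-relay.example; Sat, 10 Mar 2012 18:02:08 +0100
From: buyer@mail-a.example
To: seller@victim-isp.example
Subject: moto

Bonjour, je suis interesse par la moto. On se voit demain ?
"""

IPV4_LITERAL = r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"


def received_hops(raw):
    """Received: headers in transit order (first hop first), folding removed."""
    msg = message_from_string(raw)
    # Relays prepend, so the header list is newest-first: reverse it.
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def hop_client_ip(hop):
    """The IP literal the receiving server recorded for the connecting client, if any."""
    m = re.search(r"\bfrom\s.*?" + IPV4_LITERAL, hop)
    return m.group(1) if m else None


def hop_relay(hop):
    """Hostname the receiving server put after 'by'."""
    m = re.search(r"\bby\s+([^\s;]+)", hop)
    return m.group(1) if m else None


def originating_ip(raw, trusted_relays):
    """Client address recorded by the first trusted relay in the chain, else None.

    Hops before that point were added by machines we cannot vouch for, so a
    sender can insert a bogus line there (see the 10.0.0.5 hop in the sample).
    """
    for hop in received_hops(raw):
        if hop_relay(hop) in trusted_relays:
            return hop_client_ip(hop)
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(f"by {hop_relay(hop):25s} client {hop_client_ip(hop)}")
    # Trusting only the victim's own MX yields the sender's provider, not the sender.
    print("trusting victim MX only  :", originating_ip(SAMPLE_MESSAGE, {"mx.victim-isp.example"}))
    # Once the provider's relay is trusted too, the subscriber's own address appears.
    print("trusting provider as well:", originating_ip(SAMPLE_MESSAGE,
          {"mx.victim-isp.example", "mx.mail-a.example"}))
```

With only the recipient's server trusted, the answer is the provider's outgoing relay (198.51.100.25 in the constructed sample), which is exactly the case where a second request, this time to the provider, is still needed; once that provider's hop is trusted, the subscriber's connection address (192.0.2.77) is recovered and can be fed into the RIPE lookup and ISP request described earlier.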