By Alex J. Brown
I was speaking to a friend of mine the other day who is convinced that the entire Internet is housed in one big shed somewhere, which brought to mind the episode of South Park where the Internet is represented by a gigantic Linksys router. And you know what? That’s fine. There are plenty of people who use all sorts of things every day without much knowledge of how they work.
David, Shaun and I had a long discussion the other night about the recent case of Hannah Smith, the 14 year old who took her own life after having received bullying messages via her account on the social networking site Ask.fm. A quote from The Daily Mail, is as follows:
A source at the firm based in Riga, Latvia, said: ‘With the Hannah case, the company have looked at every identity – the [computer] IP addresses are trackable. She posted the anonymous things herself.’
Ask.fm have claimed that the vast majority of these anonymous posts (all but four of them) were sent from Hannah’s own IP address. Shocking, but certainly a claim based on what we can assume is hard evidence. What they have also claimed, though, is that, because the posts have come from her IP address, she was the one that posted them. And it is at this point, dear readers, at which I’d like to begin.
In order to understand this properly, you might need a bit of technical background; an Internet 101, if you will. What follows is an explanation of what an IP address is and how information gets from one part of the Internet to the other. Please also bear in mind that pretty much everything below comes with the caveat of, “It’s a bit more complicated than that…”
What is an IP address? (go to “On with the story” to skip the technical bit)
An IP (Internet Protocol) address is a unique code that points to a specific location on a network. It comprises of four numbers between 0 and 255, separated by dots. For example:192.168.0.1
IPs are interpreted by a computer from left to right in a similar way to us reading a postal address from bottom to top; the most general point comes first, then it keeps going until the last most specific number, which is a bit like a house number.
When you type in an address into your web browser (say, http://www.skeptical.gb.net/) your web browser will translate that into an IP address (in this case, 188.8.131.52). It then uses that to talk directly to the server in question and download the number.
In order to communicate on the Internet, when you turn on your broadband router, it asks your Internet provider for an IP address. Once it has that, it can communicate with other computers which are also connected to the Internet.
Think of the Internet as one big postal service. In the same way that a parcel can get from one place to another on the other side of the world using a postal address, it is possible for a web page to get from the California coast to a cottage in the Cotswolds, passing through maybe hundreds of network devices before it arrives.
Say you wanted to send a letter from here in the UK to an address in Russia. You take it to the Post Office and hand it over. The Post Office then sends your letter to the local sorting office. Now, the sorting office can’t deliver the letter directly to the Russian address – in fact, the workers in the sorting office might not even know how to interpret a Russian address. But because they know that it’s a letter for Russia, all they have to do is pass it to the department which collates all the post for Russia. That department then puts all the post to Russia on a plane. When the plane arrives in Russia, your letter is offloaded and then sorted based on its postcode. Finally, a local sorting office delivers it to the address in Russia.
Now, think of your broadband router as your local Post Office, and your letter as a request packet to download a web page from Russia Today’s website. Your router isn’t connected with one long cable straight to Russia Today’s web server, so it has to find another router somewhere nearby which will be able to forward on your request. In this case it’ll be a router at your Internet Provider. That router might then pass your request on to another router, and then another, each time further along the journey towards its destination. Once the request gets to a Russian router, it is passed on to Russia Today’s Internet Provider, which then passes it on to Russia Today’s own router, and then finally to their web server. And all this happens in a matter of milliseconds.
So, how does each router know where to forward your packet on to? By using its routing table. Based on a proportion of the first half of the destination IP address (where you’re sending the packet to), or sometimes even the whole address, a router can use its routing table to find another nearby router which it thinks will be able to handle your packet.
At home, your public IP address (the one your Internet Provider gives your broadband router) is unique. It can change depending on your Internet Provider, but at any one time it is unique to you. When you go to a web page, the web site you’re accessing will use your IP address to send the web page you’ve requested back to you. Using logs from a web server alongside logs from an Internet Provider of assigned IP addresses, it is possible to work out that someone in your house requested a web page at a certain time.
On with the story
So, Ask.fm are claiming that, because they have the IP address logged against these posts, they have come to the conclusion that Hannah must have written them. On the face of it, it seems convincing enough.
But there’s a complication. Consumer broadband routers use a technology call NAT (Network Address Translation). This allows multiple PCs on a private network to be presented to the world behind a single public IP address.
For example, where I work we have 100 PCs, servers, mobile devices and other bits of network kit, all sitting behind a NAT router. As far as the outside world is concerned, any Internet traffic going into or coming out of our network comes from one IP address. This is done for two reasons. First, it allows private networks to use a range of IP addresses reserved for home use. And second, it makes it harder for a hacker to get to your PC.
This is where Ask.fm’s argument fails.
The only thing that their IP logs show is that their website was accessed by a device in the household, not which device they came from. This opens up a number of possibilites as to where the messages were sent from.
1. A network device inside the house. While this could have been Hannah’s PC, it could also have been any other PC or wireless device, such as a mobile phone or a tablet.
2. On a wireless device very near the house using the Smiths’ WiFi.
3. Something installed on a PC in the house that either allowed the person to remotely control the PC or, more likely, use a PC as a router, forwarding on information as though it had come from the PC itself. As any activity using this method would have been from behind a NAT router, only the public IP address of the router would be visible to the web server at the other end.
Out of these three options, the last one is by far the least likely. It would have to be a very dedicated, particularly tech-savvy and decidedly sadistic bully to have gone to this sort of length to mask their tracks and make it look like the bullying was being done from inside her own house. But considering this does bring up a significant point: it’s not actually possible for Ask.fm to definitively say that the posts even originated from the same physical location, let alone from a specific PC.
The first two seem to me to be the most likely. The commonality between these two is the WiFi. Could someone have hacked their WiFi? Yes, absolutely, although I’d say that it’s unlikely. Although in the past wireless routers were generally left open, nowadays the major ISPs (BT, TalkTalk, Virgin, Sky) all supply their routers with pre-secured WiFi. But would a bully of this sort really take the time to stand outside someone’s house to hack their WiFi? Even for a close neighbour, safely ensconced in their own home but still within reach of their WiFi signal, it seems like too much work. But this could be a simple case of social engineering – someone could have visited the house and simply asked for their wireless key. Not only that, I know that BT’s and Sky’s routers have a colourful sticker with the default wireless key stuck to the bottom. Although it is possible to set your own wireless key, people rarely do. And it really doesn’t take much to find the router in someone’s house and quickly take a photo of the sticker.
A WiFi connection can have a range of 400 feet when unencumbered by other wireless networks or physical obstructions, like walls. But that rarely happens in the suburban jungle – normally there’ll be many wireless networks all jostling for the same small set of frequencies. On my small estate I can see 13 different wireless networks, all from neighbouring houses. Because of all this interference, the range is dramatically reduced – sometimes down to as low as 30 feet. If someone had made these posts from outside the house, they would have to be very close nearby, preferably out in the open.
Strictly speaking, there is an outside possibility that both the Smiths and the bully happen to use the same Internet Provider and, coincidentally, they’ve been given the same IP address at different times. But this is highly unlikely to the point of freakish proportions! A large Internet Provider would have hundreds of thousands of IP addresses ready to be leased to their customers. Also, because most people rarely turn off their broadband routers, an IP address could be held on to for weeks, maybe even months. Some ISPs offer broadband packages with a static IP so that you always get the same IP address, even if you restart your router, but this is definitely the exception rather than the norm. An ISP would have a log of which IP addresses have been assigned to which customer, and when they were assigned.
All this goes to show that, using the IP address along, there really is no way that Ask.fm could say that these definitely all came from the same PC, let alone Hannah’s. In fact, they can’t really even say with certainty that they came from within the same building. So, what could be used alongside an IP address to truly pinpoint a PC?
Although Ask.fm haven’t said as much, it is feasible that they are using other methods to monitor exactly which PC is using their site. For example, they could be using an identification cookie similar to what is used with many Internet advertising networks, not deleted when a user logs off from a site. This would have a randomly generated code, unique to the PC in question.
Another way of differentiating PCs is to look at something called the User Agent. This is a long string of text which includes information such as the type of browser, the type of device (PC, Mac, iPhone, etc), and the type of operating system. This is regularly used by web developers to make sure that a web site is displayed correctly on your device. Although this could be recorded alongside the IP address, it doesn’t always happen. When it is recorded, it can serve to work out whether a series of requests have come from the same device. This, again, isn’t a perfect way to identify a PC — on a larger network it is more likely that there would be multiple PCs with the same setup — but in the average home with a mish-mash of only a few devices, that could help to narrow down the search.
Let me get to the point
So, after going through all the technical bits and bobs, we have to conclude that looking solely at the IP address can’t explain the whole story. That Ask.fm can’t say for certain that Hannah did anonymously post attacking messages on her own account.
In fact, even if they could say with any certainty that the posts came from her PC, there is one thing for sure; they can’t say that it was actually Hannah using the PC when the messages were posted. Or that it was Hannah using any of the network devices connected to that IP address, posting those messages.
It could be a family member, a family friend, a neighbour. I am absolutely not making any accusations. I have absolutely no opinion on who might have posted these bullying messages. I am looking at this from a purely technical point. I know only as much about the family as has been reported in the media. But neither do Ask.fm. And that’s my point.
Of course, if it does turn out that Hannah did post these messages, then that would be incredibly tragic. If this tale is used for anything by the media (and it will be) it should be to raise awareness of teenage mental health issues, a subject which people still seem to dismiss more often than not as growing pains. It certainly shouldn’t be treated as some sort of smear campaign against a clearly troubled teenage girl.
For the Daily Mail, the Mirror and The Sunday Times to all report Ask.fm’s claim that it was definitely Hannah who posted these anonymous, bullying messages on her own page based on the IP address alone is disingenuous.
But you would have thought that just one person at the Daily Mail, or the Mirror, or the Sunday Times, would have had a basic grounding in networking. Because, if they did, unchecked claims such as these wouldn’t be published without the correct context.
And surely a reputable publication like the Daily Mail wouldn’t have ignored evidence? Surely?