Recent discussions in the community have suggested there is ongoing “misuse” of the IPv4 transfer market – an assertion apparently being driven by the fact that some participants receive Internet number resources via the market and then use the resources to engage in criminal or otherwise unlawful activity. However, it is not clear that the occurrence of these criminal activities is attributable to any actual misuse of the Internet number registry system, and ascribing these acts to “misuse” of the Internet number registry system makes no more sense than considering them the consequence of network equipment suppliers or the electric power industry.
It requires a fundamental misunderstanding of responsibilities in the Internet number registry system to categorize valid transfers as “misuse”, and it appears to stem from confusion about the role that the registry system (and Regional Internet Registries “RIRs”) serves in inter-provider coordination. This article will explore the issue of criminal activity in more detail and hopefully help clarify some possible paths forward for addressing the growing issue of network abuse.
Properly allocating and transferring Internet number resources does not, by itself, stop the ability of the recipient of those resources from using them in criminal activity in violation of national laws. If prosecuted, and judgements are obtained, ARIN’s Registration Services Agreement, to which all recipients in the ARIN region must agree, permits ARIN to follow such orders and revoke the resources. Preventing improper criminal use of number resources is not the registry’s primary duty, since ARIN, as an RIR, lacks the subpoena power to investigate, and legal authority to prosecute, such crimes. The inappropriate use of Internet number resources to conduct illegal activities continues. Inappropriate use is not a new problem and has been an issue since the beginning of the Internet, though there are some marked differences about this problem today:
- The ever-increasing number of new users on the Internet together with the rapidly increasing number of new online applications and services has created an environment that is easy to exploit for those individuals who are willing to conduct illegal acts for financial or malicious purposes. As a result, spam is prevalent, as is network abuse, and illegal activity online continues to grow.
- The methods for obtaining IP address space have changed. The Internet number registry system has advanced and evolved its delivery mechanisms in several ways over the last ten years. We have seen an increase in IPv6 registration activity as well as the number of organizations using autonomous system numbers. In the IPv4 protocol, we have transitioned from an available pool of previously unregistered blocks to a system of transferring previously registered blocks using registry policies brought on by the depletion of the IPv4 address space unregistered pool. Together with that change, we have seen a significant reduction in needs-based requirements in the policies set by the community, which in turn makes it far easier for organizations new to the Internet number registry system to qualify for blocks of IPv4 address space. Unfortunately, some of these new organizations may be operated by bad actors on the Internet.
Fortunately, law enforcement agencies are paying attention. The problem of bad actors on the Internet has shifted from monitoring traditional issues such as spam and various identity theft crimes to investigating ever more complex issues including continued elaborate phishing schemes that lead to financial theft or corporate intellectual property crimes. Acts of criminality and/or espionage conducted by state actors on the Internet continue to grow. Law enforcement agencies at the local and national levels have seen crime increasingly shift from the traditional in-person environment to now include the online environment. These agencies have made needed adjustments over the years to adapt to the online environment and now appear to be accelerating those adjustments to aid their enforcement activities.
Furthermore, change of authority requests, or transfers, are heavily scrutinized at ARIN. They receive multiple levels of review, to include management and legal staff, prior to approval of the request. All transfer requests are reviewed to ensure the entity acting as the source of the transfer is the correct organization, or legal successor, that holds the registration rights. This verification is conducted using many different tools, including public court records, bankruptcy documents, Securities and Exchange Commission records, and other sources. Careful due diligence and great care is given to verify an organization is the original legal entity, and not a recently registered entity with the same organization name. In addition, we require copies of fully executed legal documentation for any transactions related to the conveyance of assets tied to the transfer of registration rights. Any request that does not meet our due diligence tests or comply with community-developed policy is denied and subject to revocation. In some cases, our findings are referred to law enforcement authorities.
ARIN implements and enforces the policies set by our community to manage the registration of Internet number resources. When we discover activity that does not comply with community established policy, or observe clear acts of fraud against the registry, we take action that is appropriate for a registry. This includes suspending service, denying requests for resources, and when appropriate, the revocation of resources. Incidents of fraud against the registry are reported to law enforcement agencies in circumstances of suspected criminal conduct. We also cooperate with law enforcement and courts when they make inquiries about registration activity. More information about ARIN’s ongoing cooperation with law enforcement agencies can be found on our website.
(You can find information about a recent example of ARIN’s cooperation with law enforcement from one of our blog entries published in 2019.)
It is the inherent responsibility of network operators to know their customers and how their networks are being used, particularly since the legality of network usage can vary significantly over time. Ultimately, ARIN does not operate, control, or monitor the networks that use the IP addresses registered in our public Whois database, and it is not our role to act as a law enforcement agency regarding parties who are suspected of committing crimes on the Internet. If you suspect criminal activity on the Internet, we suggest that you reach out to the appropriate law enforcement agencies in those cases, as legal prosecution of criminal acts provides far more meaningful deterrence to future incidents than simply blocking traffic from specific Internet identifiers. As noted above, an accurate Internet number registry system can provide information that aids the enforcement of laws, but that is a distinct role for law enforcement itself.
That being said, if you are aware of any violations of Internet number resource policy or of fraud specifically committed upon the ARIN registry, we would like to hear from you. You can find more information on that topic on our page dedicated to abuse.
ARIN’s focus is to maintain accuracy and accountability in its database and service offerings. While there will always be those that seek to circumvent or abuse the registry for criminal or nefarious purposes, the community-developed policies continue to evolve to address the ever-changing online landscape. The community’s ongoing work regarding transfer policies has created an environment that supports a much higher degree of accuracy and accountability in transferred registry entries than if there had been no policies at all. As part of the Internet number registry system, ARIN’s role is administering unique Internet number resources to help keep the Internet running, and having effective transfer policies improves overall availability and helps fulfill this important role in inter-provider cooperation.