The need to Standardize Internet Services through CyberLaw

As we manage daily ISP services for our customers, we are sometime affraid of something. What? Our IP addresses can be used for criminal activities. And, it just happened.

As we focus on providing the internet bandwitdh for corporate, we do not deal with retail customer. However, at the end corporate customer is sometime a customer that give access to the public. Say for example Warnet (CyberCafe). The chain is: the Internet, we (as the ISP), Warnet, and the end user (the customer of the Warnet).

Now, suppose, the end user of a Warnet conduct a criminal act (such as carding), then a big problem may arise. The victim of the carding act would trace the transaction by the IP address used in the e-commerce transaction. It is very normal for every e-commerce provider to log every transaction. So, the victim would observe the transaction log, then find the IP address used in the transaction.

There is a database in the internet regarding who own the IP address. However, this database is not so granular, in which it is sometime (and most of the time) pointing to the ISP (not the customer's of the ISP that uses it). Having information the police or the victim then can request to the ISP regarding who is the customer of that ISP that use the IP address.

Now here is the problem. The ISP is absolutely able to inform the police or the victim regarding the detailed information of the IP address in question. There are 2 possible usage of the IP in question, namely:
1. The IP address in question is given to a corporate, or
2. The IP address in question is being used by the ISP itself for shared services (such as email service).

In the case of 1, the police or the victim can chase the corporate and ask for more information. In the case of 2, the ISP can provide the information to the police rot the victim, regarding more information on the IP in question (for example: is it used for an email server?, etc).

The police or the victim may simply think that data traffic is similar to data traffic. In which all the operators (the ISP, the Warnet, or the corporate) that are providing services to the end user must be having a complete CDR (Call Data Record). This is the problem. In the data world there exist some technology limitation that make the tracking down of the perpertrator no easy. Say NAT (Network Address Translation), or PAT (Port Address Translation). Using this technology, one IP address can be used for almost unlimited number of users. Imagine one public IP address is used by 200 employees in a corporate. Then, how to track down who is the perpetrator out of this 200 people? It's hard to tell.

The bottom line is to chase the perpetrator. How to do that? The simple way is that for every service whoever uses the Internet must at minimum provide a logging system. What are the internet services? Some of which are the following:
1. DNS Service
2. Email Services
3. Web Hosting Services
4. NAT/PAT Services

Now not all of the application to provide the abovementioned services have their own logging systems. So, there is a technology limitation for this. The second problem is that, if the provider must provide logging system this may lead to two problems: (i) investment issue (cost would be significant), (ii) degradation in the technical performance (the delay in accessing the service will be noticeable). The technology limitation can be solved as the technology keep growing to a better stage.

The third problem is the ISP feels that being an ISP the only business he deals with is to provide the access. It is the responsibility of the customers to use it at their own risks. It is like a paper producing company. The company produce the paper and sell it to the customer. It is the responsibility of the customer to use it for good things or for bad things (for example, to print phornographic items onto the paper).

So, it very obvious that tracking down the perpetrator on the Internet is no trivial task.

I think one of the solutions is to compose a good CyberLaw in which it mandates for all of ISP, Warnet, and Corporate to follow and implement a "tracking" system. So in case of criminal acts happen the police can retrive the data from that tracking system. And for sure, the perpertrator must have a severe punishment.