Frequently Asked Questions for Law Enforcement and Public Safety Organizations

Introduction

The American Registry for Internet Numbers, Ltd. (ARIN) is one of five Regional Internet Registries (RIR) that serves the global Internet community by distributing and managing Internet number resources (IPv4, IPv6, and Autonomous System Numbers). The RIRs are referred to collectively as the Number Resource Organization (NRO), whose mandate is to actively contribute to an open, stable, and secure Internet.

ARIN manages the distribution of Internet number resources within its defined service region, which includes Canada, parts of the Caribbean and North Atlantic Islands, and the United States.

Below are a list of questions and answers that may provide more clarity to law enforcement agencies (LEAs) and public safety organizations on some of the ways ARIN and the other RIRs may be able to support their work, and how some ARIN’s services may aid in their investigations.

What do RIRs do?

The core function of an RIR is to manage, distribute, and register Internet number resources (IPv4 and IPv6 addresses and Autonomous System Numbers (ASNs)) within their defined geographical regions of the world, and to maintain a unique registry of those number resources and their associated contact information (commonly referred to as “Whois”). Additionally, each RIR provides a wide variety of associated supporting services, tools, and public awareness and capacity building programs, typically in collaboration with industry partners from across the world.

For more information on ARIN and its services, visit our About ARIN page.

Why is the work of the RIRs valuable to law enforcement and cybersecurity organizations?

Online criminal activity requires the use of a computer and an IP address. All IP addresses can can be traced through one of the five RIRs that are responsible for issuing those IP addresses to various organizations throughout their respective service regions, and for maintaining that information in a registry database (often referred to as Whois).

The RIR’s Whois registration data can be a valuable tool for law enforcement in their investigative process as they begin their search to locate criminals through their use of an IP address. Additionally, Whois can assist law enforcement in determining which Internet Service Provider(s) (ISP) may be connected to a particular end user in order to be able to identify appropriate recipients on whom to serve legal process such as a subpoena.

More information on Whois can be found on our website.

How can ARIN support law enforcement and other public safety organizations in their investigations?

Here are some of the ways that ARIN works with and supports law enforcement, consumer protection agencies, and other public safety organizations:

  • Publicly accessible Internet number resource registry information (Whois) – ARIN’s public registry of Internet number resources and their associated contact information can be used as a first step in a criminal investigation to identify who might be using a particular IP address;
  • Case support – ARIN’s compliance with law enforcement often begins with engagement, via an email or a phone call, to answer basic questions an organization may have before a subpoena or court order is issued. ARIN responds promptly to law enforcement inquiries, subpoenas, and court orders; and ARIN can assist in the preparation of these requests in order to facilitate the process and save valuable time;
  • Capacity Building Programs - ARIN provides training, outreach, webinars, and dedicated information sharing sessions on a variety of topics including security, technical matters, and governance. Many of these training initiatives are specifically developed to address issues of interest to law enforcement and public safety organizations;
  • Global Trust Community access - ARIN supports an international community of law enforcement and related participants that are committed to collaboration and knowledge sharing on public safety issues;
  • Data Accuracy Initiatives - LEAs work to improve the integrity and accuracy of registration data via participation in the formal community policy development processes of the ARIN community as well as the communities of the other RIRs;
  • Public Policy Meetings - LEAs can attend ARIN Public Policy Meetings for free. These meetings provide valuable opportunities to become familiar with, and participate in, Internet number resource governance and policy making processes, as well as meeting ARIN members with whom LEAs could later interact.

What information can be found in ARIN’s Whois?

ARIN’s Whois service is a public resource that allows a user to retrieve information about IP number resources and their associated organizations and Points Of Contacts (POCs). Any organization that receives IP address space directly from ARIN (e.g. ISPs, network operators, business entities, universities, governments, etc.) will be registered in the public Whois. Additionally, ARIN policy requires ISPs to register most of their downstream customer reassignments in the public Whois with some exceptions (noted in the following section).

Registration information in ARIN’s Whois includes:

  • IP addresses and AS numbers issued by ARIN
  • IP addresses and AS numbers issued prior to the establishment of ARIN (legacy resources)
  • Organizations (and their associated information) that hold these resources (ORGs)
  • POCs for resources or organizations
  • Customer reassignment information from ISPs to their downstream customers (who can be other downstream ISPs or end user businesses and customers)
  • Original registration date and last updated date

What information is not found in ARIN’s Whois?

  • Domain names and any associated domain name information. Domain name information is not found in ARIN’s Whois but can be found in domain name registries’ Whois and domain name registrars’ Whois. See also https://lookup.icann.org.

  • Authoritative information for:

  • ISP customer reassignments smaller than /29 (per ARIN policy). (These are collected by ARIN during a resource request and may be available via the submission of a subpoena or court order, but are not in the Whois registry.)

  • Some privatized residential customers (per ARIN policy). (The upstream ISP may be able to provide this information.)

  • Routing information (ARIN does not incorporate routing information in its Whois. You may be able to view routing information by searching a public Internet routing registry such as Merit’s RADb https://www.radb.net/).

  • Specific geographic location of the network

    • ARIN cannot guarantee that the address associated with an Internet resource record is the actual physical location of the network itself. ARIN does not maintain any geolocation data for an IP address.

What other relevant information might ARIN have that is not publicly registered in Whois?

ARIN may have current and historical information about the items listed below. This data can be requested from ARIN through a formal legal information request such as a subpoena or court order; and ARIN will respond appropriately to the extent any of the information below is available.

  • Financial transaction records and billing contacts
  • Banking information
  • Additional contacts for ISPs, End Users and other registered organizations
  • Some ISP customer reassignment information that may not be publicly available
  • Historical registration information (WHOWAS)
  • Corporate documents including signed contracts
  • Officer attestations and copies of signed, sworn affidavits
  • Other miscellaneous information provided by customers when seeking ARIN services

Generally, more specific downstream customer/user information may be obtained directly from the customer/user’s upstream ISP. However, ARIN may be able to provide some information that can be helpful in identifying the appropriate ISP or ISP customer, which in turn may be useful in determining the appropriate recipient of legal process.

Does ARIN restrict certain data fields in its Whois to address concerns with GDPR?

The short answer is no. All registration information placed in ARIN’s Whois as part of the registration process is publicly displayed and available to query.

As a public registry, ARIN’s mission and obligations include distributing information about who administers number resources – most obviously, the Whois database, which provides technical troubleshooters, law enforcement, and the interested public with information about which network providers administer specific number resources. Distributing this information is very much in the public interest of proper functioning of the Internet, as ARIN details in its privacy practices.

What measures does ARIN take to provide accurate Whois data?

There are certain practices that ARIN employs (from both a procedural standpoint as well as a policy standpoint) that help to maintain the accuracy of the data found in Whois.

  • Contractual Requirements (stipulated in the Registration Services Agreement)
    • Registrants must comply with all policies
    • Registrants must provide and maintain accurate registration information in Whois for themselves and their customers
    • Contract may be terminated if holder violates any applicable laws, statutes, rules, or regulations
  • Policy Requirements
    • All but the smallest assignments to customers must be publicly registered in Whois
    • Annual POC validation is required for any organization who has received a direct allocation or assignment of number resources from ARIN or its predecessor registry, OR any organization that has a reallocation from an upstream ISP. Contact types that must be validated include Admin, Tech, NOC and Abuse.
    • Reallocations and certain types of reassignments will not be processed by ARIN unless the recipient organization is already registered in Whois and has at least one validated POC associated with it.
      • Direct Allocation – IP address space issued directly to an organization by ARIN for the explicit purpose of further sub-delegating that space to a downstream ISP organization
      • Direct Assignment - IP address space issued directly to an organization by ARIN for its exclusive use (typically within its own internal network infrastructure)
      • Reallocation – IP address space sub-delegated by an upstream ISP to a downstream organization for the purpose of further sub-delegation to its downstream customers
      • Reassignment – IP address space sub-delegated to an organization by an upstream ISP for its exclusive use (typically within its own internal network infrastructure)
    • ARIN may audit a resource registrant at any time, whether or not fraud is suspected
  • Business Practices
    • All organizations requesting resources directly from ARIN must have a registered legal presence in region and be in good standing
    • All new organization registration requests are vetted during the initial application and will be re-vetted again every 12 months if/when they return to ARIN to request additional services
    • All IPv4 & IPv6 requests and transfers require an officer of the company to attest to the validity of the request, or in some cases, to submit a signed, sworn affidavit

The repercussions for non-compliance of contractual and policy requirements as well as business practices could include denial or suspension of services, revocation of resources, termination of contract, and law enforcement involvement.  

What types of fraudulent activity does ARIN typically see, and what actions are taken if potential fraud or illegal activity is suspected or detected?

Much of the fraudulent activity detected by ARIN (and the other RIRs) centers around attempted hijackings of IPv4 address space in Whois.

As a result of the depletion of the IPv4 address space, the demand for IPv4 resources continues to be strong while the supply remains constrained. This makes IPv4 address space a highly desired and very valuable commodity. This high demand and high value has created an incentive for malicious actors to attempt to manipulate and falsify registration data that does not belong to them by submitting fraudulent documentation in order to obtain control over these IPv4 registrations.

There are also reports of:

  • route hijackings (often the unauthorized use of abandoned or un-routed IP addresses),
  • the buying and selling of IPv4 addresses outside the registry system, and
  • the leasing of IPv4 address space through the use of falsified Letters of Authority

Any one of these fraudulent activities can lead to inaccurate data and improper attribution in Whois.

When ARIN detects potentially fraudulent activity, there are several actions that it may take. The first step is typically to lock down the targeted registration records while internal investigations are done, and a full report of all findings is prepared. If the fraudulent activity and non-compliance of contractual and/or policy requirements are confirmed, the next steps can include suspension of ARIN services, revocation of number resources, termination of contract, and engagement of law enforcement.

What information should a subpoena or court order concerning a request for information about specific Internet number resources or associated number resource data contain, and how would one go about submitting these to ARIN?

ARIN’s General Counsel is readily available to assist law enforcement regarding the appropriate language for subpoenas and court orders. Properly served subpoenas and court orders should be directed to ARIN’s registered agent (see below), who will accept the document on behalf of ARIN and forward it to ARIN’s legal counsel.

Corporation Service Company
Bank of America Center, 16th floor
1111 Main Street
Richmond, VA 23219

Legal orders should always include:

  1. Organization and individual’s names
  2. IP address(es) or ASN(s) in question
  3. If applicable, a request for “registrant information” and not “subscriber information” (ARIN maintains registrant information and does not have subscriber information)
  4. Specific date range/timeframes for alleged activity or for information requested
  5. Specific language as to what actions need to be taken by ARIN (i.e. instructions for response, nondisclosure, etc.)

Subpoenas should not include extraneous material that is not related to ARIN’s services or business model such as requests formatted for other respondents such as telephone service providers or ISPs; requests for subscriber information, etc.

Do all of the other RIRs work with law enforcement and public safey organizations, and if so, how would one contact them for information?

Yes. All of the RIRs have dedicated staff that works with and supports law enforcement in a variety of ways. Additionally, the five RIRs working together formed the Public Safety Coordination Group, which was created for the explicit purpose of global coordination of law enforcement and public safety engagement.

More detailed information on how each RIR works with law enforcement and public safety within their respective regions can be found here:

Are there other services that ARIN provides that might help fight cybercrime and online fraud and abuse?

One of the many malicious behaviors occurring on the Internet today is referred to as route hijacking or BGP hijacking. Simply put, this is the unauthorized use of IP address space, often times abandoned or un-routed IP address space. ARIN has deployed two relatively new technologies to help secure Internet routing, both of which may aid in preventing these route hijackings.

Resource Public Key Infrastructure (RPKI) - a security framework designed to secure the Internet’s routing infrastructure by verifying the association between a resource holder and their number resources.

Validated Internet Routing Registry (IRR) - validation mechanisms added to the IRR that aid in confirming routing announcements are published by an authorized network.

More specific information on these technologies can be found here:

  • Frequently Asked Questions for Law Enforcement and Public Safety Organizations