For anyone with a verizon FIOS business account with static IP addresses, this long-winded post is for you.
Back in February, I discovered what I consider to be a blatent and potentially serious privacy concern in regards to our Verizon FIOS account. It turns out that anyone who signs up for a FIOS service that includes static IP addresses is at risk.
Some technical background
The American Registry for Internet Numbers is a regional entity that coordinates the management of internet protocol addresses for North America. To make a long story short, they keep track of who “owns” which IP addresses.
I don’t have any real numbers in front of me, but I would guess that a large portion of broadband users have dynamic IP addresses (especially residential users), which are always “owned” by their ISP. The ISP may keep an internal record of which customers are assigned specific IPs and at what times, but that information is not publicly accessible.
Most anyone hosting a server - be it a web server, mail server, gaming server, whatever - would choose to have a static IP address assigned to them. Theoretically this is less efficient from the ISP’s point of view, and therefore they charge more for this service.
So if one were to query the ARIN database by typing in an IP address, ARIN would return to you the owner’s contact information, address, etc. The smart ones amongst you are starting to see the problem here… for the rest of you, read on.
The Problem
An owner of a block of IP addresses is able to “reassign” specific IP addresses while still keeping ownership of the actual address. This is arguably useful in a business sense, but as far as individuals are concerned, no way.
The folks at Verizon have a policy of reassigning IP addresses to the actual end-user if that end-user is signed up for a service that includes a static IP address. So, if you own Bob’s Hardware Store and you sign up with Verizon and get a static IP address that you use to host bobshardwarestore.com, your business name and business address get added to the ARIN database as the “owner” of that IP address.
No big deal I suppose, if you’re a business, hosting a website. A little free advertising never hurt. But what if you’re an individual, who hosts a server or two at home and the only way to get a static IP is to sign up for business service? Now here is the part that led me to add the word “blatent” to my initial description of my concern. Verizon is more than willing to sell overpriced business-level internet access to an individual. Your name and home address become the business name and business address. At no point did the customer service rep inform me that my real name and home address would be added to a publicly accessible, non-verizon-owned, database.
I actually discovered this by going to the site whatismyipaddress.com. When I went there, I was amazed to see a google map with a tack right on top of my house.. My first impression was “wow, that’s kind of weird. How does this website know where I am?” The nerd in me wouldn’t let it go, so I dug until I found what was happening. My jaw hit the floor when I saw my name and home address associated with the 5 static IP addresses my roommates and I have been using.
I realize I’m a bit more anal about my private information than some, but let me explain why this seems like such a disaster waiting to happen. The verizon account is in my name, yet I’m not the only one who uses it. I can’t control what my roommates do on the internet - obviously I’m none too excited to have my name associated with everything they may do. Second, I own a number of domain names - all registered using a proxy so my name and address are not publically linked to my domains. Kind of defeats the purpose if the IP addresses those domains reside on have my name/address on them. Third, any owners of any websites myself or my roommates visit can go back in their logs, do a query on the IP addresses, and voila! There’s my name and address. So amazon.com can look and see that I visited their site and now they have my name and address, even if I didn’t buy anything. Not the kind of cross promotion I want going on. Lastly, one of my roommates does/did a lot of multi-player online gaming. What if he pisses someone off, they can see his IP address, and just like that my name and our address are in the hands of someone who is pissed off. (sounds extreme.. maybe not?).
So that covers most of my personal reasons for not wanting my name and address associated with my IP address. But in case you need another reason: By going to the ARIN website and querying on the term “FTTP” (fiber to the premises), one can obtain the names and addresses of everyone in North America that has a fiber internet connection! How many ISPs offer fiber internet service today? That’s right. One. Verizon. So not only is Verizon screwing their customers by violating their privacy, but they are screwing themselves by basically publishing a list of all of their FIOS customers to a public database. What business would want to do that? Try calling up Amazon and asking for their customer lists, including addresses and let me know how that goes. (The only limitation here is that ARIN only returns the first 256 hits for a query, but if you’re in that list of 256 I’m sure it doesn’t matter.)
The Solution
Luckily, this problem can be partially rectified by contacting Verizon and asking them to take your name and address off the ARIN database. OK, so that is a lie. Obviously it’s not that easy - this is Verizon we’re talking about. It literally took me a number of weeks and countless phone calls before I finally found someone who actually understood what I was saying and cared enough to fix it. And I can’t even tell you what department he was in. I tried billing, tech support, customer service.. you name it. Luckily, I’ve included his phone number below.
What I can tell you is that the solution was actually simple from his end. He sent the following email to ipmgmt@verizon.com (and even cc-ed me!):
Customer is not wanting his name and his address noted next to his ip address. [Customer] feels it is a violation of his privacy. [Customer] has called in before asking to remove his information from the ARIN’s list and did not recieve cooperation for Verizon on this matter. Any questions, you can email me at [verizon employee]@verizon.com
Thank you,
[Verizon Employee]
Dallas FSC
800-553-2555
Within 48 hours, the records at ARIN were changed to remove my name and street address. My city still shows up, but my city has a population of about 70,000 according to wikipedia so that’s not really a concern.
Bottom Line
I googled this problem and couldn’t find anything on it, hence this post. Hopefully someone at Verizon reads it and makes a permanent change. Our old ISP (MMinternet!) never reassigned the IP addresses in the ARIN database and I’d be curious to know how other ISPs handle it. Unfortunately Verizon is the only one offering fiber at this time (that I’m aware of) so switching ISPs becomes more painful.
I am naked outside your house right now, typing this one-handed. I like your new TV, tell the blonde haired one to stop watching the tentacle porn.
Aside: you think that people can’t tell who you are? And with your name, they can get your home address and anything else. Unless you just don’t want to make it too easy.
mr. stalkins (aka birdizzle)
Left by S. T. Alkins on August 25th, 2007