Wednesday, 16 November 2011

One IP != One computer

Not so much a rant as an observation.

I don't know if this works differently in the UK to the US, but IP tracking on many pieces of software needs to be fixed - badly.

The example I am going to use is an office building in London with six hundred people and about the same number of PCs. Because of the firewall it will display one IP (cloaked) to the outside world.

And every time you log in, Google tries to amalgamate the accounts of every user in the building. A notable vBulletin mess-up meant that if one person forgot their password and locked themselves out of their account, the forum locked the entire company out - including people who were already logged in and currently using it. Nabble was a lot of fun, if by fun you mean all posts from that address showing up as the last user from that IP... the forum certainly made it look as though there was one incredibly prolific user talking to themselves a lot (we're talking six or seven simul-posts).

One competition, run by a US individual, accused me of cheating for getting fourteen votes from one IP. When I mentioned that was the local college, they shut up. (The computer lab had 30 PCs - it was easy to prove the cookies were set by different user profiles on different machines...)

This idea that one IP equals one computer isn't true - at least for any company or individual with decent security. It might equal one gateway or one network hub, but you won't see past that.
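The lockout failure described above can be reproduced in a few lines. This is an added example, not code from vBulletin or any product named in the post; the threshold, the gateway address (a documentation-range IP) and the account names are constructed for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 3              # assumed lockout threshold
GATEWAY_IP = "203.0.113.10"   # constructed: the one address the office shows outside


class Lockout:
    """Failed-login counter whose behaviour depends on what it is keyed on."""

    def __init__(self, key):
        self.key = key                    # function (ip, account) -> counter key
        self.failures = defaultdict(int)

    def record_failure(self, ip, account):
        self.failures[self.key(ip, account)] += 1

    def is_locked(self, ip, account):
        return self.failures[self.key(ip, account)] >= MAX_FAILURES


def by_ip(ip, account):
    # Treats the gateway as if it were one computer and one person.
    return ip


def by_account(ip, account):
    # Uses the identity the user actually supplied at login.
    return account


def simulate(key, users=600):
    """One person forgets their password; return how many users end up locked out."""
    policy = Lockout(key)
    accounts = [f"user{i}" for i in range(users)]
    for _ in range(MAX_FAILURES):
        policy.record_failure(GATEWAY_IP, accounts[0])
    # Every user in the building arrives from the same gateway address.
    return sum(policy.is_locked(GATEWAY_IP, a) for a in accounts)


if __name__ == "__main__":
    print("keyed on IP:     ", simulate(by_ip), "users locked out")
    print("keyed on account:", simulate(by_account), "users locked out")
```

Keyed on the IP, one forgotten password locks out all six hundred people; keyed on the account, only the person who forgot it is affected.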

Then you encounter the idea that one computer equals one person, and so all accounts on it can be combined, which is so wrong I am baffled. Families. Libraries. Web Cafes. Many users on each machine.

On the technical side it can also go the other way: Multiple network cards and backup ISPs mean that one machine can have multiple IP addresses. User profiles and browsers can be split down easily. It's how I finally stopped certain parties trying to combine my personal account with the ones I manage for third parties.

There used to be an option to mark a machine "shared" or "public". Many websites seem to have removed this, assuming that nowadays all the data they capture from an IP is specific to a user.

Could I suggest that they go back to the old sensible method of using what their users actually tell them? If you are logged in, then they know it's you. Otherwise it could be the janitor or the CEO at your place of work, any of a thousand college students, or anyone who uses the same webcafe. Otherwise companies are just making assumptions, and there's an old saying about people who assume...
