Can You Really Be Traced From an IP Address?

Barence writes "Identifying individuals using nothing more than their IP address has become a key part of anti-piracy and criminal investigations. But a PC Pro investigation casts serious doubt on the validity of IP-based evidence. 'In general, the accuracy of IP address tracing varies depending on the type of user behind the IP address,' Tom Colvin, chief technology officer with security vendor Conseal told PC Pro. 'Whilst big businesses can be traceable right back to their datacenters, standard family broadband connections are often hard to locate, even to county-level accuracy.'"

Sure. Don't be paranoid!

[Chas]

Depending on what data is being captured by the ISP for management purposes, this COULD be true.

But, if they can track you well enough to meter you (Comcast, AT&T, etc), they can track you down to your IP too.

Re:Sure. Don't be paranoid!

[rolfwind]

Apparently they can't meter you too well.

http://www.digitaltrends.com/computing/att-vows-to-improve-inaccurate-broadband-metering/ [digitaltrends.com]

As to the tracking, I'm sure it can be done, however, unlike DNA, spoofing is completely trivial, so I would never be comfortable having it as the only evidence in some type of trial.

Re:

[ZonkerWilliam]

Throw in this that a lot of people have wireless routers, it would be impossible to tell, even if you track down the IP address to the physical address, that it was being used by you or your family. One could always say "I had an open wi-fi connection", and it would impossible to say who was behind that IP address.

Re:

[Vanderhoth]

I'm under the impression this is already done. At least in Canada.

I've read that if a router has an open connection and someone out war driving connects to the unprotected router to look up child porn (CP). The owner is responsible because they negligently left the connection unprotected. In the city live in there are free connections all over the place. If you live in an apartment building guaranteed there is an open connection. I've only ever heard of one case where some one tried to use the, "But my ro

Re:

[rikkards]

Wouldn't surprise me if this is true but do you have a link that proves this?

Re:

[networkBoy]

cantenna

Re:

[DavidTC]

The owner is responsible because they negligently left the connection unprotected.

That is a misuse of the word 'negligent' if I've ever seen one.

It is negligent to do things that you should have knew people might get harmed by, like leaving a broken board on your front porch that people step through.

It is not negligent to leave things laying around that other people deliberately use to harm others. If an adult picks up a hammer I left on my porch, and attacks, someone, no, that is not negligence.

It's

Re:

[anyGould]

Will law enforcement treat this like the photo systems that capture speed/red light infractions eventually? The infraction is not associated to the user but rather the connected device. Having received a speed violation (sent to me, but my wife was the operator, given the location), I dislike the fault association with the owner, but it seems that someone would likely create it to stop people from using the "open wifi" defense.

The flip side is that getting a photo-radar ticket is substantially less expensive than getting pulled over. Since you (as the driver) aren't charged, you don't get demerits, for instance. (At least up here where I am - they define photo radar speeding as a "non-moving violation". Yes, the irony is stunning.)

I think the current IP tracing does make a few assumptions, not the least of which is that there is only one user who is ever on that address - no roommates, visitors, people hacking your wireless, and

Re:

[Attila Dimedici]

Actually, current DNA identification isn't all that good either. Most DNA identifications are "1 in 100,000", those that I have seen claiming higher reliability have proven to be hyperbole. This does not mean that higher reliability is not possible, just that current techniques that I have heard referenced are not very reliable identifiers.

Re:

[JasterBobaMereel]

Most DNA tests are done to the 1:100,000 level because this is a) quick and b) cheap

DNA testing can be done reliably and accurately to 1:1 billion but this is very expensive and takes a long time ....

But if you are relying on DNA evidence alone then you have a very unsound case, if you test everyone you will find at least 6 matches even at 1:1billion ...

Same goes for IP tracking, you can do it quickly and cheaply and it is often inaccurate, or you can do it properly and it can be made very reliable but thi

Re:

[Attila Dimedici]

Absolutely, the way that IP and DNA evidence are used today, they are useful for two purposes. First, take a specific group of suspects and eliminate those that it could not be because of this evidence (more reliable for DNA,than for IP). Second, obtain a potential suspect or two who are worth more in depth investigation. Unfortunately, the press, TV shows and movies make it seem like both IP and DNA evidence identifies someone much more reliably than it actually does.

Re:

[SomePgmr]

I'd think that for the purposes of a file sharing case, ISP logs would be sufficient if they can compel them to turn over the relevant bits. No doubt they keep traffic details of some kind from the session layer on down, which would rule out a 4th party spoofing scenario. I could be overlooking something there. Seems to me the problem with tracking traffic back to a user is if you're required to do it blind from an IP in a server log. But if you can take that hint and get the information from the ISP-on

Re:

[datapharmer]

DNA is better at proving people not guilty than guilty. Sure, it is used by prosecution along with other evidence, but DNA alone can't prove someone guilty (not to say someone won't be convicted by an uneducated jury, but you won't hear a properly trained forensic scientist claim proof, they will claim only a correlation usually by saying it is indistinguishable). On the other hand, if you analyze the DNA and find that the markers don't line up at all, it assures that the sample the lab was given doesn't m

Re:

[delinear]

It's not just that it's difficult to track the IP back to your household, but that that's not the full extent. What if it's a shared account in a student accomodation, or you're running your PC as a node on a TOR network (so in both cases the "infringing" traffic might look like it's coming from your IP but you aren't the one committing the act). With difficulty in ensuring the IP was assigned to you at the time it was used on one side, and then in proving that it was you downloading the file on the other (

Re:

[pixelpusher220]

From a legal standpoint, only one person signed the contract. That person is liable for anything done with the connection. And yes, as the legally assigned person have to 'prove' it wasn't they who committed the act that was traced back to their 'address'.

and for the old world analogy:
If your car is seen and photographed robbing a bank and everybody in the house had access to keys, who do you think they are going to look at first?

Re:

[cheekyjohnson]

And yes, as the legally assigned person have to 'prove' it wasn't they who committed the act that was traced back to their 'address'.

Forget innocent until/unless proven guilty! You're guilty unless you can prove otherwise!

Re:

[pixelpusher220]

You're not convicted of anything until you're in court hence you're not guilty of anything. However, they *are* going to bring you into court if your car was seen robbing a bank and you can't reasonably explain who else might have been driving it.

Re:

[JasterBobaMereel]

It is quite reasonable to ask you first .... but it is still up to them to prove it was you ...

Re:

[pixelpusher220]

but it is still up to them to prove it was you ...

which happens in court. You don't have 'prove' anything to charge someone and hold a trial. There are some checks along the way but they don't require 'proof' of anything, just some semblance of reasonableness that you could be the guilty party.

Re:

[DavidTC]

Dude, you can't sign a private contract making you liable for other people's criminal activity. That simply is not possible under any sort of American law. You could sign one with the government, possibly, and that's sorta what it means be 'released into the care of...', although not to the extent of making a criminal out of anyone. But private actors can't just magically sign things making them liable for criminal actions by someone else.

Likewise, a contract between you and second party (your ISP) cannot

Re:

[pixelpusher220]

Dude yourself. If you make available the tools by which crimes can be committed, you damn well can be held liable for their use in such crimes.

If you allow someone access to your computer and they do something illegal with it, *you* are the one they are going to talk too since it was your computer and connection. They don't know anything about anybody else, nor frankly, do they care. You can explain your alibi, but if you say nothing, trust me, you are ending up in court.

There are certainly mitig

Re:

[zach_the_lizard]

It's not amazing to me. History is full of business models being propped up by legislation and cronyism, copyright laws being no exception. Benjamin Franklin lobbied for paper money so that he could get a job printing it (decades before the American Revolution), so it's a time honored tradition in this country.

Re:

[pixelpusher220]

> or that you initiated the act knowingly

I think the poster's meaning was that you actively participated in the download; rather than a virus doing the downloading so to speak.

Re:

[satch89450]

But, but, but...the meter is by account, not by "person". It's like a water meter: it doesn't matter who is using the water, all that the water company wants to know is how much is flowing out of its pipes to the customer of record. Take a WiFi access point: one IP address with NAT can be used by hundreds of people at the same time. (I know this because every year I run a WiFi network at a show with 300 people...and roughly 700 devices -- so tracing activity to just one device is a real needle in a hay

Re:

[VolciMaster]

gets worse if the ISP is monitoring ATM packets instead of IP traffic...

Why is the ISP monitoring my banking?

Re:

[Aqualung812]

I hope this was a lame attempt at a joke, but if not, read this: http://en.wikipedia.org/wiki/Asynchronous_Transfer_Mode [wikipedia.org]

Re:

[Ephemeriis]

Depending on what data is being captured by the ISP for management purposes, this COULD be true.

But, if they can track you well enough to meter you (Comcast, AT&T, etc), they can track you down to your IP too.

The problem is that Charter assigns one IP address to my router, and everything behind it is sharing that one IP.

So... Who generated that traffic you're interested in? Was it me? My wife? My kid? One of the few people I've given wireless access to? Somebody who cracked my wireless network?

Re:

[poetmatt]

The "you" here is the wrong focus.

Can you be traced to an IP address? The answer is and will always be, no.

Can an IP address be traced to a MAC address and/or general geolocation? Yes. Is that data accurate? Not necessarily, and there's pretty much no guarantee of accuracy. Do ISP's give a shit who is using their cable modem as long as it's paid for? No.

Just because "I found an IP address accessed at X time and Y cable modem" does not mean that you can truly verify anything beyond the cable modem without fa

Re:

[tibit]

LOL. And the "abuse tool" works by magic and fairy dust, right? The "tool" was probably just a website front end to a database. If the database contained junk, you got junk, without knowing any better.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[MokuMokuRyoushi]

Interestingly, the article says much the same. If you're going to get pissed off about an article, shouldn't you at least read it first?

Re:

[VolciMaster]

If you're going to get pissed off about an article, shouldn't you at least read it first?

you must be new here...

Re:

[Snarfangel]

Interestingly, the article says much the same. If you're going to get pissed off about an article, shouldn't you at least read it first?

But I'm angry now!

Re:

[AHuxley]

Thats where a phone tap and sneak and peek can be so useful. A "plumber" at 12.03 on the afternoon you expected.
Just before they touch your tap something sets up a few lines about a mix up at the office.

Re:

[mark-t]

But an IP address (at any specific given time) does have a direct correspondence to a customer of the ISP, a specific person who has agreed to (often in writing) the ISP's terms of service, and would have already had to be prepared to assume accountability for how their connection to their ISP was utilized, even if it wasn't by them personally.

Re:

[cheekyjohnson]

Who needs evidence!? If they were innocent, they'd be able to prove it! Being a civil suit changes everything and innocent until/unless proven guilty should no longer apply! That also goes for proof beyond a reasonable doubt. Forget them all!

Re:

[Score Whore]

File-sharing lawsuits are typically civil actions, which has a completely different burden of proof. Preponderance of the evidence is the standard and that means >50%.

Re:

[mark-t]

You *CAN* map an IP address to the person who has the account with the ISP... and I have no problem whatsoever with people being civilly responsible (not criminally) for any illegal activities that occur on their internet connection. If they can provide reasonable evidence that they aren't likely to be personally responsible, then insurance could cover most of the costs involved.

Re:

[mark-t]

I'm suggesting that a person be held civilly (not criminally) responsible for any illegal activities that occur on their own internet connection. If something happens that's not their own fault, then they might be able to plead a case for a repayment plan that won't bankrupt them, or, even better, cooperate with law enforcement to find the actual perpetrator, but to be frank, life sucks for pretty much most of the planet - if somebody even *HAS* a internet connection, they are already ahead of most of the c

Re:

[mark-t]

I'll cross that bridge *IF* I ever come to it... which I'd be prepared to stake my life that it won't ever happen.

Re:

[andrea.sartori]

You are right. The depressing thing in TFA is: "Unlike anti-piracy cases, however, IP tracking is only ever used as supporting, rather than primary, evidence in a criminal prosecution." (This said by a police detective constable.) That is, an IP address is apparently enough to bust you for downloading a song, but not enough to download CP... :/

Re:

[Wrath0fb0b]

You have no idea and you never will unless you can find 1) evidence on a computer and 2) evidence that the suspect was using said computer at the time.

No one is convicting based on IP addresses. But "the Comcast account at 215 Pine St was used to dl kiddie porn" is probable cause to get a warrant for the computers at that address. Probable cause is not proof beyond a reasonable doubt --- it's possible that it was a guy in a van in a laptop -- but there's still very good reason to believe that evidence will be found. See, e.g. http://en.wikipedia.org/wiki/Illinois_v._Gates [wikipedia.org]. So the idea is that IP evidence is a good 'lead' to justify further searches for ev

Re:

[Planesdragon]

If all the info you have is that someone/something at IP 12.34.56.78 downloaded kiddie porn, that's no evidence at all.

See:

1: Probable Cause
2: Personality Profiling
3: Jury trials.

A DA doesn't need to prove your kiddie porn habit to a geek-fandom level. He just needs to convince 12 more or less random strangers that it's very likely you traffic in child porn. And that's only if he wants to throw you in jail. If he just wants to harass you, he just needs to show a judge that IP address -- and he's got "probable cause" to bust down your door and take your PC from you. (Hell, if we're talking about a vice squad geek and not

Re:

[TheSpoom]

Proof is not necessary in a civil suit, and the IP -> computer link is probably enough for the court to authorize seizure and examination of the computer in question.

Re:

[anyGould]

strangely this doesn't seem to stop the authorities from charging many people and ruining their lives in the process before dropping the charges

That's because some areas score their law enforcement like they do sports teams - how many times did you "win"?

reverse dns + office workers = trouble

[jaymz2k4]

I'm often having to remind users in the office that a simple reverse lookup on our IP and there's the company name sat right there, a few clicks and you've got the building address. Go onto linked in and you've probably got half the employees full names. A lot of people forget just how much information you can get from work IP's. It's not CSI style VB GUI interface level but if you're about to go make some stupid edits on wikipedia don't do it from your office connection.

Re:

[Frosty Piss]

if you're about to go make some stupid edits on wikipedia don't do it from your office connection.

Making stupid Wiki edits from work is far better for me than from y own IP. If our IT department was the recipient of some screed from some Wiki uber-Editor having a cow over some stupid edit, they would roll their eyes and hit the Delete key...

Re:reverse dns + office workers = trouble

[value_added]

I remember doing a reverse lookup on my ATT (then SBC) DSL account years ago. When I discovered my name was shown (for all the world to see), I called ATT to complain and they replaced my name with "Private Customer".

A year or so later, I upgraded to a 5 static IP account, had ATT delegate the /29 to me, and started hosting my own DNS, mail, web, etc. services. Now, a simple WHOIS not only listed my name, but my address and telephone number as well!

Somehow, the new setup made more sense, and felt more acceptable.

Depends if someone...

[mario_grgic]

has written a Visual Basic application to track your IP.

Re:Depends if someone...

[danhuby]

I had no idea what you meant until I saw this: http://www.youtube.com/watch?v=hkDD03yeLnU [youtube.com]

Made me cringe!

Re:

[TheRaven64]

And, in spite of that, their portrayal of IT is still more accurate than their portrayal of forensics...

Re:

[Tolkien]

Enhance!

Re:

[pyrr]

That...wow. I heard the words, but it was like she was speaking a different language.

I think some studio must have a random IT jargon generator.

Re:Depends if someone...

[L4t3r4lu5]

The problem is that the real thing is so much more time consuming and boring. You remember one of the Matrix movies showed Trinity using nmap? It was on screen for about 0.75 seconds, because using nmap is really, really tedious if you're not into that kind of thing.

How does this sound for action packed fun: "We need to get hold of his laptop and pull out the hard disk drive. We can then mount it as a slave and wait for 6 hours while it takes an image of the entire contents, then put it back in his laptops. From there, we can mount the image in a read only state and use a tool to brute force the encrypted partition key. It should take around 8 years."

Or "He has a 2048 bit encryption! We need to hack all of the code walls with a GUI worm!"

Re:

[tnk1]

You're right about the tediousness of certain real-life tasks, but there's no reason that they can't tell someone to get to work on it, and then move to other scenes and then come back to the computer lab 8 hours later. I mean, they seem to be able to accept that it takes time for blood test results to come back, there's no reason that they can't assume that computer results will take just as long.

Additionally, despite the fact that it takes forever to use certain apps, like nmap, to do an analysis there c

Re:

[Idbar]

Which is particularly easy when someone is using IP addresses in the 300 block.

Re:

[N0Man74]

It doesn't take a full blown VB application... just a VB GUI.

They need to learn from the ad muppets.

[EasyTarget]

standard family broadband connections are often hard to locate, even to county-level accuracy

Advertisers rarely seem to be affected by this; every time I plug my laptop in while abroad the adverts change to the current locale..

Re:

[lennier1]

Sure you didn't misread "county" as "countRy"?

Re:

[EasyTarget]

Fair point; it's the language that gets my attention.

Sued

[Anonymous Coward]

In 1997 a company threatened to sue me for breaking into their system (which I didn't do). Due to my good contacts with the ISP at the time I was able to get my hands on 6 months worth of packet logs related to my cable modem. This was a Dutch, but American owned, cable ISP. If they were logging things to that details at the time, I doubt it has gotten any less today. If you're with one of the bigger ISP's, rest assured, your packets are safely logged.

Well Yes and No

[trollertron3000]

Well yes and no. In the case of someone like the RIAA claiming they traced it back to a user -yes there is some room to say it's not foolproof. Far from it. But with someone like the FBI? That's not going to work. They will catch you in the act using a "man in the middle" sniffer like Carnivore to ensure the evidence chain of custody can be proved correct in a court room. Considering almost every piece of networking equipment made has LEO intercept capabilities built in, it's not hard.

Alas! I agree with the premise

[bogaboga]

'In general, the accuracy of IP address tracing varies depending on the type of user behind the IP address...'

I whole heatedly agree with this statement. This is one of the few times this has happened with a Slashdot premise.

As a young graduate more than 10 years ago, I NATed a few of my employer's computer IPs, including the internal 192.168.X.X up to 3 levels and asked the then ISP support dude to find out what was going on. He could not, despite having the 'latest' software.

This gives defense lawyers one item they could use to challenge the DA. Trust me on this.

Quote in summary is misleading

[Coopjust]

RTFA and you see that, as many of us already know, you can get a court order to get the exact identity of the account holder, so the problem as described by the summary quote is not the real issue. Rather, just because you know the account holder does not mean that you can prove that the account holder, or whoever you have on the stand, is the one that infringed.

Despite rear-end covering clauses in the terms of most home ISPs that state that the account holder is liable for everything that goes across their connection, most courts won't accept that. I wouldn't be willing to test it, but it's a very valid point of defense. The number of people with open Wi-Fi is staggering, and even then there are attacks which work on WEP (a ton) and WPA (GPU accelerated attacks can get passphrases in under a minute on many routers), which is the maximum security many home routers in use are capable of. That makes this point even more valid.

Re:

[mark-t]

While you can't prove the account holder is the one who infringed, he can likely still be held accountable for how his own internet connection is utilized... in fact, he probably agreed to something along those lines when he signed up with the ISP.

Re:

[Combatso]

but that 'contract' the end user agrees to does not trump law. so there may be valid loop-holes and precedents. im not a lawyer or a criminal, so I havent got any references,

Re:

[rgviza]

If the acct holder is not responsible for the activity that happened over their wi-fi, eventually they'll be cleared. The burden of proof is still on the government and they need to prove you did something. Traffic to your IP only leads them to your cable modem. It doesn't prove you downloaded anything. They still need to prove you possess(ed) whatever they are looking to nail you for. Only problem is in the mean time the feds will have confiscated every electronic device in their possession to do forensics

Re:

[corbettw]

Being responsible for billing purposes to your ISP is one thing; being responsible for all criminal activity that occurs on your network is quite another.

yes, you can be, but not instantly.

[gl4ss]

if they're billed, authorities can get the information, provided that they go through the hoops necessary. it's not instant and movie like, of course. even pre-paids get tied to a name when they're charged(and cellinfo is logged, for a time). so it's mainly used to find a place of evidence and then to raid that place for said evidence. it's not evidence by itself but a clue about where to maybe get evidence. by itself it's just a phone number and about as useful as that.

of course if there's been proxying an

Re:

[moonbender]

Got any significant data to back up your claim that IP geolocating doesn't work? It doesn't have to be perfect to be useful for many applications. In my own experience, it works exceedingly well.

Re:

[T-Bone-T]

My IP currently points to a city about 40 miles away from my actual location. A city of millions falls within that circle.

Re:

[moonbender]

That's great. It's not significant data, though.

Re:

[swilver]

even pre-paids get tied to a name when they're charged(and cellinfo is logged, for a time)

When what is charged? You just pay with cash, and of course, you donot fill in the form to get "double credits".

Relakks

[cerberusss]

You know what is even harder to identify: me sitting behind my Swedish Relakks> VPN connection. [relakks.com]

Yes and no...

[_Shad0w_]

It's unlikely you can trace an IP back to a single user. You can, however, almost certainly trace it back to who it was assigned to, either statically or dynamically. The problem is that can be anything from a single home user to a small to medium sized company behind a NAT. Hell it could even be a large company - although they're more likely to be behind a many-to-many NAT, rather than one-to-many.

The only place I can see you being able to track back a single user would probably be in cases where you ac

I'd definitely be asking these questions...

[Eggplant62]

...which of the 4 people living here and on which of the 9 computers (7 physical, 2 virtual) behind my NAT firewall committed the act based on the evidence you have already? Which subnet of my internal network were they using (the virtual machines are subnetted away from the rest of the network)? Is it possible that someone outside my home cracked my wireless security, joined my network, and committed the act in question?

You wouldn't like the answers....

[Dcnjoe60]

...which of the 4 people living here and on which of the 9 computers (7 physical, 2 virtual) behind my NAT firewall committed the act based on the evidence you have already? Which subnet of my internal network were they using (the virtual machines are subnetted away from the rest of the network)? Is it possible that someone outside my home cracked my wireless security, joined my network, and committed the act in question?

If you have 9 computers in your possession, the authorities really don't care which is infringing, they are still in your possession. Subnets don't really matter, nor does your NAT firewall, as all they have to do is show that the content in question was transmitted to whatever device you have that is connected to your ISP (usually a router). That is enough to give probable cause for a search warrant (at least in the US). From there, they can confiscate said computers and analyze them looking for signs of the data in question.

It may be possible that somebody outside your home cracked your security. You could try to use that as a defense, it wouldn't be up to the prosecutor to show that it didn't happen, anymore than they would need to show that somebody broke into your home or business and used your computer. That would be your burden to disprove the prosecutor's case. Besides, a good prosecutor would point out that if you have the smarts to create the network you have described, then you have the smarts to adequately protect it. Negligence usually is not a good defense at a trial.

Here is an analogy for you. If you loan your car to somebody and they commit a crime with it, the authorities are coming after you. If you have an alibi, that is great, otherwise, you'd better be ready and willing to turn over who borrowed your car. Even with an alibi, if you don't want to be an accomplace, you'd better be ready and willing to turn over who borrowed your car.

So, back to your 9 computers. If it wasn't you who did whatever, which of your family or users (depending on whether this is a home or work system) did? That is the information they will find out when they confiscate your equipment. Happens every day, all the time.

Re:

[Provocateur]

Good to know. Are you a lawyer, or is it because you've seen it happen, or you've been through an incident like you described? It is an honest question...

Re:

[Dcnjoe60]

Good to know. Are you a lawyer, or is it because you've seen it happen, or you've been through an incident like you described? It is an honest question...

Let's just say strong ties to law enforcement. Really can't say much more than that.

Of course no!

[VincenzoRomano]

You should have the exact IP assignment time table from the ISPs.
Then you need to be sure about the exact time drift among all the involved systems.
And finally you need to be sure about the person using that vey device using that very IP.
And even so, you still need to make sure about another dozen of constraints like NAT and open/broken WiFi access points.
So, of course you cannot. Apart of a very limited number of cases. Very, very limited.

ISPs keep track of the IPs that they give out

[trparky]

Wheneven you connect to the Internet via your ISP and they give you an IP address, they record the time you connected and your account username (or cable modem's MAC address which can be traced back to your billing account). All, all someone needs is your IP address and the time the offense took place (has to be a specific time frame) and all the ISP needs to do is look in their database of addresses they gave out and they have you.

Yeah, you could have an open WiFi router but usually the company attempti

Question

[ledow]

Can you trace the final connection endpoint (i.e. the part that contacted the observed target as the last link in the chain)? Yes. Even if they fake the IP you *could* in theory do work to discover where that connection originated from. This assumes greatly that the IP you recorded isn't forged, random or nonsense and that you haven't just been "given" a list of IP's from a third-party who didn't do the correct analysis to determine where those IP's are gathered from.

Can you get from an IP to a physical location? Almost certainly. Usually to the campus, home address or business telecoms line that the IP is associated with. But it will be the IP of the other endpoint of the connection, not necessarily the origin of the user's actions. E.g. proxies, hacked routers, etc. And even that can be extraordinarily tricky to arrange over international borders.

Can you trace back through proxies and other hindrances to get to an actual connection origin. Yes. Doubling the work necessary at each stage and if you can force physical access to each of those origins in order to trace back where the source came from.

Can you get from a confirmed IP-packets physical origin to an actual person? Depends. Not automatically, and probably not at all without an admission of guilt or other concrete evidence and almost certainly it would only be "coincidental" rather than anything else (otherwise it would be like arresting everyone who used an Acer laptop because the connection originated from an Acer laptop)

Can you do "hacker-work" to knock on the door of Hacker 1 who lives in an uncooperative country who was trying to hide their tracks (i.e. someone you actually WANT to trace using police resources and raiding datacentres)? Probably not.

Can you do some simple police investigations to get from an abusive IP address to a home address that you can raid for more evidence in a co-operative, or your own, country (i.e. someone stupid enough to do something incredibly illegal and traceable from their home Internet connection)? Yes.

Can you then prove it was them that used that IP? Not without taking their computer and ISP logs and all sorts of other evidence and doing a full "ordinary" investigation.

Can you determine who random user X was who piggybacked on a wifi connection that you *can't* prove the owner used himself but can only trace to that IP? Not without some other evidence (e.g. spotting the car that was sitting outside).

Can you tie an IP address on the general Internet to a single person unequivocally? Not to the standard of any court that I know, no.

Can you tie an IP address on the general Internet to a single person enough to make you suspicious. Usually - yes.

Will it stand up in court? Not without a shit-ton of other evidence that's much more convincing.

No they can not

[Charliemopps]

Having worked for several large ISPs in their "Copyright infringement" department (ironic I know) I can tell you that no, tracing an IP address back to its original user is not likely and shouldn't be admissible in court.

The way the system works is this:
The ISP gets an email claiming copyright infringement on a certain date and time by a paticular IP.
It's important to note, the ISP has no way of verifying any of the following:
          The email came from the person it's claiming to come from
          That person is the copyright holder
          There is even a copyright on the file in question
          The person sending the email did anything to confirm what they were downloading was a copyrighted file (is batman.zip the new or fan fiction?)
          The ISP can not even confirm that anything at all was downloaded.
The ISP then takes the IP address provided and the time claimed and compares this to their DHCP server and looks for lease statements before and after the time the file was claimed to be downloaded. So if the complaint was at 10pm and we had that IP time stamps at 9:30pm and 11:00pm for Jim, then Jim gets a letter.

As you can imagine there are all kinds of holes in this. There are a zillion and one ways that could be inaccurate inside the ISP alone. This doesn't even include all the failures on the part of the copyright holders. We had one that was so inaccurate they were sending us multiple complaints on a daily basis against IPs we hadn't had leased out to anyone for days surrounding the times of their complaints. We made repeated inquiries with the "Company" to try and clarify their problem. But in the end just blacklisted their email accounts. We had other incidents in which the complaint was that the user downloaded a dozen or so movies... but a quick check of their usage logs showed they were using less than a couple hundred meg a month.

It was clear that the copyright holders were using automated scripting software to flood us with complaints with no real checks and balance on their part and then expected the ISP to do the heavy lifting when it came to investigation.

Re:

[TheDarkMaster]

Big thanks for the info.

Re:No they can not

[Charliemopps]

They are not "helping" the copyright holder, no information is returned to the copyright holder. In every case that I'm aware of they did not even acknowledge receipt of the emails.

OCILLA (part of the DMCA) gives ISPs safe harbor against litigation for copyright infringement if they take "some action" to prevent the copyright violations. What that "action" is, isn't really defined by the act. In most cases, ISPs send a letter to the customer informing them of the complaint, request that they desist and threaten to disconnect them if they do not. I think disconnections are ebcoming increasingly rare. Most companies do not want to lose customers over this. The entire process is a waste of resources and money to them... and they certainly don't want to be disconnecting paying customers when they really have very little proof that the customer had done anything that would put the ISP in legal jeopardy. Add to that the fact that no lawsuit has been filed against an ISP much less won... and you have a situation in which ISPs are doing the very bare minimum to comply with the law. I've seen this at 2 major ISPs and have a friend working at a 3rd that confirms the same things happen there. Yes, if you're using some antiquated service like limewire, are hosting 50 of the most popular movies in release atm, have a 20mb connection and are uploading gigs and gigs of data a night... Your ISP is probobly going to get a FLOOD of complaints about you and will likely have to do something. But that's your own dumb fault.

Neither identifiable nor anonymous

[gordguide]

Users of standard home IPs (via ISPs) are neither completely, or even significantly, anonymous nor identifiable. The line is grey and moves, possibly by the minute.

However, the article refers to two legal situations, and doesn't discriminate between then sufficiently. With regard to a lawsuit, the test is often stated as "a preponderance of evidence" while when the article referred to a police investigation, it's often described as "beyond a reasonable doubt". The two are not interchangeable.

The copyright lawsuits that the article refers to are probably attempting to show "enough" evidence to get a settlement or a judgement. Taking the evidence collection to the point the police would want would certainly be an asset to the case and would probably be in the "lead pipe cinch" category, taking into account the lesser evidentiary need.

Without that ... well, they will certainly try to get the judge to agree with them. It may be enough in some cases ... we have a few examples where a Judge or Jury in a civil suit did accept it ... but at the same time by itself it's also probably grounds for appeal as well.

With regard to even national-level geolocation, occasionally at work, due to remoteness, I connect via a sat feed. When I'm on that feed I'm in the arctic; when I see certain ads while browsing and those ads include a city or region as part of the targeted ad, they think I'm in New York state (which is where the ground sat link is with the ISP we happen to use).

But, there are probably cases where there is strong evidence, similar to a corporate IP address ... for a few dollars a month, I could have a static IP at my ordinary (home) ISP as well (although it's dynamic currently). So, it's neither here nor there ... it will vary depending on the unique circumstances of the case.

Essentially, that's also what the judge quoted in the article says ... he's hinting that he would be willing to accept the IP as part of the evidence provided there was corroborating evidence to back it up; otherwise not good enough by itself.

This is simply not true

[tom229]

All ISP's keep logs. Knowing the IP immediately identifies the ISP. From there it's just a petition away to find the account/modem MAC that was using that IP at that time.

Proving exactly who was on the computer at that time would be impossible. But you could easily narrow it down to the household.

How do you prove a timestamp is correct anyway?

[Boss, Pointy Haired]

Surely the validity of any evidence citing party x having IP address a.b.c.d at time t comes down the accuracy of the clock on the server that logged the IP address allocation.

How do you prove in court that clock on a logging server was correct.

I don't think you can.

Re:

[gknoy]

How often is the timestamp off by enough to matter? Wouldn't that mess up network traffic that those machines stamp, and thus have been already fixed by the ISP?

My ISP knows

[hawguy]

Even though I have a dynamic IP, it's effectively static since it hasn't changed in 9 months, so if someone asked Comcast who my IP belonged to, Comcast could say with quite some certainty that it was me.

But, I wonder what would happen if I was running a public access point (aside from facing the wrath of Comcast since I'm sure it violates their ToS) - could I blame any illegal activity on my "customers"? How can I shield myself from liability from actions by my users?

Dial-up and open wifi?

[antdude]

Isn't it harder with dial-up and open wifis?

Re:

[Anonymous Coward]

I would say if your address is static OR you ISP is happy to cooperate; only takes one for you to be quite trackable. What worries me a bit is that this article seems to advocate for legal precedent to be based on this idea, which is quite short sighted. Yea, right now it might be a bit hard to authoritatively determine the end user of a dynamic IP, but IPv6 is coming and when it does, everything and everyone will have their own, easily traceable IP address. Privacy laws need to be based around that assu

Re:

[dogsbreath]

It also depends on the accuracy of the ISP dynamic IP records.

The IP records, if they keep them, are subject to a number of accuracy issues. So much of the ability to trace the given IP at a given time back to a particular subscriber line or dataset depends on accurate configuration of many devices and databases... and on the people that manage all of it.

eg1: Allocation of routable IP address ranges to DHCP servers changes more often than you might think, primarily due to the scarcity of IPV4 addresses.

Re:

[karnal]

You bring up excellent points. This also spiked me to think about my last interaction with my local Cable provider regarding an internet service outage. Each time I would call a Level 1 technician, they were always asking for my MAC address on the modem. Why wouldn't they just have this tied to the customer record? It's possible they were just verifying, but the tone of their voice made me feel otherwise....

Re:

[dogsbreath]

Even MACs are dynamic. There are very few hard coded MAC addresses in devices anymore. Probably he wanted to make sure that he was looking at the same thing that you were.

The stuff I mentioned above are just on the ISP side. Unbelievably (tongue in cheek here), subscribers do all kinds of odd and unauthorized things. Neighbours and friends will swap, trade, loan and sell their set top boxes and modems. The curious sort will install custom firmware on the ISPs device, or they'll stick a transparent

Re:Happy

[TaoPhoenix]

I'll conclusively say right now: the ISP is happy to cooperate. It's only When, not If. They get a cut of the resulting lawsuits.

Re:

[camperdave]

That's the way DHCP works. When the IP address lease is eligible for renewal, the client will ask the server if it can keep the existing IP address. If the server okays the request, the client keeps the same address. For continually connected networks, such as DSL and cable, you're typically not going to see a lot of change in the DHCP assigned IP address.

Re:

[TheLinuxSRC]

That is unless your DSL provider is Windstream. My IP changes almost daily with no service interruptions. It got so bad that I wrote a script that grabs my public IP every 5 minutes and scp's that to one of my servers every 5 minutes.

Re:

[pyrr]

Perhaps they couldn't earn a conviction on an IP address alone, but unless the courts stop granting the MAFIAA things like search warrants and subpoenas based on IP addresses, I'm thinking for the purposes of going on a fishing expedition, it would work well enough. As it seems to work now, just having their private investigators log an IP address allows them to get a subpoena to force the owner of that IP address to open-up its records (if they do any logging of customer/MAC against timestamp against assig

Re:

[magamiako1]

The RFC for IPv6 provides for temporarily assigned addresses. The original spec required a MAC to be used to generate the 64-bit host address, but that has since been sort of ditched. The best they could trace to is your network ID (either a /48, /56, or /64, or whatever they otherwise decide to do with host networks--right now Comcast provides /64's to their IPv6 testing customers).

That /64 should ideally never change, and will be assigned per customer. So while the specific device can not be found, the ne