Can You Really Be Traced From an IP Address?
Barence writes "Identifying individuals using nothing more than their IP address has become a key part of anti-piracy and criminal investigations. But a PC Pro investigation casts serious doubt on the validity of IP-based evidence. 'In general, the accuracy of IP address tracing varies depending on the type of user behind the IP address,' Tom Colvin, chief technology officer with security vendor Conseal told PC Pro. 'Whilst big businesses can be traceable right back to their datacenters, standard family broadband connections are often hard to locate, even to county-level accuracy.'"
Depending on what data is being captured by the ISP for management purposes, this COULD be true.
But, if they can track you well enough to meter you (Comcast, AT&T, etc), they can track you down to your IP too.
Chas - The one, the only.
THANK GOD!!!
This is not the problem with IP tracking. In most instances the ISP will have logs linking IPs to customers, and people can be easily traced. The real problem is that AN IP IS NOT A PERSON. You cannot trace a person through an ISP (except through strong circumstantial evidence such as someone using their email account from that IP). If all the info you have is that someone/something at IP 12.34.56.78 downloaded kiddie porn, that's no evidence at all. Was it the suspect? Was it a family member or friend? Was it some random on the street who cracked the WEP key or accessed an open network? You have no idea and you never will unless you can find 1) evidence on a computer and 2) evidence that the suspect was using said computer at the time.
I'm often having to remind users in the office that a simple reverse lookup on our IP and there's the company name sat right there, a few clicks and you've got the building address. Go onto LinkedIn and you've probably got half the employees' full names. A lot of people forget just how much information you can get from work IPs. It's not CSI style VB GUI interface level but if you're about to go make some stupid edits on Wikipedia don't do it from your office connection.
jaymz
has written a Visual Basic application to track your IP.
As the island of our knowledge grows, so does the shore of our ignorance.
standard family broadband connections are often hard to locate, even to county-level accuracy
Advertisers rarely seem to be affected by this; every time I plug my laptop in while abroad the adverts change to the current locale.
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
In 1997 a company threatened to sue me for breaking into their system (which I didn't do). Due to my good contacts with the ISP at the time I was able to get my hands on 6 months' worth of packet logs related to my cable modem. This was a Dutch, but American owned, cable ISP. If they were logging things to that detail at the time, I doubt it has gotten any less today. If you're with one of the bigger ISPs, rest assured, your packets are safely logged.
Apparently they can't meter you too well.
http://www.digitaltrends.com/computing/att-vows-to-improve-inaccurate-broadband-metering/
As to the tracking, I'm sure it can be done, however, unlike DNA, spoofing is completely trivial, so I would never be comfortable having it as the only evidence in some type of trial.
I would say if your address is static OR your ISP is happy to cooperate; it only takes one for you to be quite trackable. What worries me a bit is that this article seems to advocate for legal precedent to be based on this idea, which is quite short sighted. Yeah, right now it might be a bit hard to authoritatively determine the end user of a dynamic IP, but IPv6 is coming and when it does, everything and everyone will have their own, easily traceable IP address. Privacy laws need to be based around that assumption now.
RTFA and you see that, as many of us already know, you can get a court order to get the exact identity of the account holder, so the problem as described by the summary quote is not the real issue. Rather, just because you know the account holder does not mean that you can prove that the account holder, or whoever you have on the stand, is the one that infringed.
Despite rear-end covering clauses in the terms of most home ISPs that state that the account holder is liable for everything that goes across their connection, most courts won't accept that. I wouldn't be willing to test it, but it's a very valid point of defense. The number of people with open Wi-Fi is staggering, and even then there are attacks which work on WEP (a ton) and WPA (GPU accelerated attacks can get passphrases in under a minute on many routers), which is the maximum security many home routers in use are capable of. That makes this point even more valid.
Whenever you connect to the Internet via your ISP and they give you an IP address, they record the time you connected and your account username (or cable modem's MAC address which can be traced back to your billing account). All someone needs is your IP address and the time the offense took place (has to be a specific time frame) and all the ISP needs to do is look in their database of addresses they gave out and they have you.
Yeah, you could have an open WiFi router but usually the company attempting to sue you (*cough* RIAA, MPAA *cough*) doesn't care. They want their own twisted version of justice and they want money now. They don't care if you have an open WiFi router and that the neighbor may have downloaded music on your network, they see that your account was responsible for the act and they want money!
Can you trace the final connection endpoint (i.e. the part that contacted the observed target as the last link in the chain)? Yes. Even if they fake the IP you *could* in theory do work to discover where that connection originated from. This assumes greatly that the IP you recorded isn't forged, random or nonsense and that you haven't just been "given" a list of IPs from a third-party who didn't do the correct analysis to determine where those IPs are gathered from.
Can you get from an IP to a physical location? Almost certainly. Usually to the campus, home address or business telecoms line that the IP is associated with. But it will be the IP of the other endpoint of the connection, not necessarily the origin of the user's actions. E.g. proxies, hacked routers, etc. And even that can be extraordinarily tricky to arrange over international borders.
Can you trace back through proxies and other hindrances to get to an actual connection origin? Yes. Doubling the work necessary at each stage, and only if you can force physical access to each of those origins in order to trace back where the source came from.
Can you get from a confirmed IP-packets physical origin to an actual person? Depends. Not automatically, and probably not at all without an admission of guilt or other concrete evidence and almost certainly it would only be "coincidental" rather than anything else (otherwise it would be like arresting everyone who used an Acer laptop because the connection originated from an Acer laptop)
Can you do "hacker-work" to knock on the door of Hacker 1 who lives in an uncooperative country who was trying to hide their tracks (i.e. someone you actually WANT to trace using police resources and raiding datacentres)? Probably not.
Can you do some simple police investigations to get from an abusive IP address to a home address that you can raid for more evidence in a co-operative, or your own, country (i.e. someone stupid enough to do something incredibly illegal and traceable from their home Internet connection)? Yes.
Can you then prove it was them that used that IP? Not without taking their computer and ISP logs and all sorts of other evidence and doing a full "ordinary" investigation.
Can you determine who random user X was who piggybacked on a wifi connection that you *can't* prove the owner used himself but can only trace to that IP? Not without some other evidence (e.g. spotting the car that was sitting outside).
Can you tie an IP address on the general Internet to a single person unequivocally? Not to the standard of any court that I know, no.
Can you tie an IP address on the general Internet to a single person enough to make you suspicious? Usually - yes.
Will it stand up in court? Not without a shit-ton of other evidence that's much more convincing.
Having worked for several large ISPs in their "Copyright infringement" department (ironic I know) I can tell you that no, tracing an IP address back to its original user is not likely and shouldn't be admissible in court.
The way the system works is this:
The ISP gets an email claiming copyright infringement on a certain date and time by a particular IP.
It's important to note, the ISP has no way of verifying any of the following:
The email came from the person it's claiming to come from
That person is the copyright holder
There is even a copyright on the file in question
The person sending the email did anything to confirm what they were downloading was a copyrighted file (is batman.zip the new or fan fiction?)
The ISP cannot even confirm that anything at all was downloaded.
The ISP then takes the IP address provided and the time claimed and compares this to their DHCP server and looks for lease statements before and after the time the file was claimed to be downloaded. So if the complaint was at 10pm and we had that IP time stamps at 9:30pm and 11:00pm for Jim, then Jim gets a letter.
As you can imagine there are all kinds of holes in this. There are a zillion and one ways that could be inaccurate inside the ISP alone. This doesn't even include all the failures on the part of the copyright holders. We had one that was so inaccurate they were sending us multiple complaints on a daily basis against IPs we hadn't had leased out to anyone for days surrounding the times of their complaints. We made repeated inquiries with the "Company" to try and clarify their problem. But in the end just blacklisted their email accounts. We had other incidents in which the complaint was that the user downloaded a dozen or so movies... but a quick check of their usage logs showed they were using less than a couple hundred meg a month.
It was clear that the copyright holders were using automated scripting software to flood us with complaints with no real checks and balance on their part and then expected the ISP to do the heavy lifting when it came to investigation.
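The lease-log correlation described in the post above (complaint IP plus timestamp, matched against DHCP lease records before and after that time), written out as an added example; it is not code from the thread or from any ISP's systems. The CSV-style lease log format, the field names and every record in it are constructed for this illustration. It also covers the two failure modes the post mentions: a complaint against an IP that was not leased to anyone at that time, and a complaint whose timestamp falls close to a lease boundary, where clock skew between the complainant and the DHCP server makes two subscribers plausible.

```python
"""Correlate an abuse complaint (IP address + timestamp) with DHCP lease records.

Added example. The log format and all sample data below are constructed; real
DHCP servers and provisioning systems each have their own log formats.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Lease:
    ip: str
    subscriber: str   # account id or modem MAC as the ISP records it (constructed values)
    start: datetime
    end: datetime


# Constructed sample lease log, one lease per line: start,end,ip,subscriber.
# All timestamps are naive and assumed to be in the same time zone as the complaint;
# mixing zones is one of the "holes" the post refers to, so normalise before comparing.
SAMPLE_LEASE_LOG = """\
# start,end,ip,subscriber
2011-03-01T09:30:00,2011-03-01T11:00:00,203.0.113.17,sub-jim
2011-03-01T11:00:00,2011-03-01T12:30:00,203.0.113.17,sub-jim
2011-03-01T13:00:00,2011-03-01T15:00:00,203.0.113.17,sub-alice
2011-03-01T08:00:00,2011-03-01T20:00:00,203.0.113.42,sub-bob
"""


def parse_leases(text: str) -> List[Lease]:
    """Parse the constructed CSV-style lease log into Lease records."""
    leases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, ip, sub = line.split(",")
        leases.append(Lease(ip, sub, datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return leases


def correlate(leases: List[Lease], ip: str, when: datetime,
              clock_skew: timedelta = timedelta(0)) -> Tuple[str, Optional[object]]:
    """Find which subscriber held `ip` at `when`.

    Returns one of:
      ("match", subscriber)          exactly one lease covers the (skew-widened) window
      ("no_lease", None)             no lease covers it: the complaint cannot be attributed
      ("ambiguous", [subscribers])   leases of different subscribers both fall in the window

    The window is widened by `clock_skew` on each side because the complainant's clock
    and the DHCP server's clock are rarely in sync; near a lease boundary that widening
    can pull in two subscribers, and the function refuses to guess between them.
    """
    lo, hi = when - clock_skew, when + clock_skew
    candidates = sorted({l.subscriber for l in leases
                         if l.ip == ip and l.start <= hi and l.end >= lo})
    if not candidates:
        return ("no_lease", None)
    if len(candidates) == 1:
        return ("match", candidates[0])
    return ("ambiguous", candidates)


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASE_LOG)
    # The post's case: complaint at 10:00, leases for Jim at 09:30 and 11:00 -> Jim.
    print(correlate(leases, "203.0.113.17", datetime(2011, 3, 1, 10, 0)))
    # Complaint against an IP the ISP never leased out -> no_lease.
    print(correlate(leases, "203.0.113.99", datetime(2011, 3, 1, 10, 0)))
    # Complaint in the gap between two subscribers, with 15 minutes of allowed skew -> ambiguous.
    print(correlate(leases, "203.0.113.17", datetime(2011, 3, 1, 12, 45), timedelta(minutes=15)))
```

The design choice worth noting is that the function returns a status rather than a bare subscriber name: an abuse desk that only ever sees a name (or an empty string) has no way to tell a clean match from a boundary case, which is exactly how letters go to the wrong household.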
...which of the 4 people living here and on which of the 9 computers (7 physical, 2 virtual) behind my NAT firewall committed the act based on the evidence you have already? Which subnet of my internal network were they using (the virtual machines are subnetted away from the rest of the network)? Is it possible that someone outside my home cracked my wireless security, joined my network, and committed the act in question?
If you have 9 computers in your possession, the authorities really don't care which is infringing, they are still in your possession. Subnets don't really matter, nor does your NAT firewall, as all they have to do is show that the content in question was transmitted to whatever device you have that is connected to your ISP (usually a router). That is enough to give probable cause for a search warrant (at least in the US). From there, they can confiscate said computers and analyze them looking for signs of the data in question.
It may be possible that somebody outside your home cracked your security. You could try to use that as a defense, it wouldn't be up to the prosecutor to show that it didn't happen, anymore than they would need to show that somebody broke into your home or business and used your computer. That would be your burden to disprove the prosecutor's case. Besides, a good prosecutor would point out that if you have the smarts to create the network you have described, then you have the smarts to adequately protect it. Negligence usually is not a good defense at a trial.
Here is an analogy for you. If you loan your car to somebody and they commit a crime with it, the authorities are coming after you. If you have an alibi, that is great, otherwise, you'd better be ready and willing to turn over who borrowed your car. Even with an alibi, if you don't want to be an accomplice, you'd better be ready and willing to turn over who borrowed your car.
So, back to your 9 computers. If it wasn't you who did whatever, which of your family or users (depending on whether this is a home or work system) did? That is the information they will find out when they confiscate your equipment. Happens every day, all the time.
It's not amazing to me. History is full of business models being propped up by legislation and cronyism, copyright laws being no exception. Benjamin Franklin lobbied for paper money so that he could get a job printing it (decades before the American Revolution), so it's a time honored tradition in this country.
SSC
It also depends on the accuracy of the ISP dynamic IP records.
The IP records, if they keep them, are subject to a number of accuracy issues. So much of the ability to trace the given IP at a given time back to a particular subscriber line or dataset depends on accurate configuration of many devices and databases... and on the people that manage all of it.
eg1: Allocation of routable IP address ranges to DHCP servers changes more often than you might think, primarily due to the scarcity of IPV4 addresses. Depending on how the ISP handles these changes, you could easily have a situation where a subscriber endpoint is returned that is no longer correct.
eg2: Say we're talking about DSL. In all of the millions of pairs of wires that have been connected by hand, there are bound to be errors, either in the actual jumpering or in the record keeping about the jumpers and the end points. Believe me, this happens and it can go undetected for a long time.
eg3: Systemic errors in the provisioning software that manages the DHCP servers. As long as the billing records don't come into question and the subscribers get their service, it is unlikely that anyone is going to notice that there is a problem with the generation of the reverse lookup name. If the dynamic IP to dynamic name relationship is not always correct, who is going to notice? This one in particular can be a real bugger to find.
eg4: You would think that everything is kept straight by monolithic, standardized allocation software and methods that are tried and true, but all you need is one manual step in a process to throw everything into question. Excel spreadsheets crop up in the most unexpected places.
Basically, IP tracking by an ISP is an inventory management issue and even with relatively static warehouses it is nigh on impossible to get two counts to agree. The larger the inventory and the more dynamic the flow, the more likely there will be problems.
Users of standard home IPs (via ISPs) are neither completely, or even significantly, anonymous nor identifiable. The line is grey and moves, possibly by the minute.
However, the article refers to two legal situations, and doesn't discriminate between them sufficiently. With regard to a lawsuit, the test is often stated as "a preponderance of evidence" while when the article referred to a police investigation, it's often described as "beyond a reasonable doubt". The two are not interchangeable.
The copyright lawsuits that the article refers to are probably attempting to show "enough" evidence to get a settlement or a judgement. Taking the evidence collection to the point the police would want would certainly be an asset to the case and would probably be in the "lead pipe cinch" category, taking into account the lesser evidentiary need.
Without that ... well, they will certainly try to get the judge to agree with them. It may be enough in some cases ... we have a few examples where a Judge or Jury in a civil suit did accept it ... but at the same time by itself it's also probably grounds for appeal as well.
With regard to even national-level geolocation, occasionally at work, due to remoteness, I connect via a sat feed. When I'm on that feed I'm in the arctic; when I see certain ads while browsing and those ads include a city or region as part of the targeted ad, they think I'm in New York state (which is where the ground sat link is with the ISP we happen to use).
But, there are probably cases where there is strong evidence, similar to a corporate IP address ... for a few dollars a month, I could have a static IP at my ordinary (home) ISP as well (although it's dynamic currently). So, it's neither here nor there ... it will vary depending on the unique circumstances of the case.
Essentially, that's also what the judge quoted in the article says ... he's hinting that he would be willing to accept the IP as part of the evidence provided there was corroborating evidence to back it up; otherwise not good enough by itself.
All ISPs keep logs. Knowing the IP immediately identifies the ISP. From there it's just a petition away to find the account/modem MAC that was using that IP at that time.
Proving exactly who was on the computer at that time would be impossible. But you could easily narrow it down to the household.
If it ain't broke, don't fix it.
I'd think that for the purposes of a file sharing case, ISP logs would be sufficient if they can compel them to turn over the relevant bits. No doubt they keep traffic details of some kind from the session layer on down, which would rule out a 4th party spoofing scenario. I could be overlooking something there. Seems to me the problem with tracking traffic back to a user is if you're required to do it blind from an IP in a server log. But if you can take that hint and get the information from the ISP-on-out, that seems pretty concrete (aside from cases of a compromised machine or AP).
Most DNA tests are done to the 1:100,000 level because this is a) quick and b) cheap
DNA testing can be done reliably and accurately to 1:1 billion but this is very expensive and takes a long time ....
But if you are relying on DNA evidence alone then you have a very unsound case, if you test everyone you will find at least 6 matches even at 1:1billion ...
Same goes for IP tracking, you can do it quickly and cheaply and it is often inaccurate, or you can do it properly and it can be made very reliable but this is very expensive and time consuming and does not usually prove any more than the quick test ... the defense lawyer's first question should always be what other evidence do you have linking the person to the crime?
Puteulanus fenestra mortis
Even MACs are dynamic. There are very few hard coded MAC addresses in devices anymore. Probably he wanted to make sure that he was looking at the same thing that you were.
The stuff I mentioned above is just on the ISP side. Unbelievably (tongue in cheek here), subscribers do all kinds of odd and unauthorized things. Neighbours and friends will swap, trade, loan and sell their set top boxes and modems. The curious sort will install custom firmware on the ISP's device, or they'll stick a transparent BSD box on the wire to see what fun they can have.
The IP allocation system will include a lot of devices that the end user may be surprised about. Of course there are the DHCP servers and the systems that manage them (set and query), but configuration of routers is often involved even to the provisioning of a single subscriber for access control, QoS, virtual circuits, etc etc. It is one big state machine and if someone monkeys with it (er... sets an illegal or unforeseen state) then all bets are off as to how it operates.
This stuff is only simple on a small scale or from a distance.