
IP address errors lead to wrongful arrests - alphabettsy
https://nakedsecurity.sophos.com/2018/01/02/ip-address-errors-lead-to-wrongful-arrests/
======
kogepathic
At what point will law enforcement ever come to accept that an IP address does
not map directly to a person?

As outlined in the article:

* most residential IP addresses are dynamic

* more and more carriers are using cgNAT as they exhaust IPv4 addresses

I'd like to add a third case that I feel is often overlooked:

* most consumer or ISP-provided routers never have their firmware updated (unless the ISP pushes the update themselves) and are probably vulnerable to Mirai, KRACK, and many others.

Taking these into account, even if LEO is able to get the correct
information for an IP address, there's a non-zero chance that the people
had/have a compromised device.

No average consumer is going to be able to prove to LEO or a judge that their
device was compromised, and I somehow doubt doing forensic analysis of the
person's network is top of LEO's list of evidence to gather. Additionally,
many compromises can be ephemeral so by the time the deed is done and the
police show up, the router has been rebooted and evidence of the compromise is
gone. There is zero chance that LEO is dumping RAM of the router before
seizing it as evidence.

Combine this with the fact that people may have an encrypted device and may
legitimately forget the password before being requested to decrypt the device.
I'm sure this can happen, as being arrested and going to trial can be quite
stressful.

The US government is already indefinitely detaining people for not decrypting
their devices. [1] I'm not saying the suspect in this case is innocent or
guilty, but consider what precedent is being set there.

I don't see this heading anywhere good...

[1] [https://nakedsecurity.sophos.com/2016/04/28/suspect-who-wont...](https://nakedsecurity.sophos.com/2016/04/28/suspect-who-wont-decrypt-hard-drives-jailed-indefinitely/)

~~~
lima
You will be happy to hear that some countries got it right.

Here in Germany, authorities treat IP addresses as very weak forms of
circumstantial evidence due to the issues you mentioned (CGNAT, compromised
devices). Nobody is going to be convicted purely based on an IP address.

~~~
peeters
You don't have to convict someone to do irreparable damage to their life. See
Nigel Lang, the man referred to in the article.

~~~
lima
Yes, but getting arrested requires "dringenden Tatverdacht" (strong suspicion)
here. An IP address isn't sufficient without any additional evidence.

(Disclaimer: I'm not a lawyer, exceptions apply)

~~~
chroem-
For future reference, there is no legal requirement that says you need to
formally announce you're not a lawyer on internet forums.

~~~
stordoff
It can still be useful to do so though, as a shorthand for there potentially
being nuances or exceptions to the claim you are making of which you are
unaware.

~~~
thomastjeffery
> for there potentially being nuances or exceptions to the claim you are
> making of which you are unaware.

Making a statement just to avoid an edge case is what we hackers like to call
"boilerplate". We don't find it useful, and generally prefer to avoid it, both
for the writer and the reader.

------
patcheudor
A natural progression of the ten immutable laws of computer security:

[https://technet.microsoft.com/en-us/library/hh278941.aspx](https://technet.microsoft.com/en-us/library/hh278941.aspx)

"When you attach your computer / computing device to the Internet it's no
longer yours."

and from that:

"There is no such thing as nonrepudiation on any computing device which is not
actively monitored by an outside, independent, air-gapped system under the
strictest of operational control."

Which takes us here:

"No credible forensics expert can tie user interaction to any specific event
or file on a computing device with any certainty as no forensics expert can be
aware of all attack surfaces and vectors over time available through the
platform they are reviewing. Nor can they be aware of attack motivations and
the capabilities of an attacker to obfuscate said attack."

------
otakucode
The mindset of "This resolved to a house with kids, we need to move now" cuts
both ways. When they screw it up, they vastly, _vastly_ increase the amount of
time it takes before they actually go after the correct location - which might
very well have children as well. By cutting corners, they do nothing but
inflate their own egos and feed their own lust for persecution, destroying
innocent lives in their wake. They do not help abused children. At all.

Since the 1990s I have been very bothered by the practice law enforcement
follows of using IP addresses as evidence against people. I can't imagine how
many fathers have had their lives ruined because their young teen son went
searching for something they shouldn't have, or because someone used their
open wifi connection, or routed through them via malware, or spoofed that IP
address, etc. There are multitudes of ways in which it might not point to the
right person.

And it is very important to remember that when you act on information that
points at an innocent person - you are protecting the actual offender. You are
shielding them from prosecution. You are guaranteeing that they remain
available to continue to commit the crime you are investigating. I would
think, just generally, police would be motivated to not be providing that sort
of shielding... but getting those headlines seems to just be so damned
tempting...

------
dsfyu404ed
When you consistently let an organization off the hook for bad or sloppy
performance "because law enforcement" or "because government" you will
consistently get

The stakes are low. Nobody in law enforcement (or government in general)
stands to lose their job or have their career ruined if the organization they
run ruins someone else's life in error. It's no surprise that they play fast
and loose when it comes to anyone who isn't part of their in-group.

------
coding123
Also if this is so error prone, what time window do they consider appropriate
for matching logs to usage? Are they accounting for time-zones or are they
just going to court and saying "5pm" blah blah blah.

What percentage of the victims of this kind of error are also getting their
hard-drives tampered with fake evidence like child porn? There is an incentive
on the police department to not back down if they arrest someone - they can
get sued - a hard drive full of that would have that lawsuit thrown out very
quickly and likely without anyone wanting to pay for an external
investigation.
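
The time-window and time-zone question raised in the comment above, as an added example that is not part of the original thread: a lookup over a constructed DHCP lease log in which a log time of 17:00 with no zone resolves to three different subscribers depending on the assumed UTC offset, and a correct time near a lease boundary resolves to two. The lease data, the address 203.0.113.7 and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed lease log for one dynamic address (documentation range 203.0.113.0/24).
# Fields: ip, subscriber, lease start, lease end (end exclusive). All values are made up.
LEASES = [
    ("203.0.113.7", "subscriber-A", "2018-01-02T09:00:00+00:00", "2018-01-02T16:30:00+00:00"),
    ("203.0.113.7", "subscriber-B", "2018-01-02T16:30:00+00:00", "2018-01-02T23:00:00+00:00"),
    ("203.0.113.7", "subscriber-C", "2018-01-02T23:00:00+00:00", "2018-01-03T08:00:00+00:00"),
]


def holders(ip, when, skew=timedelta(0)):
    """Every subscriber who held `ip` at some moment in [when - skew, when + skew]."""
    if when.tzinfo is None:
        raise ValueError("timestamp has no UTC offset; the lookup is undefined")
    lo, hi = when - skew, when + skew
    found = set()
    for lease_ip, subscriber, start, end in LEASES:
        begins, ends = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if lease_ip == ip and begins <= hi and lo < ends:
            found.add(subscriber)
    return sorted(found)


def by_assumed_offset(ip, naive_ts, offsets_hours):
    """Resolve an offset-less log time once per plausible UTC offset."""
    naive = datetime.fromisoformat(naive_ts)
    return {
        h: holders(ip, naive.replace(tzinfo=timezone(timedelta(hours=h))))
        for h in offsets_hours
    }


if __name__ == "__main__":
    # "5pm" with no zone: three offsets, three different households.
    print(by_assumed_offset("203.0.113.7", "2018-01-02T17:00:00", [0, 1, -8]))
    # A correct UTC time near a lease boundary, with 5 minutes of clock skew.
    near = datetime(2018, 1, 2, 16, 28, tzinfo=timezone.utc)
    print(holders("203.0.113.7", near, timedelta(minutes=5)))
```

A lookup that returns more than one subscriber, or that had to guess the offset, identifies a set of candidates rather than a household.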

------
k33n
Why are people who have no idea how the Internet works conducting
investigations related to Internet crime?

~~~
thomastjeffery
They are also the ones defining "internet crime" and "evidence".

Those of us who _do_ understand don't have an appealing alternative, because
the entire thing is nonsense.

We have the same problem with DRM and software patents.

------
conbandit
How do we convince courts/LEOs that ip address != identity?

~~~
jstarfish
It's unlikely to happen. The incentives for both detectives and prosecutors
both align with putting someone behind bars. They do know damn well that IP
addresses != identity, but if the circumstances are convenient enough they'll
press forward with cases regardless to keep their case closure/conviction
rates up.

It's the public, the yokels on the jury, that you need to correct the
perceptions of. When most of them get their CS understanding from daytime
television crime procedurals, you have a lot of work ahead of you.

~~~
Buttons840
Ah yes. The final layer of protection, a jury of my "peers", none of which
work in the same industry or understand the most basic principles of what I do
(as a programmer).

~~~
jstarfish
It doesn't help that people specifically like yourself tend to be weeded out
of jury pools under voir dire.

An educated person such as yourself might be able to influence the other
jurors (or at least hang it), and we can't have that. It's much easier if
everybody simply accepted the prosecutor's explanation of how IP addressing
works.

------
Feniks
IP address should be used as the START of an investigation. Not evidence at a
trial.

Still I understand the prosecution. Pedophiles and other assorted scum know
OPSEC and society wants criminals off the street. So just letting people walk
because they were clever enough to encrypt their HDD is not an option.

