At what point will law enforcement ever come to accept that an IP address does not map directly to a person?
As outlined in the article:
* most residential IP addresses are dynamic
* more and more carriers are using cgNAT as they exhaust IPv4 addresses
I'd like to add a third case that I feel is often overlooked:
* most consumer or ISP-provided routers never have their firmware updated (unless the ISP pushes the update themselves) and are probably vulnerable to Mirai, KRACK, and many others.
Taking these into account, even if LEO is able to get the correct information for an IP address, there's a non-zero chance that the people had/have a compromised device.
No average consumer is going to be able to prove to LEO or a judge that their device was compromised, and I somehow doubt doing forensic analysis of the person's network is top of LEO's list of evidence to gather. Additionally, many compromises can be ephemeral so by the time the deed is done and the police show up, the router has been rebooted and evidence of the compromise is gone. There is zero chance that LEO is dumping RAM of the router before seizing it as evidence.
Combine this with the fact that people may have an encrypted device and may legitimately forget the password before being requested to decrypt the device. I'm sure this can happen, as being arrested and going to trial can be quite stressful.
The US government is already indefinitely detaining people for not decrypting their devices. [1] I'm not saying the suspect in this case is innocent or guilty, but consider what precedent is being set there.
You will be happy to hear that some countries got it right.
Here in Germany, authorities treat IP addresses as very weak forms of circumstantial evidence due to the issues you mentioned (CGNAT, compromised devices). Nobody is going to be convicted purely based on an IP address.
It can still be useful to do so though, as a shorthand for there potentially being nuances or exceptions to the claim you are making of which you are unaware.
> for there potentially being nuances or exceptions to the claim you are making of which you are unaware.
Making a statement just to avoid an edge case is what we hackers like to call "boilerplate". We don't find it useful, and generally prefer to avoid it, both for the writer and the reader.
That's totally absurd; are they going to fine you for driving too, because cars are often used for robbery getaways? How about a fine for ftp? You can torrent over browsers too, so a fine for that? A fine for booting up a computer that might torrent illegally?
Obviously, you can open a torrent client just fine in Germany.
However, there's a bunch of companies monitoring popular torrent trackers and since it's all peer-to-peer, they can easily figure out your IP address as soon as you start downloading a torrent they're monitoring (they usually work for a particular distribution company and have a list of files they're interested in). Popcorn Time and similar apps are a common and obvious target.
Once they know your IP address, ISPs are required to disclose your personal data (§ 101 UrhG) and they'll send you a nice letter requesting a payment (Abmahnung). If you do not pay, they might sue you (but probably won't).
If they do sue you, it's on them to prove that it was indeed you who used the IP address at the time, which is - in most cases - an impossible feat.
So, yes, you're highly likely to get in trouble if you torrent in Germany, but you'd probably win if you fight it.
It doesn't matter: torrents hardly enable it to exist, any more than ftp does; it's just the current tool of choice for piracy.
You ban it, and they'll switch to something else, and you'll have done nothing but make things slightly less convenient but with relatively large cost to enforce. Why not just do the job properly and ban general purpose computers, limited to government approved and locked down hardware, os and apps?
Add that inside a home, the IP is again behind a NAT because the whole family is using the wi-fi. Including people who drop by to visit you, to have a dinner, to watch a game.
Ah, I didn't realize that. I've got my own modem + router, I've only ever used my neighbors' xfinitywifi when I ran through my own data cap (that's a useful trick if you've got a data cap).
You can't for AT&T U-Verse. They won't assign an IP address to a 3rd party device. I've been meaning to get some cards and do some raw frame dumps to try to figure out how their Fiber modems work and see if I could get it to assign my own device an IP address. It's on the long list of things to do.
I've read how all you need is put the AT&T router behind your firewall and proxy the 802.1x packets to/from the AT&T device, thus faking out the upstream gateway.
Sure, but it's going through your router, right? So if you were torrenting and someone else jumped on the xfinity wifi and started torrenting, it would affect your ability to use your bandwidth, right?
As another post said, only jitter (and only minorly).
Bandwidth would be unaffected. Or more exactly, on WiFi (but not Ethernet): as affected as if your close neighbor used that amount (since WiFi itself has limited bandwidth). The connection from the router to the cable modem has lots of headroom, so that would be unaffected, as would wired connections.
You can forget convincing a judge, by the way. While there is a razor-slim chance that the judge might understand technical matters and wish to let you present your case, they can't. The prosecution will accuse the defense of attempting to 'bamboozle' the jury with confusing technical details. This is used in DNA evidence cases to prevent lawyers from pointing out that 1 in 100 DNA tests are in error due to lab errors or sample contamination. The ability to present technical information in a courtroom is basically nil in the USA. The standard used is a 'reasonable person' and it is assumed that no reasonable person has the ability to understand technical nuance. If the police say your IP address did something bad... you're just screwed, as far as I can tell.
Why can't you ask your lawyer to subpoena the records from the ISP? If you're innocent the ISP's records should indicate you've never interacted with the servers you're being accused of accessing. Just alleging that something could be wrong isn't enough, reasonable doubt has to have a boundary line somewhere. Now if there are cases where defendants are prevented from admitting exculpatory evidence that would disprove circumstantial evidence, then that's a separate problem (i.e. when prosecutors hide evidence).
To be clear about [1], he isn't being held because he forgot the password to the device, he's claiming he doesn't have to decrypt the device even with a warrant. If he claimed he forgot the password, the government would have to prove he really knows the password to keep him in jail. But because he is refusing to respond to the order, he has to stay in jail until either he complies or he can prove in court the government doesn't have the right to demand it. Whether the government can compel you to decrypt a device is still a bit of an open question, with conflicting decisions from appeals courts. It's not nearly as cut-and-dry as you would suppose. The fifth amendment says you can't be made to testify against yourself, but you can, for example, be made to provide documents via subpoena that may prove your guilt.
Maybe this guy is trying to set a precedent, but can't he just say he forgot? It's not like the government can prove he remembers the password if he claims he does not.
In theory perhaps, but in practical terms your mileage may vary widely. I'm not sure about the rest of the USA, but in the Chicago area Comcast appears to have pretty much abandoned rotating dynamically-allocated IPs, and I suspect many other carriers have something similar. On the other hand, experience last year with attempting to whitelist a remote user living in Germany showed that at least one ISP there appears to rotate home IPs every few days.
> You can ask the ISP. They are supposed to store metadata.
What you say is true, but prosecutors/investigators have little incentive to jump through another hoop. If they are willing to prosecute someone with just circumstantial evidence of an IP address, they aren't really looking to find the perpetrator, only a fall guy.
It's not ridiculous. Some countries (and States, iirc) require that speeding and red light tickets have to be issued to the driver of the car, so traffic cameras capture both the licence plate and the driver's face.
Similarly, if I torrent pirated media in a Starbucks, should the store be charged?
Yes, but that's only partially the reason, or rather, in some cases.
In my state, that was specifically to cover "well, if you deny driving the vehicle..." situations, where people would say "Oh, it wasn't me, I lent my car to someone/my kids drove/whatever", and law enforcement replying "Who?" "Oh, I don't know. Sorry."
Now it's to increase the burden of proof. It's reasonable to assume that if you own a vehicle, you were driving it. It's furthermore reasonable to assume that you should be able to identify who was driving the vehicle, from the face, even if you do have multiple people driving.
If you then refuse to identify the person, or "I don't know", then it's tantamount (in the law's eyes) to saying you weren't taking due regard to the care of operation of your vehicle (after all, if you don't even know their name, how do you know they're licensed?).
The assumption that the owner of a piece of equipment (be it cars or computers) is always responsible for how it is used is not valid. Cars are stolen with significant frequency, for example. People also drive them without permission (e.g. a spouse gives the keys to a visiting in-law). There are plenty of situations where somebody may not be able to identify who was using the car.
Computer crimes are the same way. It may be possible to prove what equipment is implicated in a crime, but that's rarely sufficient to make any individual responsible without other evidence. People give WiFi passwords to their guests, equipment is hacked, etc. Establishing that an owner of a router or computer is responsible for anything it is used for unless proven otherwise opens a massive attack surface for blackmail, extortion, etc.
> Cars are stolen with significant frequency, for example.
Presumably you'd report your car stolen, no?
> People also drive them without permission (e.g. a spouse gives the keys to a visiting in-law).
Then you'll be able to identify the person via a picture of their face, most likely, no?
> Establishing that an owner of a router or computer is responsible for anything it is used for unless proven otherwise
I'm not trying to say any different, in fact I'm saying that it is a "reasonable" assumption, and as with any reasonable assumption there are notable exceptions, by which showing the driver's face is a reasonable method by which saying "No, Your Honor, the person driving my vehicle is not me". In some states you may not even be obliged to identify the driver, only show that it "is not you".
To tie a request made over CGNAT to the ISP's customer you need both the IP address and the port number of the connection. In my experience, most software that logs IP addresses doesn't bother to log the port number. (Probably because it wasn't relevant before CGNAT came along.)
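The CGNAT point in the comment above, as an added example that is not part of the original thread: the same request is matched against an ISP's port-block leases once with only the address logged and once with the source port as well. The lease table, the subscriber labels and the `client=` log format are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed ISP-side CGNAT records: one public IPv4 address shared by several
# subscribers, each leased a block of source ports for a time window.
CGNAT_LEASES = [
    # public_ip,    first, last,  lease_start,           lease_end,             subscriber
    ("203.0.113.7", 1024,  9215,  "2024-03-01T20:00:00", "2024-03-01T23:00:00", "sub-A"),
    ("203.0.113.7", 9216,  17407, "2024-03-01T20:30:00", "2024-03-01T22:00:00", "sub-B"),
    ("203.0.113.7", 17408, 25599, "2024-03-01T21:00:00", "2024-03-02T01:00:00", "sub-C"),
    ("203.0.113.7", 9216,  17407, "2024-03-01T22:00:00", "2024-03-02T02:00:00", "sub-D"),
]

# Constructed server-side log lines (hypothetical format): the first records
# only the client address, the second also records the client source port.
LOG_IP_ONLY = '2024-03-01T21:15:42 client=203.0.113.7 "GET /file HTTP/1.1" 200'
LOG_IP_PORT = '2024-03-01T21:15:42 client=203.0.113.7:11842 "GET /file HTTP/1.1" 200'

LINE_RE = re.compile(r"^(\S+) client=([\d.]+)(?::(\d+))? ")

def parse(line):
    """Return (timestamp, ip, port-or-None) from one log line."""
    ts, ip, port = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts), ip, int(port) if port else None

def candidates(line):
    """Subscribers the ISP cannot rule out for this log line."""
    when, ip, port = parse(line)
    hits = set()
    for pub, first, last, start, end, sub in CGNAT_LEASES:
        if pub != ip:
            continue
        # The lease must cover the logged time; clock skew between the
        # server and the ISP would widen this window in practice.
        if not (datetime.fromisoformat(start) <= when < datetime.fromisoformat(end)):
            continue
        # Without a logged port, every subscriber on the address remains.
        if port is not None and not (first <= port <= last):
            continue
        hits.add(sub)
    return sorted(hits)

if __name__ == "__main__":
    print("IP only:    ", candidates(LOG_IP_ONLY))
    print("IP and port:", candidates(LOG_IP_PORT))
```

The same port block is leased to a different subscriber after 22:00 in this sample data, so an accurate timestamp matters as much as the port.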
I don't see this heading anywhere good...
[1] https://nakedsecurity.sophos.com/2016/04/28/suspect-who-wont...