After botched child porn raid, judge sees the light on IP addresses (arstechnica.com)
271 points by shawndumas on May 2, 2011 | 72 comments

> One obvious takeaway: letting total strangers use your Internet connection for any purpose comes with some risk.

Really? My takeaway is: allow open access to anyone, but limit the bandwidth. This way nothing can be proven about my actions. (could be anyone) It actually reduces the risk for me if IP is not identifying people anymore.

It's a great defense during a trial, but the cost would likely be associated with being arrested, losing computer hardware to the local officers for an unknown amount of time, and the potential cost of mounting a legal defense in the first place.

I've always wanted to mount a big electromagnet in my doorframe like in Cryptonomicon.

The main reason I haven't is that there is a 100% chance I'd forget to deactivate it and fry my own hardware. Probably within a week of installing the magnet.

spoiler :(

edit: the comment has its place, but I can only assume that an alert at the beginning would be highly appreciated by many.

What is the statute of limitations on spoiling? That is a twelve year old book.

Serious question.

Children keep coming of age for specific media..I only read it last year. My dad read it this winter, my brother will probably read it this summer...

I'd argue the statute of limitations on spoiling should be the same as murder. Not to suggest it's quite as serious.

At some point, spoilers have to have a statute of limitations. It's been 12 years since that book came out.

Likewise, Bruce Willis was dead the entire time; Vader is Luke's father; and Rosebud was his sled.

Well, yeah, but these are all memes wildly spread. Cryptonomicon (sadly) not so much.

I just think it would have been a nice gesture... 7 letters, not that much of an effort. Of course, it's not a crime, I wouldn't deem anyone a douche because they forgot to forewarn in the heat of discussion.

They should do a Curb Your Enthusiasm episode on this one :P

Hmm, according to this: http://en.wikipedia.org/wiki/Citizen_Kane#Rosebud Rosebud may actually be referring to something a bit more fun than a sled ;D

I don't get the rosebud reference, so...you've apparently messed up some twist for me. Thanks for that.

It's a reference to what is considered to be the greatest film of all time, Citizen Kane.

I mean, that incident is buried somewhere deep in the bowels of the book.

Nobody would know how that is applicable until they actually get right to that part, anyway.

It's not like "Dumbledore dies."

Or buy a machine with a SSD...

For me:

1) computer equipment pretty inexpensive (the more costly stuff is at the end of its life cycle anyway).

2) Important Data is backed up to the cloud

3) I am completely innocent of any Child Porn issues, and only minor issues with copyright (I do enjoy some fan sub anime).

4) Totally willing to sue for damages.

> only minor issues with copyright

Unfortunately, I don't think there's such a thing as "minor issues with copyright" in the current code.

IANAL, but I believe the current code involves requiring the owners of the copyright to sue, and if the anime isn't held by a company engaging in suing foreign nationals...minor case..

Don't forget that the police will shoot your dog.

Depends what "actions" you are taking. In the United States, if your house is raided by law enforcement acting in good faith with a warrant, valid or not, evidence they collect during the raid will be admissible against you.


Also, any family members or pets that they shot won't be unshot when you demonstrate that your router is open to everyone.

Wait a second. A well trained dog isn't getting shot, and a family member isn't getting shot...

Well, unless something incredibly hairy goes down. But I'm reasonably certain arrests for child pornography don't go down like raids on hostile gang hideouts...

Tell that to all the dogs with bullets in their backs.

Possible explanation: dog attacks officer 1, officer 2 shoots dog.

Possible explanation: Stop trying to defend trigger happy cops shooting family pets.

"In depositions, law enforcement personnel admitted that at least one of the dogs was running away when shot.[25]"

Possible explanation for your post: you are a cop apologist who doesn't know what he is talking about.

I'm not defending cops; I'm defending logic. I'm simply proposing an alternative logical explanation. Without the additional information you just provided, my explanation was equally plausible. Talk to me in a less public forum and I'll tell you exactly what I think about cops shooting pets.

The particular case I just mentioned is extraordinarily well known.. it involved a Maryland mayor. It's a decent guess that any person on internet forums such as this that is talking about police unjustly using no-knock raids and shooting family pets is talking about this particular case.

Furthermore, you shouldn't let the thugs rule you. Talk about exactly how you feel in as public a forum as possible.

The particular case I just mentioned is extraordinarily well known.. it involved a Maryland mayor. It's a decent guess that any person on internet forums such as this that is talking about police unjustly using no-knock raids and shooting family pets is talking about this particular case.

Please be reddit. Please be reddit. Please be reddit. Damn, still on hacker news.

If the actions you are taking leave no observable trace (e.g. simply using hidden partitions on TrueCrypt) then there's no evidence to be gathered during the law enforcement raid.

Came here expecting to see comments discussing the best way of avoiding liability if caught downloading CP.

Was not disappointed.

Plausible deniability.

"Steele's request was denied until he can name at least one specific person in the case over whom the court has personal jurisdiction—though it's not clear he can do this at all without going to the ISPs for help. But the judge doesn't care about Steele's problems."

This is the correct result. I hope it is more broadly adopted by the courts. At the moment these seem primarily driven by legal firms using extortion as a business model, we should shut that down first and then go back to working through the issues of fair use and copyright.

The courts have long recognized that one can sue someone whose name is not known at the time of filing the action and then use the court's subpoena power to find out the person's name through an ISP. This practice has been in place since ISPs came into existence and it makes sense for the situation for which it was devised.

The problem here is that the mass-infringement actions have twisted this otherwise legitimate process into something warped and grossly unfair by using the name-gathering process to target people who are then told, "pay up or you will be exposed as a downloader of porn" (or, in other cases, you will be subjected to a major infringement lawsuit that is not worth defending).

Federal judges have enormous power and this judge (and many others) have simply said, "I won't let my court be used as an instrument for a shakedown," using legal niceties about jurisdiction to justify the matter formally. In effect, they are tossing the mass-infringement lawyers out the door, telling them their model won't work in their court. This is indeed the right outcome for this sort of abuse.

OK, so the alternative is that John Does get subpoenaed, and without room for settlement, a civil suit will be brought. How exactly is this better?

I'm surprised that IP address mappings still have the kind of legal weight that authorizes raids. Anyone can acquire a deniable IP by walking down the street to Starbucks (better yet, drive 15 minutes) or pointing a Pringles can at a distant neighbor. I assume anyone taking part in criminal content or actions on the internet would know this.

So how long until we see legislation that a) makes open AP owners liable / accomplices in crimes committed on open APs b) requires open APs authenticate and log all user activity c) outright bans open APs?

Of course, as it should be. When one speeds in a car, the owner of the car is liable for the ticket, no matter who the driver. When a dog bites somebody, the owner is liable, even when the owner could do nothing to prevent it. When a tile falls off a roof on somebody's head, the owner of the building is liable, even if he didn't know, had no reasons to suspect or even had no way to know that a tile could come off.

All these situations are so-called risk-liabilities. How else would we solve situations like this?

No, the owner of the car is not always liable for the ticket. Car rental companies will not pay fines you accrue just because they are the legal owners of the car. The dog ownership analogy has even less merit. A dog is not a sane person in the eyes of the law so as a guardian you are responsible for keeping your dog in line. On the other hand, a person who is using your WiFi for whatever illicit purposes is responsible for their own actions.

...because when you sign the car rental agreement, you agree to pay back any fines. Whoever cashes these fines will get their money from the rental agency, and they will then get it from you (or sue you for breach of contract if you don't pay them).

I was not saying that the dog did anything consciously. The point is that there is a class of liabilities that do not depend on being 'factually responsible' for something. You can have no power whatsoever to prevent something, and still be liable for it. That makes the case for this wireless network even stronger - there is something you can do as an owner. You can take reasonable measures to stop others from using it. It makes perfect sense to hold people responsible for enabling the improper use by others.

(note also that I'm not claiming that somebody who has an open access point will be jailed for child pornography; what I'm saying is that there is a very reasonable case to be made for holding people accountable for not taking proper care of their property (wifi network) that will enable others to use it illicitly).

When you lend a person your gun and he goes on to shoot someone, you're not liable (in general; there are some notable exceptions). The question is whether the thing you own was instrumental in the perpetration of the crime or whether it could have easily been replaced by another instance of the same thing.

In case of the dog and the tile, it was the things themselves that caused the damage, unguided by a human. In case of the car, the law is there for convenience purposes: they can only trace it to you and to be able to fine speeding, it cannot be otherwise. Those seem like the usual cases, but they are actually special cases. The usual case is you lending a book, a glass of water, a gun. If someone uses the knowledge, the water or the gun to cause harm, they are liable.

With ubiquitous free wifi, your AP is not instrumental in the perpetration of a crime. The criminal could easily have gone elsewhere; that makes you a non-accessory. Of course, IANAL. But see http://en.wikipedia.org/wiki/Accessory_(legal_term). I do not see how providing internet access could possibly make you an accessory to a crime.

I don't think it's that obvious. Two counter-examples:

If you use someone's paper, pen, envelope and stamp to threaten someone, you're still liable.

If you tap someone's electricity, you're liable.

I'm not sure where you are from, but I've never heard of a driver being held responsible for somebody else speeding in their vehicle. Even with cameras, the court is required to prove it was you in the vehicle if you contest it.

Edit: USA, btw

Netherlands, but (with some caveats) it also holds for at least some US states. Note that I'm talking about traffic camera tickets, that's quite important. If you get a ticket, the burden of proof is on the owner to prove it wasn't him. I can't easily find references to specific US state law, since most I get are scam sites about how to get out of speeding fines - but for the rest, there are people reporting online on having the same system, and others where you can fill in a report saying it wasn't you and then you're off the hook (one official reference I did find was from Portland, http://www.portlandonline.com/police/index.cfm?a=33798&c..., where apparently you can get away with it).

It seems pretty simple to me. The AP owner is acting as a small ISP and should have all relevant protections.

? Right, that would put on the owner of the AP, for example, the obligation to take "expeditious" action when a notice of copyright infringement is received. So you'd have to, as a consumer, respond within a day, or maybe a few days, to such notices. Being an ISP does not put one above the law.

Besides, it's not a 'customer' (so there's no ISP<->user relation) if the owner of the AP doesn't even know the user, or even that the user exists.

Right. They have to take action upon receipt of a notice. And they're not liable for what happens before being notified.

Welcome to Germany, where this is already the case..

Time to invest in a DD-WRT router to be sure there aren't any backdoors for ARP requests to map IP addresses to physical hardware.

You should elaborate on that so other people reading the discussion can get an idea what you're talking about.

My understanding is that proprietary router firmware may have unknown vulnerabilities that someone could use to discover the MAC addresses of computers making specific requests. That would allow, for instance, law enforcement to tie internet usage to specific computers.

DD-WRT and other open source firmware should be a little more secure in this regard. The open source firmware out there is definitely more reliable over long periods of time than the stock firmware that comes on most routers, so I assume it's also more secure.

Couldn't have said it better myself.

MAC addresses can be easily spoofed. For example, on some ethernet cards:

    sudo ifconfig eth0 hw ether 00:12:34:56:78:9A
will change your hardware address.

Yup. I've actually used this, to work around certain cable modems that only allow the mac address they were set up from.

True but if your MAC just happened to match a MAC the litigating attorney had on file due to the exploits which ChuckMcM is referring, it would be much more difficult to claim innocence as you can do with a shared IP.

MAC spoofing would only be relevant if you were regularly using random spoofed MACs on your own network.

Not necessary -- someone could spoof their MAC to match mine. IMO, this is more likely when there is already malicious intent, and it's almost trivial to do.

I've used spoofing frequently on a local college's campus to get around blocks they've put on my system. Apparently some of the student use Ethernet jacks aren't for student use.

> MAC spoofing would only be relevant if you were regularly using random spoofed MACs on your own network.

Or, if for some reason that practice was widespread enough that it provided plausible deniability.

The case for MAC spoofing being common (at least with people "borrowing" your wi-fi) makes sense because some networks have MAC address based white lists, so this defense isn't quite as crazy as it sounds at first. IANAL etc.

Just use the DD-WRT feature that lets you have 2 APs, one encrypted and one open. Connect all your kit to the private one, and limit the outgoing bandwidth of the open one. This should surely give both security and plausible deniability?

They still break down your door though.

About time. Identifying people by IP address is like identifying people that live in a certain house. A house can have many people living in it. It's not a one-to-one mapping.

The law already knows how to deal with that. It's called a search warrant. When many people are living in a house, and you have sufficient reason to believe that one of them has committed a crime, you can get a search warrant to search the house.

The case at hand is a civil case, where the option of a search warrant is not available. If it were a child porn case, the police would still be able to get a warrant to search the house where the IP address is assigned.

I think that is the right idea. An IP address is a piece in the puzzle of evidence. By itself, it should not be enough to prove guilt, but it might be enough for a search warrant.

My hope is that as time goes on, the legal system (and hopefully all parts of the government) better learn how technologies work and don't work so they can make more informed decisions. Hopefully, as the younger generation start their careers in those fields, they bring better understanding of technologies with them. Though there is another article I read today that is an anecdotal story about someone my age that doesn't know the difference between a web browser and a search engine.

After writing all this, it reminded me of a friend. He is now an IT manager and his wife is a lawyer (currently a judge's assistant I think). They were talking a couple years ago about the lack of credible expert witnesses in the IT field. She had seen that they are not staying current in the IT field, similar to what can happen with conference speakers. They spend all their time talking about technologies while not having the time to gain a deep knowledge of new technologies.

I seem to have taken a tangent towards the end (or maybe the beginning), but oh well.

It's not clear to me that armed men busting down people's doors at 3am is a preferable model.

That's exactly what this could be the precedent to prevent. The mistaken pornographer case showed that an IP is not necessarily evidence enough for a warrant, esp. a no-knock warrant. It will quite possibly lead to requiring more evidence than just an IP in the future.

Not all search warrants are no-knock warrants.

Perhaps more judges would see this light were they the ones behind such ambiguous IP addresses. Surely some judges have open wireless networks at home. Would it be illegal to put a computer in range of a judge's house, have it search for child porn, and pipe anything it downloads straight to /dev/null so that it isn't actually stored?

I'm no networking expert, but don't they also note the mac addresses and generally use DHCP for open wifi? If so, they could totally identify folks with that info...

Most expire the mapping within a few days although AT&T Uverse routers default to ~30 days. Personally due to the fact that I tend to set up a lot of machines and want them available by hostname I set mine to ~30 minutes.

they don't have your mac address in most situations; they have the mac address of the router, which is not the same thing. hence the discussion above about being careful to avoid a router that might leak this information in some other way.

dhcp gives addresses to the computers connected to the wifi. but those addresses are only used on the "user" side of the router. packets going out from the router to the internet do not contain those addresses (nor do they contain each user's mac address).

as far as the rest of the internet goes, there's a single address, with multiple ports, which is your router. the nat (network address translation) in your router maps from the port used to the local mac/ip (dhcp) address. so someone "outside" does not know, without additional information, which user of the wifi is making a particular connection. hence this story.

I wonder how IPv6 adoption is going to affect this. NAT is still available under IPv6, but most won't use it and your MAC is by default a part of your address.
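How a MAC ends up inside an IPv6 address when a host autoconfigures with a modified EUI-64 interface identifier (RFC 4291, Appendix A), and how to check whether a given address exposes one. This is an added example, not part of the thread; the documentation prefix `2001:db8:1:2::/64`, the second sample address and the function names are chosen here for illustration, and the MAC is the one from the `ifconfig` line earlier in the discussion.

```python
import ipaddress


def mac_to_eui64_iid(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier derived from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this construction needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr: str):
    """Return the MAC if the low 64 bits look like modified EUI-64, else None.

    Addresses with a randomised interface identifier carry no ff:fe marker
    (except by chance) and yield None.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed inputs: documentation prefix plus the MAC quoted in the thread.
    addr = slaac_address("2001:db8:1:2::/64", "00:12:34:56:78:9A")
    print(addr, "->", embedded_mac(str(addr)))
    # Constructed address with a random-looking interface identifier.
    print(embedded_mac("2001:db8:1:2:a1b2:c3d4:e5f6:789"))
```

Unlike the NAT case described above, an address built this way carries the same interface identifier to every remote server the host contacts, whichever network prefix it is attached to.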

This is optimistic.
