EFF White Paper Hopes To Educate Cops On The Difference Between An IP Address And A Person
from the but-are-they-willing-to-learn? dept
Judges have pointed out to copyright trolls on multiple occasions that an IP address is not a person. Trolls still labor under this convenient misconception because they have little else in the way of “proof” of someone’s alleged infringement.
Unfortunately, law enforcement agencies also seem to feel an IP address is a person — or at least a good indicator of where this person might be found. This assumption leads to blunders like ICE raiding a Tor exit node because it thought an IP address was some sort of unique identifier. After having IP addresses explained to it by the EFF, ICE returned the seized hard drives and promised to make the same mistake in the future.
In another case, the Seattle PD raided a Tor exit node in search of a person downloading child porn. It didn’t find the target it was looking for, but went ahead and demanded passwords so it could search files and logs at the unfortunate citizen’s home before realizing it had the wrong person.
The EFF is kind of sick of having to explain the difference between an IP address and a person to government entities. It has put together a white paper [PDF] that should be required reading anywhere government employees feel compelled to act on “evidence” as useless as IP addresses.
Law enforcement’s over-reliance on the technology is a product of police and courts not understanding the limitations of both IP addresses and the tools used to link the IP address with a person or a physical location. And the police too often compound that problem by relying on metaphors in warrant applications that liken IP addresses to physical addresses or license plates, signaling far more confidence in the information than it merits.
These ill-informed raids jeopardize public safety and violate individuals’ privacy rights. They also waste police time and resources chasing people who are innocent of the crimes being investigated.
By acting on this bogus assumption, law enforcement agencies are wasting time and money. Plus, they’re putting themselves in situations where innocent people could be killed over technical errors, seeing as warrant service these days usually involves militarized squads that value shock and awe tactics over minimizing collateral damage.
The white paper points out what should be obvious to anyone who considers themselves capable of solving “computer crimes:” an IP address is not only not a person, it’s not even a physical location.
First, the technology was never designed to uniquely identify an exact physical location, only an electronic destination on the Internet.
At a local level, similar IP addresses may be assigned based on geography, albeit only indirectly. ISPs make decisions to allocate blocks of IP addresses to particular locations for a variety of reasons, with the goal of creating a network that efficiently delivers Internet traffic. The result may be that locations near each other feature similar IP addresses, but that is more often the product of where the provider has physical links and routers to a network than geography. For example, if an ISP has a fiber-optic link between two distant cities, the IP addresses assigned to those cities may be similar because it creates a more efficient network. A third city near one of those towns geographically may not share the same connection and it would thus likely have completely different IP addresses assigned to it.
In addition, IP addresses only identify the block of devices assigned to it, not the people utilizing them. Even in cases where there’s only one resident at a physical address linked to an IP address, there’s still a chance law enforcement may be going after the wrong person. As the paper explains, the pool of IPV4 addresses has been used up. In areas where users haven’t been pushed to IPV6 addresses, IP addresses may be shared by more than one user (at more than one physical address) or reassigned to other users by service providers based on need and usage. As the paper states, IP addresses, unlike physical addresses, are not static.
The paper also points out that the use of bad analogies by law enforcement and courts has only made the misconceptions worse. Law enforcement agencies sometimes claim that IP addresses are every bit as unique as license plates. The metaphor fails because IP addresses can be shared or redistributed at private companies’ discretion unlike license plates, which are government-issued and must remain tied to a registrant.
In short, the best analogy for an IP address is an anonymous informant’s tip — something that’s basically hearsay until otherwise confirmed.
In a line of Supreme Court cases dealing with reliability and corroboration problems that arise whenever third parties provide tips to law enforcement, the court has made clear that police must do more to confirm the tips provided by anonymous informants before seeking a warrant or other process…
The question is: will law enforcement care enough about potential collateral damage to educate themselves on the problems of treating IP addresses as people… or will they decide that a combination of forgiveness (good faith exception, etc.) and easily-obtained immunity is preferable to gathering corroborating evidence and acting more cautiously?