IP Numbers Issues
Use of IP Addresses as Personal Identifiers
See also Statistics | Assessment | Forensics
- Is the individual or corporation that is being represented or identified with a communication actually the individual or corporation that is responsible for that communication? See also spoofing; fraud.
- What is an IP Address?
- How Do You Identify an IP Address?
- Identify your own IP Address?
- Identify IP Addresses interacting with an end point?
- Server Logs: Servers generally record the incoming IP addresses of computers (individuals) that are interacting with that server. Ask for a webpage, and the website may log your IP address. One issue, which involves "data retention," is how long the site might retain that information. If one is able to gain access to server logs and uncover the IP address of the visitor, one can use reverse IP look-up to identify who the visitor is. Reverse IP look-up may only identify the network from which the visitor came. Knowing the specific IP address and the network to which that IP address belongs, one may be able to issue a subpoena to that network asking the network to match the specific IP address to the account that used that IP address at the day and time in question. A word of caution, however: as we run out of IPv4 addresses and move into the IPv6 transition, the network will increasingly be kludged with devices such as NAT boxes, which may make it increasingly difficult to match a specific IP address to a specific individual. The P2P copyright litigations are filled with instances where plaintiffs have IP numbers of P2P users and attempt to unmask the individual behind the IP number.
- Identify end points that an IP Address is interacting with?
- What Information Can You Get with an IP Address?
- Name, Address, Telephone Number, Electronic Mail Address, ISP which 'owns' the IP address
- See ECPA :: Trap and Trace
- See Stored Communications Act :: Subscriber Information
- See Petraeus Incident (how email address on threatening email led to Petraeus' secret email account and his resignation)
- See Forensics
- Geolocation
- IP Addresses as PII
- How Do You Obtain Personal Information Associated with an IP Address?
- See Forensics
- Network Tools
- WHOIS :: Association of personal information with network addresses, accuracy of information, hijacking
- Reverse DNS Lookup
- Reverse Lookup :: Find records associated with that IP address including network which is allocated that IP address, domain names associated with that IP address
- Traceroute :: Provides route from test origin to destination IP address, with hops (networks) along route - revealing which networks are next to (interconnected with) destination IP address.
- Search :: IP address may appear in logs (for example in Wikipedia's logs) showing activity
- Legal Process
- ECPA :: Subscriber Information
- Rule 45 Civil Procedure
- See also Malibu Media, LLC v. John Doe Subscriber assigned IP Address 173.68.5.86, 2016 WL 2894919 (S.D.N.Y. May 16, 2016); Malibu Media, LLC v. Doe, 2016 WL 2854420 (E.D. Cal. May 16, 2016); In re Malibu Media Adult Film Copyright Infringement Cases, 2015 WL 3605834 (E.D.N.Y. June 8, 2015); and Malibu Media, LLC v. Doe, 2015 WL 5013874 (S.D.N.Y. Aug. 18, 2015) (in case where plaintiff alleges defendants have violated the copyright of plaintiff's adult videos through the use of BitTorrent, and plaintiff has defendant's IP addresses, granting plaintiff's motion to serve Rule 45 third party subpoenas on ISPs for the purpose of learning defendants' names and addresses)
- Frequently Asked Questions for Subpoena Targets, EFF
- State v. Reid, 954 A.2d 503 (N.J. 2008) citizens have a “reasonable expectation of privacy” in the “subscriber information they provide to Internet service providers – just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies.”
- EFF Recommendations to Law Enforcement and Courts [Unreliable Informant, 17 EFF]
- Verify and Corroborate data
- How reliable is data source?
- Methodology of data source?
- Verify data from one source with data from another (for example, geolocation data with ISP subscriber information)
- "Conduct physical surveillance of property to see if there are indicia of a crime."
- Investigate
- whether it's likely that more than one person uses the IP address for Internet access
- whether the IP address is being used with TOR, a proxy, or a VPN
- Ensure representations concerning IP addresses are factually accurate
- IP addresses are not physical addresses or license plates
- IP addresses are not unique identifiers and devices are not uniquely identified by an IP address
- Examples of uses of network addresses to determine identification
- Liability / Enforcement / Security
- Forensics
- Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, DOJ (2009): In a common computer search scenario, investigators learn of online criminal conduct. Using records obtained from a victim or from a service provider, investigators determine the Internet Protocol ("IP") address used to commit the crime. Using a subpoena or other process discussed in Chapter 3, investigators then compel the Internet Service Provider ("ISP") that has control over that IP address to identify which of its customers was assigned that IP address at the relevant time, and to provide (if known) the user's name, street address, and other identifying information. In some cases, investigators confirm that the person named by the ISP actually resides at the street address by, for example, conducting a mail cover or checking utility bills. Affidavits that describe such an investigation are typically sufficient to establish probable cause, and the probable cause is strengthened if the affidavit corroborates with some additional facts the association of an IP address with a physical address.
"Defendants sometimes will argue that the mere association of an IP address with a physical address is insufficient to establish probable cause because it is technologically possible for individuals not residing at that address to use the defendant's Internet connection. Most often, this argument takes the form of a defendant arguing that he has, or could have had, an open wireless Internet connection, which would have allowed any nearby person with commonly available equipment to use the defendant's Internet connection and IP address. Courts have consistently rejected this argument because the probable cause standard for warrants requires only a fair probability that evidence or contraband will be found.
- Perez, 484 F.3d at 740 (probable cause standard met by the association of an IP address with a physical address despite defendant's argument that he could have had an "unsecure wireless connection" allowing others to use his IP address);
- Carter, 549 F. Supp. 2d at 1267-69 (rejecting argument that affidavit for search warrant should have mentioned the possibility of an open wireless connection);
- United States v. Latham, 2007 WL 4563459, at *11 (D. Nev. Dec. 18, 2007) (finding probable cause even though "[i]t was possible that someone other than Larry Latham or a resident of his household had accessed the Internet either through his wireless router or by 'spoofing' his address in order to engage in the exchange of child pornography").
Indeed, this argument is particularly weak because the wireless access point itself will typically contain evidence within the scope of the warrant. For similar reasons, courts have rejected challenges to a finding of probable cause based on the failure of an affidavit to rule out "hacking, 'spoofing', tampering, theft, destruction, or viral infections by others."
- United States v. Hibble, 2006 WL 2620349, at *4 (D. Ariz. Sept. 11, 2006) (citing United States v. Gourde, 440 F.3d 1065, 1073 n.5 (9th Cir. 2006) (en banc)).
As the Fifth Circuit explained, "though it was possible that the transmissions originated outside of the residence to which the IP address was assigned, it remained likely that the source of the transmissions was inside that residence." Perez, 484 F.3d at 740. Alternative explanations "are more suited to being raised as a defense at trial." Hibble, 2006 WL 2620349, at *4.
- Caselaw
- United States v. Perez, 484 F.3d 735, 740 (5th Cir. 2007) (probable cause established through IP address used to access child pornography and ISP records of physical address)
- United States v. Grant, 218 F.3d 72, 76 (1st Cir. 2000) (evidence that an Internet account belonging to the defendant was involved in criminal activity on several occasions, and that the defendant's car was parked at his residence during at least one such occasion, created probable cause to search the defendant's residence)
- United States v. Carter, 549 F. Supp. 2d 1257, 1261 (D. Nev. 2008) (probable cause established through IP address, ISP records, and utility records)
- United States v. Hanson, 2007 WL 4287716, at *8 (D. Me. Dec. 5, 2007) (finding probable cause based on IP address and physical address despite "no direct knowledge whether any computer hardware . . . was physically located at the" residence)
- United States v. Huitt, 2007 WL 2355782, at *4 (D. Idaho Aug. 17, 2007) (probable cause established through IP address and separate email address both linked to same physical location).
- News
- Chris Matyszczyk, Woman Jailed After Setting Up Fake Facebook Account to Frame ex-Love, CNET (Dec. 1, 2016) ("in 2015 the Las Vegas resident set up a fake Facebook account, used it to suggest that he had stalked her, kidnapped her and beaten her, and then went to the police with her accusations." "Prosecutors asked Facebook and T-Mobile to disclose Lawson's phone and IP records." )
- Kevin Poulsen, The Slip-Up That Caught the Jewish Center Bomb Caller, The Daily Beast March 27, 2017 ("But in his rush to reach as many Jewish institutions as possible, the original bomb hoaxer grew careless. On at least one occasion, he neglected to route his Internet connection through a proxy server, leaving behind a real IP address in the server logs. The address was in Israel, where police traced it to a WiFi access point that Kaydar was allegedly accessing through a giant antenna pointed out a window in his home")
- Copyright infringement
- Child Pornography
- Blacklist / Whitelist
- See also Liability for WiFi Access Point; Open Wifi Access Points Generally
- Authentication
- [Hogg ("These systems keep track of the Internet Protocol (IP) address that an end user used the last time that user accessed the site and try to determine if the user is legitimate. When that same user accesses the site from a different source IP address, the site asks for further authentication to revalidate the client's computer.")]
- Use of Static IP Addresses to authenticate identity. [Hogg]
- Authenticate single IP address (individual accessing online resource) or a range of addresses (permission of an enterprise to access a library)
- Serving Content
- Advertising profiling
- Access to Content or Applications
- Copyright / Sports Content Licensing
- Business Intelligence [Hogg]
- Domestic disputes (divorce)
- Chris Matyszczyk, Woman Jailed After Setting Up Fake Facebook Account to Frame ex-Love, CNET (Dec. 1, 2016) ("in 2015 the Las Vegas resident set up a fake Facebook account, used it to suggest that he had stalked her, kidnapped her and beaten her, and then went to the police with her accusations." "Prosecutors asked Facebook and T-Mobile to disclose Lawson's phone and IP records." )
- Geolocation
- Misidentification / False identification
- IP Address Identifies Device, not individual
- IP Addresses generally provide access to multiple end users
- IP Address assignments are generally dynamic and change
- Reassignment or Reallocation
- Liability for Third Party Actions
- Open Wifi access points
- Compromised Systems (Bots, P2P)
- See BitTorrent Copyright Cases
- Accuracy of Data
- Accuracy of Geolocation
- WHOIS Inaccuracy
- Spoofing
- [Hogg ("any IP packet can be spoofed and the source-address modified or crafted")]
- CWE 291: Reliance on IP Address for Authentication, MITRE 7/17/2013 ("IP addresses can be easily spoofed... IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication.")
- Matthew Tanase, IP Spoofing: An Introduction, Symantec (March 11, 2003) ("IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine.")
- [Hogg ("Organizations that rely on using an IP address as a form of authentication run the risk of an attacker learning that IP address and attacking using that address. Attackers who know the addresses that are being used could perform a Man-in-the-Middle (MITM) attack or use TCP session hijacking. ... Organizations that use these techniques are relying on the secrecy of their IP addressing for the purposes of security.")]
- State of IP Spoofing, CAIDA
- IP Address Masking
- NATs
- Proxies
- If an end user is employing a proxy to access something on the Internet, the logs at that 'something' will reflect the IP address of the proxy, not of the end user.
- TOR
- Internet Freedom (supporting tools to protect dissidents' online identities)
- Virtual Private Networks
- Anonymity
- DHCP
- Record Keeping
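The Server Logs item and the EFF verification checklist above can be illustrated with a short log triage script. This is an added example, not code from the original page: the log lines are constructed, the addresses come from documentation and reserved ranges, and `KNOWN_PROXIES` is a hypothetical list the site operator would maintain.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Combined Log Format: client, ident, user, [time], "request", status, bytes, "referer", "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # shared address space used by carrier-grade NAT
# Assumption: hypothetical operator-maintained list of known proxy addresses.
KNOWN_PROXIES = {ipaddress.ip_address("198.51.100.10")}

CAVEATS = {
    "proxy": "logged address is a proxy, not the end user",
    "cgnat": "carrier-grade NAT: many subscribers share this address at once",
    "private": "private address: only meaningful inside the local network",
    "multi-device": "several user agents seen: likely more than one device or person",
}

# Constructed sample lines (not real traffic).
SAMPLE = [
    '198.51.100.10 - - [12/Mar/2024:23:58:01 -0500] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"',
    '100.72.14.3 - - [13/Mar/2024:04:58:07 +0000] "GET /a HTTP/1.1" 200 90 "-" "Mozilla/5.0 (Android)"',
    '203.0.113.7 - - [13/Mar/2024:05:01:00 +0000] "GET /a HTTP/1.1" 200 90 "-" "Mozilla/5.0 (Windows)"',
    '203.0.113.7 - - [13/Mar/2024:05:02:30 +0000] "GET /b HTTP/1.1" 200 90 "-" "Mozilla/5.0 (iPhone)"',
    '192.168.1.20 - - [13/Mar/2024:05:03:00 +0000] "GET /b HTTP/1.1" 200 90 "-" "Mozilla/5.0 (X11)"',
    '2001:db8::5 - - [13/Mar/2024:05:04:00 +0000] "GET /b HTTP/1.1" 200 90 "-" "Mozilla/5.0 (X11)"',
]

def triage(lines):
    """Group log lines by client IP; return UTC sightings plus attribution caveats."""
    seen = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not Combined Log Format
        try:
            ip = ipaddress.ip_address(m.group(1))
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname logged instead of an address, or malformed time
        rec = seen.setdefault(str(ip), {"ip": ip, "sightings": [], "agents": set()})
        # A provider needs the address AND the exact time, so normalise to UTC.
        rec["sightings"].append(when.astimezone(timezone.utc).isoformat())
        rec["agents"].add(m.group(3))
    report = {}
    for text, rec in seen.items():
        ip, tags = rec["ip"], []
        if ip in KNOWN_PROXIES:
            tags.append("proxy")
        if ip in CGNAT:
            tags.append("cgnat")
        elif any(ip in net for net in RFC1918):
            tags.append("private")
        if len(rec["agents"]) > 1:
            tags.append("multi-device")
        report[text] = {"sightings": sorted(rec["sightings"]), "caveats": tags}
    return report

if __name__ == "__main__":
    for addr, info in triage(SAMPLE).items():
        print(addr, info["sightings"], [CAVEATS[t] for t in info["caveats"]])
```

An empty caveat list means only that none of these checks fired; the address still identifies a connection, not a person.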
Reference
- EFF
- Aaron Mackey, Seth Schoen, Cindy Cohn, Unreliable Informant: IP Addresses, Digital Tips, and Police Raids, EFF Sept 2016
- Marcia Hoffman, Why IP Addresses Alone Don’t Identify Criminals, Electronic Frontier Foundation (Aug. 24, 2011) (“First, an IP address doesn't automatically identify a criminal suspect. It's just a unique address for a device connected to the Internet, much like a street address identifies a building. In most cases, an IP address will identify a router that one or more computers use to connect to the Internet. Sometimes a router's IP address might correspond fairly well to a specific user—for example, a person who lives alone and has a password-protected wireless network. And tracking the IP addresses associated with a person over time can create a detailed portrait of her movements and activities in private spaces”)
- A Digital Rumor Should Never Lead to a Police Raid, EFF 9/22/16
- NIST PII 2010 p 7, & Sec. 2.2 (This definition is the GAO expression of an amalgam of the definitions of PII from OMB Memorandums 07-16 and 06-19. GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008)
- IP Addresses and Personally Identifiable Information, CircleID 2/25/2008
- Are IP addresses personal?, Google 2/25/2008
- Scott Hogg, Address Authentication - The Internet Journal, Vol. 16, No. 1, March 2013
- Mike St. Johns, "Identification Protocol," RFC 1413, February 1993.
- McIntyre, Joshua J., The Number is Me: Why Internet Protocol (IP) Addresses Should Be Protected as Personally Identifiable Information (August 15, 2010). DePaul Law Review, Vol. 60, No. 3, 2011.
IP Numbers as Property
- The contracts between RIRs and holders of IP address blocks generally state that IP blocks are not property.
- ARIN Number Resource Policy Manual Sec. 6.4.1 IP Numbers Are Not Property
- Sec. 8.3 Transfers to Specified Recipients
- This is a contractual agreement between parties and may not be binding on third parties
- There are however some legacy blocks that were allocated before the current RIR scheme.
- Recently a bankruptcy court approved the transfer of Nortel's IPv4 address block to Microsoft. Implicit in this decision is that the IPv4 addresses are property.
- Legacy Registration Services Agreement April 30, 2011 "Effective immediately, the transferor of legacy address space is not required to have the resources under a current registration services agreement with ARIN. In the absence of a Legacy RSA or RSA, transfer requests may take longer than expected and/or not be completed at all, because the address holder must be verified and confirmed to be a valid transferor via the vetting process."
- The FCC's policy is that telephone numbers are not property.
- NANOG Panel: The IPv4 Secondary Market Feb. 6, 2012 "Panel with a RIR with runout, a RIR facing runout, a "broker" who operates in the grey market, and someone who's helping others figure out ways to do more with less."
- Stern v. The Islamic Republic of Iran, Civil No. 00-2602 (DCDC Nov. 10, 2014).
- There is little authority on the question of whether Internet domain names may be attached in satisfaction of a judgment. Indeed, no reported decision of any American court appears to have decided the specific issue of whether a ccTLD may be attached. The Virginia Supreme Court's discussion of these issues in Network Solutions Inc. v. Umbro Int'l, Inc., 529 SE2d 80 (VA. 2000) is helpful in illuminating the questions presented. There, the court held that a domain name could not be garnished by a judgment creditor under the relevant Virginia statute because it was "inextricably bound" to the domain name services provided by the registry operator. Id. at 86. The court elaborated: "[W]hatever contractual rights the judgment debtor has in the domain names at issue in this appeal, those rights do not exist separate and apart from [the registry] services that make the domain names operational Internet addresses." Id. The court further observed that allowing garnishment of a registry's services as part of garnishing a right to a domain name would mean that "practically any service would be garnishable." Id. at 86-87.
The Court finds this reasoning persuasive as applied to District of Columbia [where this suit was filed] attachment law as well. The ccTLDs exist only as they are made operational by the ccTLD managers that administer the registries of second level domain names within them and by the parties that cause the ccTLDs to be listed on the root zone file. A ccTLD, like a domain name, cannot be conceptualized apart from the services provided by these parties. The Court cannot order plaintiffs' insertion into this arrangement. Cf. United States ex rel. Global Bldg. Supply, Inc. v. Harkins Builders, Inc., 45 F.3d 830, 833 (4th Cir. 1995) (holding that "where the property is in the form of a contract right, the judgment creditor does not 'step into the shoes' of the judgment debtor and become a party to the contract, but merely has the right to hold the garnishee liable for the value of that contract right").
While interpretations of the DC Code are sparse, they tend to support this understanding of ccTLDs. The District of Columbia Court of Appeals has held that "money payable upon a contingency or condition is not subject to garnishment until the contingency has happened or the condition has been fulfilled." Cummings Gen. Tire Co. v. Volpe Constr. Co., 230 A.2d 712, 713 (DC 1967). Thus, payments under a contract that are conditioned upon completion of the work contracted for are not subject to garnishment because the "existence and amount" of the debt is "contingent and uncertain." Id. While this suit does not squarely fit within the rule articulated by the court in Cummings General Tire, that rule does illuminate the fact that courts may not, through garnishment proceedings, insert a judgment creditor into an ongoing contractual arrangement that necessarily requires continued work or service to have value. Here, the ccTLDs only have value because they are operated by ccTLD managers and because they are connected to computers around the world through the root zone. DC law does not allow their attachment.
- ICANN's legal filings.
- A U.S. federal court has agreed with the Internet Corporation for Assigned Names and Numbers (ICANN) that the country code Top-Level Domains (ccTLDs) are not property subject to attachment. ICANN Nov. 12, 2014
- RIPE NCC, “Global Distribution of IP-Addresses.”
- RIPE NCC IPv4 Address Allocation and Assignment Policies for the RIPE NCC Service Region, Sec. 5.5 Feb. 2010
- Depository Inc. Internet Registry
IP Security
- See DNS Security, BGP Security
- IP Spoofing
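The Authentication and Spoofing items above (Hogg; CWE-291) describe the address as a signal that prompts further authentication, never the single factor. The sketch below is an added example, not code from the page or from any cited source: `ip_only_auth` shows the weak pattern, `login` treats a changed address as a reason to step up, and the account store, addresses and `second_factor_ok` flag are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import os

TRUSTED_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed "office" range

def ip_only_auth(source_ip):
    """Weak pattern (CWE-291): the source address is the single factor."""
    return ipaddress.ip_address(source_ip) in TRUSTED_NET

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, last_ip):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "last_ip": last_ip}

# Constructed account store; a real service would persist this.
USERS = {"alice": make_user("correct horse", "192.0.2.44")}
_DUMMY = make_user("placeholder", None)  # keeps timing similar for unknown users

def login(users, name, password, source_ip, second_factor_ok=False):
    """Return 'deny', 'step_up' or 'allow'. The address never replaces the credential."""
    user = users.get(name, _DUMMY)
    good = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    if not good or name not in users:
        return "deny"
    addr = str(ipaddress.ip_address(source_ip))  # normalise the textual form
    if addr == user["last_ip"]:
        return "allow"        # same address as last time: no extra prompt
    if not second_factor_ok:
        return "step_up"      # new address: ask for further authentication
    user["last_ip"] = addr    # revalidated: remember the new address
    return "allow"

if __name__ == "__main__":
    print(ip_only_auth("192.0.2.9"))  # accepted with no credential at all
    print(login(USERS, "alice", "correct horse", "198.51.100.7"))
```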