Is the IP address the new SSN?

Like SSNs before them, IP addresses were never meant to be used as personal identification numbers. Like SSNs before them, IP addresses are being treated like personal ID numbers anyway.

The Social Security Administration started issuing Social Security Numbers (SSNs) in the mid-1930s. It took about three months from the start date to issue 25 million numbers. The purpose of the SSN was to identify Social Security accounts. Until the 1980s, Social Security Cards explicitly stated that they were not to be used for identification purposes. Over time, however, the federally maintained database of SSNs has made it convenient to use SSNs and Social Security cards for individual identification, and it was in the 1980s that this prohibitive text was removed from the cards. SSNs have become de facto national identification numbers — a fact that many individualists, libertarians, and privacy advocates find distasteful.

The Internet Protocol Suite, often referred to as TCP/IP (for Transmission Control Protocol and Internet Protocol), was developed in the 1960s and 1970s to provide a standardized set of protocols for interaction between computers in a distributed network. The means by which nodes on this network are identified so that one computer "knows" how to contact another is a numeric addressing scheme. The Domain Name System (DNS) was developed as a means of attaching more human-readable names to these numbers, so that, for instance, can be used to access the servers located at address That number, consisting of four "octets" (so named because each of the four dot-separated numbers is in fact representative of an eight-digit binary number), is known as the Internet Protocol address, or IP address.

The Dynamic Host Configuration Protocol (DHCP) is a means of reusing IP addresses so that computers can join a TCP/IP network and get a number assigned automatically by a centrally managed system, which means that, in general, IP addresses are not guaranteed to be related to any given computer. The fact the IP addresses apply to visible network nodes is also problematic for purposes of establishing any guarantees about the computer responding to a given IP address, for a number of reasons:

  • Network Address Translation (NAT) can allow one device with one IP address to provide network access for an arbitrary number of other devices.
  • IP address spoofing through a variety of different means can deceive those who might want to correlate information between an IP address and a given computer.
  • Anonymous proxies go out of their way to hide any individually identifying data, including the IP address of the computer using the proxy.

Unauthorized access to a network whose authorized nodes are wholly owned by a single individual can also cause problems for identification via IP address. A number of cases have demonstrated how easily someone can be misidentified as a malefactor when, in fact, he or she is only the unfortunate owner of a network accessed without permission by someone else.

Major copyright industry corporations and lobbying groups such as the MPAA and RIAA have used IP addresses in attempts to identify copyright infringers in court. Tracking the trade of copyrighted materials across peer to peer file sharing networks leads to subpoenas sent to Internet Service Providers (ISPs) requesting the names of people whose accounts are associated with those IP addresses, just as the FBI and other law enforcement agencies have used IP addresses to track down suspected criminals. In many cases, for both corporate and governmental enforcement efforts, the wrong people are identified. Unfortunately, being found innocent is no guarantee that one's life will not be ruined by allegations of terrorist plotting or pederasty, and reasonable doubt is no guarantee one will be found innocent in a civil suit when being shaken down for gobs of money by copyright industry lawyers. Despite all this, IP addresses are increasingly being used as a new form of (inter)national identification number — the SSN for the digital age.

In cases where some criminal act has actually been perpetrated, the primary concern should of course be to find the criminal, rather than simply labeling the most easily found patsy with the term "criminal". One of the most important factors that bears on the likelihood of correctly identifying the criminal is the willingness and ability of investigators to differentiate between actually identifying evidence and merely facile, apparently identifying numbers that do not, in fact, necessarily pertain to any single individual. Between the variability of IP address assignment, the simplicity of misappropriating such numbers to mask one's true identity, and other obstacles to such use for these numbers, no conscientious person could reasonably conclude that an IP address alone is enough to identify a given computer — let alone to confirm that a given human being was behind that computer. For the most part, the technical details of the situation escape the understanding of legal professionals, many of them because they intentionally ignore the facts of the matter in the pursuit of an easy judgment, but there is still hope that a little sanity may be injected into the legal landscape for matters related to identifying criminals.

In light of the facts of the situation, one might be excused for being surprised that Illinois District Court Judge Harold Baker has denied copyright holders legal standing to subpoena ISPs for user identities based on IP addresses. As reported by TorrentFreak:

A possible landmark ruling in one of the mass-BitTorrent lawsuits in the U.S. may spell the end of the "pay-up-or-else-schemes" that have targeted over 100,000 Internet users in the last year.

The less restrictive rules of civil courts, as compared with those of criminal courts, do not place the same burden of proof on a plaintiff as on a prosecutor. This means that a defendant in a civil case will quite often find himself in the position of having to prove innocence, rather than requiring opposing counsel to prove guilt. Such a state of affairs, coupled with the vast resources of major corporations and the incredibly high penalties handed out for file sharing copyright infringement in similar cases in the past, results in conditions where accused parties often find it preferable to settle out of court. Settling is all too often the best of a bad set of options, even when defendants are innocent of any wrongdoing in the eyes of the law, where a decision may be made simply to avoid costly, drawn out litigation that the individual victims usually cannot hope to win.

These conditions are ripe for extortionary tactics employed by copyright enforcement law firms. The resulting accusations that copyright enforcement has turned into what amounts to nothing more than an extortion racket have been frequent, incisive, and generally ignored by litigative copyright industry organizations. In contrast to the arguments made in many recent copyright infringement cases targeting IP addresses as defendants, Judge Baker's decision appears reasoned, balanced, and informed. It is possible, if this decision serves as precedent for future decisions, that the era of the mass John Doe copyright infringement lawsuit may be drawing to a close.


Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks