Government

Is the IP address the new SSN?

Like SSNs before them, IP addresses were never meant to be used as personal identification numbers. Like SSNs before them, IP addresses are being treated like personal ID numbers anyway.

The Social Security Administration started issuing Social Security Numbers (SSNs) in the mid-1930s. It took about three months from the start date to issue 25 million numbers. The purpose of the SSN was to identify Social Security accounts. Until the 1980s, Social Security Cards explicitly stated that they were not to be used for identification purposes. Over time, however, the federally maintained database of SSNs has made it convenient to use SSNs and Social Security cards for individual identification, and it was in the 1980s that this prohibitive text was removed from the cards. SSNs have become de facto national identification numbers -- a fact that many individualists, libertarians, and privacy advocates find distasteful.

The Internet Protocol Suite, often referred to as TCP/IP (for Transmission Control Protocol and Internet Protocol), was developed in the 1960s and 1970s to provide a standardized set of protocols for interaction between computers in a distributed network. The means by which nodes on this network are identified so that one computer "knows" how to contact another is a numeric addressing scheme. The Domain Name System (DNS) was developed as a means of attaching more human-readable names to these numbers, so that, for instance, techrepublic.com can be used to access the servers located at address 216.239.116.137. That number, consisting of four "octets" (so named because each of the four dot-separated numbers is in fact representative of an eight-digit binary number), is known as the Internet Protocol address, or IP address.

The Dynamic Host Configuration Protocol (DHCP) is a means of reusing IP addresses so that computers can join a TCP/IP network and get a number assigned automatically by a centrally managed system, which means that, in general, IP addresses are not guaranteed to be related to any given computer. The fact the IP addresses apply to visible network nodes is also problematic for purposes of establishing any guarantees about the computer responding to a given IP address, for a number of reasons:

  • Network Address Translation (NAT) can allow one device with one IP address to provide network access for an arbitrary number of other devices.
  • IP address spoofing through a variety of different means can deceive those who might want to correlate information between an IP address and a given computer.
  • Anonymous proxies go out of their way to hide any individually identifying data, including the IP address of the computer using the proxy.

Unauthorized access to a network whose authorized nodes are wholly owned by a single individual can also cause problems for identification via IP address. A number of cases have demonstrated how easily someone can be misidentified as a malefactor when, in fact, he or she is only the unfortunate owner of a network accessed without permission by someone else.

Major copyright industry corporations and lobbying groups such as the MPAA and RIAA have used IP addresses in attempts to identify copyright infringers in court. Tracking the trade of copyrighted materials across peer to peer file sharing networks leads to subpoenas sent to Internet Service Providers (ISPs) requesting the names of people whose accounts are associated with those IP addresses, just as the FBI and other law enforcement agencies have used IP addresses to track down suspected criminals. In many cases, for both corporate and governmental enforcement efforts, the wrong people are identified. Unfortunately, being found innocent is no guarantee that one's life will not be ruined by allegations of terrorist plotting or pederasty, and reasonable doubt is no guarantee one will be found innocent in a civil suit when being shaken down for gobs of money by copyright industry lawyers. Despite all this, IP addresses are increasingly being used as a new form of (inter)national identification number -- the SSN for the digital age.

In cases where some criminal act has actually been perpetrated, the primary concern should of course be to find the criminal, rather than simply labeling the most easily found patsy with the term "criminal". One of the most important factors that bears on the likelihood of correctly identifying the criminal is the willingness and ability of investigators to differentiate between actually identifying evidence and merely facile, apparently identifying numbers that do not, in fact, necessarily pertain to any single individual. Between the variability of IP address assignment, the simplicity of misappropriating such numbers to mask one's true identity, and other obstacles to such use for these numbers, no conscientious person could reasonably conclude that an IP address alone is enough to identify a given computer -- let alone to confirm that a given human being was behind that computer. For the most part, the technical details of the situation escape the understanding of legal professionals, many of them because they intentionally ignore the facts of the matter in the pursuit of an easy judgment, but there is still hope that a little sanity may be injected into the legal landscape for matters related to identifying criminals.

In light of the facts of the situation, one might be excused for being surprised that Illinois District Court Judge Harold Baker has denied copyright holders legal standing to subpoena ISPs for user identities based on IP addresses. As reported by TorrentFreak:

A possible landmark ruling in one of the mass-BitTorrent lawsuits in the U.S. may spell the end of the "pay-up-or-else-schemes" that have targeted over 100,000 Internet users in the last year.

The less restrictive rules of civil courts, as compared with those of criminal courts, do not place the same burden of proof on a plaintiff as on a prosecutor. This means that a defendant in a civil case will quite often find himself in the position of having to prove innocence, rather than requiring opposing counsel to prove guilt. Such a state of affairs, coupled with the vast resources of major corporations and the incredibly high penalties handed out for file sharing copyright infringement in similar cases in the past, results in conditions where accused parties often find it preferable to settle out of court. Settling is all too often the best of a bad set of options, even when defendants are innocent of any wrongdoing in the eyes of the law, where a decision may be made simply to avoid costly, drawn out litigation that the individual victims usually cannot hope to win.

These conditions are ripe for extortionary tactics employed by copyright enforcement law firms. The resulting accusations that copyright enforcement has turned into what amounts to nothing more than an extortion racket have been frequent, incisive, and generally ignored by litigative copyright industry organizations. In contrast to the arguments made in many recent copyright infringement cases targeting IP addresses as defendants, Judge Baker's decision appears reasoned, balanced, and informed. It is possible, if this decision serves as precedent for future decisions, that the era of the mass John Doe copyright infringement lawsuit may be drawing to a close.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

59 comments
XJDHDR
XJDHDR

... and the ones that deserve most - if not all - of our hatred are the cyber criminals. If one thinks about it, no one would ever get prosecuted based on an IP address if the internet wasn't used for nefarious purposes to begin with. Copyright infringement, in particular, is probably the most frequently prosecuted using IP addresses and as far as I can see, the only ones doing something about it are the people that own intellectual property. As for everyone else, it seems that anyone that doesn't engage in copyright infringement is either ignoring it or cheering them on. Then they wonder why they are being burdened with heavier DRM schemes, high prices and less quality. I would like to propose that people make a stand against cyber criminals, especially those that have been falsely accused of some cyber crime just because a criminal used their IP address. Edit: It seems that some of the nefarious individuals I mentioned above are trash-rating this comment (most likely because they don't like organised resistance to their activities). I personally think it's quite childish though. Oh, and another thing I forgot to mention previously, I found an article a while ago that gives the issues of copyright infringement and DRM in games a very thorough and neutral analysis. You can find it here (and I recommend that everyone reads it): http://www.tweakguides.com/Piracy_1.html

trduff
trduff

LOL MAC spoofing only works on the local network, the MAC address is lost as soon as it goes through a single gateway.

edwardtisdale
edwardtisdale

1 person= 1 ssn but can have multiple computer connections. I'm guessing this is about some kind of NAT and RFID chips or something. Seeming kinda scary to and cyborg-ish

pablo.handler
pablo.handler

As a foreigner, national of a country which is not US or UK, is amazing to me that these big countries doesn't have such a simple thing like the nationl ID card, issued by the country government. I know, you say that this against personal freedom! Nonsense...

cybershooters
cybershooters

IP addresses and MAC addresses aren't fixed and you can change them - of course you can track down an IP address in an attempt to identify the user, but it's no more the equivalent of an SSN than a telephone number is. And I have to say with IPv6 it will be even easier to make yourself obscure because not only can you change them as with v4, they're next to impossible to commit to memory and aren't user-friendly in any way. How many IP spoof attacks bounce off your firewall every day?

Fyrewerx
Fyrewerx

In the classes I teach, the IP address is like a house number. Usually, when you move, the address doesn't go with you. On the other hand, the MAC address is a much closer relative of the SSN. Your PC can move someplace else, and it gets a different address. However, the MAC address stays the same.

crcgraphix
crcgraphix

Why do we have to take it...? We don't...! So, why don't we set a new form of packet sniffing to sift out the people making the federal cases of everything...???

l_e_cox
l_e_cox

It is nice to think that the law enforcement system is here to protect our rights against criminal activity. But as you point out, it doesn't always seem to go that way. My observations go a step further: It has never been that way. Thus when you say: 'In cases where some criminal act has actually been perpetrated, the primary concern should of course be to find the criminal, rather than simply labeling the most easily found patsy with the term ???criminal???.' I agree. But I also believe, based on a long view of real human history, rather than human ideals, that finding the right patsy has in fact always been the basic operating basis of any system of law enforcement. This doesn't mean that we should give up our ideals. But it does mean that we should face the facts. If the anti-crime effort were truly focused on finding real criminals instead of patsies, why does real crime continue to escalate? The crime picture on this planet is extremely sobering. We will not be able to handle it unless we begin to re-inspect some of our most basic assumptions. IPv4 has been used in criminal investigations, and IPv6 will be even more intensively used. But IP addresses, like SSNs before them, have been used by both "sides" to attempt to track and identify individuals. It is unlikely this trend will change on the basis of rational arguments alone. Those that have misused these systems are not rational people.

ps.techrep
ps.techrep

Until IPv6 was introduced, the NAT argument was sufficient . Since the majority of broadband users continue to have addresses that are changed by their ISPs on a frequent basis, NAT is still an adequate argument against using IPs as IDs. What makes no sense is the phrase "when, in fact, he or she is only the unfortunate owner of a network accessed without permission by someone else." There is no excuse for any network OWNER to have a network open to access by strangers. It isn't unfortunate if this should occur, it is the inevitable result of stupidity, not ignorance. The need for securing networks against intrusion is well publicized. The measures necessary to secure them aren't complex - just expensive and unpalatable for ISPs. An ISPs customer who leaves their LAN open to unauthorized access SHOULD be held accountable for malicious use, just as a person who leaves his car keys in the ignition is accountable for the use of that vehicle. If ISPs insisted, every router and wireless access point in use by a customer would require an active crypto key for LAN connectivity to be able to connect to their WAN.

lshanahan
lshanahan

Is tort reform. The "extortion racket" is often used by individuals or advocacy groups *against* corporations to get an out-of-court settlement or other concessions as well as *by* corporations, etc. Copyright infringement isn't necessarily a crime. It can rise to criminal infringement under certain circumstances, but it is essentially a civil matter. That said, the decision is a good one. I would have a tough time even under civil "preponderance of evidence" rules affirming that a given IP address represents a specific computer, let alone an individual.

John_Baines
John_Baines

The fact that in wireless networks IP addresses may be reused several times in a period of hours by different individuals, makes it very difficult to guarantee beyond a doubt who was on a particular IP at a certain time. Particularly when the times and dates given by the copyright enforcement law firms and associations in their DMCA notifications can often be four hours or more out of date!

jck
jck

At least, in Illinois. Two judges there are throwing out "John Doe" cases using IP addresses, since an IP address is not conclusive proof of who the person committing the offense was. The courts are now starting to treat IP-based cases as they should: the plaintiff's lack of diligence to identify the guilty party and the expectation of the court to do that work for them. Of course, what stops some sicko from driving around and finding an unsecured router to get their illegal materials? Happens every day.

apotheon
apotheon

You might want to look out for how things will change as the world migrates to IPv6.

Fyrewerx
Fyrewerx

According to recent laws, all U.S. states were supposed to have Driving License/Non-Driving ID cards that comply with specific descriptions, according to the Department of Homeland Security, by 2014. Unfortunately, they must push that date out because many states cannot afford to comply in this economy.... extra administration being the highest cost, and a little additional for the special cards.

apotheon
apotheon

> Nonsense... Saying it doesn't make it so.

apotheon
apotheon

The question wasn't whether IP addresses could be effectively used to track people (and, in fact, the fact IP addresses can change -- and may not even apply to the person in question for a given task even if they haven't changed -- and are thus poor excuses for ways to track people was already addressed). The question was whether government and corporations are *using* IP addresses more and more in an improper manner akin to the impropriety of using the SSN -- and whether they're using the IP address as heavily for such purposes.

apotheon
apotheon

I'm not sure what point you intend this to support.

apotheon
apotheon

> However, the MAC address stays the same. . . . unless you change your MAC address.

apotheon
apotheon

I have not found a single point with which to quibble in what you said. I agree on all counts. Thanks for commenting. If there were somewhere to do so, I'd nominate this for "comment of the year".

Charles Bundy
Charles Bundy

"There is no excuse for any network OWNER to have a network open to access by strangers." Municipal mesh? Coffee shop WiFi? "just as a person who leaves his car keys in the ignition is accountable for the use of that vehicle." Not criminally as was Chad's given example. Civil is another matter depending on harm done...

BeyondITall
BeyondITall

You should be wise enough to know that the ONLY way to completely secure a network is to NEVER plug it in. You seem to think that your grandma is savvy enough to lock down her network when multi-national corporations have been broken into and they have "trained professionals" to secure their networks. Should your limited thought processes actually prevail in a court room then I hope you don't cry when being escorted to your cell because someone hacked your network for illegal reasons. I am always amazed at how some people want to impose laws on everyone when they have no clue of what the consequences are and when it does absolutely nothing to prevent the crimes it was intended to prevent in the first place. Yes, I agree, that everyone should make efforts to secure their network but, sending them to prison because they failed to do so? Anyone that has a network could possibly end sharing a prison cell with you because you thought it would be a great idea to lock up anyone that had their network breached. Sorry, for being so crass but, you may as well lock up anyone that has their wallet stolen because they enabled the criminal by not protecting it better. Unless, you actually do entertain these thought processes.

apotheon
apotheon

> There is no excuse for any network OWNER to have a network open to access by strangers. Apparently, you aren't aware of the plethora of wireless encryption cracking tools out there that can get you connected to an encrypted network in minutes a lot of the time. The truth of the matter is that knowing it came from your network, even if it's a generally well-secured network, is no guarantee that some malicious party has not managed to get access to your network. More to the point, it's not proof that you actually did something. > a person who leaves his car keys in the ignition is accountable for the use of that vehicle. It's clear we won't agree on anything here. I find that idea completely ludicrous. edit: My girlfriend just made an interesting point. Basically, your argument extends beyond me and my wireless network. Your argument essentially states that if some pedophile cracks encryption on my wireless network at home and distributes kiddie porn over the Internet, his culpability is transferred to me by way of my wireless network, then to my ISP by way of the Internet connection it provides for my wireless network, then to the stockholders who jointly own the corporation -- which might include you, if you have a retirement investment account.

ps.techrep
ps.techrep

I can buy the argument for IP alone not being an adequate basis for identifying a responsible party. But if traffic can be captured dring malicious use, showing the MAC using the IP . . .

colby77
colby77

I couldn't agree with you more. Since when do people have to be proven innocent? This has set a dangerous precedent in our society and thankfully someone has opened the eyes of these judges.

trduff
trduff

It will, if it is ever really implemented, since each device could have a unique IP. Not sure what that has to do with todays use of MAC addresses. Its like telling me cars are insignificant since everyone will eventually have a personal aircraft.

apotheon
apotheon

> they must push that date out because many states cannot afford to comply in this economy That's not the only reason. Montana flat-out refused to comply; eventually, the federal government granted an "extensions" that Montana didn't want or care to have. Several other states followed Montana's example, and got the same treatment. To quote Montana's Governor Brian Schweitzer in an NPR interview a couple years back, he said that when the federal government starts trying to push you around, "Sometimes, you've just got to tell 'em to go to hell." I'm pretty sure I got the quote exactly right. I might have paraphrased by a word or two, but "tell 'em to go to hell" is definitely a verbatim quote.

Sterling chip Camden
Sterling chip Camden

"If the anti-crime effort were truly focused on finding real criminals instead of patsies, why does real crime continue to escalate?" Does not follow. There may be many reasons why the crime rate goes up, not limited to (but almost certainly including) the failure of law enforcement to do their job. Otherwise, though, great comment.

apotheon
apotheon

> You seem to think that your grandma is savvy enough to lock down her network when multi-national corporations have been broken into and they have "trained professionals" to secure their networks. That's a good point. Should Sony's CEO be locked up in jail because of the activities of people who compromised the security of the PlayStation Network? Is he directly responsible for their actions, and subject to punishment as if he had taken those actions himself? That certainly seems to be the conclusion that ps.techrepub would like us to draw. > I am always amazed at how some people want to impose laws on everyone when they have no clue of what the consequences are and when it does absolutely nothing to prevent the crimes it was intended to prevent in the first place. I think you just described the vast majority of politicians to a T. > Unless, you actually do entertain these thought processes. I think ps.techrepub does entertain that kind of thought. Check out his/her reference to liability for how an automobile may be used if it gets stolen while you're inside a diner waiting for the AAA guy to show up and help you get into the car after you locked the keys inside it.

Sterling chip Camden
Sterling chip Camden

"a person who leaves his car keys in the ignition is accountable for the use of that vehicle." Not true. If someone steals your car, even though you left the keys in it, you are not responsible for them using it to commit another crime.

SafeInAFlash
SafeInAFlash

like MacLovin wrote you can spoof the MAC too. But lets just say it was the same device, was it the same person using said device? You can't sue a Roku or TV or Kindle or even a notebook. You have to sue a person (or company because companies are people too). Maybe when we have all networked devices with mandatory DNA sampling along with a retinal scan as the only way to login we may never know who the operator is. I just can't agree with the article's supposition that we will have an ipv6 address tattooed on our forehead. Do you?

apotheon
apotheon

> if traffic can be captured dring malicious use, showing the MAC using the IP . . . . . . then you might have evidence that the guy spoofed a MAC address. Read How To Spoof A MAC Address. You might find it enlightening.

trduff
trduff

Despite all of the network industry momentum around World IPv6 Day, the protocol is not taking off on the Internet anywhere near as fast as proponents had hoped. A recent survey of Internet traffic compiled by Arbor Networks found that IPv6 represented less than 0.2% of all Internet traffic. Indeed, Arbor said IPv6 traffic -- both tunneled and native -- had declined 12% in the last six months, even as momentum for World IPv6 Day was building. Arbor gathered this data by surveying six carriers in North America and Europe. http://www.networkworld.com/news/2011/052311-ipv6-fail.html?page=2 Its even worse then I had stated according to Arbor Networks

apotheon
apotheon

What are your sources for the claim that "they" don't expect anyone to use IPv6 -- and who the hell are "they"?

trduff
trduff

The reason they have IPV6 day is to try and get people to actually use it. they have valid concerns that it is being way too slow to be implemented and may never happen on the scale imagined. They were very disapointed that a year later after the last IPV6 day that there is still less then 5% implementation In other words almost no change from the year before..

apotheon
apotheon

1. IPv6 support has been implemented all over the place. Every computer in my home (and there are quite a few) is running an OS capable of supporting IPv6. 2. If you mean deployed on the Internet -- it is deployed on the Internet, though at the moment it is parallel with IPv4 in the cases where it has been deployed because ISPs don't want to lock out customers who are still only using IPv4. 3. If you mean widely deployed on the Internet, you might be interested to know that World IPv6 Day is one week away. You're running out of time in which you will be able to pretend IPv6 isn't coming. > Not sure what that has to do with todays use of MAC addresses. Its like telling me cars are insignificant since everyone will eventually have a personal aircraft. . . . except that everyone having his or her own personal aircraft has been perpetually thirty years away for most of a century, while worldwide IPv6 access is maybe a couple years away at this point -- and, for a testing period at least, is only one week away.

seanferd
seanferd

Certainly, I hope your ISP gives more than one address for their resolvers. But what I mean is, if you look at your public IP as shown in the status of your gateway or mobile device, you see one IP, but if you were to do dig or nslookup, it would show your gateway or device as having a different public IP entirely.

Who Am I Really
Who Am I Really

it's shown in the router's config. page the ISP's DNS servers use 64.x.x.x DNS1 64.x.x.x DNS2 64.x.x.x .

seanferd
seanferd

I see you have a NATted public IP as many/most wireless internet users do. The mismatch between the two public IPs you see does not, in my experience, reflect on NAT directly. But some ISPs give you two IPs (NATted or not) - one for DNS requests, and one for all other traffic.

apotheon
apotheon

> how is this confusing? Easy: you didn't explain yourself very well, and even said things that seemed to contradict each other. That's how it was confusing. What you previously said seemed to indicate that on 3G router was issuing hundreds of IP addresses, which made me think you weren't talking about the 3G device you currently have, but about the ISP servers to which you connect via 3G. Before that, it seemed like you were saying that because the IP address was assigned to a router at your end, and not to the computers on the inside of the the local network, somehow that meant government wouldn't trace activity for that IP address back to you. Only now do I realize that you're saying you are basically on a huge NATted network when using 3G. I must admit that I had never checked that with my own 3G device before now; if I already knew this information, I would have understood what you meant -- but then, if I already knew it, you wouldn't need to say it in much detail. I guess the moral of the story is two-fold: 1. I should have poked at the network management for 3G on my service provider a bit more. 2. You should have written what you were saying in a manner calculated to actually convey your meaning clearly to someone who did not already know everything you were discussing. You still aren't being completely clear, but there's enough information for me to have finally developed an accurate hypothesis about what you are trying to say and double-check it myself since I happen to have a 3G connected device. I'm sure that many people reading this thread are not so lucky. Hopefully what I have said will clear things up for some of them.

apotheon
apotheon

Are you telling me the address in question belongs to a router on your network? If so, you're just as screwed as everyone else on the IP address identification front, and what I said in my previous comment is immaterial. From what you said, though, it sounded like the IP address was something assigned to some device that is located in some ISP office or server farm somewhere.

Who Am I Really
Who Am I Really

never mind got nothing better to do than [b]-[/b] troll

apotheon
apotheon

I think your ISP is screwing you. > reveals an IP belonging to the ISP and not the one assigned to the modem This means your ISP is doing something like NAT before even getting as far as your connection device, which means that you could not configure any pass-throughs to devices inside your network if you wanted to, for instance, set up an SSH proxy. I guess a really, really awful ISP (like yours, evidently) might not return your IP address at all. I was not aware any ISPs did that, though.

rongood
rongood

Honest, intelligent,knowledgeable, motivated; fail any of those parameters & police response becomes less effective. Corrupt cops may work only for bribes, or take bribes from criminals to NOT work; an unmotivated or stupid cop might prefer hunting down rapists or car thieves rather than white-collar criminals; even an honest, motivated, diligent & intelligent officer may not have the background, or time to stay current, or may have too heavy a workload already. Fortunately, criminals have to cover ALL their traces, by themselves; cops can & do ask for help. And there are a lot of stupid criminals out there....

apotheon
apotheon

There appears to be a logical fallacy in that statement -- but only if you take it as a strictly logical deduction, which involves a somewhat liberal interpretation of the words. I took it more as a question that needs answering than as a rhetorical implication.

dayen
dayen

Thank GOD for Onstar I can guard the car that I lock my keys in wile I call them on the cell phone so I won't go to jail, under the Laws ofps.techrepub

Charles Bundy
Charles Bundy

The preponderence of decisions in civil litigation hold the owner responsible. Goes all the way back to English common law.

apotheon
apotheon

It's easier to find out someone's IP address.

apotheon
apotheon

Do you have your SSN tattooed on your forehead?

apotheon
apotheon

My girlfriend beat a red light camera (that actually went off when the light didn't turn red until the car was halfway through the intersection) by pointing out she's female and the driver in the photo had facial hair. She just sent a letter as a response to the ticket in the mail, and they tossed out the ticket. It's pretty easy to beat those traffic camera tickets, as long as you have any excuse to challenge them.

SafeInAFlash
SafeInAFlash

if you plan on waisting time and money. I know there would be an attorney that would work for you. You can sue anybody for anything (in this retort sue anything for anything) but that does not mean that you have a case. My refrigerator never bought me lunch. Things do not have checking accounts. A person, company, trust these are some of the entities that can be legitimately sued. So I guess what I am saying is that your example shows that the fine goes to the license holder not the vehicle. In my county their usage has been suspended just for this reason that it is unsure of the identity of the person behind the wheel. And also because they take pictures of right turn on red travellers which is legal here.

SafeInAFlash
SafeInAFlash

Maybe it says it in the title - "Is the IP address the new SSN?"

lmarks
lmarks

SNABU wrote: "True, it may be the same device but... like MacLovin wrote you can spoof the MAC too. But lets just say it was the same device, was it the same person using said device? You can't sue a Roku or TV or Kindle or even a notebook." Ahh, but you can! A precedent is the red light cameras. The state has evidence that a car bearing a particular license plate ran a red light, but no knowledge of the driver's identity. Nevertheless a fine can be imposed. By analogy, a fine could be imposed where the only evidence is a computer's MAC address.

apotheon
apotheon

> I just can't agree with the article's supposition that we will have an ipv6 address tattooed on our forehead. Do you? This seems like a bit of a straw man, from where I'm sitting.