Another brief contribution below:

> On 25 Apr 2018, at 19:55, Ted Lemon <[email protected]> wrote:
>
>> But an IP address is different. We can’t map it to a person. The legal
>> system can map it to a physical location unless that location has shared
>> WiFi, VPN or is a tor exit node. I have all 3.
>
> Unfortunately, although you are absolutely correct that it can't be mapped to
> a person, that is in fact how LEOs have historically tended to treat it.
> The person to whom it is mapped is presumed to be the subscriber.
>

In my experience it’s a pretty poor investigator that would rely on IP address only for the purposes of identifying a real-world identity. I mention this point in both of the draft documents that I have published. Any remotely experienced defence expert would have a relatively simple job stomping on a prosecution case that relied on an argument that IP address equals real-world person, if there were no other supporting lines of evidence. That’s not to say that the IP address might not be a crucial piece of evidence, it’s just that it would need to be taken in the context of the other aspects of the investigation. For example, the IP address evidence suggesting that a person is involved in some sort of fraudulent activity might be supported by the fact that they have massive amounts of unexplained wealth (e.g. with no corresponding tax returns), evidence collected from the person’s devices (e.g. malware droppers, browsing history, etc.), statements from the suspect that they are the only person that uses those devices where evidence was found, etc.

>> We don’t send armed police in confiscating everything here in Denmark. Often
>> it is just a friendly knock on the door and a talk/confession.
>
> Here in the U.S. a criminal investigation of the sort you describe, where the
> victim is a network service provider, seems unlikely, although perhaps in
> some jurisdictions they are catching up. A typical consumer of this data
> would be a DMCA complainant or a police officer investigating some
> non-computer-fraud case that happens to involve some visible online activity
> that, if traced, might lead in the direction of a suspect.

The evidence from service providers is important, of course, but before any conversation ever takes place with an ISP there needs to be some way of finding out which ISP needs to be talked to. A suspicious IP address (and source port!) needs to have been identified somehow and then a process will take place to identify who was using that IP address (and source port!) at a particular point in time. Without adequate logs from the victim or platform (which I agree is most likely not the service provider) it’s difficult for the investigation to even get started... and from there we’re all the way back to the start of the discussion again, so rather than repeating the whole position again, I refer to my document where the arguments relating to availability of the required information are laid out in more detail.

daveor

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
