Monday, May 16, 2011

Legal Implications of IP Addresses

A plethora of recent legal issues ranging from the prosecution of child pornography to the enforcement of civil copyrights have relied upon the IP address of a computer to identify individuals. However, an IP address is not an individual according to the United States District Court of the Central District of Illinois. Prompted by a recent MSNBC article, the legal system is beginning to realize that an IP address does not necessarily link an individual to certain computer use; in fact, the same IP address can be used by many individuals with access to the computer in question, or by visitors with access to the same wireless router. VPR Int'l v. Does 1 - 1017, Case No. 11-2068 (C.D. Ill. 2011).

An IP address (or Internet Protocol Address) is, at its most basic, a series of 4 numbers ranging from 0 to 255, each separated by a period (.). These numbers are used to uniquely identify each and every computer connected to the internet in much the same way that a physical address is used to uniquely identify each and every physical location in the world. When information is sent out over the internet or when information is received on the internet, it is labeled with both the IP address of the sender and of the recipient. Much like a letter is addressed with both the address of the recipient and the return address of the sender.

Complicating this issue is the concept of a subnet. For the sake of simplicity, think of a subnet as the city and state of an address. Every router connected to the internet has a unique IP address within one subnet and then each computer connected to that router has a unique IP address within the router’s subnet. Typically, it is not the IP address of an individual computer that is broadcast over the internet to send and receive information, but rather the IP address of the router. The router, as the name implies, then routes the requested information to the computer that requested it. Think of a router as the mailroom for a large business. All of the employees of the business have access to the mailbox and can receive mail at the business address and the mailroom sorts the mail to go to individual employees.

Of course, this architecture leads to a situation where the IP address visible on the internet as downloading illegal content such as child pornography or posting vicious hate filled threats on Facebook could belong to multiple computers. An internet service provider would only be able to identify the IP address of the router that passed on an individual computer’s request for information; the service provider would be unable to identify the individual computer.

Most households own a wireless router. Many wireless routers are “unsecured”. This means that any person with a laptop, iPad or Wi-Fi device can utilize another person’s wireless router without the use of a password. An unsecured router is like an unlocked mailroom; anyone in the building can go in and send a package or take a package, even if it is a package that is not intended for them.

Imagine trying to identify the sender of a mail bomb based solely on the address of the unlocked mailroom for a large business. Any of the employees of the business are suspects as are any person that could have walked into the mailroom when the package was sent. This is exactly the problem involved in tracking down copyright infringers or child pornographers on the internet. A subpoena directed to an internet service provider to identify the owner of an IP address can only identify the router that requested the information. If the router is unsecured, then the suspects could include all the users of the router, together with the neighbors that are in range of the router’s wireless signal and all the cars that could have been parked nearby or driven through. Even if the router is secured, the suspects include anyone with knowledge of the router’s password and anyone that could have stolen the router’s password.

Therefore, without some other information, such as statements, admissions or other physical evidence, it is nearly impossible to identify the individual that was sitting in the computer chair at the time that the illicit content was downloaded or at the time that the harassing message was posted to Facebook.