On a Friday in February, a visitor to the website 4chan posted child porn photos to the "international" channel. 4chan may be notorious for the offensive images that get posted there, but it turns out there are limits even on that free-wheeling board. According to a police affidavit, 4chan flagged the post, recorded the Internet Protocol (IP) address associated with the user who posted it, and reported it to the National Center for Missing and Exploited Children. The Center passed the tip along to the feds, who forwarded it to the Seattle Police Department, where it landed on the desk of Detective Daljit Gill.
The ultimate fate of that tip, according to a new white paper from the digital civil liberties group Electronic Frontier Foundation, reveals in part why IP addresses can be unreliable pieces of evidence that are misused by police and the courts.
An IP address is a unique identifier assigned to a computer or computer network that allows it to connect to the internet. Detective Gill looked up the IP address handed over by 4chan using a publicly available tool from MaxMind, which provides more information, like geographic coordinates where the computer might be located and the Internet Service Provider (ISP) it's associated with. The ISP in this case was a company called WaveG; Gill sent it a search warrant asking for the name and address associated with the account.
The address pointed at a Seattle couple: David Robinson and Jan Bultmann. So at 6:15 a.m. on a Wednesday morning last March, gun-toting police officers showed up at the door of their condo, flashing a warrant and saying they needed to search the premises. The cops threatened to take all of the computer equipment in the house unless Robinson and Bultmann answered their questions and let them search devices. Robinson got dressed while a police officer watched, according to local alt-weekly The Stranger. Then Robinson and his wife were taken into white police vans and questioned separately for nearly an hour about whether they were child porn connoisseurs.
"They asked terrible questions, really offensive stuff. The interrogator seemed convinced I was trafficking in child pornography," Robinson told me by phone.
But there was one big problem: they weren't the ones who had uploaded the child porn. Robinson and Bultmann explained to the officers that they operate a Tor exit relay, a software used by activists, dissidents, privacy enthusiasts, and yes, criminals and child porn aficionados, who want to be able to surf the internet without having their identities exposed. The couple started running the relay as volunteers in 2010, inspired by Wikileaks and whistleblowers who might want to use it for their work.
Tor is an anonymous web browser that routes a user's traffic through a few different computer nodes in its network, so that it's not possible to see where a request originated. The network relies on volunteers to run the computers through which a user's request is passed along. Robinson and Bultmann had employed one of their computers—an old Asus Netbook—to run the software that makes the anonymity browser network possible, and specifically to run the riskiest node in the chain: the exit relay which provides the IP address ultimately associated with a user's activity. In this case, someone used Tor to make the porn post, and his or her traffic had been routed through the computer in Robinson and Bultmann's house. The couple wasn't pleased to have helped someone post child porn to the internet, but that's the thing about privacy-protective tools: They're going to be used for good and bad purposes, and to support one, you might have to support the other.
While it's understandable why the cops would show up asking the couple questions, a raid based on the IP address alone seems unreasonable. As Robinson points out, there's a public list of the IP addresses associated with Tor exit relays. He (and the Electronic Frontier Foundation, in its white paper) wish the police would check it.
In the six years they'd been running the relay, this is the first time police had shown up at their door. There wasn't any evidence for police to find, because information that passes through the Tor network is encrypted, the files and data not saved locally. The police asked Robinson to unlock one MacBook Air, and then seemed satisfied these weren't the criminals they were looking for and left. But months later, the case remains open with Robinson and Bultmann's names on police documents linking them to child pornography.
"I haven't run an exit relay since. The police told me they'd be back if it happened again," Robinson said; he's still running a Tor node, just not the end point anymore. "I have to take the threat seriously because I don't want my wife or I to wake up with guns in our faces."
IP addresses can be incredibly useful for a police investigation, but they can also lead cops astray. The Electronic Frontier Foundation (EFF) wants police officers and judges to be more careful in how they use IP addresses, thinking of them as helpful clues rather than a smoking gun. "Police too often take IP address information to mean that a person associated with an address is the party who committed a crime," write EFF lawyer Aaron Mackey, technologist Seth Schoen, and Executive Director Cindy Cohn in a white paper aimed at courts and cops. "For many reasons, connecting an individual to a crime linked to an IP address, without any additional investigation, is irresponsible and threatens the civil liberties of innocent people."
Tor volunteers aren't the only victims of police over-reliance on IP addresses. The cops have raided homes of innocent people as a result of neighbors using a person's open Wi-Fi network to do something criminal. IP addresses are sometimes reassigned. And police have made assumptions based on IP geolocation alone that have had traumatic consequences.
As reported here at Fusion, homes in Kansas and Virginia were subject to visits from police, internet vigilantes, and federal law enforcement simply because they had been mapped as default locations in the MaxMind database—places the company points to when it's not sure exactly where an IP address is located. (MaxMind says its IP geolocation is inaccurate in the United States 12% of the time.) The result for these two homes was millions of IP addresses being erroneously associated with their geographic coordinates. Tony Pav, the owner of the Virginia home told me about one of his visits from the police:
In 2012, he came home late one night to find the police about to break down his door. They said they were looking for a stolen government laptop with personal information on it. He let them in to search; it wasn’t there, even though its IP address was pointing right at his house.
“They tore up my house looking for it, and found nothing,” he said.
The visitors who showed up at these homes might have realized their error if they had sought out additional information about who actually owned the IP address from the Internet Service Provider, like Gill did in the child porn case.
"Although IP addresses can sometimes be reliable indicators of locations or individuals when combined with other information, such as ISP records, use of the IP address alone, without more, can too often result in dangerous, frightening, and resource-wasting police raids based on warrants issued without proper investigation," write the authors in the EFF paper. They suggest that IP addresses be thought of like an anonymous informant, one whose testimony needs corroborating evidence in order to be believed.
But that's not how IP addresses are usually described by law enforcement. When going to judges to get permission to raid someone's home, police and prosecutors have compared IP addresses to license plates, but for computers, or home addresses. And that's a gross overstatement, says EFF. IP addresses aren't always unique, and as evidenced by the case of David Robinson and the home raided because of a neighbor's internet servers, are sometimes shared by multiple users.
"If the EFF has alternative language for how IP addresses should be described in warrants, that could be helpful," said Orin Kerr, a former federal prosecutor who is now a law professor at George Washington University. "What's hard about this topic is that every judge, police officer and warrant is different."
Some people are more familiar with the limits of IP addresses than others, and sometimes the IP address is more reliable than in other cases. Kerr says IP addresses usually need additional evidence to reliably finger someone, but that it varies from case to case. It's not the first time this subject has been explored. Years ago, when the issue of IP address reliability was first being raised, including by EFF, Kerr says there was a question of whether police needed to determine whether a suspect Wi-Fi network was open (meaning lots of people may have used it) or password-protected. Ultimately, it was determined that police aren't constitutionally required to do that due diligence.
EFF hopes its white paper makes the rounds in justice circles and cuts down on the number of people unfairly accused of crimes based on IP address information alone.
"We want there to be concerns planted with police and courts so they're asking questions about whether IP addresses are being used responsibly, in compliance with the 4th Amendment," said EFF's Aaron Mackey. Hypothetically, being more skeptical of IP addresses will mean not accusing an innocent person of a crime, but it'll also save police resources, as they won't spend a morning raiding the home of someone who has nothing to offer them but a privacy lesson.
How Police and Courts are Misusing Unreliable IP Address Information and What They Can Do to Better Verify Electronic Tips [Electronic Frontier Foundation]