Appeals Court Says An IP Address Is 'Tantamount To A Computer's Name' While Handing The FBI Another NIT Win
from the [extremely-superintendent-chalmers-voice]-good-lord dept
Fortunately, this profoundly-wrong conclusion is buried inside a decision that's merely off-base. If it was the crux of the case, we might have witnessed a rush of copyright trolls to the Eleventh Circuit to take advantage of the panel's wrongness.
But this decision is not about IP addresses… not entirely. They do play a part. The Eleventh Circuit Court of Appeals is the latest federal appellate court to deny suppression motions filed over the FBI's use of an invalid warrant to round up suspected child porn consumers. The "Playpen" investigation involved the FBI seizing a dark web child porn site and running it for a few weeks while it sent out malware to anyone who visited the site. The FBI's "Network Investigative Technique" (NIT) sent identifying info back to the FBI, including IP addresses and an assortment of hardware data.
As the court notes in its decision [PDF], pretty much every other appeals court has already gotten in on this action. (Spoiler alert: every other appeals court has granted the FBI "good faith" even though the DOJ was actively pursuing a law change that would make the actions it took in this case legal. The violation of jurisdiction limitations by the FBI's NIT was very much not legal when it occurred.)
"By our count, we become today the eleventh (!) court of appeals to assess the constitutionality of the so-called “NIT warrant.” Although the ten others haven’t all employed the same analysis, they’ve all reached the same conclusion—namely, that evidence discovered under the NIT warrant need not be suppressed. We find no good reason to diverge from that consensus here…"
That being said, there are some interesting issues discussed in the opinion, but here's where it kind of falls apart. The Eleventh Circuit may be joining ten (!) other circuits in upholding the FBI's illegal search, but it's the first to make this preposterous claim while doing so. (h/t Orin Kerr)
"In the normal world of web browsing, an internet service provider—Comcast or AT&T, for example—assigns an IP address to every computer that it provides with internet access. An IP address is a unique numerical identifier, tantamount to a computer’s name."
That's… just completely wrong. An IP address doesn't identify a device any more than it identifies a person or location. It is very definitely not "tantamount to a computer's name." The court uses this erroneous conclusion for pretty benign ends -- to veto the DOJ's belated attempt to rebrand its NIT malware as a "tracking device" in order to salvage its invalid search warrant. Even so, this slip-up is embarrassing, especially in a decision that contains a great deal of technical discussion.
But I suppose all's well that ends unsurprisingly. The Eleventh Circuit agrees with the other circuits: the warrant obtained was invalid from the moment it was obtained as it allowed the FBI to perform searches outside of the jurisdiction in which it was issued. But there's no remedy for the two alleged child porn consumers. As the court states here, the error was the magistrate judge's, who should never have signed a warrant granting extra-jurisdictional searches. According to the Eleventh Circuit, the FBI agent had every reason to believe the granted warrant was valid and that the searches could be executed. No one's evidence is getting suppressed and no one's convictions are being overturned.
The problem with this assumption is that it glosses over the issue of the DOJ's Rule 41 politicking, which was well underway when this FBI agent approached a judge with a warrant that asked permission to violate a rule that hadn't been rewritten yet. To call this "good faith" presumes a lot about the FBI and its investigators. It concludes they were unaware of the DOJ's petitioning of the US court system to rewrite Rule 41 when everything about this case points to the fact that these investigators knew about the proposed rule change and knew this NIT deployment wasn't legal at the point they handed the affidavit to the magistrate.
In the end, it's another unearned win for the FBI. And it's one that comes paired with a tech gaffe that's going to sound very appealing (!) to IP trolls.
Filed Under: 11th circuit, computer names, identification, ip address
Reader Comments
'Look, they all jumped off the cliff so clearly we should too.'
"Although the ten others haven’t all employed the same analysis, they’ve all reached the same conclusion—namely, that evidence discovered under the NIT warrant need not be suppressed. We find no good reason to diverge from that consensus here…"
... other than the fact said evidence was gathered under an illegal warrant, and as such all evidence related to that warrant should be inadmissible?
Other than the fact that if you allow evidence obtained via an illegal warrant you essentially have ruled that warrants are not needed, contrary to the Constitution which very clearly requires them?
Other than the fact that by allowing evidence obtained via an illegal warrant to be used you have all but flat out said that those pesky 'constitutional rights' can be ignored on a whim with no penalty, ensuring that violations will continue as there is no penalty even while there are potential gains?
Other than those reasons, any of which should have been more than enough?
Judges like this are an insult to the legal field and concept of justice, too cowardly or corrupt to tell a government agency that the constitution is not just a set of guidelines that can simply be ignored if following them would make someone's job harder.
[ link to this | view in chronology ]
Not even close these days, as there is a shortage of IP v4 addresses. With carrier level NAT and DHCP, you need time and a port number to even identify the router through which the computer connected.
[ link to this | view in chronology ]
Re:
Are American ISPs doing that? I thought it was a third-world thing. I've never had an ISP refuse to give me one public IP (not since the remote-terminal days of the early-to-mid '90s).
[ link to this | view in chronology ]
Re:
It might be an interesting argument to make, though, especially if the router was leased from the ISP and thus was the ISP's property and controlled by it the whole time. If one takes the decision's statement as it's worded, then one should look on the computer for the IP address the ISP assigned to it which is almost certainly in the 192.168/16 netblock. That's also almost certainly not the IP address listed as the source of the download of the illegal material (which would belong to the router belonging to the ISP, not the computer belonging to the user). Given that, by the government's own evidence, the ISP they're looking for was not the one assigned to any computer belonging to the user by their ISP, what basis does the government have for the charges?
[ link to this | view in chronology ]
As good as a name
Well, we can say an IP is as good to identify a computer, as a name can identify a person, let's say, John Smith.
[ link to this | view in chronology ]
Re: As good as a name
It's more like take a number at the post office or DMV - for that moment, in that location, you were very briefly #947... unless you got tired of waiting and gave the number to someone else and left... or your friend was holding the number... or you swapped numbers with someone else. You get the idea. The number was not good outside a limited area for a limited time, and could not be tied to you directly since they call your number when it's your turn, not your name. Unless you personally hand them the number at that exact moment, no one can later say who #947 was.
[ link to this | view in chronology ]
Re: Re: As good as a name
Or maybe you made your own ticket #947.
[ link to this | view in chronology ]
Assume that you have an Internet connection with Wi-Fi. If a friend with a device other than your computer were to access your Wi-Fi network, they would then be using the same IP address as you. How, then, could the authorities know with even the slightest bit of certainty which one of you committed an illegal act based only on the IP address?
[ link to this | view in chronology ]
Re:
Doesn't matter. If they don't want to host your friend's white supremacist device on their networks, they don't have to.
Show me the law or statute that says you can aid and abet a criminal with no legal consequences.
If you are in possession of stolen goods, you will be charged. Doesn't matter who stole them, you have possession and you will be charged.
[ link to this | view in chronology ]
Re: As good as a name
FTFY.
[ link to this | view in chronology ]
Re: As good as a name
Don't you mean Jhon Smith?
[ link to this | view in chronology ]
That computer has a name...Guilty.
As has been pointed out above, identifying a particular computer with IP addresses is overly simplistic. For example I have two routers, in series, and five computers connected to the inside one. For the moment, let's leave the fact of my VPN connection out of the equation, we'll assume I slip up and turn the VPN off, but still connect to the Internet. Now, which computer is guilty?
This kind of makes me wonder why the defenses haven't brought in network engineering experts to refute this nonsense.
[ link to this | view in chronology ]
Re: That computer has a name...Guilty.
Just expand that to a public location. I manage a network that has around 10,000 devices on it. While I do have a pool of Class C public addresses available, I have only ever seen it use one public IP address for anything that can connect to the wireless.
[ link to this | view in chronology ]
Re: That computer has a name...Guilty.
Judges don't need no stinkin' experts. They already know it all!
[ link to this | view in chronology ]
We could look at it another way...
In one way of looking at it, an IP does actually refer to a single computer. At my house, that's the modem/router provided to me by the ISP. In the case of an "illegal download", the router is "guilty" of (routing requests) to illegally download content, not the user's computer. Maybe there's a good legal reason to rent routers from the ISP. The device with that IP address is the ISP's!
[ link to this | view in chronology ]
Re: We could look at it another way...
Unfortunately, arguments have already pivoted to "the IP address may technically belong to the router, but as far as the ISP is concerned, the IP is temporarily assigned to the account holder."
This gives LEOs reasonable suspicion that the account holder is associated with the crime, so they can come and investigate the home the account holder has registered with the ISP for that IP address.
[ link to this | view in chronology ]
lack of a chain of custody
I'm still hung up on the fact that the data from the NIT was transmitted in plain text with no cryptography to ensure data wasn't manipulated in-transit. The lack of a chain of custody between the NIT and the FBI server alone should make the IP addresses gathered suspect.
[ link to this | view in chronology ]
MAC, NIC and ARP
Appeals Court Says An IP Address Is 'Tantamount To A Computer's Name' While Handing The FBI Another NIT Win
The federal court jesters (i.e. judges) comprising the US Court of Appeals for the 11th Circuit might be on to something if they said the MAC address coded onto a machine's network interface card is 'Tantamount To A Computer's Name' but they didn't.
[ link to this | view in chronology ]
Re: MAC, NIC and ARP
Well, that assumes that the user does not have the knowledge to change their MAC address on a whim.
[ link to this | view in chronology ]
Re: Re: MAC, NIC and ARP
MAC address normally doesn't change. That is what the ISP is using to allow you on their Internet and have service.
On the other hand, the IP4 address you have on the Internet is almost always Dynamic. You generally have to PAY to have a Static IP address. Unless you run a Web server at home which most people don't, you're generally going to have a Dynamic IP address that will change once in a while.
Your local network, wired or wireless, doesn't matter. It is what it is. It's your IP address out into the world at large, the 72.45.123.33, or whatever block of IP addresses your ISP is assigned to use. This is the IP address that is TEMP that the world sees at large. Not your MAC, but your IP4 address. Do you want to be blamed on something someone else did when they HAD that IP number and now YOU do?
[ link to this | view in chronology ]
Re: Re: Re: MAC, NIC and ARP
While I agree the MAC is not normally changed by users, someone that is doing illegal activities is more likely to take steps to cover their tracks. Like modify their MAC.
[ link to this | view in chronology ]
Re: Re: Re: MAC, NIC and ARP
Only if they insist that you use their router, which has its own MAC on their side. It does not apply to the computers on your side of the router, as you are free to replace parts and computers as you wish. If you are able to use your own router, as I can, the MAC on that side changes when you change your router.
[ link to this | view in chronology ]
Re: Re: Re: MAC, NIC and ARP
That used to be the case.
It was not hard back then and a simple search would quickly reveal how to change it and it was recommended in some consumer security articles.
But now it is an option built into the OS to randomize your MAC address. Sure it is still a little bit buried in menus, but you don't even need to know how a MAC address is supposed to look to turn this feature on for WIFI.
Disregarding the fact that the description of IP addresses (in the ruling) is terrifyingly wrong and shows a lack of even basic understanding, I do not believe that IP-to-MAC bindings are in any way a reliable indicator anymore.
From what I read about law enforcement "investigations" and "evidence", I would be able to completely frame another person with ease and be completely confident that this person would get the blame because no other avenue was even considered. I wouldn't even need much understanding... everything could be done with freely available applications.
[ link to this | view in chronology ]
Re: Re: Re: MAC, NIC and ARP
"MAC address normally doesn't change"
Except, it's trivial to spoof without any additional software on a desktop. I'd assume it's easy enough to do on mobile devices as well.
But, the difference is moot anyway, since the device that's usually connecting to the ISP is a router, not the device the end user is using. That's what's particularly stupid about this comment - you don't have the "name" of a computer at all, you only have the device the computer used to connect. Which may not belong to the customer of the ISP, or indeed necessarily anyone they know.
[ link to this | view in chronology ]
I hope they appeal.
I hope they show the case where the FBI held a family at gunpoint for hours b/c of an IP address b/c they never bothered to see if their router was secured.
Then they stumbled across the neighbor who WAS the CP downloading asshole.
Justice means we all follow the rules, but now it just is a cover for QI & remaining ignorant of facts so we can get the "bad guys".
If an IP address is a computer's name, then why the FSCK haven't we raided the FBI for providing CP & encouraging the creation of more.
[ link to this | view in chronology ]
For most ISP setups, the IP address the ISP hands out goes to the modem/router. The modem/router then hands out a NATed address to any devices on the customer side. If you have the IP address AND a time, you should be able to find the MAC address of the modem/router in the DHCP server log (assuming such was kept). With that you might be able to tie to a particular modem/router and derive the account using that device. Unless the ISP can read the DHCP logs from the modem/router, you can't identify any of the devices that received private IPs from the modem/router. Gets even harder if the customer has the ISP modem in bridge mode and provided their own router.
[ link to this | view in chronology ]
Re:
And that can be a NATed, so you need the port at ISP level to resolve the end user. That is, an ISP-level IP address can be shared by several customers due to their use of NAT to get round the shortage of IP V4 addresses.
[ link to this | view in chronology ]
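The lookup described in the two comments above, as an added example that is not part of the original thread: resolving an observed public IP and time against an ISP's DHCP lease log, and, where carrier-grade NAT is in use, against its port-block log. The record layouts, account labels and function names are assumptions, and every record is constructed sample data.

```python
from datetime import datetime

T = datetime.fromisoformat

# Constructed records, not real ISP data. Addresses come from documentation
# and shared-address ranges (198.51.100.0/24, 203.0.113.0/24, 100.64.0.0/10).
# Hypothetical layout: (ip, modem_mac, account, lease_start, lease_end)
DHCP_LEASES = [
    ("198.51.100.20", "00:00:5e:00:53:01", "acct-A",
     T("2019-03-01T00:00:00"), T("2019-03-02T00:10:00")),
    ("198.51.100.20", "00:00:5e:00:53:02", "acct-B",   # same IP, next customer
     T("2019-03-02T00:15:00"), T("2019-03-03T00:15:00")),
    ("100.64.0.11", "00:00:5e:00:53:03", "acct-C",
     T("2019-03-01T00:00:00"), T("2019-03-08T00:00:00")),
    ("100.64.0.12", "00:00:5e:00:53:04", "acct-D",
     T("2019-03-01T00:00:00"), T("2019-03-08T00:00:00")),
]
# Hypothetical layout: (public_ip, port_lo, port_hi, inner_ip, start, end)
CGNAT_BLOCKS = [
    ("203.0.113.7", 1024, 2047, "100.64.0.11",
     T("2019-03-01T00:00:00"), T("2019-03-08T00:00:00")),
    ("203.0.113.7", 2048, 3071, "100.64.0.12",
     T("2019-03-01T00:00:00"), T("2019-03-08T00:00:00")),
]


def lease_holder(ip, when):
    """Return (modem_mac, account) holding `ip` at `when`, or None."""
    for l_ip, mac, account, start, end in DHCP_LEASES:
        if l_ip == ip and start <= when < end:
            return mac, account
    return None


def attribute(public_ip, when, port=None):
    """Resolve an observation to ISP accounts.

    Returns (status, accounts). Even "modem_account" names only the
    account behind a modem/router: devices on the customer side of that
    router never appear in the ISP's logs.
    """
    when = T(when)
    blocks = [b for b in CGNAT_BLOCKS
              if b[0] == public_ip and b[4] <= when < b[5]]
    if blocks:
        # Shared address: only the source port narrows it to one customer.
        if port is not None:
            blocks = [b for b in blocks if b[1] <= port <= b[2]]
        inner_ips = [b[3] for b in blocks]
    else:
        inner_ips = [public_ip]          # address leased directly to a modem
    holders = [lease_holder(ip, when) for ip in inner_ips]
    accounts = sorted({h[1] for h in holders if h})
    if not accounts:
        return ("no_record", [])
    if len(accounts) > 1:
        return ("ambiguous", accounts)
    return ("modem_account", accounts)


if __name__ == "__main__":
    print(attribute("198.51.100.20", "2019-03-01T12:00:00"))
    print(attribute("198.51.100.20", "2019-03-02T12:00:00"))
    print(attribute("203.0.113.7", "2019-03-01T12:00:00"))
    print(attribute("203.0.113.7", "2019-03-01T12:00:00", port=2500))
```

The same address maps to a different account a day later, and a shared address maps to every customer behind it until a logged source port is supplied.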
Re: Re:
" .. use of NAT to get round the shortage of IP V4 addresses."
That is not the reason for NAT.
[ link to this | view in chronology ]
Re: Re: Re:
It is for ISPs, at least until they support IP V6.
[ link to this | view in chronology ]
Re: Re: Re: Re:
"The technique was originally used as a shortcut to avoid the need to readdress every host when a network was moved. "
https://en.wikipedia.org/wiki/Network_address_translation
[ link to this | view in chronology ]
We're all missing the good point about an IP address being a computer name.
If I spoof my IP address to the 11th COA, they can get blamed for whatever I do on the web.
[ link to this | view in chronology ]
Re:
I honestly wish this would actually be the case if not for the fact that "high courts, low courts" would absolutely be in play here. Let's say someone spoofs the 11th COA's IP address and downloads Malibu Media smut. What's likelier? The 11th COA pays Colette a sum of money to go away, or actually initiates an investigation/official statement to say "that time didn't count"?
The uselessness of IP addresses as evidence was already clearly established before the judge in Strike 3 had to remind Fox Rothschild that his evidence was garbage. The RIAA, US government, the Vatican etc already have IP address evidence linking them to pirated music and pornography. Yet the only thing we hear is such evidence surfacing - no follow-through investigations, no penalties enforced, nothing.
And why is that? Because - as in the case of the RIAA being caught redhanded for using content without permission - copyright enforcers are terrible at self-policing, and have no intention to do so.
[ link to this | view in chronology ]
An IP address is selected by the ISP, and assigned to customers' PCs as they log on to the web. Saying an IP address is simply wrong,
it could be given to any device or PC who uses the ISP,
or even by someone who is within wifi range of the router.
Many routers can be hacked as they use basic default passwords.
Yes, it's likely an IP shows the PC is within a certain area, served by the ISP,
but it should not be used as definite proof that a specific PC accessed a website at a certain time.
Unless they have data from the ISP that shows the IP address and the MAC address of the PC, each PC has a unique MAC address.
The IP address by itself should not be used to convict anyone of a crime.
This was addressed years ago when the record companies were going after users for downloading songs and music based on the ISP address.
It's not as if the subject of IP address evidence has not come up in many legal cases in America.
[ link to this | view in chronology ]
Re:
"assigned to customers pc"
usually assigned to what they call a modem
"log on to the web"
How does one accomplish this?
Does The Web have a logon page? I have never seen it - that's weird.
[ link to this | view in chronology ]
Re: Re:
I think this guy is stuck in the AOL days of yore... or might just be one of the many Americans stuck in the FCC's "broadband is okay on our map" zone that has to use dial-up to "log on to the web".
[ link to this | view in chronology ]
The EVIDENCE is NOT contested. ONLY a Court Rule in question.
A) The IP address turned out valid because NIT software accurately reported, along with absolutely identifying detail. The FBI went to right place. That's why evidence as such is NOT contested. All arguing that line is STUPID.
B) Law is to protect the innocent, NOT to protect the guilty. This is extreme last hope lawyering. No black letter law nor Constitutional Right was ever in question, only a Court Rule that hadn't been updated...
C) Which Court Rule has been FIXED. This basis for challenge will NEVER again come up!
Yet Techdirt / minion / fanboys clearly hope that downloaders of child pornography can escape.
Minion's pointing up that is the eleventh Appeals level decision (besides as many original!) only shows weird mania to stay WRONG without any visible reason in first place, continued for years now without any hope from intermediate "win" in court, besides that your position (as I noted last week in the "sexting" case) can ONLY support child pornography.
NO GOOD is served by Techdirt's position. Yet minion attempts justification:
Implies a "honey trap". There was no such. A series of steps with clear intent was necessary: NO ONE even could have blundered into this alleged "trap".
Implies lack of jurisdiction. The internet requires such reach of warrants, because one cannot know in advance the jurisdiction. -- The mere Rule is now FIXED.
Implies lack of "good faith" by police level. NO, went to a court and were authorized. Techdirt simply hates police as such.
THAT LEAVES minion and other legalists with only shrieking over a mere Court Rule. The try been shot down ELEVEN times now.
Since persist after ELEVEN Appeals level decisions, and despite appearing to be in favor of child pornography, one has to ask WHY, Techdirt, WHY?
WHY do you spend your tiny bit of "authority" on THIS? What's in it for you, readers, or the general public? WHY do you persist for years now advocating for a few downloaders of child pornography?
[ link to this | view in chronology ]
Re: The EVIDENCE is NOT contested. ONLY a Court Rule in question
"Law is to protect the innocent, NOT to protect the guilty"
Then, why do you spend so much time demanding that innocent people are harassed by it and opposing calls to change that?
"WHY do you spend your tiny bit of "authority" on THIS?"
Well, it's certainly better than wasting zero authority on this. You know you could make some good points here if you weren't so obsessed with name-calling and lying in between the occasional good point you stumble across?
[ link to this | view in chronology ]
Re: Re:
No, seriously... is anyone surprised that the idea of IP address being treated as word-of-God level evidence makes out_of_the_blue cream his thong?
[ link to this | view in chronology ]
The law protects all people, regardless of their innocence or guilt. The Fourth, Fifth, Sixth, and Ninth Amendments — and any related “common law” court precedents — do not (and should not) disappear because someone is either guilty of or accused of a crime. Even people accused of heinous crimes such as murder, sexual abuse of children, and commercial copyright infringement retain their rights regardless of how much you want them all executed based only on mere accusation.
You offer no evidence that Techdirt commenters or Techdirt writers want child porn downloaders to “escape”, much less because they’re child porn downloaders (which is clearly your assertion here). Your mere accusations are worthless. If anything, what we want is for courts to rule on tech-related issues without ignorance, fear, malice, or ill-will driving those rulings — and to uphold the civil rights of all who stand accused of a crime, no matter how heinous the crime or how unlikeable the defendant.
A person accused of a crime (supposedly) walks into court with a presumption of innocence. That you want the presumption done away so you can feel comfortable with whatever violent punishment is dished out to a potentially innocent person based only on an accusation of guilt doesn’t make it go away. The law makes sure of that.
[ link to this | view in chronology ]
Re:
"The law protects all people"
In theory
[ link to this | view in chronology ]
Re: Re:
The law is only as good as the people put in place to enforce it fairly.
[ link to this | view in chronology ]
Re: The EVIDENCE is NOT contested. ONLY a Court Rule in question
So you're saying evidence obtained in violation of the Constitution, the law and court rules should not be questioned or contested as long as law enforcement gets the right bad guy?
So much for the fruit of the poisonous tree doctrine, along with most of our rights.
[ link to this | view in chronology ]
Re: Re: The EVIDENCE is NOT contested. ONLY a Court Rule in ques
For a statist the only “poisonous tree” has its roots in that pesky, so-called “Bill of Rights”.
[ link to this | view in chronology ]
An IP address is tantamount to a ... street name. (I like metaphors so I'm going for this)
An IP address points you to a place where there can be one or many houses (desktops) and cars (mobile devices) on the street. It doesn't tell you where on the street something is, it just says here is the street name in this section of the internet. Some streets are really long and have thousands of houses and maybe thousands of cars on them every single day. Some are small cul-de-sacs that have maybe a house or two and very few cars... and maybe that street is owned by a single person or family.
So far so good, but the metaphor quickly breaks down (as most do).
1) When we think of houses on a street, we think of unmoving structures. But you have to think more of Winnebagos or RVs, houses that can be moved with a little bit of effort (I remember lugging my desktop to LAN parties)
2) Street names don't normally get arbitrarily changed/swapped with each other every so often whereas IP addresses do. I know my home IP changes every so often (usually just after midnight local time) because I have to update an IP white list every time it happens (thanks Verizon)
I bet there are even more ways this metaphor breaks, but at least it's more sensical than comparing an IP address to a computer name.
[ link to this | view in chronology ]
Re:
The internet is not a superhighway.
http://www.gdargaud.net/Humor/Highway.html
[ link to this | view in chronology ]