An Internet Protocol (IP) address is a unique identifier assigned to devices connected to a network, enabling them to communicate with other devices over the internet. Law enforcement often relies on IP addresses to trace the origin of illegal online activities, such as cybercrimes. This blog will provide a detailed explanation of IP addresses, how they are used in cybercrime investigations, and the potential defenses one might use to challenge the collection or use of IP addresses in such cases.

What is an IP Address?

An IP address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. It serves two main functions:

  1. Identification: It acts as an identifier for a particular device on a network.
  2. Location Addressing: It provides the location of the device within the network, enabling data to be routed to and from the correct destination.

There are primarily two types of IP addresses. They are:

  1. IPv4 (Internet Protocol version 4): This is the most common type, written as four numbers separated by dots (e.g., 192.168.1.1), with each number between 0 and 255.
  2. IPv6 (Internet Protocol version 6): This version was introduced to accommodate the growing number of internet-connected devices. IPv6 addresses are longer and are written in hexadecimal, so they contain both digits and letters (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

Public vs. Private IP Addresses

It is important to recognize that there are both public and private IP addresses. A public IP address is assigned by an Internet Service Provider (ISP) to a user’s home or business network and is reachable from anywhere on the internet.

A private IP address is assigned to a device within a local network (such as a computer, printer, or phone) and is visible only within that network.

How an IP Address Becomes Known to Law Enforcement

When a cybercrime is committed, law enforcement may use IP addresses to trace the origin of the illegal activity. This is possible because every interaction on the internet leaves behind a trail of data, including the IP addresses of the devices involved. Law enforcement can acquire these IP addresses through a variety of methods such as:

Internet Service Providers

Internet Service Providers (ISPs) track and store IP addresses assigned to their customers. When law enforcement is investigating a cybercrime, they can request access to this data by obtaining a court order such as a subpoena or warrant. This data may reveal the IP address used during the alleged criminal activity and the account holder’s name associated with that address.

IP Logging

Websites and servers often log the IP addresses of visitors. If a user is engaging in illegal activities, such as hacking or distributing malicious software, their IP address can be recorded by the site or service they interact with. The business may then supply this information to law enforcement.

Packet Sniffing

Law enforcement can monitor internet traffic using specialized tools which capture and analyze data packets transmitted over a network. These packets contain IP address information that can be traced back to the individual device responsible for the transmission.

Open Source Intelligence

In some cases, law enforcement may use publicly available information (e.g., social media posts or websites) to link an IP address to a person or group engaged in illegal activities.


The Limitations of IP Address Identification

An IP address alone is often insufficient to definitively prove who committed a crime, because multiple devices in a home or office can share the same public IP address, especially where a router or proxy server connects several devices to the internet. Identifying the specific person responsible for the illegal activity therefore requires additional investigative methods. For example, a business with many employees may use a single public IP address; that address alone cannot identify which individual engaged in criminal activity, and further investigation by law enforcement would be required.

Defenses to Consider Regarding IP Address Evidence

While IP addresses are a critical tool in cybercrime investigations, their collection and use in criminal prosecutions are subject to legal scrutiny. Defendants can challenge IP address evidence based on several grounds such as:

Questioning the Accuracy of the IP Address Identification

One defense strategy is to question whether the IP address accurately identifies the defendant. Since multiple devices can share the same public IP addresses (as in the case of family members, roommates, or coworkers sharing the same internet connection), it can be argued that the accused was not necessarily the person committing the crime.

Also, some Internet Service Providers assign dynamic IP addresses, meaning the address assigned to a customer can change each time the connection is re-established. If law enforcement is relying on a dynamic IP address, the defense could argue that the specific IP address used at the time of the alleged crime may no longer be tied to the accused.

In homes, businesses, and public places, a single IP address may serve multiple devices. In such cases, identifying one device among many using the same network can be difficult, and the defense can argue that other individuals may have committed the crime.
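The public/private distinction above and the attribution limits described in this section can be made concrete with a short worked example. The code below is an added illustration, not part of the original post or any real investigation; the ISP lease records, router NAT log and DHCP lease table are constructed sample data, and the "public" addresses use the TEST-NET documentation ranges as placeholders. It shows why a public IP plus a timestamp only narrows the question to a subscriber line, and why the devices behind the router can only be enumerated, not singled out, from those records alone.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# RFC 1918 (IPv4) and ULA/link-local (IPv6) ranges: the "private" addresses the
# post describes. Everything else is treated as public for this example.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

def classify(addr: str) -> str:
    """Return 'IPv4 private', 'IPv4 public', 'IPv6 private' or 'IPv6 public'."""
    ip = ipaddress.ip_address(addr)  # also normalises zero-padded IPv6 groups
    scope = "private" if any(ip in net for net in PRIVATE_NETS) else "public"
    return f"IPv{ip.version} {scope}"

def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample records (hypothetical, not from the original post).
ISP_LEASES = [  # (public IP assigned to this subscriber line, start, end or None = current)
    ("198.51.100.77", "2024-02-28T00:00:00Z", "2024-03-01T22:00:00Z"),
    ("198.51.100.78", "2024-03-01T22:00:00Z", None),
]
NAT_LOG = [  # (time, private source address behind the router, destination)
    ("2024-03-01T21:58:10Z", "192.168.1.20", "203.0.113.9:443"),
    ("2024-03-01T21:59:40Z", "192.168.1.31", "203.0.113.9:443"),
    ("2024-03-01T22:00:30Z", "192.168.1.20", "203.0.113.55:80"),
]
DHCP_LEASES = {"192.168.1.20": "laptop-a", "192.168.1.31": "phone-b"}

def subscriber_held(public_ip: str, when: str) -> bool:
    """Did this subscriber's line hold public_ip at the given UTC time?
    A dynamic address that was re-assigned before `when` does not match."""
    t = _t(when)
    return any(ip == public_ip and _t(start) <= t and (end is None or t < _t(end))
               for ip, start, end in ISP_LEASES)

def candidate_devices(public_ip: str, when: str, window_min: int = 5) -> list:
    """Devices behind the router that could have produced traffic from public_ip
    within `window_min` minutes of `when`. Empty if the line did not hold that
    address at that time. Several names back means the IP alone is not enough."""
    if not subscriber_held(public_ip, when):
        return []
    t, win = _t(when), timedelta(minutes=window_min)
    seen = {src for ts, src, _ in NAT_LOG if abs(_t(ts) - t) <= win}
    return sorted(DHCP_LEASES.get(src, src) for src in seen)
```

Without the router's own NAT and DHCP records (which most home routers do not retain), the ISP's answer stops at the subscriber line, which is exactly the gap the defenses in this section rely on.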

Challenging the Legal Process Used to Obtain the IP Address

Another common defense is to challenge whether the evidence collected from the IP address was obtained legally. If law enforcement did not follow proper procedures, the evidence may be excluded from court.

In the United States, the Fourth Amendment protects individuals from unreasonable searches and seizures. If law enforcement collected IP address data without a valid warrant, or without probable cause, the defense can argue that the collection violated the defendant’s constitutional rights.

Law enforcement must often obtain a subpoena to compel an ISP to turn over customer data. The defense may argue that the subpoena was overly broad, improperly issued, or lacked legal justification, making the evidence inadmissible.

Challenging the Reliability of the Evidence

Even if the IP address was obtained legally, the defense can challenge the reliability of the evidence.

Cybercriminals often use methods to hide their true IP addresses. Spoofing (falsifying an IP address so traffic appears to come from a different source) or hacking into someone else’s network can make it appear that the crime originated from the defendant’s IP address when it did not. The defense can argue that the accused’s IP address was hijacked by another party.

Many people use Virtual Private Networks (VPNs) or proxy servers to mask their true IP addresses. These tools make it difficult for law enforcement to trace the activity back to an individual. The defense can argue that the IP address identified was not directly tied to the accused because it was obscured by such technology.

Lack of Direct Connection to the Crime

Even if the IP address belongs to the defendant, the defense can argue that the connection between the IP address and the crime is tenuous or insufficient to prove guilt. For instance, a person may argue that their network was hacked or accessed by an unknown third party who committed the crime without their knowledge or consent.

In some cases, individuals may unknowingly leave their WiFi networks unsecured, allowing others to access the internet using their IP address. If law enforcement traces illegal activity to the IP address, the defense can argue that the network was open and the accused was unaware of the criminal activity taking place.

Exclusion of Evidence (Fruit of the Poisonous Tree Doctrine)

The defense can also challenge whether the IP address evidence was obtained as part of an unlawful investigation or surveillance. If the initial evidence collection was illegal, any further evidence obtained from that IP address may be inadmissible under the “fruit of the poisonous tree” doctrine. This defense applies if law enforcement violated the accused’s rights during the investigation.

My Final Thoughts

IP addresses play a significant role in cybercrime investigations, serving as key pieces of evidence to trace illegal activity back to specific devices. However, an IP address alone is often insufficient to prove criminal responsibility. Defendants facing cybercrime charges can use several defense strategies, such as questioning the accuracy of the IP address identification, challenging the legality of the data collection, and arguing that their network was hijacked by another party. By understanding how IP address collection occurs and its limitations, individuals accused of cybercrimes can better protect their rights in court.

If you, or someone you know, will be proceeding to trial, challenging an imposed sentence or pursuing any type of post-conviction relief, our book, The Colossal Book of Criminal Citations, is a crucial resource in the pursuit of justice. Our books are soft cover, institution friendly, in stock, and frequently advertised in Prison Legal News magazine. Order your copy today, or on behalf of someone incarcerated.