This week, the Electronic Frontier Foundation (EFF) brought news about criminal investigations in relation to an individual computer’s IP address. First, some background.
IP and TOR
For the unaware, an Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.
Your computer has one, your router, your printer, your Xbox, etc. Every device on a network is issued one of these addresses. And generally speaking, when you venture out on the web, you let other computers know your IP address. That’s why when you search for something on Google even when you aren’t logged in, you still get local results. They’re matching your IP address to your location.
Many people, especially computer geeks (not derogatory – geek here), libertarians, social activists, and the like don’t want their activities online to be traced so easily. Therefore they take steps to cloak their identity when they go online. One of the most commonplace and user-friendly methods is TOR (The Onion Router).
TOR (originally a U.S. Naval Laboratory project) is a type of network encryption software that helps conceal user’s location or usage from someone conducting network surveillance or traffic analysis. It creates a series of random, virtual “tunnels” through other computers on the TOR network in order to disguise a user’s point of origin. Per the TOR Project/EFF:
Tor helps to reduce the risks of both simple and sophisticated traffic analysis by distributing your transactions over several places on the Internet, so no single point can link you to your destination. The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you — and then periodically erasing your footprints.
Once a circuit has been established, many kinds of data can be exchanged and several different sorts of software applications can be deployed over the Tor network. Because each relay sees no more than one hop in the circuit, neither an eavesdropper nor a compromised relay can use traffic analysis to link the connection’s source and destination.
For efficiency, the Tor software uses the same circuit for connections that happen within the same ten minutes or so. Later requests are given a new circuit, to keep people from linking your earlier actions to the new ones.
IP Addresses Are Merely Clues
Of course, using TOR is also useful if you are attempting to disguise online criminal activity. By routing traffic through a TOR relay, a criminal can “hide their tracks” to some extent. If law enforcement associates an IP address with criminal activity on a TOR network, more than likely they have not found the criminal, but merely the last used TOR exit relay. Such was the case of Nolan King:
This spring, agents from Immigration and Customs Enforcement (ICE) executed a search warrant at the home of Nolan King and seized six computer hard drives in connection with a criminal investigation. The warrant was issued on the basis of an IP address that traced back to an account connected to Mr. King’s home, where he was operating a Tor exit relay.
After the computers were seized, EFF spoke with ICE and explained that Mr. King was running a Tor exit relay in his home. We pointed out that ICE could confirm on the Tor Project’s web site that a computer associated with the IP address listed in the warrant was highly likely to have been running an exit relay at the date and time listed in the warrant. ICE later returned the hard drives, warning Mr. King that “this could happen again.” After EFF sent a letter, however, ICE confirmed that it hadn’t retained any data from the computer and that Mr. King is no longer a person of interest in the investigation.
The EFF goes on to point out that running a TOR relay is not illegal and regardless, an IP address is probably not that useful:
First, an IP address doesn’t automatically identify a criminal suspect. It’s just a unique address for a device connected to the Internet, much like a street address identifies a building. In most cases, an IP address will identify a router that one or more computers use to connect to the Internet…
But in many situations, an IP address isn’t personally identifying at all. When it traces back to a router that connects to many computers at a library, cafe, university, or to an open wireless network, VPN or Tor exit relay used by any number of people, an IP address alone doesn’t identify the sender of a specific message. And because of pervasive problems like botnets and malware, suspect IP addresses increasingly turn out to be mere stepping stones for the person actually “using” the computer—a person who is nowhere nearby.
This means an IP address is nothing more than a piece of information, a clue.
Not exactly the slam dunk the authorities would like you to believe. Regardless, it’s an important example of the simple fact that you are not as anonymous on the internet as you think – you leave a digital wake behind you on the internet. What to do about it?
There are ways (beyond just TOR) to cloak your activity online and make it very difficult to track. I’ll address these methods next week.