Ruling: IP address does not identify person

[Rob Lister]

Quote:

Originally Posted by HarryT

No. Grandma's ISP should supply the router properly and securely configured. Do you disagree with that idea?

So the ISP is now culpable? Should the ISP also make sure she doesn't get hacked?

[hrosvit]

Quote:

Originally Posted by HarryT

I'm a little surprised to hear that there's no legal requirement for ISPs to keep records as there is (isn't there?) for telephone companies. One might imagine that ISP's records could be useful for all sorts of criminal investigations.

I think (but I'm open to correction if I'm wrong) that UK ISP's are required to keep records for a certain period of time - the figure of 6 months rings a bell.

I cannot speak to the UK, but in the US there is no mandated period.

[Kumabjorn]

Quote:

Originally Posted by HarryT

I would argue that this is his responsibility. It's negligent to leave a wireless connection unsecured.

Sorry, but I would argue that it isn't.
You are not required by law to lock your door, or windows.
If someone breaks in, it is still burglary.
Nor are you required by law to lock your door's car. If it is stolen and used in a bank robbery that is not the car owner's problem, nor if someone runs a red light while driving it.
Analog with that you are not required to lock down your router.
There is something to be said for presumed innocent until proven guilty.
That principle is applicable in cyber crimes as much as in any other crime.

[JoeD]

Quote:

Originally Posted by HarryT

I'm a little surprised to hear that there's no legal requirement for ISPs to keep records as there is (isn't there?) for telephone companies. One might imagine that ISP's records could be useful for all sorts of criminal investigations.

I think (but I'm open to correction if I'm wrong) that UK ISP's are required to keep records for a certain period of time - the figure of 6 months rings a bell.

I think it's 12 months, they've to keep billing data, times you connected/disconnected from the service and IPs assigned. IIRC the EU basically extended the existing telephone data retention laws to apply to parts of an ISPs service.

There was talk about also logging every site you visit (just the domain part) and the source/destination of every email you send or connection you make. I'm not sure if that was put into practice though or if it's still being fought by ISPs. I am pretty sure that they at the very least retain assigned IPs though.

A quick google suggest the US looked at a similar law in 2011, not sure if it's in place or not now though, anyone in the US know?

http://www.zdnet.co.uk/news/security...bill-40093559/

[HarryT]

Quote:

Originally Posted by hrosvit

I really believe that it is preferable that 10 guilty people go free rather than one innocent person be convicted. And I think that possibility is too great if we just use an IP address to determine guilt.

Let me ask you a question, if I may. Consider this scenario:

I live alone. I'm an IT professional, and have been for 30-odd years. I have a properly secured wireless network (WPA2, lengthy string of completely random characters for a passphrase). Nobody but me ever uses my computers. Doesn't take a genius to figure out that if copyrighted material is downloaded via my IP connection then I'm the one who did the deed.

Now, let's suppose I'm a pirate. I think to myself, "aha! If I remove the encryption from my WiFi, I've got a 'get out of jail free' card. If anyone tries to prosecute me for copyright infringement, all I have to do is say that someone else must have used by WiFi without my knowledge!"

True or not?

If true, it's a sad state of affair, to my mind .

[howyoudoin]

Quote:

Originally Posted by HarryT

Yes, I do. If you don't have the knowledge yourself, get it done by someone who does have the knowledge. We require training and certification before someone is allowed to drive a car. An internet connection is potentially a more "dangerous" thing to possess - should we not require responsibility from its owner?

A person speeding in his car could kill others and himself. An unsecured internet connection is nowhere near as dangerous.

[vaughnmr]

Quote:

Originally Posted by HarryT

Let me ask you a question, if I may. Consider this scenario:

I live alone. I'm an IT professional, and have been for 30-odd years. I have a properly secured wireless network (WPA2, lengthy string of completely random characters for a passphrase). Nobody but me ever uses my computers. Doesn't take a genius to figure out that if copyrighted material is downloaded via my IP connection then I'm the one who did the deed.

Now, let's suppose I'm a pirate. I think to myself, "aha! If I remove the encryption from my WiFi, I've got a 'get out of jail free' card. If anyone tries to prosecute me for copyright infringement, all I have to do is say that someone else must have used by WiFi without my knowledge!"

True or not?

If true, it's a sad state of affair, to my mind .

So you don't believe it's possible for wifi to be hacked???

[HarryT]

Quote:

Originally Posted by Rob Lister

So the ISP is now culpable? Should the ISP also make sure she doesn't get hacked?

No, the hacker is culpable. But a properly secured WiFi network (WPA or WPA2, with a pass-phrase that's a string of random characters) is unlikely to be hacked. It can be done, but it takes considerable resources to do so.

[HarryT]

Quote:

Originally Posted by vaughnmr

So you don't believe it's possible for wifi to be hacked???

My understanding is that WPA2 encryption, with a random pass-phrase, is rather difficult to hack. Please do correct me if I'm wrong about that. Last time I looked the standard hacking tools relied on a dictionary search to try to generate the encryption keys. Use of a random sequence of characters defeats that.

[Shack70]

Quote:

Originally Posted by HarryT

My understanding is that WPA2 encryption, with a random pass-phrase, is rather difficult to hack. Please do correct me if I'm wrong about that.

It would be easier to hack your router password and change/remove the password

There is no one sitting youtside your house hacking your router it owuld be easier to just move to the next house and try again.

[hrosvit]

Quote:

Originally Posted by JoeD

I think it's 12 months, they've to keep billing data, times you connected/disconnected from the service and IPs assigned. IIRC the EU basically extended the existing telephone data retention laws to apply to parts of an ISPs service.

Are you talking about the UK or the US? Because I'm looking at a Comcast Law Enforcement guide right now that says they maintain IP logs for 180 days, which is significantly less than a year.

Just checked Cox' LE Guide - they maintain for "up to six months".

Atlantic Broadband says 6 months.

[JoeD]

Quote:

Originally Posted by HarryT

No, the hacker is culpable. But a properly secured WiFi network (WPA or WPA2, with a pass-phrase that's a string of random characters) is unlikely to be hacked. It can be done, but it takes considerable resources to do so.

WPA is really really broken. A minute tops.

WPA2 afaik is fine (currently). But there may be plenty of people who were told when they bought their routers or had the service installed by their ISP not to use an open network or WEP as it's insecure, yet WPA was fine at the time. Those people are likely still running WPA and are likely unaware of the need to change.

[hrosvit]

Quote:

Originally Posted by HarryT

Let me ask you a question, if I may. Consider this scenario:

I live alone. I'm an IT professional, and have been for 30-odd years. I have a properly secured wireless network (WPA2, lengthy string of completely random characters for a passphrase). Nobody but me ever uses my computers. Doesn't take a genius to figure out that if copyrighted material is downloaded via my IP connection then I'm the one who did the deed.

Now, let's suppose I'm a pirate. I think to myself, "aha! If I remove the encryption from my WiFi, I've got a 'get out of jail free' card. If anyone tries to prosecute me for copyright infringement, all I have to do is say that someone else must have used by WiFi without my knowledge!"

True or not?

If true, it's a sad state of affair, to my mind .

To a certain extent, true. If it were a criminal case, and the actor said, "my wireless is open" (and they always do), I would seize his computer and examine it. If he's telling the truth, I won't find the offending files. In that case, I cannot file charges. If he's lying, I'm probably going to find something. Maybe not, though; maybe he's really good. In that case, he gets away with it.

Let me pose another scenario (and this is one I've encountered many times). Three grown deadbeat adult children live with Mom, who is elderly, unfamiliar with technology and, quite frankly, a little senile. Who's name do you think all the utilities (including the internet) are in? So 85 year old mom is now responsible?

[MrsJoseph]

Quote:

Originally Posted by Shack70

It would be easier to hack your router password and change/remove the password

There is no one sitting youtside your house hacking your router it owuld be easier to just move to the next house and try again.

That used to happen to me in college. I had a stalker-hacker who used to hack into my computer and change my passwords. He thought it was funny to lock me out of my own computer because I would have to come down to his room to get the new passwords. Lucky for me he wasn't malicious and just had a crappy sense of humor. If he'd wanted to he could have really screwed me over.

[JoeD]

Quote:

Originally Posted by hrosvit

Are you talking about the UK or the US? Because I'm looking at a Comcast Law Enforcement guide right now that says they maintain IP logs for 180 days, which is significantly less than a year.

Just checked Cox' LE Guide - they maintain for "up to six months".

Atlantic Broadband says 6 months.

UK. I've no idea about the US.

Also, I'm only assuming ISPs are now keeping that info, based on when the EU data retention laws went into effect (back in 2009), I'm not _certain_ they're actually implemented yet though. It may be ISPs are still fighting it or the UK dragged its feet putting into law here.