Where a criminal act involves the use of an internet connection, in what circumstances will it be incumbent on investigating and prosecuting authorities to seek out, preserve, and disclose information relating to IP addresses?
This question was considered in two recent High Court decisions, in both of which the applicants sought prohibition of their trials by way of judicial review.
What is an IP Address?
An Internet Protocol address (IP address) is a numerical label such as 192.0.2.1 that is assigned to a device connected to a computer network that uses the Internet Protocol for communication. It serves two principal functions: it identifies the host, or more specifically its network interface, and it provides the location of the host in the network, and thus the capability of establishing a path to that host (information from Wikipedia).
Put more simply, an IP address is a string of numbers assigned to an internet-connected device. Think of it like an address on a house. An IP address can be considered a digital address for your internet-connected devices, as it reveals your geolocation (but not your precise location like a home address does) to help providers deliver content that’s relevant to you. (information from Norton, a well-regarded online security company).
How is an IP address relevant to online crime?
In both of the High Court cases it was argued by the accused persons that the absence of IP address information deprived them of a line of defence argument. In broad terms they said that, if the IP address information was available, they might be in a position to prove that they were not at the same location as the device when the criminal activity took place.
In both cases reliance was placed on the evidence of a Digital Forensic Expert (Ross Donnelly) to the effect that that the external IP addresses are a unique identifier on the internet and are assigned by the internet service provider to each connection. This gives rise to the potential of a forensic fingerprint. The IP records would establish the physical location or address.
As against that, however, the prosecution in both cases disputed the suggestion that the IP address is a digital fingerprint. Unlike a fingerprint, it does not identify who was using the computer. Further, the use of technology in the form of VPNs, which is a virtual private network which encrypts one’s internet traffic and protects one’s online identity, can disguise the true address. In fact, the IP address often can tell one very little information.
What is a ‘VPN’?
Wikipedia defines a virtual private network (VPN) as ‘a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet’.
Norton, the well-regarded security company, explains it more clearly:
“The simplest way to protect your IP address is to use a virtual private network (VPN). This hides your online activity by using encryption, scrambling the data you send while searching the Internet so that hackers can decipher it. It also changes your IP address completely, placing your geolocation hundreds or maybe thousands of miles from where you are accessing the internet.” (Link)
High Court Decisions
Both cases concerned money laundering charges. Money had been stolen from innocent third parties by invoice redirect fraud. The stolen money had then been transferred into bank accounts connected to the accused.
Both cases were dismissed. The High Court set out a number of reasons for dismissing the applications (including the weight of other evidence against each accused) and appeared to make findings of fact that (i) the use of a VPN or other devices to hide an IP address is commonplace and (ii) that it was highly unlikely that the thieves (in what the applicants secribed as a ‘complex web of financial transactions’) would leave their calling card in the form of an easily identifiable IP address.
Raja Naseeb -v- Director of Public Prosecutions [2024] IEHC 37
Adnan Afzal -v- Director of Public Prosecutions [2024] IEHC 38
Impact of Virtual Private Networks
If it is always possible that a VPN is being used, are IP addresses ever going to be relevant in a criminal prosecution?
On the one hand, if an IP address shows that the online criminal activity took place in close geographic proximity to the accused, does this help to prove anything? The prosecution might argue that it is a useful piece of circumstantial evidence, but is it? Could a criminal, hundreds of miles away from the accused, have used a VPN to make it appear that the online activity was taking place close to the accused?
When an IP address shows that the online criminal activity took place hundreds of miles from the accused, does this help to prove anything? Again, isn’t it possible that a VPN was used?
An interesting question would be whether it is possible to determine whether or not a VPN is being used for a particular online activity. The short answer is no, it is not possible. There is a longer answer (see this article on the comparitech website, for example) but it seems that, until such time as it is possible to definitively establish whether a VPN is being used for a particular online activity, the relevance of IP addresses as evidence will be limited.
Further Reading
- “Viewpoint: How hackers are caught out by law enforcers“, BBC Online, 12 March 2012
- “IP Addresses in the Context of Digital Evidence in the Criminal and Civil Case Law of the Slovak Republic“, Forensic Science International, April 2020
- “The Secrets of Geolocation Accuracy“, www.whatismyipaddress.com