
These articles do not necessarily reflect official positions of the Council of Europe


Obtaining the identification of the user of an IP address and Budapest Convention

1. I learnt a couple of decades ago, at university, that law in books is not the same as law in action. Recently, I found real evidence of that when reading the “Assessment Report on Implementation of the Preservation Provisions of the Budapest Convention on Cybercrime” (adopted by the T-CY at its 8th Plenary, 5-6 December 2012). According to this report (pages 77 and 78), most of the Parties to the Budapest Convention have already implemented the rules on preservation and expedited disclosure of traffic data. Of the 31 States that responded to the questionnaire on which the report is based, 27 have already implemented Article 17 of the Convention and 24 have implemented Article 30.

However, in practical terms, in some countries, obtaining the disclosure of traffic data is subject to conditions that are not compatible with the expedited character required by those rules of the Convention.

I would like to bring to the discussion the question of obtaining the details behind an IP address, in relation to a concrete case, and the possible legal constraints, in the light of the Convention.

2. When an ISP provides a law enforcement agent with the identification of the user of a given IP address, on a particular day and at a particular time (probably, the time details were already known by the investigators), or when an ISP provides the identification of an IP number used by an already identified person, this is not likely to disclose private or confidential information. In fact, these data do not disclose any sensitive information about the route of the communications or any other traffic information of the person concerned.

In practical terms, this kind of information will only confirm that an already identified communication was established. It is just a confirmation of the identity of someone the law enforcement agents already knew of, but whose name and details they did not know. In other words, this information only establishes the connection between a particular communication, which is already known, and its point of origin.

Of course, the same is not true when the information requested refers to an extended period of time or to multiple communications established by a suspect.

3. The legal conditions for obtaining this type of information depend on national regulations. And national regulations, among the Parties to the Budapest Convention, adopt different solutions. Some countries include IP address related information within traffic data; in addition, they only allow law enforcement agents to obtain traffic data in serious crime investigations and require a judge's order allowing it. Other countries adopt a simpler procedure, assuming that the above-mentioned IP related information is part of subscriber information, which can be obtained in any investigation (regardless of whether or not it concerns serious crime) and on the mere initiative of the police.

Even though it is for each State to decide the formal requirements for obtaining that kind of information, this question is relevant within the community of the Parties to the Budapest Convention.

In fact, if this type of request refers to cross-border investigations, for example because the IP address belongs to a foreign ISP, then the request must be addressed to that foreign ISP. In this case, expedited preservation of data (as described in Article 16 of the Budapest Convention) and expedited disclosure of traffic data (as described in Article 17) may need to be used.

4. Normally, in practice, the procedural measure of expedited disclosure of traffic data refers only to the IP address. In fact, the expedited disclosure of traffic data aims to allow the investigating authority to identify the service providers and the path through which a communication was transmitted (Article 17, 1, b of the Budapest Convention). And the identification of the origin of the communication is normally given by the IP address. Also according to Article 17 (number 2), this procedure will be implemented, in each of the domestic legislations, subject to Article 15, which means that its “establishment, implementation and application (…) are subject to conditions and safeguards provided for under its domestic law”.

If the domestic law limits the disclosure of traffic data to serious crime and requires a judge's order (and many European countries do that), the country concerned will probably not be able to comply with this article of the Budapest Convention in an expedited manner and in all cases. This can jeopardize concrete criminal investigations.

Unless, that is, the information regarding the IP address is not given the same treatment as traffic data.

5. The Budapest Convention does not include a definition of, or a particular status for, the IP address. Nor does it expressly state whether the IP address is, or is not, traffic data. However, the definition of traffic data, as described in Article 1, d, of the Convention is very broad and comprehensive, covering “any computer data relating to a communication by means of a computer system, generated by a computer system (…) indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service”. In this context, at first sight, the interpreter could think that the IP address used in a particular communication could be traffic data.

The fact is that this theoretical discussion about whether the IP address is, or is not, traffic data is not decisive for the definition of its status, as Article 18, 3 of the Convention expressly provides particular rules that point to a clear solution, including the IP address in the category of subscriber information.

6. According to that provision, “subscriber information” means any information held by a service provider, relating to subscribers of its services (other than traffic or content data), by which can be established, among other things, “the subscriber’s identity, postal or geographic address, telephone and other access number”. Even if the IP address is not expressly mentioned (which is normal in a technologically neutral Convention), this "access number" is precisely the IP address. In digital communications there is no other "access number", or even any other reality, that can correspond to this concept, so it is legitimate to conclude that this reference was expressly stated in the Convention to refer to the IP address.

In the Explanatory Report of the Convention (paragraph 179), it is explained that this provision refers to all technical measures that enable the subscriber to obtain the communication service. Thus, the provision includes all the technical numbers or addresses (telephone number, web site address or domain name, email address, etc.). The Explanatory Report adds (paragraph 180) that subscriber information (...) also means any information, other than traffic data or content data, by which the user's identity, postal or geographic address, telephone and other access number can be established. And it concludes (paragraph 182) that, for example, on the basis of the provision of a particular name (...) a particular associated telephone number or private email address may be requested. On the basis of a particular telephone number or email address, the name and address of the subscriber concerned may be requested.

In this context, it is irrelevant whether the IP address is a fixed address, assigned permanently to a single user, or a dynamic address, successively assigned to multiple users: both are the "access number", and in neither case is the information sought capable of disclosing personal or private information.


This tool is co-funded by the GLACY and Cybercrime@Octopus projects