A recent, widely published AP story entitled, “Investigators Followed Digital Trail in Pregnant Woman’s Killing,” highlighted the use of computer forensics to locate the suspect and recover the kidnapped infant in the December, 2004 murder case of Bobbie Jo Stinnett in Kansas City, Missouri.  In fact, the computer and Internet evidence were the sole leads in the investigation.  Investigators included the Stinnett computer in their collection of evidence and were able to quickly locate an online message board posting from an individual who had communicated with Stinnett.  They had arranged to meet on the morning of her murder.  Investigators followed the trail through the Internet Protocol (IP) address of the message board posting and quickly located the street address from which the posting was made.  At that address, police found the kidnapper, Lisa Montgomery, and the infant.

The existence of such traceable computer information, coupled with the swift and accurate use of it as evidence to track down a murder suspect and rescue a kidnapped infant allow most to praise technology and breath a sigh of relief.  When this relief settles, however, some will be left with the concern that IP tracing can and will be used with malicious intent.  The suspect in the Stinnett murder had taken measures to be anonymous; she used a false identity and avoided disclosing any identifiable information about herself in the electronic communications with the victim.  Yet a seemingly random 11-digit number led police right to her doorstep.

Anonymity Is Not Guaranteed
There is a perception that anonymity is guaranteed on the Internet, particularly on message boards where users are typically given the option to post anonymously.  While most people would not concern themselves with whether or not their IP address can be traced back to their home or office, there are some situations in which concern may be justified.  IP addresses can be gleaned from e-mail, message board postings and chat rooms – all of which are locations and activities frequented by a vast number of people.  This raises the question:  Can the privacy of anyone be compromised through IP tracing?  The answer lies in technology, as well as legality.

Privacy compromise through the Internet is not a new concern.  A great deal of publicity regarding privacy compromise has occurred in the past few years as a result of the use of browser cookies.  Cookies are small text files stored on a user’s computer, and they contain information useful to websites in identifying return visitors among other things.  Most people are starting to understand the limitations of cookies, and view them as an asset, not a threat.  It is important to understand that cookies cannot read from a hard drive or extract personal information about the user.  However, any personal information a user submits to a website will likely be stored in the cookie.  This might include credit card information, name, address and other personal data.  Many people find this very convenient, as it prevents the need to re-enter frequently used information.  The most important point to remember about cookies is that they only contain information that the user has willingly provided to the website.  It is imperative, therefore, that users only provide such personal information to sites they trust.

An IP address is a unique identifying number assigned to every computer connected to the Internet.  Once recorded, the IP address can be a pointer of sorts back to a specific computer regardless of whether or not the user ever logs on again.  In the case of the Stinnett murder, it was essentially a calling card.

Both the murderer/kidnapper and the victim posted messages to an online message board for dog breeders.  The day before the murder, several postings were made to the website that indicated the two women had planned to meet at Stinnett’s home the next day to discuss dogs Stinnett had for sale.  The post read:

“I’ve e-mailed you with the directions so we can meet.  I do so hope that the e-mail reaches you.  Great chatting with you on messenger.  And do look forward to chatting with you tomorrow a.m.”

Unbeknownst to the 23-year-old mother-to-be, the woman she was “looking forward to chatting with” would take her life.

A Simple Path
Technically, the process the investigators needed to follow was very simple.  The IP address displayed with the posting, and indeed the IP address of everyone who has ever sent an e-mail message or posted to a message board is fully traceable.  Every IP address is assigned by an Internet Service Provider (ISP), and the ISP maintains account information for the individual to which the IP address was assigned.  Rare is the ISP that does not take seriously the privacy of its account holders; revealing personal information of customers can result in significant lawsuit settlements.  However, as demonstrated in the search for a suspect in the Stinnett murder case, ISPs are compelled to produce account information to law enforcement.  The simple fact that this information is protected only by the limits to which the ISP is willing to go to protect it may give rise to concern.

It appears that Bobbie Jo Stinnett willingly provided her home address to her murderer.  After all, Stinnett was in the business of breeding dogs, and Montgomery presented herself as a potential customer.  If Stinnett had not provided her street address, if Stinnett had sensed a threat to her safety (and there is no indication that she did), perhaps she would not have revealed her home address to Montgomery.  In light of the extreme and unfathomable lengths Montgomery took to possess a baby, it is not too far-fetched to suggest that she would or could have taken steps to obtain Stinnett’s home address in the same way the investigators ultimately located hers.  Shouldn’t we all be concerned that the very technology used by investigators to hunt down murder suspects and find kidnapped victims could also be used as a tool to commit the crime in the first place?

The answer is both yes and no.  First, the IP address is useless in finding the computer without the account information of the user to which the ISP assigned the address.  Also, while an IP address can indeed provide a direct route to a particular computer, it is important to point out that the complexity of the path varies with Internet Service Providers.  For example, the message believed to have been posted by Montgomery requesting a meeting with Stinnett had an IP address.  A simple search on a Whois site such as www.arin.net/whois resolves the IP to a particular ISP.  With this information, investigators solicited the assistance of security personnel at the ISP, and they were ultimately given the name and address of the account holder to which the IP address was assigned at the time of the message board posting.  Someone who wishes to determine the identity and street address of another based on an IP address would need the assistance of the ISP.  As already pointed out, ISPs have good reason to protect this information.  However, since the privacy and safety of thousands can be quickly compromised by a single corrupt and properly motivated ISP employee, the relative ease with which this match can be made is indeed disquieting.

The brutal reality is that an individual intent on doing harm to another typically has many options for obtaining information and access to that individual.  The methods available to law enforcement to obtain private information about a murder suspect as part of an investigation may be duplicated by others with unlawful intent, but most people need not worry.  While the process may be easy enough from a technical standpoint, the barriers (particularly the steadfast resolve by ISPs to safeguard customer information) are such that identity and location confirmation via IP tracking is not the easiest or most practical.  Nevertheless, as with any other facets of the Internet, it is always a good idea to be aware of the breadth of control one has in maintaining security and privacy.

About our author . . .

Carole Longendyke is a Partner and Director of Forensics for P.G. Lewis & Associates, LLC, a Data Forensics firm located in Whitehouse Station, NJ.  She can be reached at 908.823.0005 or clongendyke@pglewis.com