August 8th, 2002 09:38 PM
Personal Risk Resulting From IP Exposure?
Hello everyone. I'm seeking some advice/information related to IP addresses.
I admin a small online community. It's private, password protected, and a new member can only gain access at the invitation of a current member; such invitation must then pass administrative approval. We can't be found via search engines and all our advertising is by word of mouth. Our members post under user names, not their legal names. Most of our members were formerly involved in a much, much larger community where harassment, trolling, stalking behaviour and even death threats became the norm, so we don't mind being closeted away. As a result of that experience, there is a certain level of vigilance and fear among my members that wouldn't necessarily be present in another community our size.
Recently, I asked all members to provide a non-primary e-mail address of their choosing that I can post publicly in order to facilitate ease of private communication among members. A few of my members are vehemently opposed to this idea. They fear their IP addresses could be discovered as a result and this could expose them to possible personal harm. In particular, they fear an unsavoury character could use this information to harass, stalk, and discover even more personal information such as their land address and real names. I don't have a great deal of knowledge in this area. I don't know if that sort of thing could happen or not.
The service I host my site through records the IP addresses of all members who post -- these are then made available to admins. Some of those IP are static, some are not. When I run them through WHOIS, the land address of my member's ISP is provided. Sometimes the ISP is located within that member's geographical area, other times they are separated by thousands of miles. Therefore my first question is: Can knowledge of an individual's IP address coupled with knowledge of the land address of their ISP be combined to reveal private information such as their name, land address or telephone number?
All my members seem to understand that exchanging mail with one another is a potential means of exposing their IP address. The group that is most opposed to posting of addies, further states that there are mail programs that can detect your address simply by sending mail to your account. They assert that no "exchange" has to take place; these programs can arrive in your mailbox and then "bounce-back" to the sender, complete with the recipient's IP address. I've done some preliminary searches but I can't find any information related to same. Which brings me to my second question: Is there anywhere I can find a concise summary of e-mail programs and what they're capable of as written for the lay person?
I've tabled my decision on this policy until I can gather some solid information on the matter. It's very likely that I'll go with an amended policy that allows members to choose for themselves if they want their address posted. As an admin, I work hard to educate my members on the areas where they could be at risk and what they can do to protect themselves and their loved ones in the online environment. I don't allow my members any illusions about my ability to completely protect them from the negative element that is out there -- I expect that they must assume the lion's share when it comes to protecting themselves. However, neither do I want to inadvertantly expose them to risk as a result of an poorly informed policy. Can someone please point me in the direction of some resources (preferably online) that I can use to better educate myself in regard to this issue?
August 8th, 2002 11:49 PM
Well, yes and no. It depends alot on the individuals ISP, some ISP's will give out personal information by means of WHOIS (usually). That doesn't happen very often now-a-days. If they have a popular ISP like AOL or MSN, no information will be given out, but some smaller local ISP's will often give out information without knowing the importance of the info they give out. I hope this was helpful, and id like to join this *group* you have if it is related to computers or computer security. PM me if you will give out more information
August 9th, 2002 12:33 AM
Whois does NOT reveal anyones personal information. When doing a whois, the information that you see is not that of the specific IP address, but rather the network in which the IP address belongs to. When you register a block of IP's with ARIN (http://www.arin.net) you give them information such as administrative contacts, geographical location, etc... This is the information you see when using the whois service.
Originally posted here by Unused
some ISP's will give out personal information by means of WHOIS (usually).
*Note: ARIN is not the only registry. Different regions of the world deal with different Regional Registries.
If you want more information regarding IPv4 and v6 registry, checkout
The only way (that I can think of) to find out personal information, with only the persons IP address, would be to do a whois on their IP, then email/phone their ISP and social engineer them into giving you the person's personal info. However, the chance of something like this happening is very slim (especially with larger ISPs.)
August 9th, 2002 09:09 AM
Thank you for your help.
Unused, to answer your question -- no, our primary focus is not on issues of computers or security, but given that we're all connected via the net the subject comes up from time to time. In regard to IP and ISP, I've noted that with some of my members, the geographic location of their ISP could be revealing in regard to where they are located on the map. With others, the ISP is located so many miles from their homes I wouldn't think it would be a concern. I concede that I don't *know* if it could be.
Sudo, thank you for the information on registries. That was very helpful. I've made note of those urls.
Meanwhile, in another thread [How can I hide my IP?] I found a link to an article at privacy.net titled: The IP Address -- Your Internet Identity [http://consumer.net/IPpaper.asp] The focus in that article appears to be more on protecting your "online" privacy, particularly as a consumer, as opposed to preventing your online identity from exposing your offline identity. It's not exactly what I was looking for but it's a strong step in the right direction. If I find more telling information, I'll return to post it in this thread.
August 9th, 2002 02:27 PM
If some of your members know some other info like there username on there ISP, that with the IP might be able to provide them with some finger information. . .address, phone number, etc. Like unused said though, that's usually just with the smaller ISP's, mine gives it out, but you can always log into your shell and edit the info. . .I changed mine just to give my initials and nothing else. . .
Every now and then, one of you won't annoy me.