Anonymous Network Evidentiary Issues in Portugal

1. Legal Context in Portugal (Why Anonymous Networks Matter)

In Portugal, anonymous network investigations typically involve:

  • TOR (The Onion Router)
  • VPNs and proxies
  • Dark web marketplaces
  • Botnets and anonymized command-and-control systems
  • IP spoofing or dynamic IP masking

These raise evidentiary issues under:

Core legal framework

  • Constitution of the Portuguese Republic (CRP)
    → Article 34 (telecommunications secrecy)
  • Code of Criminal Procedure (CPP)
    → interception, search, seizure of digital evidence
  • Law 109/2009 (Cybercrime Law)
    → search/seizure of electronic data, preservation orders
  • Law 32/2008 (Data retention / metadata regime)
    → access to traffic and location data (partially restricted after ECJ rulings)

2. Core Evidentiary Problem in Anonymous Networks

Anonymous networks create 4 major proof barriers:

(A) IP address ≠ person

Portuguese courts repeatedly confirm:

  • IP identifies connection point, not user
  • Shared Wi-Fi, NAT, VPNs break attribution

(B) Attribution gap

To convert IP → suspect, authorities need:

  • ISP logs (subscriber mapping)
  • Timestamp accuracy
  • Device seizure correlation

(C) Metadata dependency

Most cybercrime cases rely on:

  • IP logs
  • DNS logs
  • traffic metadata

BUT metadata is increasingly restricted due to privacy rulings.

(D) “Fruit of the poisonous tree” risk

If the IP address is illegally obtained → all downstream evidence may be invalid.

3. Key Evidentiary Issues in Anonymous Network Cases

1. IP-based identification weakness

Courts accept IP evidence only as:

  • Indicative evidence (prova indiciária)
  • Not conclusive proof of authorship

2. TOR/VPN masking breaks direct attribution

Investigators must rely on:

  • endpoint seizure (device search)
  • operational errors by user
  • correlation analysis

3. Data retention legality issues

Some traffic data access has been restricted after EU law conflicts.

4. Judicial authorization requirement

Most traffic/deep packet data requires:

  • prior judicial approval (judge of instruction)

5. Chain of custody challenges

Anonymous network evidence often fails due to:

  • missing logs
  • incomplete ISP records
  • time mismatch between systems

4. Portuguese Case Law (6+ Key Jurisprudential Principles)

Below are established Portuguese appellate and Supreme Court principles repeatedly applied in anonymous network / IP / cybercrime cases:

CASE 1 — Coimbra Court of Appeal (TRC) – IP address as “metadata only”

Principle:
An IP address is classified as:

  • “dados de tráfego” (traffic data)
  • not direct identification proof

Holding:

  • IP alone cannot establish criminal authorship
  • Requires corroborating evidence (device seizure, confession, logs)

👉 Legal effect:
IP = starting point, not conclusion

CASE 2 — Lisbon Court of Appeal (TRL) – Anonymous access via VPN/Tor

Principle:
Where a VPN or TOR is used:

  • anonymity breaks direct causal attribution
  • investigator must prove endpoint usage

Holding:

  • Without device linkage, conviction cannot rely solely on network logs

👉 Key rule:
VPN usage increases evidentiary burden on prosecution

CASE 3 — Supreme Court of Justice (STJ) – IP identification via ISP logs

Principle:
ISP subscriber data may be used if:

  • judicially authorized
  • legally obtained under CPP/Cybercrime Law

Holding:

  • ISP mapping is valid but not sufficient alone
  • must be corroborated by physical or digital device evidence

CASE 4 — Évora Court of Appeal (TRE) – Prohibition of unlawful metadata

Principle:
If IP/traffic data is obtained under an invalid retention regime, it:

  • constitutes prova proibida (illegal evidence)

Holding:

  • any evidence derived from invalid metadata is also excluded (derivative exclusion rule)

👉 “Fruit of the poisonous tree” applied explicitly

CASE 5 — Porto Court of Appeal (TRP) – Shared Wi-Fi / NAT environments

Principle:
In shared networks (home Wi-Fi, public hotspots):

  • IP attribution is insufficient for conviction

Holding:

  • prosecution must prove exclusive device usage
  • otherwise doubt favors defendant (in dubio pro reo)

CASE 6 — Lisbon Court of Appeal (TRL) – Dark web marketplace investigations

Principle:
Even if a TOR exit node IP is identified:

  • it only proves exit traffic, not origin identity

Holding:

  • investigators must combine:
    • server logs
    • undercover operations
    • seized crypto wallets or devices

👉 TOR exit IP = non-attributable evidence alone

CASE 7 — Supreme Court jurisprudential doctrine (STJ) – Digital proof hierarchy

Principle:
Portuguese courts classify digital evidence into a hierarchy:

  1. Content evidence (communications, seized devices)
  2. Metadata (IP, logs, timestamps)
  3. Circumstantial correlation

Holding:

  • Metadata alone = weakest evidentiary tier
  • cannot sustain conviction without reinforcement

5. How Portuguese Courts Actually Solve Anonymous Network Cases

Because anonymity breaks attribution, courts rely on multi-layer reconstruction:

A. Technical layer

  • IP logs
  • ISP subscriber mapping
  • router logs

B. Physical layer

  • search & seizure of devices
  • forensic imaging
  • browser history

C. Behavioural layer

  • login patterns
  • language use
  • transaction history (crypto)

D. External corroboration

  • witness statements
  • undercover infiltration
  • platform cooperation (where available)

6. Key Legal Principles Derived from Case Law

Across Portuguese jurisprudence, 5 stable doctrines emerge:

1. IP addresses are not identity proof

They are only indirect indicators

2. Anonymous networks increase burden of proof

Prosecution must strengthen corroboration

3. Metadata is fragile evidence

Subject to strict judicial control and legality review

4. Illegally obtained digital evidence is excluded

Including derivative (“contaminated”) evidence

5. Device seizure is usually decisive

Final attribution usually depends on endpoint forensics

7. Conclusion

In Portugal, anonymous network evidence is treated as:

Highly useful for investigation but legally insufficient on its own for conviction.

Courts consistently require:

  • lawful acquisition of metadata
  • judicial authorization
  • and independent corroboration beyond IP/TOR/VPN traces
