(author here) My experience has been that if you're up front with the police about what you're doing, they won't beat your door down and haul you away. What usually happens is that the police look up the IP address they've identified as a problem and then check the ARIN database to see who owns it. ARIN is going to give them the name of the ISP, not of the subscriber, so they're accustomed to then calling the ISP to subpoena the name of the customer. If you purchase service from a fiber provider, then the name in ARIN's database will either be your provider or (if they SWIP the IPs to you) the name you give your ISP.
In the past what I've seen is that the police will ask you to identify who was using an IP and also to help them catch the person in the act if they do the thing again. So far I haven't seen them get too pushy if you can't do the first thing as long as you're willing to do the second.
> In the past what I've seen is that the police will ask you to identify who was using an IP and also to help them catch the person in the act if they do the thing again
What's the method to catch the person in the act? Is it something like creating a rule: "if [this website] was visited between [foo] and [bar] notify me" at the routing level?
(author here) When I've been involved in this it's been using a traffic sniffer (tcpdump or iptraf or wireshark) to watch the customer's traffic and see what they connect to.