Without isolating a user, any confronted elder with just an ip, the elder could always say they were watching over their flock doing exact same thing wts is doing. The elder could deny participating in discussion - so what proof would wts have to df the elder? None. WTS could have been collecting ips for years and so what? We haven't heard of any elders getting busted by wts, if they had I'm sure these elders would have been df and they would have posted here stating they were caught by wts. So I doubt they are collecting ips of users as it's really a futile excercise. WTS is not FBI or KGB! Just a delusional organization. If there is any spying, it is to find out copyrighted material, and is this spying done by witnesses or by outside agency? This is another question as an agency wouldn't be affected by what they read on sites like this one while witnesses could be.
I agree that the WTB&TS is not doing this. But I wanted to explore the technical ins-and-outs of this sort of "hacking" - what it would it take for the WTB&TS to ID active elders on forum sites (or any user for that matter - but I think they would be interested in elders, COs, etc). True, the elder could come up with an excuse like you said - that he was just watching over the flock. But elders shouldn't be going to these sites AT ALL. It's against the rules. Even if an elder were to lurk around, not participating in the discussions, I could see the WTS saying that individual just isn't an elder anymore.
I've said it on another thread - that I don't think the WTS cares about the leaked elder's manual specifically. I do think they care about all of the notes that get put into the margins - the notes that are given to the elder orally at the training school. If there is an elder on a forum like this, and the WTS knew it, even lurking, why not just remove the elder? Easy way to contain information.
But, of course, you are right - if this were occurring, there would be many elders coming forward (after their removal, or just after a good back-room shalacking) and warning everyone else that the WTS is doing such things.
Again, I'm just playing around with the idea. I don't really think the WTS is doing this. In light of JTB's claims, I just wanted to see what it would take. I still think that it wouldn't be too hard to match an IP address to a username using the identicon (see OP).
In any case, the use of a good proxy server would eliminate all threat in either of these situations...