My browser shreds cookies as soon as I leave a site in most cases, as well as all other site date. These days the tracking works based on multiple signals, so even if you delete the cookies, if the IP address and browser signals like user agent and screen resolution match, they will re-associate that identity with you. You need to screw with a lot of metrics to throw them off.
In my country a spam lawsuit against 50 people where only one of them is possibly "guilty" of a civil offence with a relatively small financial loss isn't going to fly. They have largely given up suing people here because such speculative invoicing scams tend not to stand up to judicial scrutiny. At best an IP address identifies a subscriber, who may not be the person who downloaded the file, and who isn't under any legal obligation to help determine who it was, and who can't be held liable as there are no reasonable means for them to prevent such "abuse".