This is an important decision not only from a "piracy" perspective but from a "privacy" and "information security" view as well. Many US laws and regulations revolve around protecting personally identifiable information (PII). If this judge's conclusions stick then we have some freedom from having to protect IP addresses, which show up in just about everything we log and collect.
That could be gigantic to those who deal with HIPAA, PCI, GLBA, etc. Although I guess this has no impact on the European Union regulations and what they consider PII -- those are much tougher to deal with anyway.
I came here expecting someone trying to pull a anti-privacy fast one. Nice try.
Just because an IP address alone is not enough to legally beyond doubt identify a person doesn't mean collecting IP addresses in combination with online behavior doesn't violate people's privacy.
These are two fundamentally different things. The only real way to identify someone is through things like DNA or fingerprints. Everything else is just an indication, it may not be enough to serve as evidence in court, but it's definitely personal.
The birthmark on my ass may not be unique, but it doesn't give you the right to collect pictures of it without my permission.
My intention was not to "pull a fast one." If you read my blog[1], which of late is mostly about privacy, I think you'll find I'm fairly neutral on the subject. Having said that there is all sorts of pseudo-anonymous or anonymous data that when combined with other data points become PII. I find this particular case interesting and am curious to hear what others think about it's implications beyond the piracy case.
An opposing example to this would be the recent ruling in Massachusetts, and why I found this one so interesting. The court there found that zip codes are PII[2].
It also means that collecting data based on your IP is not an invasion of privacy. With IPv6 there is the potential for much finer grained assignment of IP addresses to such an extent that an IP address could become uniquely identified with an individual more readily than today.
It is not currently possible with the underlying routing technologies, nor do I think it would be desirable, for you to get a single IPv6 address assigned to your device for the entirety of its lifetime.
Firstly, each publicly route-able address (for both IPv4 and IPv6) belongs to a particular network (known as an Autonomous System). The traceroute utility on unix and windows can be used to show you the path from your local network to a particular network, simply by traceroute'ing address that you know are operated by a particular network.
The way this works is a series of routing protocols that ask the question, "Which network routes this address and what is the best path to get there?" and answer it in various ways.
So, I do not think it is possible or desirable for a single publicly route-able IPv6 address to follow a particular device between networks.
Finally, I would like to point out that, even though we can change them, MAC addresses are supposed to be the permanent unique identifier for a particular network interface. I do not think adding an IP equivalent makes any sense, especially when a particular interface may have multiple IP addresses, and a particular machine may have multiple interfaces.
Now I will forget my hackernews password once again, until I am needed.
Not unless they decide to completely revamp how addresses are assigned, no.
Edit: and to address the comment that slipped in just ahead of me...MAC addresses as a part of IPv6 addresses are fine. If the interface is on several subnets, then the network portion of the IP address will be different.
Edit2: To clarify my initial comment, as the other commenter stated, there is no effective way to handle the routing for keeping the network portion the same, so that would always depend upon where you are. The only possibility could be to be assigned a permanent host ID, but considering how many devices the average person has with network access (I have a couple dozen easily, but I'm not average,) I'd think that this would be impractical anyway.
I've often thought that if you really wanted to pirate something, just start an S-corp for ~$200 and put your cable account in its name. If you get sued, tell them to litigate until they're blue, the company is going under.
The strategy could work if done correctly and most certainly in the case of a mass lawsuit.
If the corp is opened in a place that offers nominee owners or directors even better. Although there are most certainly legal ways that someone could figure out who to sue, in a mass lawsuit it would simply not pay to put the effort in to pierce the corporate veil of any individual when there were 1500 other targets.
Despite what others have said you've made a good point to always keep in mind as an entrepreneur. Something that you are legally obligated to do by contract is very often not worth the time for the other party to file a lawsuit over. If you rely on attorneys this is not something they always will make you aware of. (My points are based upon surviving many many years in business both with and w/o contracts.)
From the corporation's point of view, it would pay as an investment in deterrence. Companies fight money-losing legal battles all the time because they don't want to open the floodgates to thousands of others doing the same thing.
But you're assuming it would even get to a trier of fact. That is a mistake that lawyers make many timese that I've seen. They will settle a case with another lawyer as if the other side will actually go through and file a lawsuit and even has the money to litigate. McDonalds regularly settles slip and fall lawsuits that are merit less. It is cheaper in certain cases to just pay off the tort lawyer with $10,000 then go to court. And certainly you've seen cases where the little guy gets sued and gives up because they don't have the money to fight even though they are clearly right (or let's assume they are..)
No, I'm implying the exact same mentality that shows how to hack computer programs isn't the one you use for the law. For all people mock the law, humans are involved, and the sort of transparent excuses that would easily fool a computer probably won't fool a judge for a second any more than it would fool a guy on the street. There are ways to hack the law, but it looks different.
Parent says "What if the business's purpose is to provide an open suburban hotspot?"
You say: "excuses that would easily fool a computer probably won't fool a judge for a second any more than it would fool a guy on the street."
I don't think it comes across as an excuse although prosecution would of course present it that way.
There is certainly instances where someone would provide an open hotspot for neighbors. (My neighbor at one building did this.) I don't think it would be difficult at all for this to be shown by any defense attorney after some research with examples of kind people doing the same. I don't think this is as open and shut as you are presenting it. And that is the job of a defense attorney to try to make things appear possible by presenting evidence of the practice (which doesn't have to be widespread either.)
It has to pass the "resonable" test Jurys and some times Judges are much better at working out when some one is "taking the piss" which is the point that jerf is making.
No, it comes down to a question of the letter of the law versus the spirit. By the letter of the law, jasonkolb's proposal would work. However, jasonkolb's propsal clearly violates the spirit under which corporate protection was originally developed.
Now, if you argue that the judge should follow the letter of the law, and ignore the spirit, remember that the first amendment protects the freedom of "speech" and the "press". It doesn't say anything about websites. Of course, the spirit of the law was clearly anti-censorship and would obviously apply to written texts that haven't physically been through a printing press, but the letter of the law says no such thing.
Alternately, you could stick to the letter of the law and simply redefine the word "speech" to include things obviously not spoken, like websites.
Convincing judges that the spirit of the law does not match the letter, or that the dictionary definition of a word isn't the definition to be used in the case, are ways of hacking the law that have nothing to do with judicial corruption.
Sorry but no. Interpreting an IP address as identifying a user isn't a matter of interpreting the spirit of the law it's simply making a factual error. Should an IP address be sufficient to allow a search to be made? Certainly in a criminal case.
It is similar to the case of catching a speeding car but not being able to identify the driver (except speeding isn't a tort). You can't assume the owner is guilty unless the law is drafted to make it so that a car owner is responsible for all authorised use of their vehicle.
Talking about the spirit of the law is considering the law makers intentions and how they would have drafted the details in the current technological background.
Even if you narrow down the guilty party to one of a small group you can't convict the whole group or even a random member of the group on that strength alone. That's not how European or USA law works (though there may be other crime, withholding evidence, harbouring a criminal and such that members of the party would be guilty of).
I wasn't arguing the letter versus spirit in terms of the IP address. I was more arguing about piercing the corporate veil. By the letter of the law, the infringement may have been made by the company, but, by the spirit of the law, it's clearly made by the person.
However, I want to take your speeding car analogy a step further. The police have video of my car parked outside a murder scene during a murder. The murder was performed with my handgun. On the 911 tapes, the victim is shouting that he's being attacked by someone with my name (John Smith). The victim is someone I've previously stated that I intend to kill. The argument that none of those identify me aren't going to form a reasonable doubt unless I can also provide an alibi or implicate a different John Smith.
In the same way, the original poster has publicly stated their intention to start an open network for the specific intent of hiding their downloads. The MPAA has an IP address that shows that a download was made from the account that was purchased by a person intending to hide downloads. If they have server logs showing that other people use that network on a regular basis, they have a decent chance. As it stands, however, it's pushing the bounds of reasonable doubt, not to mention preponderance of the evidence, as needed for a civil case.
It is not a matter of convincing anyone, it is a matter of interpreting the law. I'm just playing devil's advocate here, but you have to consider this within the bounds of the legal system, not what you find to be tasteful or convincing.
There are of course ways to address this via legislation--but that will never happen as it goes to the very core of the corporate personhood issue.
I really like your thinking. This is exactly what you have to do when confronted with legal opinions and what lawyers are telling you. You have to challenge them ask questions and propose ideas. They aren't going to think for you and depending on their ethics they aren't going to put words in your mouth (and tell you how to lie and I'm not implying you are doing that). (Same with accountants as well.)
That would probably violate the terms of the broadband ISP service contract. No doubt people do this all the time and get away with it, but that doesn't mean the big guys wouldn't go ahead and enforce it in situations where it really matters.
As a lawyer, I would never recommend this. Corporate plaintiffs would sue the individual(s) as well under the theory of "piercing the corporate veil." Given these facts, I think they would have a good chance of winning, but even if they lost, that's not the point. The real issue is attorneys fees. $100,000 in legal expenses is a rounding error to large corporations; for many individuals, it is their life savings
If you make the ownership graph sufficiently complicated (as in enough companies crossing enough international jurisdictions through enough shared-ownership layers) you'll be:
You should see what the ownership graphs of most multinationals look like. I did an analysis of JP Morgan at one point and I kid you not the list of companies in small type with no formatting took 10 pages to print out.
For all the people who are saying that this is hacking the legal system you are correct. This is routinely done and I recommend you spend some time reading up on it, because it is fascinating.
For example, did you know that most cities are corporations?
> I recommend you spend some time reading up on it
I work for a portal that was recently acquired. The company who acquired the portal is, in part, owned by the same companies that own the telco that sold the portal, but the composition is different. I'm not even sure there are no cycles in the graph - it's perfectly possible some of the entities involved own themselves.
I wouldn't try to form such a short cycle, but it would be fun to form a series of other cycles with the ownership graph in such a way that drawing the graph would give the prospective investigator a congratulatory message ;-)
Those complex entity structures are usually done for tax or accounting purposes rather than to evade liability, although that can sometimes be an added benefit.
This may make mass lawsuits difficult but I wonder if this means anything from an individual harassment perspective. I guess the next question is this (if someone can shed light on this from a legal perspective):
Is detection of copyright infringement through or from an IP address enough to get a warrant issued that allows searching of the devices belonging to the individual using that IP address (or happens to be connected to the internet through that IP address)?
So far yes it has been. But what he's saying is that in cases of so many people the risk of catching innocents in crossfire outweighs the likelihood that their IP address is actually connected to someone doing the infringing. This is only in New York though, but the precedent is there now for lawyers around the US to make their cases.
I believe this is similar reasoning to why a lot of states have made red light cameras and speed cameras illegal. The owner of the car is not necessarily the person who was driving at the time, and it was the driver (not the car) who broke the law.
Here in New Jersey, they've arrived at a compromise. The person in whose name the car is registered is responsible for the fine. But it's only a fine, with no points on your record.
I believe that's the case in Maryland, and was under the impression that's how most of these things work. I guess they figure since the only punishment is monetary, if you weren't actually the driver you can figure out pretty easily who was (usually your son/daughter/spouse) so you can get paid back (or ground them, etc).
In Australia (well, the state of Queensland where I am at least) I'm pretty sure you can sign a statutory declaration to say that it was somebody else driving (I think you probably have to say who it is and they cop the fine and the points, unless the car was reported stolen).
Photos of speed cameras often have the drivers faces visible, unless covered up - at least here in Norway. So yeah, the license plate doesn't identify a person, but at least it makes finding the right person easier if there's a dispute.
In the UK if you get caught speeding/running a red light by a camera, the ticket gets sent to the registered owner of the car.
You can either take the ticket, or tell them who was driving. You cannot say 'it wasn't me, but I won't tell you who it was'.
It is also a serious criminal offence to take speeding points on someone else's behalf (as it was suggested that government minister Chris Huhne asked his wife to)
> What if you don't know who drove it? (you might have borrowed it to a few friends but don't know who drove it when)
As someone else touched on: in most states of Australia, the owner of the vehicle (as per the registration) is responsible. If you "don't know" who was driving your car it doesn't matter-you are responsible for the vehicle unless you have reported it stolen. Which I think is fair: if you're going to lend your car out, make sure you trust the person driving it.
I feel that nailing the owner is completely unnecessary. The owner might be responsible for the vehicle but the driver is responsible for how it is driven. Parking tickets is a reasonable exception since it's hard to prove who drove it last. For your own sake you should always trust anyone you are lending your vehicle to but you shouldn't have to care for any legal implications that might result in (other than parking tickets).
In Egypt three speeding tickets means jail time (if I remember correctly), only not for the driver but for the owner. IMO that's just sick.
At that point isn't it more of a concern that the supposed completely random person driving your car isn't insured? Personal responsibility rules kick in before then.
Who said anything about not checking insurance? I can loan a car out to two or more trusted, verified friends in the same month and then be unable to specify who had it at a specific hour.
In Germany they have to get a picture of the driver and the license plate. There was a famous case where a UK driver was speeding and putting a dummy in the passenger seat [1]. He couldn't be ticketed for speeding because a dummy appeared to be driving his car.
[1] Germany has Napoleon compliant highways while the UK was much more interested in resisting anything from Napoleon.
Wasn't this ruled several times already in other trials? How many times does this have to be proven in Court before the other judges start throwing away such cases?
It's a hierarchy, from the district courts to the circuit courts on up to the Supreme Court. Basically, decisions made at one level may be binding on that court and its "descendents", but that's as far as it goes. If you want a decision to reach nation-wide, it's got to be handed down by the Supreme Court.
On top of that, this is a decision by a magistrate, which is one step below a District Court judge, so it can be appealed to the District Court, then to an Appeals Court, then the Supreme Court. A magistrate's opinion, unfortunately, has no binding effect at all (on anything other than this case).
It does however have some help in setting precedent for arguing in those later courts, if both parties agree with the judge and don't pursue the matter further. It doesn't guarantee that it will be listened to but it does help later on.
While I understand that today there are potential problems, it seems to me that a person ought to be responsible with what's done with his property. If he lets someone use his gun, he's got some degree of responsibility, and if he lets someone use his communication facilities, he's assuming some as well.
Today this is difficult, since the average person doesn't have a clue how to set up a secure network. But this is a usability problem more than anything, and if our laws demanded that this be do-able even by somebody's mom, then I think manufacturers would address that usability problem.
Well now, it depends. If I let someone use something of mine that is licensed and restricted by the government because of the potential for misuse, such as a gun or prescription medication, then I am responsible inasmuch as I helped them circumvent government licensing.
If I lend someone an easily obtainable item such as a pencil sharpener or a cat, and they commit a crime using it, I don't see how I'm responsible.
The question is which of those categories Internet access falls into.
A hundred people are now idly trying to figure out the feasibility and logistics of robbing a bank with a cat.
I would go so far as to say that, in addition to the legal obligation to not violate a government license, you also have an ethical obligation to provide reasonable protection against theft, misuse, &c. Yet somehow it seems strange to apply that logic to network devices.
Important to not that in the vast majority of the U.S. there is no such thing as gun "licensing" or "registration". You can trade, loan, buy, give, or otherwise move firearms around all you wish with private parties.
Your only obligation in most places is to ask, "Are you legally allowed to own a gun".
"it seems to me that a person ought to be responsible with what's done with his property."
I think in a practical sense this is never going to happen. If you lend someone your car you are responsible and will get sued if they kill someone. The type of lawsuit and even criminal charges might depend on whether you knew of their capacity at the time to commit a crime or fitness to drive. Important distinction with cars and guns. With both you know they can be dangerous. (In the case of a gun you know even more so obviously.) There is not the same widespread knowledge or even possibility with the internet for harm along the lines of death because of use of an internet connection. Although I'm sure it's happened a few times (harassment or planning terrorism.)
As far as the requirement to lock down a network that also is not going to happen as you well know in a world that chooses "football" or "123456" for a password not to mention key loggers and viruses. Simply not the same as keeping your gun in a gun safe or knowing your neighbor is drunk and shouldn't drive your car.
"and if our laws demanded that this be do-able even by somebody's mom, then I think manufacturers would address that usability problem."
I think there is quite the demand from users to not have constant viruses, infections and hacking of computer networks (as well as embarrassment to both the software and hardware industries and to high profile websites.) Do you really think that this can be achieved with "beyond a reasonable doubt" standards so that someone's mom can have secure wifi in her house? I don't. I get calls every day from people who type domain names into the google search box instead of the browser bar.
I think you have it backwards: one of the benefits of being treated as a "common carrier" is that you aren't responsible for others misusage of your service, since you are required to be open to the public.
Common carriers can't be held criminally liable for what their users do, but they are responsible for the actions of their users in the sense that they need to turn over their records if served a subpoena, and may be legally required to keep certain records.
ISP's are not common carriers and have lobbied for decades to not be treated as common carriers because then they can't do deep packet inspection and they must sell equal service to anyone. If a drug smuggler drops a package in a mailbox the postal service is legally obligated to deliver it and not look inside (assuming it doesn't smell or tick). An ISP finds out someone is sharing their wifi with their neighbors, the ISP can cut service b/c of breach of terms of service.
I strongly disagree. When a person gives or lends something or provides a service to another person, you should not be able to hold the first person responsible for what happens, unless they had reason to believe the second person would misuse it.
The legal system depends on treating every person who is mentally competent as being responsible for his or her own actions with regard to the law. What you suggest upends that dependency.
Publishing metasploit, running a torrent tracker, running a car rental service or a gun range would all require extremely expensive liability insurance if liability always transferred.
> If he lets someone use his gun, he's got some degree of responsibility, and if he lets someone use his communication facilities, he's assuming some as well.
Analogies such as these should be avoided because you're falling in the same "you won't download a car" trap.
Say, if someone comes to my party and uses a kitchen knife to commit a crime, what is the degree of my responsibility?
If you ask to use my phone, I'm going to let you borrow it, but I can't know whether you're going to use it to order a pizza or call in a bomb threat.
Of course I have some degree of responsibility, but with guns its is completely different - we went out of our way as a society to make rules about the responsibilities of gun owners.
Manufactors are partially to blame aswell. e.g. WEP is still available. It is totally insecure and should not be used. Any consumer grade equipment that only supports WEP is just encouraging people to be insecure while thinking they are secure.
The actual ruling[1] has some interesting stuff besides what is covered in the article summary:
- Discussion about a time when it WAS possible to associate an IP address with a specific device and that, for the purposes of allowing discovery, it was REASONABLE to assume that the traffic from that device was initiated by the owner of that device. This has important implications for the future, as IPv6 may make "one ISP IP per actual end device" common again
- Some hilarious footnotes describing the hypocritical nature of the claims of this and plaintiffs in previous cases. In one case, a plaintiff made a claim that part of the reason for vigorous copyright claims was to "protect minors", when the very plaintiff had a teen porn website. Another footnote was about this plaintiff (K-beech) attempting to claim the moral high ground when in fact the person behind the company was the same who previously tried to extort adult book store owners with violence and bomb threats.
- A VERY interesting footnote which points out that it is still somewhat of an open question whether pornographic works are copyrightable at ALL
- The fact that, in the case of pornography, plaintiffs often rely on defendants settling even though they are innocent, simply because they don't want their name published in association with a video called "My Little Panties #2"
- Abusive tactics by the plaintiff to use information provided by discovery to harass defendants to settle. This includes asking for phone numbers and email addresses which, the judge observes, aren't necessary for servicing defendants and are mostly used to further the plaintiff's aggressive settlement tactics
- The hilarity of seeing things like "Maryjane Young Love
and
Gangbanged" in an official court filing
- And a whole section that's arguable more important than the IP address opinion...
Plaintiffs in these cases usually file a joinder[2] of claims and combine 10s, 100s, and sometimes 1000s of defendants in a single suit. However, the judge argues that even if he were to grant discovery on all the John Does in the case, he still might sever the joinder because:
- It is transparently an attempt to avoid paying the ~$350 filing fee for each claim. The courts, he says, don't take kindly on losing that much revenue simply because the fees don't fit the plaintiff's business model
- Joinder rules require, among other things, that the group of defendants must be related by the action “arising out of the same transaction, occurrence, or series of transactions or occurrences” and “any
question of law or fact common to all defendants will arise in the action.”. In a wonderful display of deeply understanding the technical matters here, the judge argues that the technical nature of BitTorrent (to wit: that multiple parties seed the same file at the same time) does not alone satisfy the joinder requirement, simply because the user is not usually aware of these technical details.
- That, in any event, these co-defendants are only related by technical protocol and not case fact. Because of this, each defendant would still get to retain counsel, call witnesses, and defend him- or herself separately. In addition, the rules of joinder require certain actions that would involve n*(n-1) separate filings and would complicate the discovery process. This, the judge points out, turns an otherwise simple case into a massively complex one and thereby goes against the very reason why joinder was created in the first place.
In my opinion, this has the potential to be an even bigger setback to the copyright owners' tactics than the IP address opinion. If joinders like these are routinely severed because of these reasons, it would certainly make the "mass lawsuits against thousands of unnamed defendants" tactic a losing business model.
A better analogy: a router is like a phone switch. A router allows several computers to share external IP just like a phone switch allows several phones to share an external phone number. If you get a call from a switch number you don't actually know which specific person behind the switch is calling.
So if the ip is not longer a personal date, then could it be used to track down "pirates".
But the conclusion must also be interpreted in the offer direction. So is the ownership of an ip, and the trackdown of the person behind, not enough for the proof of guiltieness in the act of "piracy".
I think that the second part would not be in sight of a particular company.
Am I correct in thinking that in the UK, the internet subscriber is responsible for what is downloaded/uploaded on their connection, regardless of whether they actually did it?
Contractually there may be a duty to ensure your connection is not utilised to nefarious ends. This contractual duty would not of course extend to parties outside the contract (unless the Contracts (Rights of Third Parties) Act is not excluded).
In terms of non-contractual terms, perhaps a film company for example could argue the subscriber was under a duty of care but again this is unlikely to stick.
Generally speaking, I think it would depend on a case by case basis and it would always be open to the subscriber to argue that although the IP address was linked to them, they were not responsible for the infringing activities. This would be determined on the evidence in each case therefore.
What I meant is that one can't pirate media or software. Call it copying or sharing without permission of an original author, but that has nothing to do with piracy, theft, murder, etc...
Its a long accepted colloquialism. It also doesn't help that a lot of torrent sites openly embrace pirate crap as cutesy. I guess no one likes saying copyright infringement.
Right. So it seems like the solution to this is going to be that the law will change so that the IP address owner is responsible for the use of the IP address.
That won't change anything. The subpoena will still be for the person who pays the bill at a location where multiple devices may be connected. I doubt that judge will give a subpoena to go look for a computer with a given MAC address at a location. But those worried can just change MAC address every few days.
If you have 2^48 IP addresses (like anyone with a free ipv6 tunnel does), you can assign your device a new IP address every day for 771164319755 years.
I've wondered why this hasn't received more attention. Probably because it hasn't "happened yet", WRT the (negative) experience of end users. Can't be too much longer, now, though.
In California, red light cameras can land you a ticket, but not if they cannot identify you clearly from the photo. They compare your DMV picture of all things to the intersection photo. If you have your visor down, those high mounted cameras never get a good shot of your face ;)
Same principle here right? - you can always say it was a roommate or that you had an unsecured wifi router right?
Isn't this fact obvious to any hacker worth their salt? This doesn't gratify my intellectual curiosity (per the guidelines). Flagged. Please keep these articles on Slashdot/Reddit.
That could be gigantic to those who deal with HIPAA, PCI, GLBA, etc. Although I guess this has no impact on the European Union regulations and what they consider PII -- those are much tougher to deal with anyway.