Challenging BPI's Claims That IP Addresses Alone Are Accepted By Courts As Proof Of Infringement
from the lies-the-recording-industry-tells dept
BPI, the equivalent of the RIAA in the UK, is apparently insisting that the evidence it uses to accuse file sharers of infringement is "of an extremely high standard." Of course, the "evidence" is an IP address, which anyone with a basic understanding of technology knows is, by itself, not indicative of much. You could combine that with other evidence to have a bit more useful info, but IP addresses are hardly the sort of "extremely high standard" of evidence you would think they are from the BPI's claims. So, the folks at the Open Rights Group are asking BPI to back up their claims that the evidence is of such a high standard and that UK courts have accepted this evidence, asking a simple yes or no question:Has any UK court ever treated an IP address as being sufficient by itself to identify a defendant as a copyright infringer in a contested copyright infringement claim decided after a trial of an action?This is because -- in typical recording industry misleading fashion -- BPI uses weasel words in its claims, saying
It is the same quality of evidence that was provided in more than one hundred cases to the High Court in litigation against end users and which was accepted by the court in each case. Most of these cases resulted in settlements, and all of those on which judgment was given found in the BPI's favourHmm, citing settlements is useless because a "settlement" is not a ruling on the merits, and therefore does not prove that an IP address is quality evidence. And while judgments are made on the merits, saying that such evidence was used in successful cases is not the same thing as saying an IP address, in and of itself, is sufficient to prove infringement. Apparently, ORG asked BPI to clarify this well over a month ago, and still has not received an answer. Shocking.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: evidence, ip addresses, uk
Companies: bpi
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
One lady is saying some outrageous things in public.
http://www.zeropaid.com/news/91251/eu-digital-agenda-vp-need-to-sideline-content-gatekeeper s/
Kiwis want their mobiles clean.
http://www.zeropaid.com/news/91257/music-industry-slams-kiwis-mobile-phone-three-strikes-exe mption/
[ link to this | view in chronology ]
Seems unfair ...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
So, according to Techdirt what is "acceptable evidence"?
I'm all for due process, but let's not make ridiculous and technically incorrect claims.
[ link to this | view in chronology ]
Re: So, according to Techdirt what is "acceptable evidence"?
Actually just 3 days ago, my own mother called me over to look at her system, it had 2 Trojans installed. I can't think of a fair system that would destroy the lives of it's most vulnerable people, so one industry can scare people, who already buy into buying over and over again to compensate for diminished revenue due to those that won't ever buy... I don't know what kind of money you have laying around to defend yourself but 100k is more than most have in the bank. This practice is entirely based on that reality, and if you don't know that, well...
[ link to this | view in chronology ]
Re: Re: So, according to Techdirt what is "acceptable evidence"?
They have to pass the identity to the court to file the case, only after the case has been filed those users have the need to proof themselves innocent.
In such an early pharse it's unfair for them to require them to pick out user list that's possible trojan victims.
[ link to this | view in chronology ]
Re: Re: Re: So, according to Techdirt what is "acceptable evidence"?
[ link to this | view in chronology ]
Re: Re: Re: So, according to Techdirt what is "acceptable evidence"?
There may be circumstantial evidence that increases the likeliness that the defendant did commit the infringement(such as using your own username/email address on a peer-to-peer network like Kazaa), but even then, it's easier to argue that the person is responsible because it was their connection and their computer, because you can't use that as evidence to prove that the defendant did actually commit the infringement. A neighbor's kid might have come over and downloaded music. They might have wi-fi, which may be open because they don't know how or want to implement security settings, or their wireless network may be hacked (since it is relatively easy to do so).
The problem is that the approach of these lawsuits is to assume guilt, send settlement letters, and reap in the payments, without having sufficient evidence (that and the entire system of copyright is an abuse itself). And the companies' lawyers don't usually need greater evidence. If you send a threatening letter from a law firm to random people and claim you've detected copyright infringement, many are going to settle, whether or not they did it. It's the telemarketing or email spam method. Shoot enough bullets and you're going to hit something. Not many people have the time or money to fight lawsuits.
[ link to this | view in chronology ]
Re: Re: Re: Re: So, according to Techdirt what is "acceptable evidence"?
[ link to this | view in chronology ]
Re: Re: So, according to Techdirt what is "acceptable evidence"?
[ link to this | view in chronology ]
Re: So, according to Techdirt what is "acceptable evidence"?
IP address alone doesn't mean much unless the user is using a static IP plan (in such case you'll also need confirmation from ISP as a proof of such plan that IP address won't change)
[ link to this | view in chronology ]
Re: Re: So, according to Techdirt what is "acceptable evidence"?
Such log can be assumed as present, otherwise where do you think defendant name came from?
[ link to this | view in chronology ]
Re: So, according to Techdirt what is "acceptable evidence"?
IP address merely indicates the subscriber. Seizing computers would be pointless as people can simply swap drives, get new computers etc.
However, further evidence could include information gained from any direct communication with that subscriber. Most of the speculative invoice letters doing the rounds are specifically written not only to create a chilling effect, but also to encourage the subscriber to give up further information that could possibly be used against them at some point down the line.
It is an unfortunate fact that upon receiving these letters, many people either panic or get cocky, and ring or write to the law firms giving up all sorts of information about their home and family situation, their online activities, their knowledge of file sharing, of computers, networks etc etc.
It's that communication that will get picked to pieces for 'further evidence'.
This is similar to the parking tickets issued from private car parking companies (a civil 'contract' issue). The invoice gets sent to the registered keeper of the car, but they have no evidence as to who was actually driving it, so can't really pursue it much further than constant streams of threatening letters. However, if the car owner writes back and admits they were driving (and many do, typically while writing a 'back off, I'm not paying' letter), then the parking firm have concrete evidence to take to court.
IP Address alone does not prove that an individual committed any infringement; and that's also assuming that there were no mistakes made in collecting the IP Address in the first place.
I also find it troubling that any 'evidence' collected solely by an 'interested party' (i.e. the rights holders or their agents), with no independent overview whatsoever, could ever be considered valid evidence at all.
[ link to this | view in chronology ]
Re: Re: So, according to Techdirt what is "acceptable evidence"?
It wouldn't get past the ACPO guidelines in the UK
Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
(see my link in comment below below for full detail.
[ link to this | view in chronology ]
Re: So, according to Techdirt what is "acceptable evidence"?
Your fundamental flawed assumption is that it somehow has to be possible to get adequate evidence.
The point is that it isn't - and no amount of wishful thinking will change that.
Live with it.
[ link to this | view in chronology ]
Re: Re: So, according to Techdirt what is "acceptable evidence"?
You're funny man. So, no crime committed over internet can be prosecuted? Just because you think that IP address is not an evidence? Are you for real?
Every technological or political change begin with wishful thinking.
[ link to this | view in chronology ]
Re: Re: Re: So, according to Techdirt what is "acceptable evidence"?
We can't find the real "culprit" so we just kill everyone who vaguely fits the description.
[ link to this | view in chronology ]
Re: Re: Re: So, according to Techdirt what is "acceptable evidence"?
You're funny man. So, no crime committed over internet can be prosecuted? Just because you think that IP address is not an evidence? Are you for real?
Of course some crimes committed over the internet can be prosecuted, and yes and IP address can be a useful "lead" for investigators. However the lead hs to be followed up, and the methods required for that to produce real evidence are rigorous.
See for example the UK police guidelines on the subject.
I am very much for real - it is you that is in fantasy land.
Every technological or political change begin with wishful thinking.
Not that kind of wishful thinking.
[ link to this | view in chronology ]
Re: Re: Re: So, according to Techdirt what is "acceptable evidence"?
And bear in mind that was where the forensic examiners had full access to every system involved on a private corporate network where at least a basic level of security is mandated and were dealing with a primary system that held financial data and so logging and auditing was far above the industry norm for general systems.
Just how rigorous a proof do you think you would get out of a home network in a similar case? Of course that pre-supposes an actual burden of proof as in a criminal trial. For copyright infringement and especialy file sharing the current standard seems to be "Well, I (the person with a financial stake in a guilty verdict) say they are guilty, so they must be!".
With this level of "proof" on the plaintiff side I consider that acceptable defenses should include:
-The "Liar! Liar! Pants on fire!" defense
-The "A big boy did it and ran away!" defense
-The "A dog ate my homework." defense
and of course
-The "Mysterious dude" defense (that's the one that starts "This dude, I'd never seen him before, came and...."
[ link to this | view in chronology ]
Re: Re: Re: So, according to Techdirt what is "acceptable evidence"?
and when it actually is a crime, there are rules for whats admissible in court and not only how that evidence is introduced but who is allowed to look for that evidence in many cases.
[ link to this | view in chronology ]
Re: So, according to Techdirt what is "acceptable evidence"?
There are at least 100 million fully-compromised systems out there; probably more like 200 million by now, if we conservatively extrapolate growth rates, consider the size of contemporary botnets, factor in the steadily-declining effectiveness of anti-malware software, and, well, just look at our own log files, which unfortunately only a tiny fraction of system/network administrators ever do.
Nothing that any of those systems do can be attributed to their former owners, because there's no way to externally distinguish between "an action taken by the new owners" and "an action that the new owners permit the former owners to take". If the former owners can still browse the web or read email or whatever, that's only because the new owners have allowed them to do so: it's not the former owners system any more.
This is common knowledge among everyone who's been paying attention to security for most of the past decade: at this point, it's like announcing that the ocean is wet. Clearly BPI et.al. are willfully choosing to omit this -- it's quite impossible that any entity with the technical resources they possess is unaware of it.
A forensic-grade examination of computer Z -- a competent forensic-grade examination -- may, under some circumstances, be enough to establish that it isn't (at the time of the examination) owned by someone else. (Of course that doesn't mean it wasn't earlier: systems alternate between those two states all the time.) But even that, combined with (let's say) evidence that Z was used to do Y while on the IP address in question and at the time in question doesn't come close to proving that X did it unless there is additional supporting evidence showing that X was the only one with physical and logical access.
The bottom line is that evidentiary standards from decades ago, when there were no bots and no DHCP and no laptops and seven orders of magnitude fewer systems and so on simply don't apply any more. Unfortunately BPI et.al., who are clearly aware of this, have no reason to educate judges or juries about it, and to date, defense lawyers haven't (AFAIK) mounted an appropriate educational effort either. And so the farce continues.
[ link to this | view in chronology ]
Re: So, according to Techdirt what is "acceptable evidence"?
As far as I'm concerned, that is the cost of doing business.
don't like it? get out
[ link to this | view in chronology ]
Re: So, according to Techdirt what is "acceptable evidence"?
[ link to this | view in chronology ]
an analogy
/facepalm
[ link to this | view in chronology ]
Re: an analogy
Same, btw, with guns. If somebody got killed with your gun - you're first suspect.
Welcome to reality.
[ link to this | view in chronology ]
Re: Re: an analogy
The BPI on the other hand would rather simply convict based on an assumption that 1 IP = 1 person, equally 1 car does not equal 1 driver.
Clear enough Mr troll?
[ link to this | view in chronology ]
Re: Re: Re: an analogy
You never been there, don't you? Unless _you_ (not police) shows that your car/gun had been stolen, you're guilty.
You're living in a dream world of some kind of "ultimate justice". Real world is nothing of this kind.
[ link to this | view in chronology ]
Re: Re: Re: Re: an analogy
From which country are you citing the law?
In many civilized societies there is presumption of innocence, at least it says so in their laws.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: an analogy
Computers!
[ link to this | view in chronology ]
Re: Re: Re: an analogy
Can't be - because of the following scenario:
Thief hijacks your car and has a crash in which you (in the passenger seat) and a 3rd party are killed. The hijacker moves you body into the driver's seat and then runs off.
Would it be right for the police to simply assume it was all your doing and let the case rest?
(After all you aren't around to take responsibility for proving your innocence)
[ link to this | view in chronology ]
Re: Re: Re: Re: an analogy
[ link to this | view in chronology ]
Re: Re: an analogy
Wrong -it's still up to the prosecution to prove that you were driving.
If you can prove that your car was stolen then this WILL help to get the police of your back - but it isn't necessary in order to be acquitted.
[ link to this | view in chronology ]
Re: Re: Re: an analogy
Richard---
I'm familiar with it more in the tort context (which would actually be a closer analogy to use of IP addresses in infringement, anyway) but Ifroen is talking about a real legal issue. Many states only make the owner of a car vicariously liable for a drivers torts if the driver was family, but that's not universal. New York has a permissive use statute, which means that the owner of a car can be held vicariously liable for the unintentional torts of any driver who had permission. And the key point is that the defendant has the burden to DISprove permission. The plaintiff wouldn't have the initial burden of proving permission. I'll have to leave it to Ifroen to confirm whether this also applies criminally, but the IP/car analogy seems to hold up civilly...
abc gum---
Again, I can't speak to the criminal issue at the moment, but in civil cases it's about American law. (Or, perhaps more accurately, about the law of some American states, since they vary.) And even if it does apply criminally, it wouldn't mean the presumption of innocence was being ignored.
That presumption doesn't mean that the prosecution bears the burden for every single point raised. They bear a heavy initial burden, but if the defendant raises a defense, the defendant can have the initial burden of demonstrating that defense. (I say "often" again because these burdens can also vary by state.) Generally, the prosecution would have to disprove each element of the defense beyond a reasonable doubt, but even at common law a defendant had to prove insanity by a preponderance. And in New York, there are two categories---1) defenses, which the prosecution must disprove beyond a reasonable doubt, or 2) affirmative defenses, which defendant must prove by a preponderance of the evidence.
Long story short---I can't speak towards the car example in a criminal context, but in the tort context some states do require you to disprove ownership. And even criminally, the presumption of innocence does not mean that the prosecution must disprove defenses 100% of the time.
[ link to this | view in chronology ]
Re: Re: Re: Re: an analogy
Certainly in the UK specific authorisation is necessary to create liability for copyright infringement.
Consequently no-one in the UK has ever been successfully prosecuted for copyright infringement on the basis of an IP address alone.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: an analogy
One user made the analogy between IP addresses and automobiles in an effort to demonstrate how ridiculous BPI's stance is. Not just whether it is legally valid, but that it is patently ridiculous: if BPI's reasoning applied elsewhere, look at how unconscionable the result would be.
Demonstrating that the analogous, intended-as-ridiculous result actually has occurred pushes back against his suggestion that the law couldn't possibly stomach BPI's logic. And even if he hadn't made the analogy first, it'd still be reasonable for me to offer it, as it can contribute to a broader point about how presumptions of liability sometimes shift the normal burdens of proof.
I didn't weigh in on whether BPI's argument ought to be win out, normatively, nor whether BPI's argument actually does hold up under the particular UK laws involved. But other posters were discussing whether BPI's legal logic was inherently flawed and legally laughable, so I weighed in on that point. It seems pretty clear that that argument is relevant to the original post.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: an analogy
We all know the law can be an ass at times - so the fact that you can find examples of stupid laws doesn't necessarily affect general principles.
The law (if you trawl through the stupidities of particular US states) can stomach an amazing variety of foolishness (almost including at one time that the value of PI whould be 4) so I'm still not sure how your examples really advance the argument.
[ link to this | view in chronology ]
Re: Re: Re: Re: an analogy
You are the first to add that to this really bad analogy.
1) equate civil to criminal
2) guilty till proven innocent
3) responsible for the actions of others
4) rinse, repeat
5) profit !
[ link to this | view in chronology ]
Re: Re: an analogy
in criminal cases as you are pointing out, the burden of proof is on the prosecution, not the defendant. plain and simple. if someone steals your car and kills someone with it, the way it works is THEY have to prove you were driving not YOU have to prove you werent.
[ link to this | view in chronology ]
I comment because I can!
For example, my IP address used to change all the time. It wasn't until several years ago, when piracy began making the headlines a lot more often, that IP address turn over was dialed so far back that it bordered on being static. Even so, simply changing one single letter/number of my MAC address is enough to force my ISP's automated DHCP server to hand out a new IP address. I can always tell when it gives me the address of someone who has been using file sharing too because I will get hammered with tons of unsolicited incoming connection attempts, at which point I change it again.
I've often wondered over the years what will happen when the current generation, those wielding most of the power, inevitably retire and are replaced by younger, more technically knowledgeable folks? You know, the ones who aren't phased at all by technology. Slowly, with each passing day, it is becoming more and more noticeable that those who were too scared and/or inept to set the clock on their VCR are beginning to vacate their positions of power. I truly believe the current mindset on things, such as file sharing, is going to be radically different a decade from now. No matter how many minor victories they achieve, the cards are ultimately stacked against the entertainment industry and they will lose the war.
Despite fourteen years of internet use, I have never gotten a single warning. I'm sure some ISP's have better methods of tracking their users, but we haven't really seen them. Well, at least I haven't insofar as all the court cases to date are concerned. Even if things do go horribly awry some day, I'm not too worried because I know there are plenty of alternatives. Getting ones hands on free entertainment is just too easy where technology is concerned, and it gets a little bit easier every year. Don't get me wrong, I feel artists should be paid for their work and am happy to do so provided the circumstances are fair. When the entertainment industry finally decides to offer comparable service, convenience, quality, and pricing as I currently get from file sharing, and can do it without the constant attempts at controlling when/where/how I use their product, I will be the first to sign up. A reasonable monthly rate that allows one to access anything and everything ever created since the dawn of time, all on demand; who wouldn't want to sign up for that? Even though file sharing is a powerful tool, I don't it will ever be able to fulfill what I have in mind, at least not the way the industry could. Imagine turning the internet into the biggest central library of culture ever conceived. It would be as significant as the Library of Alexandria was. Too bad the industry is so blinded by greed and cannot see the bigger picture.
[ link to this | view in chronology ]
Just to make it clear for those who don't habla IP addresses
An IP address as seen from the internet is (almost) never 1 person. In fact it can potentially represent thousands of people.
NAT (Network Address Translation) is a process whereby the address of a computer on a local (private) network is translated on to a "real world" IP address.
NAT overload is where one "real world" address is used to represent many "private" addresses, that are kept straight by the box that joins the 2 (the router). This process is not trackable to the source from the "outside world".
NAT overload is the default usage for interenet connections in (almost) every home internet connection and most companies.
In order to track a specific usage (session) of a "real world IP" to the PC using it requires the NAT log from the router doing the translation so that the MAC (hardware) address of the device can be matched to the specific connection session to the real world.
Most domestic internet routers do not log this. Most company routers don't keep the logs for very long.
Assuming you get to the specific device that made the connection, the only way to tie it to a person is a username logged in the system log.
Many home users share both computers and usernames. By default most computers do not log user logons and logoffs. Many companies do not log user logons either.
Many home wireless networks are completely open for any user passing the house to use (see Google wireless data capture furore - this is what it was about). Where they are secured, it is mostly trivial to break wireless security - the basic "out of the box" level called WEP takes 5 seconds or less to break with freely available software. Such a "rogue" user will appear identical to the outside world as a legitimate user of that connection.
Many companies allow the usage of their network by visitors. Events for example often give free access to press (and trust me press laptops are fairly likely to be virus ridden and used, shall we say "dubiously")
For simplicity we will ignore all the myriad ways in which the various identifiers (internal IP, external IP, MAC, username) can be faked and require serious forensic examination to track down or even detect the fakery.
On my own home network my "real world" IP address can represent approx 15 devices and 6 users that *I* know about (i.e. not including uninvited guests). On a corporate network the legitimate users of a single "real world" IP can number in the thousands. Basically, an IP address is "proof" of NOTHING. In any case where the IP address is the "evidence" you are at BEST talking about secondary liability and even that is tough to actually prove if you are using a rigorous process.
[ link to this | view in chronology ]
Re: Just to make it clear for those who don't habla IP addresses
On many cable systems it is possible to attached a "hacked" box and create a phantom user that does not officially exist. The IP address of such a user will inevitably be mapped onto that of some legitimate user. equally inevitably the users of hacked boxes will be heavily into piracy - since they are already breaking the law - and believe themselves (justifiably) to be pretty much untraceable.
According to one computer crime consultant (employed to catch such people) there are parts of the UK where such hackers are unprosecutable because most of the jury will be using hacked boxes themselves!
[ link to this | view in chronology ]
Re: Re: Just to make it clear for those who don't habla IP addresses
[ link to this | view in chronology ]
Re: Re: Re: Just to make it clear for those who don't habla IP addresses
[ link to this | view in chronology ]
???
[ link to this | view in chronology ]
Re: ???
I hear the BPI hired him last week.
Oh,wait.. hang on a minute..?
[ link to this | view in chronology ]
Re: Re: ???
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
As for logging, most decent DHCP solutions will log lease history, but I wouldn't imagine ISP's keeping this data for long, but it's not really that much data per event- you get 2 numbers (IP and MAC) and maybe a bit of text info about the requesting client type You'd probably get about 2 million log entries in 1 GB. A few GB per month I'd guess depending on how big the ISP.
Out of that, if you were in time, you'd get the IP address and the MAC (hardware) address it was leased to. Comparing the hardware of the endpoint device (router) would "confirm" (well no not really but lets assume no-ones done anything naughty) the source internet connection of the IP address.
Of course that still doesn't get you anywhere near the person making that connection, all it does is identify the source location and not even that since both IP and MAC can be spoofed - I'd think you'd pretty much have to trace it in real-time to get anything that woudl amount to "proof"
[ link to this | view in chronology ]
this is why they hate safe harbor provisions
BPI wants, nay it NEEDS for an IP to be sufficient evidence because it's all the evidence they're going to be able to get without breaking the law or going broke conducting investigations.
this is why safe harbor provisions are such a bark up the ass for groups like this. the people they are going after are hard to find and aren't likely to have any money. it would be better in their opinion to just sue ISPs, since they're easier to find and are more likely to have money.
civil suits are supposed to be about justice, but they're really about getting paid. expensive proceedings against broke people are lousy ways to get paid.
policing the distribution of content is also an expensive process when done legally. this is why the MPAA's and the BPI's of the world would prefer to force ISP's and website operators to do the policing instead.
[ link to this | view in chronology ]
BPI?
[ link to this | view in chronology ]
Re: BPI?
[ link to this | view in chronology ]