Earlier this year the UK’s ISPs have hand over information about names and addresses, following court action by those who feel their copyrights have been infringed, e.g the games and music industry.
These companies try and track those using file sharing technologies such as bit torrent or other peer to peer programs. What the investigators end up with is an IP address, e.g they can show that 220.127.116.11 has been sharing specific music files.
As the IP address are, generally, from home users, they only reveal the company providing the line, e.g BT, not the end user.
The IP address does not identify the person who was actually using the IP address at a given time. In addition to this most home IP addresses are also dynamic, which means that different people can have the same IP address at different times.
The only people who can resolve the IP addresses to a given person are the ISPs. E.g BT can identify who had IP address 18.104.22.168 on Saturday 25th October 2008 and who had it on June 1st 2008.
The ISP will not provide this information by a simple request, but they need to be compelled by a court order. Which is what happened earlier this year, and thousands of home addresses were resolved from IP addresses, by the ISPs. It is suggested that up to 25,000 home addresses were identified as part of these court orders.
Once the investigators and their employers e.g BPI (British Phonographic Institute), games industry, etc, had identified the home addresses these companies took different actions.
Some companies wrote to the home address trying to “educate” the users. Others wrote, via the solicitor Davenport Lyons, to the registered owners of the IP addresses identified and demanded that the users pay a £600 fine or face additional action.
Where do you stand?
So, the games and music industry is now getting tough. But where do you stand?
Firstly any firm is on a very sticky wicket if they try and issue a fine based purely on an IP address. It is entirely unreasonable to suggest that you can identify a user from a IP address. For example, a house with one computer may have multiple users. A home may have a family computer, the father pays the bill but its the son who is down loading the music (without his father’s knowledge). The father can not be held reasonable for that action any more than he can if his son goes out and steals a car.
Secondly most homes now have multiple computers, and the IP address just shows the house that was down loading music, and not which computer.
Think of a student house with 4 people living in it, one person pays the bill but another person down loads the music, one student can not be responsible for another, just because they live in the same house.
The first and second problem can be combined. E.g a house can have four people living it in, but the girl friend of one of the students stays over regularly and down loads music files, on her account on one of the computers in the house. Can the person who pays the bill in the house really be held responsible for the actions of the partner of a person he lives with? Of course not.
There is then the third option, insecure networks. Most routers come with wireless networks running as default and it is insecure. If your neighbor uses your network to down load music, should you be held responsible for this?
If the UK government cannot maintain control of critical information, how can a home user be expected to secure data?
Can they get more information?
As shown above the IP address is not enough to ensure a conviction/fine, the company would need to gain more information, from investigating the the suspected home computers. This is possible, legally.
A company, e.g BPI, could request an order/warrant to search a suspected house based on the IP address/home address provided previously, and that would could well be reasonable.
If that did occur BPI would need to get the order, then attend the address, make an exact copy of the suspected hard drive(s) and then take the data away for analysis. This sort of operation would be conducted by contractors, so it is entirely technologically and legally possible. But the cost of doing this would be so expensive, probably £10,000s on per address, that it would be cost prohobitaive on a massive scale. But, the BPIs and the like could consider doing this on a selective scale to send out a message – it depends on how much they value their PR.
Is it legal?
Currently the ISPs have passed over the information, via a High Court order, and so it is entirely legal.
There have been no morning raids or Anton Piller orders, at home addresses reported in the press so far, but they would also be legal if they did occur. The ICO has not commented on the issue either, again showing that this is legal in the UK and there is no objection.
However, on 29th January 2008 the European Court of Justice in the case of “Productores de Música de España Promusicae vs. Telefónica de España“ the ECJ stated that the provision of traffic information for civil reasons, i.e resolving the IP address to the home address, was not required by member states, but it could be required if necessary at a national level.
In this case the exact same court procedures started in Spain as they did in the UK: The music industry demanded information on users, from the IP addresses they had collected. The difference is that in Spain the ISP Telefonica refused to do this, stating that this information was there for criminal purposes only. Spain then referred the case to the ECJ for advice.
The ECJ agreed with Telefonica. Sadly the the UK ISPs are not inclined to defend their users as much as the other countries, but if an ISP did decided to make a stand for their users they are almost certain to win following the ECJ ruling.