The court holds that the plaintiff must demonstrate reasonable evidence the defendant was the person using the computer.
In this particular case, the defendant ran what amounts to lodging, was deposed, and it was immediately figured out it wasn't him. The complicating factor is that because his lodging was medical in nature, he was not able to hand over guest information.
I mention this context because it's unlikely you would be able to get out of being sued by saying "Well maybe it was my roommate LOL"
> I mention this context because it's unlikely you would be able to get out of being sued by saying "Well maybe it was my roommate LOL"
Well, the question is whether I'm responsible for the use of my computer network. If someone hacks into it and starts using it without me noticing, am I responsible?
Suppose you lived alone, and this scenario unfolded. The plaintiff would reasonably argue that because you lived alone, you were the infringer. Would a court believe this to be reasonable? The ruling doesn't say. Now, if you then, using your own money, hired a computer forensics tech who discovered evidence you had been hacked, and also surrendered your computer and router in discovery and it was confirmed the router showed signs of unauthorized access and the computer didn't have file sharing programs or the file in question, I think it's fairly clear this court would let you off the hook. On the other hand, if your forensics tech found no evidence of tampering and did find filesharing software on your computer, I think you'd have a much harder time asserting that your alibi causes their allegation to fall apart.
The court is saying "Look, you can't just saying the IP address is the person, you need to offer a reasonable claim that it is". It is not saying IP addresses are useless or that your identity must be proven beyond a reasonable doubt.
Neither my first post nor this post were meant to be normative -- I'm not from the US, the country I am from makes passive filesharing (i.e. uploading while torrenting) more or less legal, and I would be very happy if legal rulings stopped piracy fishing expeditions. I just wanted to describe the substance of the ruling in a more substantial way than the headline did.
The best way I can interpret this is that your post was being deliberately misleading, because you implied that roommates won't invalidate IP authentication, but you actually meant that lying about having roommates won't invalidate IP identification.
GP, if I read correctly, tries to limit the expectations we can have based on this ruling since the circumstances where unusual. (Read GPs post again for more details.)
English is not my first language but GP seemed very clear and easy to read.
Assuming you live/operate the network in the US, it is grey, but your future operation of the open-wifi might be made more difficult.
Have a look here[1] of the potential actions that can be taken against you and your potential response to those.
In the end it will be a matter of how far you and the other party are willing to push this.
This will be different of course if it can be demonstrated that you intentionally ran the open-wifi to bamboozle or encourage illegal use. (because you advertized for or boasted about it in an online forum for instance).
France managed to create a law for that specific reason. France decided that any owner of a connection is responsible for it. So if you invite friends over and they start to torrent movies or else, you will be responsible.
This seems strange. If someone uses my car for a malicious act, or uses my house's electrical connection to damage the grid, or something like that, I'm clearly not liable.
If you put a law like this, why even have a justice system? Either you are guilty of piracy or you are guilty of not securing enough your computer.
Having a case where you are guilty whatever you say makes no sense, especially for something where the damages to society are very abstract and not proven, like piracy.
It's possible to actually nor have your computer used in piracy, and the justice system would still be about proving whether it was. Also, even if there was liability for negligence in security contributing to piracy, it might be lesser than for willful piracy itself.
The law suggested may be bad, but it doesn't remove the role of the justice system in determine the existence and degree of liability.
Interesting. I've never heard this before. Id love to see some statutes or cases here, because it's not clear to me. This behavior isn't unheard of in my neck of the woods
I can't help you regarding the US. I live in Germany and there's a law (§15 StVO) that says "The driver of a vehicle must take the necessary precautions to prevent accidents and disturbances to traffic when they exit the vehicle. Vehicles also have to be secured against unauthorized use."
I had a quick google and I found mentions that you will get fines for this. I did not find an example of something bad happening with an unlocked car.
Depends on the act. In the state of Georgia, at least, if a passenger in the car you're driving throws litter out the window, you're responsible (not that this particular law is ever enforced).
Germany has recently reverted a law like this for Wifi. If you have an open wifi and someone torrents over it, then you're not liable for the illegal activity itself (though a court can force you to install filters and fine you if you didn't and it happens again).
France managed to create a law for that case too. It can be refered as "lack of security". You are also responsible for having a connection that is supposedly secure. If that's not the case ("oh, I have no technical knowledge on how to enable password protection for my network"), you are responsible as well. There are exemples of companies that were fined because of this law.
How does this work for public locations like libraries or Starbucks? I remember when I went to France many places had free wifi (sometimes with password but it's not like it's hard to ask for it).
It is up to the company to "secure" their connection to prevent this type of thing (block some ports that are used to torrent, block websites, ...). We, technical people, know that is such an imperfect law that can be circumvented in so many ways and yet it exists today.
No, unlike something like a firearm which you are legally required to secure and can suffer potentially criminal and/or civil liability if someone steals it and uses it to commit a crime, there is no such legal requirement to secure your network against outsider misuse.
IANAL that’s just my personal understanding / belief.
The key point would be the use would have to be unsanctioned and you were totally unaware. Once you give someone your WiFi password, it’s less clear if you have any liability. I’m not sure of any case where the actual user was known but the person who provided the network connection was blamed.
Network access is fairly universal. The particular method used to access the Internet is practically irrelevant. The actor and the act are what is important, not how the packets are routed.
I believe the legal term you’re looking for is “strict liability”.
Many states don’t actually have laws about securing firearms directly but have a concept of strict liability about what happens if they are stolen, or stolen and not reported.
Have a look through your ISP's terms of use and you might find specific relevant statements there. Operating an open-wifi Internet access setup might be difficult if your ISP terminates your contract.
An example, this is from Verizon[1]
2. Use of your Service and Account and Compliance with Applicable Authority. You are responsible for all use of your Service and account, whether by you or someone using your account with or without your permission, including all secondary or sub-accounts associated with your primary account, and to pay for all activity associated with your account. You agree to comply with all applicable laws, regulations and rules regarding your use of the Service and to only use the Service within the United States (unless otherwise permitted by this Agreement).
3. Restrictions on Use. The Service is a consumer grade service and is not designed for or intended to be used for any commercial purpose. Except as otherwise set forth in this Agreement, you may not resell, re-provision or rent the Service, (either for a fee or without charge) or allow third parties to use the Service via wired, wireless or other means. For example, you may not provide Internet access to third parties through a wired or wireless connection or use the Service to facilitate public Internet access (such as through a Wi-Fi hotspot), use it for high volume purposes, or engage in similar activities that constitute such use (commercial or non-commercial). If you subscribe to a Broadband Service, you may connect multiple computers/devices within a single home to your modem and/or router to access the Service through a single Verizon-issued IP address, and if available through the Service, you may permit guests to access the Internet through your Service’s Wi-Fi capabilities. You also may not exceed the bandwidth usage limitations that Verizon may establish from time to time for the Service, or use the Service to host any type of server. Violation of this Section may result in bandwidth restrictions on your Service or suspension or termination of your Service.
The facts of the actual case make it much easier to understand the problem, but how is that situation actually different? There are still multiple people it could have been, no evidence is presented to distinguish between them at all and it's an obvious injustice to punish one person when it was another who did it.
You don't, that's the point; claiming "the criminals had mail sent to 1342 Grass Lane, therefore the owner of 1342 Grass Lane is the criminal" is patently ridiculous, and it's good that the court realizes that the same applies (if anything, even more so) to IP addresses.
To clarify, the plaintiff does have to prove it was the defendant that wronged them, but instead the standard of proof being "beyond a reasonable doubt" it's something like on "the balance of probabilities."
unless the law says "it's your internet connection and you're responsible for what happens" I doubt it matters that much. Standard of proof is much lower but still have to prove that x most likely downloaded the movie.
That's a contract with the provider. I'm responsible to Comcast if my connection is used to download 17 TB of data on a metered subscription, even if I was hacked. That contract doesn't leave me responsible for anything except between me and Comcast.
It surprises me in a way that "big internet" (AT&T, Verizon, Comcast etc) and associated large enterprise interests have not been more staunch proponents of IPv6, at least for fixed consumer connections.
It would be trivial in that circumstance to blow away any kind of NAT and the pseudo-anonymity/plausible deniabililty it provides and make client devices performing illegitimate activity directly identifiable.
I wonder if such a ruling might be different in that context. It's a perturbing thought.
Ipv6 defined "privacy extensions" to combat this very thing - and most operating systems use it by default. The idea is that devices generate random addresses instead of just using the device Mac address. I can't say how well this defeats tracking, however, this article (https://www.internetsociety.org/blog/2014/12/ipv6-privacy-ad...) concludes
> ... the ability of security services to track you on IPv4 versus IPv6 is pretty much about the same.
> It would be trivial in that circumstance to blow away any kind of NAT and the pseudo-anonymity/plausible deniabililty it provides and make client devices performing illegitimate activity directly identifiable.
Identifying the device and identifying the person using it are two entirely different things. Multiple people use the same device all the time.
Big ISPs don't want to become copyright enforcers; it costs them a lot of money already and enabling IPv6 would cost them even more. (ISPs that could cheaply deploy IPv6 have already done it, so the ones that haven't generally can't afford to.) They're greedy but they're not proactively evil.
I don't agree. Keep in mind who owns the big ISPs and what corporate empires they're apart of. Several of the biggest ISPs (especially the cable ones) are part of giant media conglomerates - their corporate parents are also the parents of some of the biggest copyright owners out there.
How exactly would this work?
It's my understanding the IP addresses have to be allocated in a somewhat uniform manner to make routing feasible so it looks like it would require you to give a block of IPv6 addresses to the customer's router for it to allocate to the attached PCs, phones and what not, which seems like it would take us back to chewing through the address space pretty quick and also not necessarily achieve the desired effect unless the router keeps logs of the assignments it makes.
But if every device has a fixed or randomized identifier then surely the identifier contains absolutely no routing information whatsoever (the machine might have an address starting ffff:ffff:... but might be behind routers eeee:eeee:... or dddd:dddd:... in completely different parts of the world).
If ISPs gave every customer as many IPv6 addresses as are in the entire IPv4 space to distribute among their personal devices, and "every customer" amounted to the entire population of the world, that would use roughly 1 / (10^19) of the total space.
IPv6 will _not_ have NAT be the default case... IPv4 NAT is the default for the vast majority of [home] routers, and offers a bit of privacy protection built-in.
I would expect the home router to provide some level of device obfuscation in this case, specifically to help protect user privacy. I don’t its a fight that can be outright “won” but certainly you don’t just hand over unique device identifiers if at all possible.
I truly think that we are losing privacy when we give up NAT.
I really don't think it matters too much for client devices anyways, we've found plenty of workarounds by now where it matters. Maybe the best case is NAT-optional.
When I was 18 or so a dozen years ago I had two detectives show up at my door (USA). Apparently my neighbor, with whom we were friendly, had connected to our wifi in order to try to hide his solicitation of a minor (luckily an FBI agent). They just stopped by to let us know trouble might be headed our way during the investigation and court proceedings. It was strange. They just left. Don't know if they ever contacted my dad about it further, but I do know he confessed to the whole thing.
Some IP addresses are more personal than others.
What I mean is that yes, on it's own an IP address does not pinpoint persons, but devices. So it remains upon the complainer in the case of a copyright infringement case to present a further reasoning 'above the speculative level' that the by the IP identified device at the time of the infringement was under the control of the alleged infringer.
In this case they failed. That doesn't mean it will always fail.
If you're mobile ISP uses IPv6 for everything and assigned your mobile a static IPv6 address, then it will be harder to argue it wasn't you.
If you're Home router is provided and managed by your ISP, and it is configured to use DHCP Static Leases, then the local IP of your mobile phone (a fairly personal device) is close (not equal) to being equally as effective as a personal identifier as it's MAC.
If on the other hand you connected to an Open-Wifi set up by an amateur 4 NAT's down that does not keep logs, and you randomize your MAC every time you connect to a new network, it might be more difficult for tying an IP to your device without reasonable doubt.
In that last case if the pursuer wanted the open-wifi operator's operation could be made more difficult by DMCA complaints and leverage through the ISP's terms of service.
It usually points to a router, of which there can be hundreds of devices connected to it on your home network. Securing your wifi is one thing (which doesn't even absolutely prove that it was one of your home devices that did the torrenting, thanks to things like the KRACK attacks), but to then say "well you should secure your internal network such that torrenting cannot happen" is absolutely ridiculous. Torrent programs can work off any port, so that filters out port blocks. Is grandma going to install layer 7 traffic inspection so the grandkids can't doing illegal stuff on that newfangled interwebs? They'll switch to https then...
My point is that anyone with the technical know-how and very rudimentary internet access can bypass almost any restriction you try to put on it. What if the pirate is a minor and won't listen to their parents and keeps on torrenting? Do you permanently take their internet access away? How does that then stifle them for school homework or their social interaction? How can we expect each and every citizen to deploy NSA grade traffic monitoring on their router? The whole thing is ridiculous and the courts are still vehemently out of touch
>>> Judge rules that copyright trolls need more than just an IP address if they want to go after copyright infringement. An IP is not enough proof to tie a person to a crime.
I didn't see anything in the story to suggest that the plaintiff was acting as a "troll" in the sense that I understand from reading about patent trolls. In this case, the plaintiff, while found to be in the wrong, was in fact the creator of the content and probably intended to commercialize it.
I would argue that in the case of file-sharing that it's Trolling when the plaintiff is going after an individual who, when removed from the system of distribution, would have no real effect on the rate or availability of the copyrighted work. Someone just downloading a copy would always fit this definition, and while BitTorrent always involves some amount of "distribution" by the legal definition, they don't represent a distributor in a meaningful way.
Going after this individual does not protect the the monetization of the copyrighted work. The individual's actions only represent the loss of motorization for the single copy they might have purchased. The only possible argument for this protecting monetization of the copyrighted work would be some kind of "chilling effect" on others sharing, but given the prevalence of file sharing after decades of such legal cases, this seems like a extremely weak argument.
Given that, then only reasonable conclusion is that the they are attempting to make money using the law itself, rather then using it to protect the monetization of the copyrighted work.
This doesn't seem to be anything new or different. Just because a muder victim's blood is found on your clothes and you are holding a knife doesn't necessarily mean you are the murderer -- but it is evidence.
At the end of the day you will be tried by a judge or a jury. If your only defense is some kind of grand, implausible chain of maybes and what-ifs, they will rule against you. If you have a perfectly reasonable explanation, then they won't.
The content companies were so eager to settle out of court for just this reason; they knew that if enough of these cases went to court, a judgment against them results in case law that hinders their ability to strong-arm casual pirates.
The article states that 'this is a win for privacy advocates and pirates'.
I'm not disagreeing, but I hope this will not re-open doors of trying to leverage this into getting IP addresses out of being privacy linked data in a privacy regulation context.
What aggravates me about using IP addresses to accuse alleged pirates is the same thing that aggravates me about traffic cameras: It's not my responsibility, duty, or privilege to enforce the law.
In this particular case, the defendant ran what amounts to lodging, was deposed, and it was immediately figured out it wasn't him. The complicating factor is that because his lodging was medical in nature, he was not able to hand over guest information.
I mention this context because it's unlikely you would be able to get out of being sued by saying "Well maybe it was my roommate LOL"