
Judge: An IP-Address Doesn’t Identify a Person (or BitTorrent Pirate) - llambda
http://torrentfreak.com/judge-an-ip-address-doesnt-identify-a-person-120503/
======
jnorthrop
This is an important decision not only from a "piracy" perspective but from a
"privacy" and "information security" view as well. Many US laws and
regulations revolve around protecting personally identifiable information
(PII). If this judge's conclusions stick then we have some freedom from having
to protect IP addresses, which show up in just about everything we log and
collect.

That could be gigantic to those who deal with HIPAA, PCI, GLBA, etc. Although
I guess this has no impact on the European Union regulations and what they
consider PII -- those are much tougher to deal with anyway.

~~~
rickmb
I came here expecting someone trying to pull a anti-privacy fast one. Nice
try.

Just because an IP address alone is not enough to legally beyond doubt
identify a person doesn't mean collecting IP addresses in combination with
online behavior doesn't violate people's privacy.

These are two fundamentally different things. The only real way to identify
someone is through things like DNA or fingerprints. Everything else is just an
indication, it may not be enough to serve as evidence in court, but it's
definitely personal.

The birthmark on my ass may not be unique, but it doesn't give you the right
to collect pictures of it without my permission.

~~~
jnorthrop
My intention was not to "pull a fast one." If you read my blog[1], which of
late is mostly about privacy, I think you'll find I'm fairly neutral on the
subject. Having said that there is all sorts of pseudo-anonymous or anonymous
data that when combined with other data points become PII. I find this
particular case interesting and am curious to hear what others think about
it's implications beyond the piracy case.

An opposing example to this would be the recent ruling in Massachusetts, and
why I found this one so interesting. The court there found that zip codes are
PII[2].

[1] <http://www.jnorthrop.me>

[2] [http://blog.martindale.com/massachusetts-federal-district-
co...](http://blog.martindale.com/massachusetts-federal-district-court-rules-
zip-code-is-pii)

------
brudgers
This may be a two edged sword.

It also means that collecting data based on your IP is not an invasion of
privacy. With IPv6 there is the potential for much finer grained assignment of
IP addresses to such an extent that an IP address could become uniquely
identified with an individual more readily than today.

~~~
antonej
Good point. Is it possible or probable that under IPv6, we could each have a
"static IP for life"? Not that I'd necessarily want that...

~~~
merlincorey
It is not currently possible with the underlying routing technologies, nor do
I think it would be desirable, for you to get a single IPv6 address assigned
to your device for the entirety of its lifetime.

Firstly, each publicly route-able address (for both IPv4 and IPv6) belongs to
a particular network (known as an Autonomous System). The traceroute utility
on unix and windows can be used to show you the path from your local network
to a particular network, simply by traceroute'ing address that you know are
operated by a particular network.

The way this works is a series of routing protocols that ask the question,
"Which network routes this address and what is the best path to get there?"
and answer it in various ways.

So, I do not think it is possible or desirable for a single publicly route-
able IPv6 address to follow a particular device between networks.

Finally, I would like to point out that, even though we can change them, MAC
addresses are supposed to be the permanent unique identifier for a particular
network interface. I do not think adding an IP equivalent makes any sense,
especially when a particular interface may have multiple IP addresses, and a
particular machine may have multiple interfaces.

Now I will forget my hackernews password once again, until I am needed.

------
jasonkolb
I've often thought that if you _really_ wanted to pirate something, just start
an S-corp for ~$200 and put your cable account in its name. If you get sued,
tell them to litigate until they're blue, the company is going under.

~~~
larrys
The strategy could work if done correctly and most certainly in the case of a
mass lawsuit.

If the corp is opened in a place that offers nominee owners or directors even
better. Although there are most certainly legal ways that someone could figure
out who to sue, in a mass lawsuit it would simply not pay to put the effort in
to pierce the corporate veil of any individual when there were 1500 other
targets.

Despite what others have said you've made a good point to always keep in mind
as an entrepreneur. Something that you are legally obligated to do by contract
is very often not worth the time for the other party to file a lawsuit over.
If you rely on attorneys this is not something they always will make you aware
of. (My points are based upon surviving many many years in business both with
and w/o contracts.)

~~~
pasbesoin
A lot of law, in practice, comes down to cost/benefit rather than right/wrong.

------
acak
This may make mass lawsuits difficult but I wonder if this means anything from
an individual harassment perspective. I guess the next question is this (if
someone can shed light on this from a legal perspective):

Is detection of copyright infringement through or from an IP address enough to
get a warrant issued that allows searching of the devices belonging to the
individual using that IP address (or happens to be connected to the internet
through that IP address)?

~~~
jeremyarussell
So far yes it has been. But what he's saying is that in cases of so many
people the risk of catching innocents in crossfire outweighs the likelihood
that their IP address is actually connected to someone doing the infringing.
This is only in New York though, but the precedent is there now for lawyers
around the US to make their cases.

EDIT: likelihood wasn't spelled likely

------
Rudism
I believe this is similar reasoning to why a lot of states have made red light
cameras and speed cameras illegal. The owner of the car is not necessarily the
person who was driving at the time, and it was the driver (not the car) who
broke the law.

~~~
CWuestefeld
Here in New Jersey, they've arrived at a compromise. The person in whose name
the car is registered is responsible for the fine. But it's _only_ a fine,
with no points on your record.

~~~
RobAtticus
I believe that's the case in Maryland, and was under the impression that's how
most of these things work. I guess they figure since the only punishment is
monetary, if you weren't actually the driver you can figure out pretty easily
who was (usually your son/daughter/spouse) so you can get paid back (or ground
them, etc).

------
nextparadigms
Wasn't this ruled several times already in other trials? How many times does
this have to be proven in Court before the other judges start throwing away
such cases?

~~~
CWuestefeld
This is how the judicial system works in the USA.

It's a hierarchy, from the district courts to the circuit courts on up to the
Supreme Court. Basically, decisions made at one level may be binding on that
court and its "descendents", but that's as far as it goes. If you want a
decision to reach nation-wide, it's got to be handed down by the Supreme
Court.

~~~
jstalin
On top of that, this is a decision by a magistrate, which is one step below a
District Court judge, so it can be appealed to the District Court, then to an
Appeals Court, then the Supreme Court. A magistrate's opinion, unfortunately,
has no binding effect at all (on anything other than this case).

~~~
simcop2387
It does however have some help in setting precedent for arguing in those later
courts, if both parties agree with the judge and don't pursue the matter
further. It doesn't guarantee that it will be listened to but it does help
later on.

------
CWuestefeld
While I understand that today there are potential problems, it seems to me
that a person ought to be responsible with what's done with his property. If
he lets someone use his gun, he's got some degree of responsibility, and if he
lets someone use his communication facilities, he's assuming some as well.

Today this is difficult, since the average person doesn't have a clue how to
set up a secure network. But this is a usability problem more than anything,
and if our laws demanded that this be do-able even by somebody's mom, then I
think manufacturers would address that usability problem.

~~~
waqf
Well now, it depends. If I let someone use something of mine that is licensed
and restricted by the government because of the potential for misuse, such as
a gun or prescription medication, then I am responsible inasmuch as I helped
them circumvent government licensing.

If I lend someone an easily obtainable item such as a pencil sharpener or a
cat, and they commit a crime using it, I don't see how I'm responsible.

The question is which of those categories Internet access falls into.

~~~
evincarofautumn
A hundred people are now idly trying to figure out the feasibility and
logistics of robbing a bank with a cat.

I would go so far as to say that, in addition to the legal obligation to not
violate a government license, you also have an ethical obligation to provide
reasonable protection against theft, misuse, &c. Yet somehow it seems strange
to apply that logic to network devices.

~~~
m_for_monkey

        $ cat BigMoney > MyAccount

------
breckinloggins
The actual ruling[1] has some interesting stuff besides what is covered in the
article summary:

\- Discussion about a time when it WAS possible to associate an IP address
with a specific device and that, for the purposes of allowing discovery, it
was REASONABLE to assume that the traffic from that device was initiated by
the owner of that device. This has important implications for the future, as
IPv6 may make "one ISP IP per actual end device" common again

\- Some hilarious footnotes describing the hypocritical nature of the claims
of this and plaintiffs in previous cases. In one case, a plaintiff made a
claim that part of the reason for vigorous copyright claims was to "protect
minors", when the very plaintiff had a teen porn website. Another footnote was
about this plaintiff (K-beech) attempting to claim the moral high ground when
in fact the person behind the company was the same who previously tried to
extort adult book store owners with violence and bomb threats.

\- A VERY interesting footnote which points out that it is still somewhat of
an open question whether pornographic works are copyrightable at ALL

\- The fact that, in the case of pornography, plaintiffs often rely on
defendants settling even though they are innocent, simply because they don't
want their name published in association with a video called "My Little
Panties #2"

\- Abusive tactics by the plaintiff to use information provided by discovery
to harass defendants to settle. This includes asking for phone numbers and
email addresses which, the judge observes, aren't necessary for servicing
defendants and are mostly used to further the plaintiff's aggressive
settlement tactics

\- The hilarity of seeing things like "Maryjane Young Love and Gangbanged" in
an official court filing

\- And a whole section that's arguable more important than the IP address
opinion...

Plaintiffs in these cases usually file a joinder[2] of claims and combine 10s,
100s, and sometimes 1000s of defendants in a single suit. However, the judge
argues that even if he were to grant discovery on all the John Does in the
case, he still might sever the joinder because:

\- It is transparently an attempt to avoid paying the ~$350 filing fee for
each claim. The courts, he says, don't take kindly on losing that much revenue
simply because the fees don't fit the plaintiff's business model

\- Joinder rules require, among other things, that the group of defendants
must be related by the action “arising out of the same transaction,
occurrence, or series of transactions or occurrences” and “any question of law
or fact common to all defendants will arise in the action.”. In a wonderful
display of deeply understanding the technical matters here, the judge argues
that the technical nature of BitTorrent (to wit: that multiple parties seed
the same file at the same time) does not alone satisfy the joinder
requirement, simply because the user is not usually aware of these technical
details.

\- That, in any event, these co-defendants are only related by technical
protocol and not case fact. Because of this, each defendant would still get to
retain counsel, call witnesses, and defend him- or herself separately. In
addition, the rules of joinder require certain actions that would involve
n*(n-1) separate filings and would complicate the discovery process. This, the
judge points out, turns an otherwise simple case into a massively complex one
and thereby goes against the very reason why joinder was created in the first
place.

In my opinion, this has the potential to be an even bigger setback to the
copyright owners' tactics than the IP address opinion. If joinders like these
are routinely severed because of these reasons, it would certainly make the
"mass lawsuits against thousands of unnamed defendants" tactic a losing
business model.

[1] <http://www.scribd.com/fullscreen/92215098> [scribd fullscreen]

[2] <http://en.wikipedia.org/wiki/Joinder>

------
strictfp
A better analogy: a router is like a phone switch. A router allows several
computers to share external IP just like a phone switch allows several phones
to share an external phone number. If you get a call from a switch number you
don't actually know which specific person behind the switch is calling.

------
paraqles
So if the ip is not longer a personal date, then could it be used to track
down "pirates". But the conclusion must also be interpreted in the offer
direction. So is the ownership of an ip, and the trackdown of the person
behind, not enough for the proof of guiltieness in the act of "piracy". I
think that the second part would not be in sight of a particular company.

------
alexchamberlain
Am I correct in thinking that in the UK, the internet subscriber is
responsible for what is downloaded/uploaded on their connection, regardless of
whether they actually did it?

~~~
grabeh
Contractually there may be a duty to ensure your connection is not utilised to
nefarious ends. This contractual duty would not of course extend to parties
outside the contract (unless the Contracts (Rights of Third Parties) Act is
not excluded).

In terms of non-contractual terms, perhaps a film company for example could
argue the subscriber was under a duty of care but again this is unlikely to
stick.

Generally speaking, I think it would depend on a case by case basis and it
would always be open to the subscriber to argue that although the IP address
was linked to them, they were not responsible for the infringing activities.
This would be determined on the evidence in each case therefore.

------
exim
There is no such a concept as "BitTorrent Pirate".

Where do you get these?

~~~
recursive
It refers to someone who pirates media or software using bittorrent.

~~~
exim
What I meant is that one can't pirate media or software. Call it copying or
sharing without permission of an original author, but that has nothing to do
with piracy, theft, murder, etc...

~~~
drzaiusapelord
Its a long accepted colloquialism. It also doesn't help that a lot of torrent
sites openly embrace pirate crap as cutesy. I guess no one likes saying
copyright infringement.

------
dcesiel
Hopefully higher courts will make similar judgements.

------
mhb
Does this reasoning work when I don't want to pay for the pay-per-call calls I
made on my phone?

~~~
andrewpi
No, its different there since you enter into a contract with your telephone
provider where you agree to pay for them.

~~~
mhb
Right. So it seems like the solution to this is going to be that the law will
change so that the IP address owner is responsible for the use of the IP
address.

------
cnbeuiwx
Alright, who forgot to pay off this judge? Someone is going to get very
pissed.

------
rbanffy
If this doesn't create a push towards IPv6, I don't know what will...

~~~
mseebach
That won't change anything. The subpoena will still be for the person who pays
the bill at a location where multiple devices may be connected. I doubt that
judge will give a subpoena to go look for a computer with a given MAC address
at a location. But those worried can just change MAC address every few days.

~~~
rbanffy
When you are not behind a NAT, an IP can uniquely identify a device which, in
turn, can, most likely, uniquely identify its owner.

~~~
jrockway
If you have 2^48 IP addresses (like anyone with a free ipv6 tunnel does), you
can assign your device a new IP address every day for 771164319755 years.

~~~
X-Istence
Aren't most providers going to be handing out /64's? I know Comcast is working
on that at the moment!

------
goggles99
In California, red light cameras can land you a ticket, but not if they cannot
identify you clearly from the photo. They compare your DMV picture of all
things to the intersection photo. If you have your visor down, those high
mounted cameras never get a good shot of your face ;)

Same principle here right? - you can always say it was a roommate or that you
had an unsecured wifi router right?

------
PiracyApologist
Isn't this fact obvious to any hacker worth their salt? This doesn't gratify
my intellectual curiosity (per the guidelines). Flagged. Please keep these
articles on Slashdot/Reddit.

~~~
micaeked
it's about a court decision. keeping track of what the legal camps think about
tech is "gratifying my intellectual curiosity"

