(The Register) On Friday, the DC federal appeals court ruled that the recording industry’s efforts to subpoena the names and addresses of ISP Verizon’s customers who were using P2P file-sharing networks to download and upload copyrighted music were unlawful. However, the decision rests on a narrow reading of the federal Digital Millennium Copyright Act (DMCA), and likely will have little long-term impact on the file sharing debate.
In fact, at the same time the DC court was narrowing the ability to get discovery of anonymous users of the Internet, a court in Connecticut reinforced a private company’s right to determine the identity of a person who anonymously criticized the company in e-mail.
The rulings both go to the core of that most cherished and reviled privilege of online life: anonymity.
Anonymity is a wonderful thing. Early American patriots like John Jay, Alexander Hamilton and James Madison routinely published under pseudonyms – such as drafting the Federalist papers under the name ‘Publius’. Ben Franklin and others had long been publishing not only political diatribes but also editorials and comments about issues of the day (like the role of women in society) under fictitious names – and even fictitious genders. Anonymity can help frame important issues apart from the author of the article, and can permit the author to feel free to express controversial ideas or reveal sensitive information in the public interest without fear of retribution.
Who, in January of 2003, would have felt free to criticize Saddam Hussein’s regime from inside Baghdad or Tikrit? Who would criticize Kim Jong Il inside North Korea? Indeed, the US Supreme Court has struck down laws that mandated that ballot initiative petitioners place their names on such petitions, extolling the virtues of anonymous political speech. Such anonymous speech can topple repressive regimes, and encourage mass peaceful protest.
Anonymity is also a horrible thing. It allows sexual deviants, perverts, paedophiles and stalkers to lurk in the dark recesses of the Internet. It allows virus writers, purveyors of malicious code, hackers, crackers and attackers to destroy files and disrupt legitimate business and social enterprises without real fear of justice. It permits, and perhaps encourages, irresponsible speech – fraud, deception, defamation, slander, and incitement to violence. It can be used as a tool for hate groups of all political persuasions to incite fear and hatred.
It can be used to fraudulently manipulate stock prices for personal financial gain, cause personal ruin, and promote unsafe and untested products (like male enhancements, etc.) In can be used to harass, annoy, and flood mail boxes worldwide. Without knowledge of the author of an electronic communication, it becomes difficult to evaluate its bias and bona fides.
The Verizon Decision
A few years ago, under pressure from copyright holders (eg. software companies, recording and motion picture companies) the US Congress passed the Digital Millennium Copyright Act. Some of the provisions of the DMA prohibited the distribution of technologies that could be used to “circumvent” technological measures designed to protect copyrighted works (eg. copy protections). At the time, Congress was concerned about pirated works appearing on the Internet through web-accessible BBSs, newsgroups and web sites. A “pirate” could place a single copyrighted work on a web site, and permit hundreds of thousands of people to download the work.
In writing the DMCA, Congress recognized that the ISP that was hosting the site with the infringing work bore some limited responsibility for contributing to the infringement – it was, after all, their customer that was infringing, using their storage space and bandwidth. So Congress struck a compromise with the ISPs: if the copyright holder certified that they owned the copyright, and that the use of the work was infringing and not authorized, the ISP had to remove access to the infringing material. In return, the ISP was granted immunity in the event that the removal was improper, and was granted immunity for contributing to the infringement, unless there was some other connection between the ISP and the infringer.
Another provision of the DMCA permitted copyright holders to obtain discovery from the ISPs about the identity of the poster. It was the application of this provision that the DC Court considered in the P2P setting.
Under normal law, a plaintiff would file a lawsuit against an offending party (eg. the copyright infringer) and then use the court system to get subpoenas or court orders for information relevant to the lawsuit. The DMCA turns that on its head: copyright holders, simply by asserting the ownership of a copyright and an infringement by a particular anonymous user, can demand that the clerk of the court issue an order to the ISP to pony up the names, addresses and IP history information of their subscribers, with no lawsuit pending.
Indeed, the lower court in the Verizon case ruled that such subpoenas were not even court orders – they were mere ministerial acts by a clerk, and as such were beyond the review of the courts.
But the appellate court last week realized that P2P was different from the kind of “post and download” infringement Congress sought to deal with in the DMCA.
The court recognized that, at the time DMCA was passed, nobody anticipated P2P. The concept of “taking down” offending materials did not really apply to these networks. Sure, you can disable all Internet access by users of P2P networks, or you might disable the ports that are most frequently used for P2P, but this remedy goes far beyond simply removing infringing materials. The infringing materials do not exist on the ISP’s servers: they are on the customer’s machine.
Moreover, the subpoena for information is more akin to asking an ISP for the identity of a person who visited a website to download an offending article, rather than to determine the identity of the person who is hosting it. This, the court ruled, Congress did not explicitly authorize.
But before we declare victory for P2P users, it’s worth looking at another court decision that came down the same day, which seems to provide the RIAA with a roadmap for getting at downloaders’ identities anyway.
At the same time the DC Appeals court was struggling with anonymous music fans, a Superior Court in Connecticut was struggling with an anonymous e-mailer to a French company, La Societe Metro Cash & Carry France.
Apparently this e-mailer sent electronic communications to many of the company’s employees questioning the wisdom and abilities of corporate officers. La Societe Metro sued in France under French defamation law, and also filed a discovery lawsuit against Time Warner (the ISP from which the e-mail originated) in Connecticut. The French company wanted the ISP to give up the subscriber information.
After discussing the history of anonymous speech, and the First Amendment rights to post material on the Internet, the Connecticut court ordered Time Warner to reveal the subscriber information, finding that the French company had shown a prima facie case of defamation, and that the subscriber information was relevant.
Interesting in this case was the fact that the ISP fought the subpoena at all. In most cases, ISPs will reveal this information to all comers with a facially valid court order, and is under no obligation to even inform the subscriber that the information has been sought or disclosed. Indeed, while subscriber agreements typically announce that such information will not be disclosed absent a subpoena, it does not require that the subpoena be legally valid – or tested – and imposes no obligation on the ISP to challenge the validity of the subpoena. Again, if information exists, it is likely to be discovered and disclosed.
The Connecticut court went on to conclude that the identity of Jane Doe (the e-mailer) was relevant to the defamation proceeding, and therefore that Time Warner had to reveal it to the French company.
This provides a road map to the RIAA. While (absent a successful appeal) they may no longer issue hundreds of blanket DMCA subpoenas – at least in the District of Columbia – they can file hundreds of blanket ‘John Doe’ copyright infringement lawsuits and then issue hundreds of ordinary civil subpoenas. Or, they can go to Congress and have the DMCA amended to specifically include P2P networks.
So while the court ruling may slow the RIAA, there are many other arrows in their quiver.
SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department’s computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.