Slashdot Mirror

← Back to Stories (view on slashdot.org)

NY Judge Rules IP Addresses Insufficient To Identify Pirates

Posted by timothy on from the that-pesky-proof-thing dept.

milbournosphere writes "New York Judge Gary Brown has found that IP addresses don't provide enough evidence to identify pirates, and wrote an extensive argument explaining his reasoning. A quote from the judge's order: 'While a decade ago, home wireless networks were nearly non-existent, 61% of U.S. homes now have wireless access. As a result, a single IP address usually supports multiple computer devices – which unlike traditional telephones can be operated simultaneously by different individuals. Different family members, or even visitors, could have performed the alleged downloads. Unless the wireless router has been appropriately secured (and in some cases, even if it has been secured), neighbors or passersby could access the Internet using the IP address assigned to a particular subscriber and download the plaintiff's film.' Perhaps this will help to stem the tide of frivolous mass lawsuits being brought by the RIAA and other rights-holders where IP addresses are the bulk of the 'evidence' suggested."

31 of 268 comments (clear)

  1. Does this apply to all cases? by CriticalAnalysis · · Score: 4, Interesting

    Does this ruling apply if someone downloads child porn, makes bomb threats, discusses with terrorists or other larger crimes? Just saying it should be consistent if pirates get a pass.

    1. Re:Does this apply to all cases? by Anonymous Coward · · Score: 5, Informative

      This still means that an IP address is sufficient for them to seize and search your computer hard disks and such, so if you have corroborating evidence there you'd still be fucked. It's just not sufficient in the absence of anything else.

    2. Re:Does this apply to all cases? by CanHasDIY · · Score: 3, Informative

      Those are criminal infractions; 'piracy' is technically a civil matter.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    3. Re:Does this apply to all cases? by gnasher719 · · Score: 3, Insightful

      Does this ruling apply if someone downloads child porn, makes bomb threats, discusses with terrorists or other larger crimes? Just saying it should be consistent if pirates get a pass.

      In the context of this ruling, an IP address is not enough evidence to justify giving your name and address to someone who claims that his copyright is infringed, but isn't really interested in sorting out the copyright infringement but only to blackmail you into a settlement. Especially if someone tries to get the names of dozens of people while paying only one court fee.

      On the other hand, it is surely enough evidence to get the police started investigating serious crimes.

    4. Re:Does this apply to all cases? by pavon · · Score: 4, Interesting

      Well, the ruling doesn't really set any legal precedent since it is just a district judge, and it is about a civil case not a criminal one. But it is consistent with how most judges have ruled across the country. The consensus is that it is more than sufficient evidence to get a warrant, is not even close to enough to secure a conviction by itself, but when combined with other evidence may do the job. Just follows common sense really.

    5. Re:Does this apply to all cases? by slater.jay · · Score: 5, Informative

      The standard for probable cause in the case of a search warrant is significantly lower than the standard for conviction.

    6. Re:Does this apply to all cases? by dbet · · Score: 4, Insightful

      I think if someone made bomb threats from an IP address, the FBI would FULLY investigate, because jailing the wrong person means the bomb still goes off, where the RIAA doesn't care if they sue the wrong person.

    7. Re:Does this apply to all cases? by MoonBuggy · · Score: 4, Insightful

      Surely that reinforces the point, though? Criminal cases have higher standards of proof than civil ("beyond reasonable doubt" compared to "on the balance of probabilities"), so if it's not enough for a civil case it sure as hell isn't enough for a criminal one.

    8. Re:Does this apply to all cases? by Arancaytar · · Score: 4, Insightful

      If a search warrant required as much evidence as a conviction, there would be no point to search warrants.

    9. Re:Does this apply to all cases? by girlintraining · · Score: 4, Informative

      The standard for probable cause in the case of a search warrant is significantly lower than the standard for conviction.

      Yes, but everyone is hungup on the idea that the plaintiff has to prove an individual is responsible. At the moment, this may be true, but it's not much of an obstacle. Whenever you park your car illegally, they write a ticket out to the vehicle owner; And there have been many cases where the vehicle's owner was later arrested for not paying a fine they didn't know about because they had loaned their vehicle out to someone else. And unless the vehicle owner can prove they weren't the ones operating the vehicle, the courts have held they are responsible; They can't simply say "It was Ghost Man that parked my car downtown, not me!"

      So for now, in that jurisdiction, they may be able to stop people from being sued for copyright infringement based on the IP address alone; But laws can and will be passed within a few years there where the ip address "owner" is responsible (and by owner, I mean ISP subscriber).

      At best, this is an empty victory: It may stall copyright enforcement in that juridsdiction temporarily, but it will resume, and the cat and mouse game will move forward. They'll just start using things like timing, traffic analysis, client version identification, etc., to form digital fingerprints that (after they've seized your computer) will be used to individually identify you even from behind your standard NAT router.

      --
      #fuckbeta #iamslashdot #dicemustdie
    10. Re:Does this apply to all cases? by sjames · · Score: 5, Insightful

      That depends. The parking ticket thing was standing between a city government and a revenue stream. That is known to be the most dangerous place to stand in all of existence.

    11. Re:Does this apply to all cases? by Archangel+Michael · · Score: 4, Interesting

      Except that it is not. I was arrested for "resisting arrest", then added a charge of being "drunk in public" to cover the act that I knew that they couldn't arrest me for resisting arrest alone. They then changed the charge to "Resisting arrest" and "Assault on a police officer" after I informed the police I was neither "drunk" nor in "public" (being sober INSIDE a private residence).

      The prosecutor continued prosecution through the trial and I was acquitted in less than 1 hour. Juries take a very dim view of police trying to cover their asses. It also helps that could recall with exact detail (even to this day) the entire conversation the police officers had trying to cover the fact that they were arresting an asshole (me) who was smarter than they were.

      My suggestion is, don't resist, but don't help them. They often claim the latter is the former, it is not.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    12. Re:Does this apply to all cases? by Archangel+Michael · · Score: 5, Insightful

      I was in a private residence, they had no rights to order me to do anything, because I was not hindering their investigation, nor was I doing or involved in anything illegal. If the cops can go into any residence and order the occupants around and arrest people for not "not following orders" ... then I have a HUGE problem with that society. And you don't?

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    13. Re:Does this apply to all cases? by nabsltd · · Score: 4, Insightful

      This still means that an IP address is sufficient for them to seize and search your computer hard disks and such, so if you have corroborating evidence there you'd still be fucked.

      For a criminal matter, an IP address might be enough by itself to issue a search warrant.

      Luckily, the copyright infringement that is being done in file sharing doesn't fall under the "criminal" section of copyright law.

    14. Re:Does this apply to all cases? by Anonymous Coward · · Score: 3, Insightful

      For the most part, an IP address has never been able to prove anything short of a temporary usage.
      - most cable and DSL modems use NAT, one ip address for the outside.
      - proximity to busy areas (eg in a condo building that's part of a shopping district is enough) is enough to claim "it wasn't me"
      - Wireless devices (mobile phones, tablets) that can also operate as WiFi access points may not be secured enough
      - Shopping Convention centers may have many of the above showing up peoples devices, particularly iPhone and iPad's which do this by default.

      In 2004, when I first bought a router, I also bought a GPS and went wardriving with the laptop for kicks. At the time, most of the 802.11b routers were not encrypted, and it was easy to just pop in and pop off any unencrypted one.
      When I lived in a condo building, I had line of sight to WiFi access points located so far away (where you'd need binoculars to find it) that I was able to access them for minutes at a time. Some of these were early Hotel systems that were unencrypted.
      Some neighboring condo units had unencrypted routers that were clearly hijacked, as they would reboot randomly
      Some people leave their routers "open" to have plausible deniability
      Some people use Tor onion routing behind such routers
      Some people may intentionally look stupid, but they actually run a VPN over the wireless system to an initial exit point somewhere in the US so they can use US services (Eg netflix, hulu) or pirate indiscriminately on other people's systems.

      Overall the problem is that responsibility lies first at the ISP, for not detecting "open" routers. Many ISP's issue wireless DSL and Cable modems in only a "semi-secure" state, that it only takes a disgruntled employee at the ISP to dump the configurations, along with the administrative passwords for the devices to compromise all of them. Many of these devices share the exact same admin password.

      The Subscriber's responsibility is only for devices physically attached to the cable modem, which may include secondary wireless routers. So if they give out passwords for their friends to use it, and their friend comes back a month later and downloads some seriously illegal stuff, you're not going to remember seeing your friend downloading anything. So if it's your router, it's your problem, but if the ISP has any control over the router/modem it's the ISP's responsibility. If their subscriber is a moron, they should cut them loose.

      I'm not suggesting that ISP's be responsible for damages, and neither should subscribers be responsible for damages caused by someone accessing the system without their knowledge, but both should take proactive action against letting people use their system.

      This also means that ISP's should be detecting "bot" traffic, hijacked machines, at their headend and proactively warn users about suspicious activity where the customer's usage pattern changes.

    15. Re:Does this apply to all cases? by Cwix · · Score: 4, Insightful

      No, you loan your car to someone. Therefore you are responsible. If someone steals your car and crashes into a bus full of nuns, you aren't.

      You may be able to make a case that if the person billed for the IP address would be responsible for guests, but if the kid next door is "stealing" internet from you then you shouldn't be.

      Its an analogy fail. Get over yourself.

      --
      You are entitled to your own opinions, not your own facts.
    16. Re:Does this apply to all cases? by Jane+Q.+Public · · Score: 5, Informative

      "It's not flawed at all, it's just a position you disagree with."

      Actually, it is flawed, because automobiles are just about the only things for which the courts have upheld this idea... and there is very little doubt that they have done so for no reason other than that not doing so would interfere with their own branch of government's revenue stream, just as someone else mentioned. Otherwise they would have generalized the concept to other areas of the law... but they haven't.

      In general, you cannot be held liable for other people's actions, even if they used something belonging to you in order to do it. Automobiles have been held to be an exception to that, but that's the important part: they are an exception, not the rule. So as an analogy it doesn't work.

      "You're an accomplice in any illegal activity if you fail to take any steps to prevent it. "

      Horsepucky. It just doesn't work that way. In most states -- maybe even all -- this is simply not true. There is no obligation on the part of a citizen to prevent others from committing crimes. It simply isn't a valid legal principle. I could stand by and watch a man shoot other people for no reason, and I am still not his accomplice. Not even remotely, in any area of the law with which I am familiar. I am not obligated by law to insert myself into the situation at all. Failing to do so might mean I was not a very nice person, but it does not make me a criminal.

      The only exception to this of which I am aware is that some states have "Good Samaritan" laws that require you to help people under certain, specific circumstances. For example, in my state you are obligated to stop and help someone who is stuck in the snow in a remote area, because the chance of otherwise not finding help and freezing to death is so great. And to be honest, I am not convinced that even that law is completely Constitutional.

      "There's plenty of legal precident to support my position, and only moral indignation to support yours."

      No, there isn't. I know for an absolute fact that my state laws contradict every single thing you have stated here, the sole exception being the part about automobile liability. And I am pretty sure that most other states are similar.

    17. Re:Does this apply to all cases? by Anthony+Mouse · · Score: 3, Informative

      You're an accomplice in any illegal activity if you fail to take any steps to prevent it.

      I'd be curious to hear which law school you attended that taught you that, considering how wrong it is.

      My previous example demonstrates additional legal situations where the owner can be charged for a crime that's committed by the user, absent proof that the user did it instead of the owner.

      You neglect that your examples are the exception rather than the rule. Cars are large, fast, dangerous and expensive. They have their own rules. Almost nothing works that way, nor should it. The person responsible is the person responsible, not random innocent bystanders who happens to be in the general vicinity or who lent general purpose tools to someone not knowing they would be used for nefarious purposes.

    18. Re:Does this apply to all cases? by girlintraining · · Score: 3, Informative

      Actually, it is flawed, because automobiles are just about the only things for which the courts have upheld this idea...

      Oil tanker owner held liable for captain being negligent and crashing. Owner of a building complex that caught fire held liable, even though he wasn't the one who started the fire. Hotel owner held liable for meth lab being setup in room. Owners of male cattle not held responsible for bull killing someone. By the way, that's a biblical reference; I just wanted to demonstrate it's not a new concept. I can provide many, many more examples. It's not just cars. If you own something, you can be held responsible if you're neglegent in the maintenance of it.
      Your failure to secure your wifi connection and then having it used in the commission of a crime makes you liable for damages. This has already happened in the UK and Germany. It's currently being looked into in several jurisdictions in the United States. Bottom line here, there is plenty of legal precident here and globally to create, enforce, and have upheld, a law that makes the owners of an unsecured network legally liable for illegal activity which occurs on it.

      No, there isn't. I know for an absolute fact that my state laws contradict every single thing you have stated here, the sole exception being the part about automobile liability. And I am pretty sure that most other states are similar.

      I have provided several links indicating that at the state and national level, this is something that is being considered, has legal merit, and may be enforceable. Your turn.

      --
      #fuckbeta #iamslashdot #dicemustdie
  2. Judges. by AG+the+other · · Score: 5, Insightful

    Some of them are teachable.

    --
    Non bene pro toto libertas venditur auro
  3. Yes, this does appear to be a federal court by slimjim8094 · · Score: 5, Informative

    Don't know why it wasn't in the writeup. This ruling was in the federal court for New York's East District, which I think (IANAL) means it is precedent there (but not necessarily elsewhere in the country)

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  4. Re:To be fair.... by MrEricSir · · Score: 5, Insightful

    And as for people who run unlocked wireless routers and let anybody in the neighborhood utilize their bandwidth, I have zero sympathy.

    Right, because we should expect 100% of the US population to understand network security and know how to properly secure a wifi router. Makes perfect sense!

    --
    There's no -1 for "I don't get it."
  5. Finally some common sense in the judiciary by Galestar · · Score: 5, Insightful

    Thank you Judge Gary Brown

    --
    AccountKiller
  6. Re:To be fair.... by CanHasDIY · · Score: 4, Insightful

    And as for people who run unlocked wireless routers and let anybody in the neighborhood utilize their bandwidth, I have zero sympathy.

    Right, because we should expect 100% of the US population to understand network security and know how to properly secure a wifi router. Makes perfect sense!

    Also, this.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  7. Re:To be fair.... by amicusNYCL · · Score: 5, Insightful

    It takes about 60 seconds to teach somebody to secure their wireless router. The only remotely time consuming part is getting them to believe that it's actually a smart idea.

    I think you've got those backwards.

    OK, listen, if you leave this unlocked then anyone who finds it can download anything. They can download child porn, illegal movies, terrorist documents, whatever, and it's all linked to you.

    Well that sounds bad, better lock it up.

    Right. OK, so the first thing you do is open your browser and go to one nine two dot one six ...

    Wait, what's a browser?

    Just double-click on the blue "E".

    Got it. OK, I type in one nine two ...

    Wait, not in the Bing search bar, you type it into the address field.

    What's the address field?

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  8. And WEP vulnerabilities by Sycraft-fu · · Score: 4, Insightful

    A lot of people still have WEP only routers. My parents are some of those people. They are not tech people, they bought a router back in the day when WEP was all you got. It still works so they won't get a new one.

    They aren't the only ones either. While I don't see a whole lot of APs from my house, of the ones I do see two are WPA1, two are WEP, none (except mine) are WPA2.

    And if we want to start to make it illegal to have bad security, well then we first need to start with door locks. Residential houses always have shitty locks. They are just regular ass locks from Home Depot that are vulnerable to bumping, ice picking, have no key control, and so on. You can get better locks no problem, they just cost a whole lot more so people don't bother.

    However if you want to say "You have to buy a new router any time the old ones are found to have security issues, otherwise you are liable for any breakins," then I think you also have ot say "You have to buy better locks, otherwise you are liable for any breakins."

  9. Where is IPv6 anti-NAT crowd now? by ugen · · Score: 3, Informative

    This is a great argument. Unfortunately, once we are all moved to IPv6, and with help of IPv6 zealots who are against NAT privacy protection "on a principle" - each device behind home router will receive its very own unique IP (perhaps more than one, if temporary IPs are used, but certainly unique address). Once that is in place, the argument no longer holds and we are back to square one.

    I certainly hope that Linux network stack crowd (because they are the ones whose product will be used, as is customary, in large chunk of wifi routers and other home network devices) will get something done before copyright holders wisen up, and poke Comcast/Cox cable/Verizon to roll out IPv6 to end users.

    1. Re:Where is IPv6 anti-NAT crowd now? by Just+Some+Guy · · Score: 4, Informative

      From Wikipedia:

      Privacy extensions for IPv6 have been defined to address these privacy concerns. When privacy extensions are enabled, the operating system generates ephemeral IP addresses by concatenating a randomly generated host identifier with the assigned network prefix. These ephemeral addresses, instead of trackable static IP addresses, are used to communicate with remote hosts. The use of ephemeral addresses makes it difficult to accurately track a user's Internet activity by scanning activity streams for a single IPv6 address.

      Privacy extensions are enabled by default in Windows, Mac OS X (since 10.7), and iOS since version 4.3. Some Linux distributions have enabled privacy extensions as well.

      People dislike NAT because it's a crappy idea whose best featured are better implemented in other ways. It's not because we're too dumb to understand the issues or too cavalier to care about them.

      I certainly hope that Linux network stack crowd (because they are the ones whose product will be used, as is customary, in large chunk of wifi routers and other home network devices) will get something done before copyright holders wisen up, and poke Comcast/Cox cable/Verizon to roll out IPv6 to end users.

      We did, about a decade ago.

      --
      Dewey, what part of this looks like authorities should be involved?
    2. Re:Where is IPv6 anti-NAT crowd now? by farble1670 · · Score: 3

      Once that is in place, the argument no longer holds and we are back to square one.

      if you are using the "wasn't me downloading that" defense as a loophole to allow you to get away with illegal activities, then sure, you are back to square one.

      on the other hand, if your goal is to ensure that people aren't incorrectly identified and persecuted for for crimes they did not commit, then it solves the problem perfectly.

  10. Not far enough by Charliemopps · · Score: 4, Insightful

    While agree with the Judge, it's not nearly going far enough. I used to work in a department that handled copyright infringement complaints for a large ISP. When the copyright owner makes a complaint, by law the ISP is required to take action. But there are multiple problems with the entire premise.

    1. The complaint comes in via an unverifiable email. The ISP has no idea who really sent it. As any ISP knows, spoofing an email is about the simplest thing for a teenage hacker to perform.
    2. Even if the ISP could verify the sender, they have no idea if the sender is really the content owner. In fact, the ISP has absolutely no way to find out who the content owner is. This is something, that by its very definition would need to be decided in a court of law.
    3. The ISP has no idea if the person sending the email is telling the truth in the least. Even if they are telling the truth they have no idea how competent their methods are. All they have is an email that says they "saw" the user download some content they own. They could have made it up, they could have terrible methods for detection. I believe there was one case where a university student managed to get DMCA notices sent to several campus printers IP addresses.
    4. And most importantly, the ISP KNOWS most of the complaints are total BS. I personally saw at least 25% of the complaints that came in were against IP addresses that didn't have customers on them... or belonged to network devices we owned.

    The entire premise that someone can connect to a torrent and then say that every IP address that their software tells them is connecting to that torrent is a pirate is asinine. There's a simple solution to your problem media industry... stop price gouging. Work WITH and not against netflix, pandora, and the like. Make it easier to pay you than it is to pirate... and the pirate community will die. Humans follow the path of least resistance. It's illegal to run red lights, but people still do it all the time, because it's easier than stopping. How do they really stop people from red lights? Take them out and put in a round-a-bout.

  11. Re:To be fair.... by amicusNYCL · · Score: 3, Insightful

    Thanks for helping to prove my point to the parent. A computer science degree and 20 years of experience isn't enough of a qualification to help teach someone how to secure their wireless router, you also need to be an insufferable douche. Not everyone can do it like you can. Those "regular people" out there don't have a chance.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black