EFF White Paper Hopes To Educate Cops On The Difference Between An IP Address And A Person

(Mis)Uses of Technology

from the but-are-they-willing-to-learn? dept

Judges have pointed out to copyright trolls on multiple occasions that an IP address is not a person. Trolls still labor under this convenient misconception because they have little else in the way of “proof” of someone’s alleged infringement.

Unfortunately, law enforcement agencies also seem to feel an IP address is a person — or at least a good indicator of where this person might be found. This assumption leads to blunders like ICE raiding a Tor exit node because it thought an IP address was some sort of unique identifier. After having IP addresses explained to it by the EFF, ICE returned the seized hard drives and promised to make the same mistake in the future.

In another case, the Seattle PD raided a Tor exit node in search of a person downloading child porn. It didn’t find the target it was looking for, but went ahead and demanded passwords so it could search files and logs at the unfortunate citizen’s home before realizing it had the wrong person.

The EFF is kind of sick of having to explain the difference between an IP address and a person to government entities. It has put together a white paper [PDF] that should be required reading anywhere government employees feel compelled to act on “evidence” as useless as IP addresses.

Law enforcement’s over-reliance on the technology is a product of police and courts not understanding the limitations of both IP addresses and the tools used to link the IP address with a person or a physical location. And the police too often compound that problem by relying on metaphors in warrant applications that liken IP addresses to physical addresses or license plates, signaling far more confidence in the information than it merits.

[…]

These ill-informed raids jeopardize public safety and violate individuals’ privacy rights. They also waste police time and resources chasing people who are innocent of the crimes being investigated.

By acting on this bogus assumption, law enforcement agencies are wasting time and money. Plus, they’re putting themselves in situations where innocent people could be killed over technical errors, seeing as warrant service these days usually involves militarized squads that value shock and awe tactics over minimizing collateral damage.

The white paper points out what should be obvious to anyone who considers themselves capable of solving “computer crimes:” an IP address is not only not a person, it’s not even a physical location.

First, the technology was never designed to uniquely identify an exact physical location, only an electronic destination on the Internet.

[…]

At a local level, similar IP addresses may be assigned based on geography, albeit only indirectly. ISPs make decisions to allocate blocks of IP addresses to particular locations for a variety of reasons, with the goal of creating a network that efficiently delivers Internet traffic. The result may be that locations near each other feature similar IP addresses, but that is more often the product of where the provider has physical links and routers to a network than geography. For example, if an ISP has a fiber-optic link between two distant cities, the IP addresses assigned to those cities may be similar because it creates a more efficient network. A third city near one of those towns geographically may not share the same connection and it would thus likely have completely different IP addresses assigned to it.

In addition, IP addresses only identify the block of devices assigned to it, not the people utilizing them. Even in cases where there’s only one resident at a physical address linked to an IP address, there’s still a chance law enforcement may be going after the wrong person. As the paper explains, the pool of IPV4 addresses has been used up. In areas where users haven’t been pushed to IPV6 addresses, IP addresses may be shared by more than one user (at more than one physical address) or reassigned to other users by service providers based on need and usage. As the paper states, IP addresses, unlike physical addresses, are not static.

The paper also points out that the use of bad analogies by law enforcement and courts has only made the misconceptions worse. Law enforcement agencies sometimes claim that IP addresses are every bit as unique as license plates. The metaphor fails because IP addresses can be shared or redistributed at private companies’ discretion unlike license plates, which are government-issued and must remain tied to a registrant.

In short, the best analogy for an IP address is an anonymous informant’s tip — something that’s basically hearsay until otherwise confirmed.

In a line of Supreme Court cases dealing with reliability and corroboration problems that arise whenever third parties provide tips to law enforcement, the court has made clear that police must do more to confirm the tips provided by anonymous informants before seeking a warrant or other process…

The question is: will law enforcement care enough about potential collateral damage to educate themselves on the problems of treating IP addresses as people… or will they decide that a combination of forgiveness (good faith exception, etc.) and easily-obtained immunity is preferable to gathering corroborating evidence and acting more cautiously?

Filed Under: crime, ip address, law enforcement, privacy

Two Judges Punch Holes In Copyright Trolls' Claims That An IP Address Is The Same Thing As A Person

Copyright

from the weak-arguments-getting-even-weaker dept

Fight Copyright Trolls has tracked down two more court decisions that reach an obvious conclusion: an IP address is not a person. In both cases, the normal trolling tactics were used: legal threats against alleged infringers, based on nothing more than IP addresses. In the first case, New Jersey Judge Kevin McNulty disagreed with Malibu Media’s request for default judgment, pointing out that the limited info it was working with could not rule out a successful defense being raised by the accused infringer.

As Raul of FCT puts it, it is simply not enough for Malibu Media to obtain an IP address and then bring a claim against any household member with a penis. The judge writes [PDF]:

[…] the Defendant’s connection to the alleged infringement is based solely on an IP address. The IP address here, as the Plaintiff concedes, is actually held by the Defendant’s spouse. (Compl. ¶ 25) In the Amended Complaint, Malibu Media is not certain that the infringer is Defendant, but rather pleads “discovery will likely show that Defendant is the infringer.” (Id. ¶ 27) In fact, the infringer could be another person altogether, such as a family member or, as Malibu Media itself concedes, “sometimes, the infringer is another person who the subscriber has authorized to use the subscriber’s Internet.” (Id. ¶ 28) Or, it could be that the infringer is someone using the subscriber’s Internet via a wireless router that is not password protected. While it is possible that the infringer is Defendant, Malibu Media has not proved that Fodge actually caused or is responsible for the alleged infringement.

Beyond that, the court has issues with the copyright claims in general. While Malibu Media claimed 23 titles were infringed by Fodge, the court points out that only 16 of them were registered before the alleged infringement. An unregistered copyright is not fatal to infringement claims, but it does limit the plaintiff’s claims to actual damages. It also undercuts Malibu’s infringement assertions, as it is much more difficult to prove ownership without a registration.

The second order [PDF], issued by Oregon Magistrate Judge Stacie Beckerman contains something a bit more unexpected.

What is surprising (and I believe unprecedented) is that the judge sua sponte dismissed Count 1 of direct copyright infringement. Many defense attorneys have tried in the past to knock out direct infringement claims and they have never, to my knowledge, been successful. This is because the claim has to merely be plausible which a very, very low threshold. I think this is the first time that a federal judge took it upon herself to examine such a claim, find it not plausible and dismiss it without prejudice.

The dismissal is prompted by the usual troll reliance on IP addresses being treated as people. Judge Beckerman doesn’t see it that way:

The only facts Plaintiff pleads in support of its allegation that Gonzales is the infringer, is that he is the subscriber of the IP address used to download or distribute the movie, and that he was sent notices of infringing activity to which he did not respond. That is not enough. Plaintiff has not alleged any specific facts tying Gonzales to the infringing conduct. While it is possible that the subscriber is also the person who downloaded the movie, it is also possible that a family member, a resident of the household, or an unknown person engaged in the infringing conduct.

What Cobbler Nevada, LLC was trying to do was raise weak allegations first, then work its way backward to establishing Gonzales as being the actual infringing party. The judge notes that this tactic runs afoul of legal precedent.

Twombly and Iqbal do not allow Plaintiff to guess at who is liable, and attempt to confirm liability through discovery. “Plausible” does not mean certain, but it does mean “likely,” and Plaintiff has not pled sufficient facts to support its allegation that Gonzales is the likely infringer here.

In fact, as Raul notes in the FCT post, the odds of Gonzales being the infringer are much lower than in other infringement cases — something Cobbler Nevada knew when pursuing this lawsuit. Footnote 4 of the order makes it clear that the copyright troll knew it had a long list of potential infringers on its hand, but simply chose to go after the name linked to the IP address.

Plaintiff’s counsel acknowledged at oral argument that the IP address linked to the infringing conduct serves an adult foster care home operated by Gonzales. Any resident or guest of that home could be the infringer.

It’s one thing if a troll simply shrugs and hopes the court will let it connect the dots between the IP address it obtained and the person it’s registered to. It’s quite another when a single IP address is host to multiple possible infringers, but the plaintiff chooses instead to focus on the person paying for the connection — or, if they lack a penis — the closest household member in possession of one.

The court also dismisses with prejudice Cobbler Nevada’s indirect infringement claim, logically pointing out that it takes far more to prove this than simply pointing out that the alleged infringer failed to kick everyone else off the network.

Both of these decisions are useful additions to the casework against copyright trolls’ awful business model. Hopefully these will result in more swift dismissals of “an IP address is a person” lawsuits while discouraging further adventures in speculative invoicing.

Filed Under: copyright, copyright trolling, ip address, kevin mcnulty, stacie beckerman
Companies: malibu media

Judge In Playpen Case: FBI's Warrant Is Valid, Even If Its Claims About No Privacy In IP Addresses Are Not

Legal Issues

from the a-net-win-for-the-feds dept

Another court handling an FBI Playpen case has handed down its decision on a motion to suppress. Like other courts fielding prosecutions resulting from this massive investigation, it has found [PDF] that the FBI’s NIT (Network Investigative Technique) is invasive enough to be called a “search.” (via FourthAmendment.com)

The FBI must have felt its NIT deployment would be considered a search. That’s why it obtained a warrant in the first place. But it’s been frantically peddling “not a search” theories as court after court has declared its warrant invalid because the searches were performed outside of the issuing magistrate’s jurisdiction.

In this case, the issue of whether or not the NIT deployment was a search has not been disputed by either party. The court addresses it anyway because it affects the reasoning that follows.

Before reaching the merits of Defendant’s motions, it will be useful to address a preliminary question unaddressed by the parties: Was the deployment of the NIT a “search” of Defendant’s computer within the meaning of the Fourth Amendment? If the use of the NIT was not a search, the Fourth Amendment was not implicated, no warrant was required, and any violation of Rule 41(b) irrelevant.

Rule 41(b), which may be drastically altered by the end of this year, restricts searches to the jurisdiction where the warrants were issued. The FBI is well aware of the deficiencies of its NIT warrant, which is why it presented this legal theory to court in response to an earlier motion.

The government in its response to Defendant’s First Motion to Suppress never argues that no warrant was required because deployment of the NIT was not a Fourth Amendment search. See Gov’t’s Resp. to First Mot. at 15-38. In failing to raise this argument when it would have been appropriate, the government has likely waived it. The government does, in justifying the scope of the warrant, argue that Defendant had no reasonable expectation of privacy in his IP address, even though he was using the Tor network.

The court blows past the “no expectation of privacy in IP addresses” for the moment, instead focusing on the execution of the FBI’s NIT.

The “contents” of a computer are nothing but its code. In placing code on Defendant’s computer, the government literally—one writes code—invaded the contents of the computer. Additionally, the code placed on Defendant’s computer caused Defendant’s computer to transmit certain information without the authority or knowledge of Defendant. In this manner the government seized the contents of Defendant’s computer. Just as in Riley, it is irrelevant that Defendant might not have a reasonable expectation of privacy in some of the information searched and seized by the government. The government’s deployment of the NIT was a Fourth Amendment search.

This key element having been decided, the court moves on to the warrant itself, as well as the government’s contention that an IP address has no expectation of privacy. As to the latter, the court points out that the government obtained much more than just an IP address with its NIT and that it used an intrusive means to do so. The court ultimately agrees with the assertion about the lack of privacy in IP addresses, but does not agree that obtaining an IP address in this fashion can be considered harmless under the Fourth Amendment. Hence the nod to the Supreme Court’s Riley decision. While many records contained on a phone may be subject the Third Party Doctrine and obtained without a warrant, they must be obtained from the third parties, rather than from the phone itself. Replace “phone” with “computer,” and information with no built-in expectation of privacy gains a privacy shield due to where these “records” are stored.

The defendant’s second motion to suppress brings up the Rule 41(b) issue. But it fails, spectacularly, because of the defendant’s location.

Defendant argues that Rule 41(b) only allows magistrate judges to issue warrants for searches outside of their districts in limited, well-defined circumstances, none of which apply to the facts of the instant case. Second Mot. at 6-11. Of course, Defendant acknowledges that the website was being run from within the Eastern District of Virginia, that the magistrate judge sits in the Eastern District of Virginia, and that Defendant’s computer was located in the Eastern District of Virginia when the NIT was deployed.

The legal theory advanced by the defense is that the warrant is still invalid, even when deployed in its proper jurisdiction, because it permitted the FBI to search an untold number of computers located all over the country. The court doesn’t buy this rationale. In fact, it states it would have denied suppression even if the warrant had failed to hold up because the FBI took every step it could to ensure the legitimacy of its search.

The FBI agents in this case did the right thing. They gathered evidence over an extended period and filed a detailed affidavit with a federal magistrate in support of their search warrant application. They filed the warrant application in the federal district that had the closest connection to the search to be executed. The information gathered by the warrant was limited: primarily the IP addresses of those that accessed Playpen and additional information that would aid in identifying what computer accessed the site and what individual used that computer.

The judge doesn’t let the FBI off the hook entirely. It also addresses the FBI’s last-minute argument that the defendant shouldn’t even have been allowed to challenge the warrant.

The government also argues that Defendant does not have standing to challenge the warrant because the alleged defect in the warrant, that it exceeded the magistrate’s jurisdiction, does not apply to him because his computer was in the Eastern District. This seems to be a novel interpretation of standing law in Fourth Amendment cases. The standing inquiry in Fourth Amendment cases asks if the individual seeking suppression had a reasonable expectation of privacy in the thing searched. See Rakas v. Illinois. 439 U.S. 128, 133-34 (1978). Defendant’s computer was searched, and he has a reasonable expectation of privacy in his computer.

The Playpen saga is a complete mess. There’s nothing in this mixed bag of decisions that tips the scale in either direction. For every win about the lack of privacy in IP addresses the FBI secures, it loses another one to the invasive method it used to obtain these addresses. Every time a court grants its credit for “good faith,” multiple courts countered with opinions finding the warrants invalid from the moment they were signed by a magistrate.

About the only “win” the FBI can definitively claim is that its NIT secrets are still mostly secret. And in order to achieve that, it had to watch its evidence be dismissed by a judge who actually believed the FBI had legitimate reasons for refusing to disclose this info.

And yet, it’s unlikely that this will result in the FBI examining its investigation methods. As of right now, it has less than six months before the proposed Rule 41(b) changes are adopted by Congress. And there’s a good chance they will be because Congress has to have the will and determination to “opt out” while distracted by an extended holiday season of shorter work weeks, the annual budget process, reelection campaigns, and a change in regimes.

Filed Under: doj, fbi, ip address, nit, playpen, privacy, warrant

Law Enforcement Raids Another Tor Exit Node Because It Still Believes An IP Address Is A Person

(Mis)Uses of Technology

from the TASE-THAT-ROUTER dept

An IP address is not a person, even less so if said IP address traces back to a Tor exit relay. But that’s not going to stop the “authorities” from subjecting people with no knowledge at all of alleged criminal activity from being subjected to raids and searches.

It happened in Austria. Local police seized a bunch of computer equipment from a residence hosting a Tor exit node. ICE — boldly moving forward with nothing more than an IP address — seized six hard drives from Nolan King, who was also running a Tor exit relay.

Those more familiar with Tor suggested ICE’s “upon information and belief” affidavit statements should probably include at least a little “information” and recommended law enforcement check publicly-available lists of Tor exit nodes before conducting raids based on IP addresses. ICE, however, vowed to keep making this same mistake, no matter what information was brought to its attention.

ICE wasn’t involved in the latest raid predicated on nothing more than an IP address — at least not directly. This search/seizure was performed by Seattle PD conducting a child porn investigation. Sure enough, investigators had traced the activity back to an IP address, which was all the probable cause it needed to show up at privacy activist David Robinson’s home at 6 a.m. and demand access to his computers.

“They were there because I run a Tor exit relay,” he says. Tor (which stands for The Onion Router) is a system that allows people to surf the Internet anonymously. It’s sometimes referred to as the “dark Web,” and it relies on Internet connections provided by volunteers like Robinson.

Robinson said the Seattle PD “should have known” he couldn’t “see” the traffic passing through his node and that relay was little more than a “post office:” something anyone can use, even criminals, to send and receive information.

Considering he’s depicted as a “prominent privacy activist,” Robinson “should have known” a few things himself. This is not the correct response to a 6 a.m. visit by misguided police officers.

[W]hen Seattle police showed up at David Robinson’s home shortly after 6 a.m. last Wednesday, he figured he had little choice but to let them in and hand over all his computer passwords.

That’s no way to handle the police. Of course, they did present Robinson with a bad/worse proposition.

Instead of impounding all of Robinson’s computers, which the warrant would have allowed, they offered to search them on the premises as long as he consented to turning over his passwords. He did, and they let him keep his machines after they scanned them.

On-site imaging: now a thing thanks to extremely cheap, portable storage. Still, that’s not much comfort to Robinson, who no longer trusts his computers.

Given his early morning wake-up call last week and the fact that he may now have to get rid of his computers because he can’t be sure what the police did to them while he was being questioned outside his apartment, Robinson says he may have to reassess whether it’s practical for him to [continue running Tor relays].

It would be a lot more practical if law enforcement didn’t assume “IP address” = “smoking gun.” It also would help if people — including politicians — didn’t assume just because something’s not visible, it must be criminal. As has been pointed out before, Tor Project publishes a list of publicly-available exit relays and anyone can access that list — even law enforcement. Courts have declared, on multiple occasions, that an IP address is not a person. I guess those logical conclusions have yet to trickle down to law enforcement level.

Filed Under: ice, ip address, nolan king, tor

UK Government Brings In Yet More Counter-Terrorism Measures — Including Internal Exile

(Mis)Uses of Technology

from the time-for-another-solzhenitsyn dept

The UK has the sad distinction of leading the way in the West when it comes to playing up the terrorism threat to justify the introduction of disproportionate surveillance laws. One of the favorite rhetorical tricks employed here is to invoke the “capabilities gap”: this refers to the fact that the security services are unable to capture all communications in the same way they once could. But it’s a misleading comparison.

It’s true that it was easier to spy on the public’s communications in the past; the percentage of traffic that can be tracked today may be lower, but the overall quantity of information available to the police and security forces is vastly greater, simply because the range of digital communications is so wide, and their use in everyday life so pervasive. This means that it is quite unnecessary to put in place even more intrusive monitoring in order to gain equivalent amounts of relevant information. However, the UK’s Home Secretary, Theresa May, didn’t let a little thing like the facts get in the way when she introduced yet another counter-terrorist bill earlier this week:

That might seem a curious thing to introduce, since UK ISPs are already required to store metadata. A useful post from the Open Rights Group (ORG) explains this is all about the rise of mobile Internet use:

It is for this reason that the port number for each connection must also be stored under the new proposals. But as ORG goes on to point out, it would be far better if mobile phone companies were encouraged to upgrade their systems to IPv6, which has such an abundance of addresses that this kind of quick fix would be unnecessary. Even then, such addresses would only identify a device, not who was using it at any given time.

Similarly, ORG also notes that this blanket retention could fall foul of a recent ruling by the European Union’s Court of Justice that data retention must be “limited to what is strictly necessary. Indeed, because all IP addresses and port numbers are retained, the fear has to be that sooner or later they will be used in an attempt to identify those accused of copyright infringement — as in Australia.

However, it seems unlikely that the UK government will worry about these kind of details given that the new counter-terrorism and security bill includes even more troubling provisions, such as the following:

Yes, you read that correctly: the new bill will introduce internal exile for the UK. The parallels between the UK and Soviet Russia become more painfully apparent by the day.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: exile, ip address, law enforcement, surveillance, theresa may, uk government

Court Dismisses Copyright Lawsuit, Noting IP Address Is Not Enough Evidence For Infringement

Copyright

from the nice-to-see dept

A few courts have noted similar things, but Fight Copyright Trolls and TorrentFreak both recently covered an interesting district court ruling out of Seattle, where Judge Robert Lansik noted that the producers of the movie Elf Man failed to state a claim for relief, since the only evidence they had was an IP address — which wasn’t enough to actually implicate any particular person in copyright infringement.

Plaintiff’s complaint does not raise a plausible inference that any of the named defendants are liable for direct, contributory, or indirect copyright infringement. In the fact sections of the complaint, plaintiff carefully refrains from alleging that the owners of the IP address – i.e., the named defendants – are the ones who utilized the internet access to download the copyrighted material. Rather, plaintiff alleges that the IP address assigned to each defendant “was observed infringing Plaintiff’s motion picture” … and that each named defendant either (a) downloaded the BitTorrent “client” application and used it to download and share the copyrighted material or (b) permitted, facilitated, or promoted the use of their internet connections by others to download and share the copyrighted material …. Pursuant to plaintiff’s allegations, a particular defendant may have directly and intentionally stolen plaintiff’s copyrighted material, or she may simply have “facilitated” unauthorized copying by purchasing an internet connection which an unidentified third party utilized to download “Elf-Man.” Plaintiff provides no factual allegations that make one scenario more likely than the other: both are merely possible given the alternative allegations of the complaint.

[….] The critical defect in this case is not the alternative pleading of claims of direct, contributory, and indirect infringement. Rather, the problem arises from the alternative pleading of the facts that are supposed to support those claims. The effect of the two “or” conjunctions means that plaintiff has actually alleged no more than that the named defendants purchased internet access and failed to ensure that others did not use that access to download copyrighted material.

Of course, we’ve seen plenty of copyright holders directly allege that failure of a internet account holder to stop infringement is somehow a violation of the law itself, but that’s not what the law says at all. Here, the judge is correctly noting that make a huge inference from just the IP address to having enough for a lawsuit makes the plaintiff’s claim not enough to move forward. This is only a district court ruling, but as a few other courts have made some similar claims, perhaps it can be useful in pushing back on standard copyright trolling, as courts become less willing to entertain fishing expeditions by trolls.

Filed Under: copyright, infringement, ip address

Unfortunate Ruling Says Changing Your IP Address Can Be 'Unauthorized Access' To A Public Website

(Mis)Uses of Technology

from the really-now? dept

We’ve covered for a while why we think Craigslist made a mistake in suing 3taps and Padmapper over scraping of Craigslist data. Of particular concern were the very bad legal precedents this may set, which tend to be completely contrary to Craig Newmark’s own stance on internet freedom (of which he’s been a strong supporter). Indeed, the legal arguments made by Craigslist are insulting to those who believe in internet freedom and really put Craigslist in a poor light. 3taps and Padmapper were driving more traffic to Craigslist and enhancing the service — something that lots of sites on the internet do all the time. And yet they’re facing very harsh penalties.

While an initial court ruling found that some of Craigslist’s wackier theories didn’t apply (e.g. violating the terms of service isn’t a CFAA violation and the copyright claims concerning Craigslist posts failed), the latest ruling, unfortunately, finds that the combination of a cease-and-desist letter and merely changing your IP address creates unauthorized access to a public website. That’s troubling on a variety of levels, mostly because changing an IP address isn’t any form of “hacking.” It’s incredibly easy to do, and in many cases happens automatically without any input from users, if they have a dynamic IP address.

The EFF points out how dangerous a ruling this is:

Changing your IP address is simply not hacking. That’s because masking your IP address is an easy, common thing to do. And there’s plenty of legitimate reasons to do so, whether its to protect your privacy, preserve innovation or avoid price discrimination….

There’s a serious potential for mischief that is encouraged by this decision, as companies could arbitrarily decide whose authorization to “revoke” and need only write a letter and block an IP address to invoke the power of a felony criminal statute in what is, at best, a civil business dispute.

Similarly, Orin Kerr, who tends to be more sympathetic about these kinds of cases, finds the use of a mere IP address change to be quite problematic:

Judge Breyer sees IP blocking as sufficient. But it’s unfortunate that Breyer doesn’t give the issue more analysis, as I think it’s a really interesting question. The counterargument runs like this. IP addresses are very easily changed, and most people use the Internet from different IP addresses every day. As a result, attempting to block someone based on an IP address doesn’t “block” them except in a very temporary sense. It pauses them for a few seconds more than actually blocks them. It’s a technological barrier in the very short term but not in the long term. Is that enough to constitute a technological barrer?

Judge Breyer’s opinion appears to mix up two different aspects of the CFAA. The first aspect is the prohibition on unauthorized access, and the second is its associated mental state element of intent. The CFAA only prohibits intentional unauthorized access; merely knowingly or recklessly accessing without authorization is not prohibited. So whatever unauthorized access means, the person must be guilty of doing that thing (the act of unauthorized access) intentionally to trigger the statute. Breyer seems to mix up those elements by focusing heavily on the fact that 3taps knew that Craigslist didn’t want 3taps to access its site. According to Judge Breyer, the clear notice meant that the case before him didn’t raise all the notice and vagueness issues that prompted the Ninth Circuit’s decision in Nosal.

I think this analysis is somewhat misdirected. In my view, the fact that 3taps was on notice that Craiglist did not want them to access the Craigslist website is only relevant to show intent. From that perspective, Judge Breyer should have been clearer that the cease-and-desist letter couldn’t make visiting the website an “unauthorized access.” The letter is just a written statement of the owner’s wishes as to who can visit the site, just like Terms of Service. In my view, whether the facts of the 3taps case amount to an unauthorized access hinges on the circumvention of IP blocking. If so, then the cease-and-desist letter shows that the act of unauthorized access was intentional; if not, then the letter does not have any relevance to the CFAA.

That’s really the key point here. The cease and desist is no different than the terms of service — and yet it’s already been stated that violating the terms isn’t a CFAA violation. So the real issue here is the changing of an IP address. And the idea that a mere changing of an IP address opens you up to criminal liability is insane. This is a horrible precedent and one that Craigslist and Craig Newmark should be ashamed of, having brought it into this world for no good reason.

Filed Under: cfaa, changing ip, hacking, ip address, unauthorized access
Companies: 3taps, craigslist, padmapper

Comcast Confirms That Steele-Hansmeier Controlled IP Address Used To Seed Content

Failures

from the but-of-course dept

We already covered the filing from Blair Chintella highlighting the audio evidence that John Steele had impersonated both Alan Cooper and Mark Lutz, but there was a second bit of evidence in there that’s just as damning. It appears that a subpoena sent to Comcast has more or less totally confirmed that it was John Steele or an associate who uploaded the films. Delvan Neville’s evidence on this point was pretty convincing, with the one piece lacking being who actually had control over the key IP address that was involved in the activities.

Even though there was clear evidence that John Steele controlled that IP, one of the exhibits is Comcast confirming that 75.72.88.156 was in fact assigned to Steele Hansmeier PLLC, the former law firm of John Steele and Paul Hansmeier. Now, the few remaining defenders of Steele and Hansmeier may try to claim that we have noted that an IP address alone proves little, but this is not the IP address alone. There is so much more evidence around that, and the concerns about an “IP address alone” tend to be with it identifying the wrong random person. The chance that someone uploaded these films before anyone else had and somehow magically known to spoof the very IP address of the law firm that would then begin the copyright trolling process around those films is so close to zero that it’s zero. The evidence at this point is indisputable: John Steele or someone working with him uploaded the films. And, now there’s evidence that he flat out pretended to be Alan Cooper and Mark Lutz. People who know John Steele’s voice have confirmed that it is him. Steele, Hansmeier and Duffy’s angry denials about all of this keep looking worse and worse.

Meanwhile, Nazaire has wasted little time in responding to all of this by… well… ignoring nearly all of the evidence above. At least this time he, or someone else, figured out how to change the metadata on the PDF to actually say “Jacques Nazaire” instead of “Paul Duffy” (which suggested the filings were actually written by Duffy, who is not admitted on this particular case — and whom Nazaire has pretended to distance himself from). However, they haven’t quite figured out the metadata stuff completely. Andrew Norton points out that the metadata still points to the same weird Chinese language PDF producer that Duffy has used, rather than the iT3XT that Nazaire had been using. Oops.

The rest of Nazaire’s response is pretty funny as well. The crux of Chintella’s argument against Nazaire was that he violated the rules with his request to stop the discovery by failing to have the required “meet and confer.” Nazaire argues that his brief emails with demands should suffice because an actual phone call would be taped and played on the internet, where he might be further embarrassed:

It has been alleged that a good faith effort has not been made to meet and confer. The facts however demonstrate that, on August 3 and August 4, a good faith effort was made to have the excess discovery demands in this case withdrawn. Because of the unnecessary publicity garnished by press releases in this case (See Exhibit A), it is difficult for plaintiff’s attorney to call to discuss confidential and privileged matters regarding this case. The telephone and live conversations will more than likely be taped and played on the internet. The confidential matters discussed via email will more than likely be posted as a publicity campaign on the internet. Given the environment that has been created, the plaintiff has made the best effort possible to confer regarding discovery. Plaintiff has not issued any press releases or tweets regarding this matter

I’ll leave it to the lawyers out there to discuss what an absolutely, stupendously ridiculous claim that is to make. Either way, we’ll see what the judge makes of all of this, but the evidence is piling up against Team Prenda, and the hilarious attempts to tap dance out of it keep getting more and more ridiculous.

Filed Under: alan cooper, blair chintella, evidence, ip address, jacques nazaire, john steele, mark lutz, paul duffy, paul hansmeier
Companies: af holdings, prenda, prenda law

IP Address Snapshots Not Sufficient Evidence To File Infringement Suit; Prenda Lawyer Faces Sanctions

Copyright

from the copyright-trolling-smackdown dept

It looks as if Judge Otis Wright is about done humoring Brett Gibbs and Prenda Law/AF Holdings/Ingenuity 13 LLC’s continued legal asshattery. In a lengthy order that reads more like a smackdown, Wright attacks Gibb’s abuse of the legal system and thoroughly dismantles his so-called “business model.”

First, Wright takes on the evidence Prenda Law presents, consisting of a “snapshot” of possible infringement in progress. He points out that a time-coded screenshot hardly makes the case that actual infringement occurred.

This snapshot allegedly shows that the Defendants were downloading the copyrighted work—at least at that moment in time. But downloading a large file like a video takes time; and depending on a user’s Internet-connection speed, it may take a long time. In fact, it may take so long that the user may have terminated the download. The user may have also terminated the download for other reasons. To allege copyright infringement based on an IP snapshot is akin to alleging theft based on a single surveillance camera shot: a photo of a child reaching for candy from a display does not automatically mean he stole it. No Court would allow a lawsuit to be filed based on that amount of evidence…

And as part of its prima facie copyright claim, Plaintiff must show that Defendants copied the copyrighted work. Feist Publ’ns, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 361 (1991). If a download was not completed, Plaintiff’s lawsuit may be deemed frivolous. In this case, Plaintiff’s reliance on snapshot evidence to establish its copyright infringement claims is misplaced. A reasonable investigation should include evidence showing that Defendants downloaded the entire copyrighted work—or at least a usable portion of a copyrighted work. Plaintiff has none of this—no evidence that Defendants completed their download, and no evidence that what they downloaded is a substantially similar copy of the copyrighted work. Thus, Plaintiff’s attorney violated Rule 11(b)(3) for filing a pleading that lacks factual foundation.

TorrentLawyer summarizes Wright’s opening salvo as laying down two rules via case law, ones that will adversely affect copyright trolling in California, and which could affect proceedings elsewhere:

RULE 1. IN ORDER TO SUE A DEFENDANT FOR COPYRIGHT INFRINGEMENT, YOU MUST PROVE THAT THE DEFENDANT DOWNLOADED THE ENTIRE COPYRIGHTED VIDEO.

RULE 2. A “SNAPSHOT OBSERVATION” OF AN IP ADDRESS ENGAGED IN DOWNLOADING AT THAT MOMENT IS INSUFFICIENT PROOF OF COPYRIGHT INFRINGEMENT

This sort of lawsuit has almost always relied on little more than a snapshot and an IP address as “evidence,” the latter of which has been shot down by multiple courts for its inability to correctly identify alleged infringers. Now, Wright is throwing out Gibb’s precious bundle of snapshots as well.

Wright tackles the IP address issue next, under a heading titled “Lack of reasonable investigation of actual infringer’s identity.” He points to earlier explanations by the plaintiffs as to how they arrived at the identity of the alleged infringer and picks apart their “methodology.” Here’s Ingenuity 13 LLC’s explanation of their deductive process.

Though the subscriber, David Wagar, remained silent, Plaintiff’s investigation of his household established that Benjamin Wagar was the likely infringer of Plaintiff’s copyright. As such, Plaintiff mailed its Amended Complaint to the Court naming Benjamin Wagar as the Defendant in this action. (ECF No. 14, at 2.)…

In cases where the subscriber remains silent, Plaintiff conducts investigations to determine the likelihood that the subscriber, or someone in his or her household, was the actual infringer. . . . For example, if the subscriber is 75 years old, or the subscriber is female, it is statistically quite unlikely that the subscriber was the infringer. In such cases, Plaintiff performs an investigation into the subscriber’s household to determine if there is a likely infringer of Plaintiff’s copyright. . . . Plaintiff bases its choices regarding whom to name as the infringer on factual analysis. (ECF No. 15, at 24.)

“Factual analysis?” Really? Wright calls it for what it is.

The Court interprets this to mean: if the subscriber is 75 years old or female, then Plaintiff looks to see if there is a pubescent male in the house; and if so, he is named as the defendant. Plaintiff’s “factual analysis” cannot be characterized as anything more than a hunch.

Wright gives Ingenuity 13 LLC several suggestions on how to narrow this list of suspects down, including “wardriving” to check whether the WiFi connection in question is open, whether several downloads have occurred at the same IP address, or just a good old-fashioned stakeout.

Such an investigation may not be perfect, but it narrows down the possible infringers and is better than the Plaintiff’s current investigation, which the Court finds involves nothing more than blindly picking a male resident from a subscriber’s home.

This sentence is damning enough, but the followup is the killer:

But this type of investigation requires time and effort, something that would destroy Plaintiff’s business model.

Wright notes the difference between criminal and civil suits that rely on IP addresses for identification. In criminal proceedings, the court usually can rely on the fact that an actual investigation has taken place prior to the charges being brought. In a civil case, the court has no such guarantee, but that doesn’t mean the judicial system has to entertain these claims.

[W]hen viewed with a court’s duty to serve the public interest, a plaintiff cannot be given free rein to sue anyone they wish—the plaintiff has to actually show facts supporting its allegations.

Back to TorrentLawyer with another addition to California federal court case law and another blow to trolling-as-business-model.

RULE 3. BEFORE SUING A DEFENDANT FOR COPYRIGHT INFRINGEMENT, YOU MUST DO A “REASONABLE INVESTIGATION” TO DETERMINE THAT IT WAS THE NAMED DEFENDANT WHO DID THE DOWNLOAD, AND NOT SOMEONE ELSE WITH ACCESS TO HIS INTERNET CONNECTION.

All in all, this smackdown is going to make copyright trolling in California a rather unprofitable venture. Expect to see some venue-shifting in the future. Unfortunately for Ingenuity 13 LLC, it’s already entrenched in a losing battle, and it’s going to get even worse. Wright also had some choice words for Brett Gibbs’ misconduct. Two allegations stem from his failure to comply with the Court’s orders to cease discovery. Gibbs first told the court the plaintiffs had not obtained any information about the subscribers in question, before later regaling the court with tales of its efforts to obtain the forbidden information when responding to Orders to Show Cause.

The third allegation is more serious, alleging fraud on the court. This circles back to the mysterious “Alan Cooper.”

Upon review of papers filed by attorney Morgan E. Pietz, the Court perceives that Plaintiff may have defrauded the Court. (ECF No. 23.) At the center of this issue is the identity of a person named Alan Cooper and the validity of the underlying copyright assignments. If it is true that Alan Cooper’s identity was misappropriated and the underlying copyright assignments were improperly executed using his identity, then Plaintiff faces a few problems.

First, with an invalid assignment, Plaintiff has no standing in these cases. Second, by bringing these cases, Plaintiff’s conduct can be considered vexatious, as these cases were filed for a facially improper purpose. And third, the Court will not idle while Plaintiff defrauds this institution.

Wright then orders Gibbs to show cause why he should not be sanctioned for this misconduct, while declining to extend the sanctions to AF Holding and Ingenuity LLC — based on Gibbs’ “fiduciary interest” in the plaintiffs and the likelihood that the plaintiffs are “devoid of assets.”

Wright gets in a little dig at the still-nonexistent Alan Cooper:

If Mr. Gibbs or Mr. Pietz so desire, they each may file by February 19, 2013, a brief discussing this matter. The Court will also welcome the appearance of Alan Cooper—to either confirm or refute the fraud allegations.

Things were already looking pretty grim for Brett Gibbs, but the worst may still be on the very near horizon:

Based on the evidence presented at the March 11, 2013 hearing, the Court will consider whether sanctions are appropriate, and if so, determine the proper punishment. This may include a monetary fine, incarceration, or other sanctions sufficient to deter future misconduct. Failure by Mr. Gibbs to appear will result in the automatic imposition of sanctions along with the immediate issuance of a bench warrant for contempt.

What started out for Gibbs and co. as a route to easy money has morphed into possible jail time and a complete undermining of the “business model” Prenda Law, AF Holdings and Ingenuity 13 LLC hoped would make them, if not actual millionaires, at least slightly richer. And so another chapter of the Gibbs/AF Holdings/Prenda Law saga concludes, leaving us with the sort of cliffhanger that only those whose names haven’t been listed above will enjoy seeing played to its conclusion.

Filed Under: brett gibbs, copyright, evidence, hunches, ip address, prenda, snapshot, subscribers
Companies: af holdings, prenda law

Verizon, Once Again, Fights For Consumer Privacy Against Copyright Shakedown Attempts

Privacy

from the good-for-them dept

The internet sometimes has a short memory. While Verizon is often (quite accurately) seen as a big company that does some ridiculous things, one issue that the company has been good about for many years is fighting against overly aggressive attempts by copyright holders to identify IP address holders. A decade ago, Verizon was the key player in pushing back on the RIAA’s attempts to identify people it accused of file sharing without filing a lawsuit. If you don’t recall, the RIAA used a rather unique (i.e. totally bogus) interpretation of the DMCA to mean that it could issue subpoenas to ISPs to identify users based on an IP address without first filing a lawsuit. Verizon fought this claim (pretty strongly) and argued for its users’ privacy rights, and eventually the court sided with Verizon. In fact, this fight was a large part of the reason that the RIAA started actually suing users, because it meant that it had to sue first in order to identify.

Thus, it’s not entirely surprising — but still nice — to find out that Verizon is, once again, fighting to protect its users’ privacy. Last fall, we wrote about the unfortunate decision by publisher John Wiley & Sons to follow the trail led by copyright trolls, and start suing groups of people accused of sharing Wiley’s infamous “For Dummies” books via BitTorrent. Similar to copyright trolls, Wiley lumped together a bunch of IP addresses into a single lawsuit — though, it didn’t go quite as far as some trolling operations.

Even so, Verizon is going to court to fight back against the subpoenas for user information. It has a few procedural objections, and also noted (as many courts have found) that lumping together many people in the same lawsuit is improper joinder. But the key issues are privacy ones. Verizon objected that the identifying information isn’t really designed to get “relevant” information for a lawsuit, but rather to send a settlement letter (like most copyright trolling operations). Furthermore, Verizon takes it up a notch by claiming that disclosing such information may violate “rights of privacy and protections guaranteed by the First Amendment.”

Apparently, there will be a discussion with the court concerning these objections soon, but in the mean time, it’s good to see Verizon, once again, defending some privacy rights for its users.

Filed Under: copyright troll, dmca, ip address, settlement letter, subpoenas
Companies: john wiley & sons, riaa, verizon