NY Judge Rules IP Addresses Insufficient To Identify Pirates 268
milbournosphere writes "New York Judge Gary Brown has found that IP addresses don't provide enough evidence to identify pirates, and wrote an extensive argument explaining his reasoning. A quote from the judge's order: 'While a decade ago, home wireless networks were nearly non-existent, 61% of U.S. homes now have wireless access. As a result, a single IP address usually supports multiple computer devices – which unlike traditional telephones can be operated simultaneously by different individuals. Different family members, or even visitors, could have performed the alleged downloads. Unless the wireless router has been appropriately secured (and in some cases, even if it has been secured), neighbors or passersby could access the Internet using the IP address assigned to a particular subscriber and download the plaintiff's film.' Perhaps this will help to stem the tide of frivolous mass lawsuits being brought by the RIAA and other rights-holders where IP addresses are the bulk of the 'evidence' suggested."
Judges. (Score:5, Insightful)
Some of them are teachable.
Re:To be fair.... (Score:5, Insightful)
Right, because we should expect 100% of the US population to understand network security and know how to properly secure a wifi router. Makes perfect sense!
Finally some common sense in the judiciary (Score:5, Insightful)
Re:Does this apply to all cases? (Score:4, Insightful)
Does this ruling apply if someone downloads child porn, makes bomb threats, discusses with terrorists or other larger crimes? Just saying it should be consistent if pirates get a pass.
In the context of this ruling, an IP address is not enough evidence to justify giving your name and address to someone who claims that his copyright is infringed, but isn't really interested in sorting out the copyright infringement but only to blackmail you into a settlement. Especially if someone tries to get the names of dozens of people while paying only one court fee.
On the other hand, it is surely enough evidence to get the police started investigating serious crimes.
Re:To be fair.... (Score:5, Insightful)
Right, because we should expect 100% of the US population to understand network security and know how to properly secure a wifi router. Makes perfect sense!
Also, this. [neowin.net]
Re:Does this apply to all cases? (Score:5, Insightful)
Comment removed (Score:5, Insightful)
Re:Does this apply to all cases? (Score:5, Insightful)
If a search warrant required as much evidence as a conviction, there would be no point to search warrants.
Re:To be fair.... (Score:5, Insightful)
It takes about 60 seconds to teach somebody to secure their wireless router. The only remotely time consuming part is getting them to believe that it's actually a smart idea.
I think you've got those backwards.
OK, listen, if you leave this unlocked then anyone who finds it can download anything. They can download child porn, illegal movies, terrorist documents, whatever, and it's all linked to you.
Well that sounds bad, better lock it up.
Right. OK, so the first thing you do is open your browser and go to one nine two dot one six ...
Wait, what's a browser?
Just double-click on the blue "E".
Got it. OK, I type in one nine two ...
Wait, not in the Bing search bar, you type it into the address field.
What's the address field?
And WEP vulnerabilities (Score:5, Insightful)
A lot of people still have WEP only routers. My parents are some of those people. They are not tech people, they bought a router back in the day when WEP was all you got. It still works so they won't get a new one.
They aren't the only ones either. While I don't see a whole lot of APs from my house, of the ones I do see two are WPA1, two are WEP, none (except mine) are WPA2.
And if we want to start to make it illegal to have bad security, well then we first need to start with door locks. Residential houses always have shitty locks. They are just regular ass locks from Home Depot that are vulnerable to bumping, ice picking, have no key control, and so on. You can get better locks no problem, they just cost a whole lot more so people don't bother.
However if you want to say "You have to buy a new router any time the old ones are found to have security issues, otherwise you are liable for any breakins," then I think you also have ot say "You have to buy better locks, otherwise you are liable for any breakins."
Re:Does this apply to all cases? (Score:5, Insightful)
That depends. The parking ticket thing was standing between a city government and a revenue stream. That is known to be the most dangerous place to stand in all of existence.
Re:Does this apply to all cases? (Score:5, Insightful)
I was in a private residence, they had no rights to order me to do anything, because I was not hindering their investigation, nor was I doing or involved in anything illegal. If the cops can go into any residence and order the occupants around and arrest people for not "not following orders" ... then I have a HUGE problem with that society. And you don't?
Re:Does this apply to all cases? (Score:5, Insightful)
This still means that an IP address is sufficient for them to seize and search your computer hard disks and such, so if you have corroborating evidence there you'd still be fucked.
For a criminal matter, an IP address might be enough by itself to issue a search warrant.
Luckily, the copyright infringement that is being done in file sharing doesn't fall under the "criminal" section of copyright law.
Re:Does this apply to all cases? (Score:3, Insightful)
For the most part, an IP address has never been able to prove anything short of a temporary usage.
- most cable and DSL modems use NAT, one ip address for the outside.
- proximity to busy areas (eg in a condo building that's part of a shopping district is enough) is enough to claim "it wasn't me"
- Wireless devices (mobile phones, tablets) that can also operate as WiFi access points may not be secured enough
- Shopping Convention centers may have many of the above showing up peoples devices, particularly iPhone and iPad's which do this by default.
In 2004, when I first bought a router, I also bought a GPS and went wardriving with the laptop for kicks. At the time, most of the 802.11b routers were not encrypted, and it was easy to just pop in and pop off any unencrypted one.
When I lived in a condo building, I had line of sight to WiFi access points located so far away (where you'd need binoculars to find it) that I was able to access them for minutes at a time. Some of these were early Hotel systems that were unencrypted.
Some neighboring condo units had unencrypted routers that were clearly hijacked, as they would reboot randomly
Some people leave their routers "open" to have plausible deniability
Some people use Tor onion routing behind such routers
Some people may intentionally look stupid, but they actually run a VPN over the wireless system to an initial exit point somewhere in the US so they can use US services (Eg netflix, hulu) or pirate indiscriminately on other people's systems.
Overall the problem is that responsibility lies first at the ISP, for not detecting "open" routers. Many ISP's issue wireless DSL and Cable modems in only a "semi-secure" state, that it only takes a disgruntled employee at the ISP to dump the configurations, along with the administrative passwords for the devices to compromise all of them. Many of these devices share the exact same admin password.
The Subscriber's responsibility is only for devices physically attached to the cable modem, which may include secondary wireless routers. So if they give out passwords for their friends to use it, and their friend comes back a month later and downloads some seriously illegal stuff, you're not going to remember seeing your friend downloading anything. So if it's your router, it's your problem, but if the ISP has any control over the router/modem it's the ISP's responsibility. If their subscriber is a moron, they should cut them loose.
I'm not suggesting that ISP's be responsible for damages, and neither should subscribers be responsible for damages caused by someone accessing the system without their knowledge, but both should take proactive action against letting people use their system.
This also means that ISP's should be detecting "bot" traffic, hijacked machines, at their headend and proactively warn users about suspicious activity where the customer's usage pattern changes.
Not far enough (Score:5, Insightful)
1. The complaint comes in via an unverifiable email. The ISP has no idea who really sent it. As any ISP knows, spoofing an email is about the simplest thing for a teenage hacker to perform.
2. Even if the ISP could verify the sender, they have no idea if the sender is really the content owner. In fact, the ISP has absolutely no way to find out who the content owner is. This is something, that by its very definition would need to be decided in a court of law.
3. The ISP has no idea if the person sending the email is telling the truth in the least. Even if they are telling the truth they have no idea how competent their methods are. All they have is an email that says they "saw" the user download some content they own. They could have made it up, they could have terrible methods for detection. I believe there was one case where a university student managed to get DMCA notices sent to several campus printers IP addresses.
4. And most importantly, the ISP KNOWS most of the complaints are total BS. I personally saw at least 25% of the complaints that came in were against IP addresses that didn't have customers on them... or belonged to network devices we owned.
The entire premise that someone can connect to a torrent and then say that every IP address that their software tells them is connecting to that torrent is a pirate is asinine. There's a simple solution to your problem media industry... stop price gouging. Work WITH and not against netflix, pandora, and the like. Make it easier to pay you than it is to pirate... and the pirate community will die. Humans follow the path of least resistance. It's illegal to run red lights, but people still do it all the time, because it's easier than stopping. How do they really stop people from red lights? Take them out and put in a round-a-bout.
Re:Does this apply to all cases? (Score:5, Insightful)
No, you loan your car to someone. Therefore you are responsible. If someone steals your car and crashes into a bus full of nuns, you aren't.
You may be able to make a case that if the person billed for the IP address would be responsible for guests, but if the kid next door is "stealing" internet from you then you shouldn't be.
Its an analogy fail. Get over yourself.
Re:Does this apply to all cases? (Score:2, Insightful)
As far as I can tell, parking tickets are essentially "liens" on the vehicle for services rendered(storing your car). The idea that they stored your car without entering in to contract with you seems to be the hole in this logic. Trying to get a municipal government to explain legal reasoning behind their actions has always been an uphill battle for me.
Traffic Court is another concept which defies logic. Seemingly, you aren't entitled to a court appointed attorney because the penalties are financial and do not have the potential to result in a singly day of imprisonment. The Supreme Court ruling that established court appointed attorneys referenced the right to an attorney specifically when threatened with a single day of jail time which was a clumsy and unnecessary qualification to the concept IMHO.
The courts generally seem to run based on a weird hybrid of civil and criminal rules of procedure. This seems to be as a result of them being established by a legislature delegating the authority and jurisdiction to tax.
This is why the ticketing officer seems to be the plaintiff, witness, and executioner. It would be perverse under normal circumstances for an individual to be able to delegate themselves as representation for a large group of people seeking collective damages. They aren't licensed to practice law so they can't really call themselves as witnesses or even function as a lawyer on someone-else's behalf.
It's a hardcore conflict of interests any way you look at it and their testimony would be here-say except I think they document everything as an affidavit as part of their paperwork when they issue the ticket. Except there are no witnesses to the affidavit AFAIK.
It's all pretty thinly veiled lack of due process with dodgy legal justification IMHO.
Re:To be fair.... (Score:4, Insightful)
Thanks for helping to prove my point to the parent. A computer science degree and 20 years of experience isn't enough of a qualification to help teach someone how to secure their wireless router, you also need to be an insufferable douche. Not everyone can do it like you can. Those "regular people" out there don't have a chance.