Thursday, March 28, 2013

I am not my IP address

It appears that the major ISPs have decided to launch an "education campaign" about copyright violation.  If their filters determine someone using your IP address is uploading copyrighted content, you will get a series of increasingly firm warnings telling you that you may be breaking the law.  And, as some have pointed out, to let you know that your ISP is watching what you're doing and to leave a nice, visible paper trail saying "you were warned".

I say "copyrighted content", but in practice that probably means video, .mp3 files and such.  I doubt that they're trying to catch people uploading the text of The Hunger Games or whatever, even though that's just as copyrighted as, say, Thrift Shop.

Before going on, I suppose this is a good opportunity to repeat the disclaimer: I don't speak for my employer.  I speak for myself, at least on a good day.  Let's throw in the "I am not a lawyer" spiel while we're at it.

On the one hand, I'm not horrified by this.  It certainly seems like a better approach than previous attempts to crack down.  The ISPs certainly have some right to do such things.  Your agreement with your ISP is a private contract.  As much as we value free speech as a principle, when you're paying a private company to convey your speech, they get some say.  Restrictions imposed by your ISP are not laws of Congress.  Not to say that there shouldn't be some sort of protection, but any First Amendment case would have to be aimed at the laws regulating ISPs, not at the ISPs themselves.  Outside the US, your mileage may vary ... hmm ... how do you say "your mileage may vary" outside the US?

Likewise, the studios and record labels have a right to protect their copyrights (that is, the copyrights they acquired from the people who actually created the content).  Whatever we may think of studios, record labels, publishers and such, there is a legitimate business to be done in financing, publicizing and selecting content.  The question is whether it's done well or badly, ethically or not-so-ethically, and in what cases it makes sense for the creator to take on that role personally or hire it out.

That said, I'm leery of the basic approach of tying activity to an IP address.  In a typical household, any of several people may be using a given address, and the person paying for the service is generally not going to be aware of what every person in the household is doing at all times.

Neither is it safe to assume that the only people using the IP address in question are living in the house to which the IP address is assigned.  There are plenty of insecure wifi routers out there.  For that matter, there are plenty of deliberately insecure routers out there.  Is a coffee shop with free wifi also liable for whatever its guests choose to upload?

Nor is it that hard for someone uploading copyrighted material to disguise that fact, or plausibly deny it -- and it's a good bet that someone who makes a habit of distributing copyrighted material illegally would positively enjoy confounding The Man.

In short, it looks very easy to get false positives (someone notified of suspicious uploading when it's not their fault) and false negatives (someone up to no good going unnoticed).  If the idea is to "stop piracy", it's unlikely to work any better than previous attempts.  On the other hand, if the idea is to remind people that copyrighted material is protected by law, or start a discussion between the person legally on the hook for the internet bill and the rest of the people using it, that could probably work.

Behind all this is the issue in the title: to what extent can an IP address be identified with a person?  A reasonable analog in the real world is the distinction between a car's license plate and a person's driver's license.  A license plate is associated with a person, and that person bears some legal responsibility for what happens with that car, but if you loan your car to a good friend and that friend gets pulled over for speeding, the points go on the friend's license, not yours.

If the friend runs a red light and gets caught by a camera, though, you'll get the notice, as registrant of the car.  What happens next is a bit unclear, particularly if your maybe-not-so-good friend doesn't feel inclined to step up.

The ISP case seems more like the camera case than the pulled-over case.  Just as (generally) only the car can be positively identified, only the IP address, and not the person, can be positively identified [that is, the numeric address is known for sure ... there are ways, at least in theory, to spoof addresses in the sense that the packets sent to and from that address aren't going where the system thinks they're going].  Again, if the idea is to educate people about copyright law and remind them that yes, companies take this seriously and, by the way, we can see what you're doing with your IP connection, that's probably OK.  But if it comes down to fining and arresting people, the IP address involved had better be just one piece of evidence in a stronger case.

Not that that's much comfort if you have to hire a lawyer anyway.


earl said...

Good post.

But the proofreading dep't noted an awkwardness in para 8.

David Hull said...

Fixed. Thanks.