Tuesday, May 17, 2005

German Court Refuses to Order ISPs to Disclose User Identities

Heise has an article indicating that the Higher Regional Court in Hamburg has declined to order ISPs to disclose the identities of users alleged to be infringing copyright by running FTP servers. The court held that, as ISPs were not joint wrongdoers, their obligations were limited to blocking and removing infringing material:
In its highly detailed opinion the court concludes that the obligation in piracy cases to provide information on the creation and/or distribution of pirated items - created by the right to information specified by the Copyright Act - only applied to those parties themselves involved in the said illegal acts. The access provider was not a party of this kind, the court ruled, as it merely provided access to the Web. Contrary to the opinion of the District Court a provider could also not be held accountable as a so-called "Mitstörer" (co-troublemaker) in breach of the law on the grounds of having providing access to the Internet. The legislation of paragraph 8 subsection 2 of the Tele Services Act (TDG), according to which access providers in line with the laws in general and despite a certain privileged position as to liability are enjoined to "remove and block" illegal content, had not change this state of affairs, the Higher Regional Court concluded. After all, "remove" and "block" specifically did not imply the divulging of information, thus the OLG. With its decision the OLG Hamburg has taken the same line as the OLG in Frankfurt-on-the-Main. The judges in the federal state of Hesse hence also disputed that there was a right to demand information from access providers, as such a right to demand information served to discover and drain the sources and distribution channels of pirated items and only such parties as committed or participated in such violations of copyright were obliged to provide information, they concluded.
It'll be interesting to see whether this approach will survive the implementation of the IP Enforcement Directive. Article 8 of this draconian Directive creates a "right of information" - i.e. a right to compel third parties to disclose information, including the identity of an alleged infringer. (Effectively transplanting the Norwich Pharmacal order into EU law.) The Directive itself, after much lobbying, was amended to limit this to "acts carried out on a commercial scale" i.e. "those carried out for direct or indirect economic or commercial advantage; this would normally exclude acts carried out by end consumers acting in good faith" (see recital 14). However, this definition is opaque. What's meant by "indirect economic advantage"? Would it include savings made by downloading music from others? What's the significance of the reference to "acting in good faith"? If A has a large music collection, and shares that via a p2p network, is he acting on a commercial scale? Does it make a difference whether he knows that what he's doing is illegal?

Also, even if Article 8 itself doesn't cover this situation, nothing in the Directive precludes member states from choosing to extend it to non-commercial situations (see recital 14), and we can expect the music / film industry lobbies to push at national level for the directive to be extended to cover all alleged infringements - commercial or otherwise.

Via The Register

Monday, May 16, 2005

Google's Web Accelerator

Google's famous motto - "Don't be Evil" - has lost some of its shine lately. A prime target for critics is the new Web Accelerator: a browser add-in that runs all your web browsing - not just your searches - through Google's servers. The pay-off is faster browsing through technical wizardry including lots of caching by Google. The downsides? Privacy problems and dubious legality.

Jeff Jarvis doesn't like this from a copyright point of view:

It's one matter when the search engine caches a page you can't get anymore; that's a copyright violation but an all-in-all benign one in the sense that it's only giving you content you could not otherwise see (no different from, say, the web archive).

But it's quite another matter for Google to get in the way of serving current content. This means that the page is served from Google rather than from a publisher's server, which means that the publisher cannot count the traffic and serve targeted and dynamic advertising.

It also means that Google is copying content on its servers and serving it from there and thus is violating copyright.

And it means that Google is in a position to snoop on data on consumers' usage of sites that Google does not own: That is, Google will know what the consumers on my site are doing better than I will for these "accelerated" pages.

Karl-Friedrich Lenz doesn't like the data retention implications:
I have been opposed to any large-scale collection of Internet traffic data for years.

There is a heated battle going on about exactly this question right now in Europe. Enemies of freedom are gaining influence and want to turn the Internet into one big surveillance instrument. Under these circumstances, it is absolutely unacceptable to try building the world's largest Internet traffic data collection under the misleading excuse of speeding up web surfing. This calls for active resistance to Google, which deserves to be put completely out of business for this move.

He's also analysed the data protection, copyright and liability issues from an EU perspective, in a very interesting post that deserves to be quoted in full:
However, this "web accelerator" is clearly another new level of privacy violation, even if it only affects those who choose to live under the Google searchlights just to get a few downloads done faster.

Therefore, I will take a few minutes to look at whether it might be illegal under current European law.

There are three potential problems.

One is copyright. The service seems to be working, among other things, by using a "prefetch" command. That is, Google is downloading content the user might possibly require next in advance.

This downloading is a reproduction, just as the illegal cache of the whole Web Google is doing is a reproduction.

That means it needs an exception or limitation, since obviously Google has no licenses.

The only exception possible is Article 5 Number 1 a) of the 2001 Information Society Copyright Directive.

That exception requires that the "prefetch" is an "integral and essential part of a technological process whose sole purpose is to enable a transmission in a network between third parties in a network".

The "prefetch" does not enable a transmission in all cases where the user does not choose to actually use the prefetched file. In all those cases, it adds only unnecessary burdens to the whole Internet traffic load. Therefore, it seems to be open to doubt if the exception extends this far.

The next potential problem is data protection. Article 6 paragraph 1 of the 2002 Electronic Communications Data Protection Directive says:

"1. Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1)."

Since Google "logs page requests" and does not seem to delete them when the communication is finished, all that keeps them from violating Article 6 is the anonymity of the user. However, since the pages logged may contain personally identifiable information, that defense is rather weak in most cases.

The third potential problem is that of liability for illegal content.

Under Article 13 of the 2000 Electronic Commerce Directive, an exception for liability is granted for "Caching".

However, in this case the exception is clearly restricted to cases where the cache is for the purpose of making more efficient the information's onward transmission to other recipients of the service upon their request. With "prefetched" pages there is no user request.

So if any of the billions of prefetched pages on some user's computer turns out to be illegal in that particular country, there is nothing to stop Google's liability for delivering that particular content.

Summing up, there seem to be some potential legal problems with the "web accelerator" service under European law, especially regarding the "prefetched" pages.

However, the moral repulsiveness of turning the searchlights on your users, as opposed to having them turned on the web content, depends in no way on the finer legal points mentioned above.

The Inside Google Blog, meanwhile, doesn't like the fact that the Web Accelerator is apparently serving up private information to the wrong people:
See, Google isn't serving web pages faster, its serving other people's versions of the web page faster. What does that mean? Try using Web Accelerator on a forum site, one with lots of geeks who love Google and probably already have Web Accelerator installed. Why, if you're lucky, you'll be logged in as someone else, as the folks at SomethingAwful.com discovered. The posters in that forum discovered that most of the times they refreshed the page, they were logged in as a different person, seeing their friend's control panel for the forums


Installing Accelerator will, at some point, let you into a private area you shouldn't be seeing. Maybe it'll be a control panel or options area for a logged in user. Maybe it'll be a porn site with password protection. Maybe it will be a private Microsoft message board where developers discuss trade secrets regarding the next version of Windows. It will happen, and when it does, I expect screenshots.

Friday, May 06, 2005

How much will Irish filesharers end up paying IRMA?

Let's assume, for the sake of argument, that Irish ISPs will eventually be ordered by the High Court to disclose users' identities to IRMA. If this happens, it's unlikely that any of the cases will proceed to trial - the pattern from the US and UK has been for the overwhelming majority of cases to settle out of court. What sort of payments is IRMA likely to demand?

The average settlement in the last round of UK cases was, according to the BPI, around £2,000. At the high end, two defendants paid over £4,000 each to settle their cases. The numbers of file involved varied from several hundred to several thousand, with the higher settlements presumably reflecting more files being shared.

In the US, settlements have on average been much the same, but in some cases have been much higher. In the first wave of litigation in 2003, it seems that the average settlement was about $3,000, with settlement demands starting at about $3,000-$4,000. Individual settlements, however, included several of $7,500, and at least one for $10,000. Since then there have been reports that the average settlement has gone up to $4,000. There have also been some unusual cases involving student filesharing networks where the settlements have come in at $12,000-$17,000.

Significantly, several of the US cases have involved people who arguably weren't guilty of any wrongdoing, but who nevertheless found it safer and cheaper to pay up. Leaving legal fees aside for the moment, the main reason for this is the draconian statutory damages US law provides for copyright infringement. Instead of requiring proof of actual damage, US law allows plaintiffs to recover $750 to $30,000 per copyrighted work, which can be increased to $150,000 for willful infringement. So, if you share 100 files, that's a statutory minimum of $750 x 100 = $75,000 in damages, irrespective of how often those files were in fact downloaded. Facing the risk of these (arguably unconstitutional) penalties, it's hardly surprising that the RIAA has substantial leverage over defendants.

Turning back to the Irish situation, presumably IRMA will initially be looking for settlements in line with the majority of US and UK settlements, which would put the demands in the region of €3,000-€5,000 or thereabouts. If they restrict themselves to these figures, it's unlikely to be worth a defendant's time seeking legal advice and contesting the action, particularly since a loss would involve paying that amount and more in legal fees (for both sides) alone. Factors which will influence the amount of any settlement will presumably include the number of files involved, the length of time for which the material was shared, and (possibly) any mitigating factors such as the sharing being unintentional or by a child.

If a filesharing case did go to trial, it's difficult to put a figure on what damages might be awarded (and possibly redundant, since the damages might well be dwarfed by legal fees). Irish law does not have statutory damages comparable to US law: the damages which can be awarded are generally limited to the actual loss suffered by the plaintiff (which will be difficult to prove in filesharing cases), though aggravated and exemplary damages can also be awarded in particularly serious cases. The only reported Irish decision discussing damages in this type of case seems to be Universal Studios v. Mulligan where the court awarded (in 1999 pounds) £75,000 damages to various film studios injured by the defendant's sale of several thousand pirated videos, of which £25,000 was compensatory and £50,000 aggravated. That case, though, involved a large scale commercial operation, over a period of years, which made the defendant substantial sums of money. It's very unlikely that an award of damages in a filesharing case would come anywhere near that benchmark - and judging from Universal Studios, it's also unlikely that aggravated damages would be awarded.

Update - The Register reports that eight Dutch filesharers have settled for approximately €2100 each. According to EDRI the filesharers were required to:
sign a unlimited binding agreement to never ever "directly or indirectly be involved in any way or have an interest in unlawfully distributing materials on the internet". If ever again caught in such a very broadly defined act, the signee agrees to pay a fine of 5.000 euro per day.