Tuesday, June 28, 2005

Digital search and seizure

There's a grey area around police powers to compel intermediaries such as ISPs to hand over digital evidence. In both Ireland and the UK, though, the issue seldom arises because most ISPs seem to be happy to give voluntary cooperation, avoiding the need for the police to rely on their compulsory powers. However, this strategy falls down when an intermediary decides not to play ball, and the seizure of Bristol Indymedia servers illustrates the problems that result.

An Indymedia press release gives the background:
On Mon 20th June, Bristol Indymedia (IMC Bristol) received an email from the police asking to contact them with reference to a posting on the IMC Bristol newswire. IMC Bristol volunteers appointed a solicitor and started briefing them to contact the police on their behalf. On Tue 21st June, the police contacted an IMC Bristol volunteer asking for IP logs. The subject of the police enquiry was a posting claiming that damage had been done to either some cars on a train transport, the transport itself, or the railway line.

Bristol Indymedia volunteers hid the post (originally posted late in the evening of 17th June) from their main newswire within 24 hours of it being posted - as it violated IMC Bristol editorial policy - and well before the police made initial contact.

When the solicitor contacted CID on the 21st to inform them that they could not have the server, or access to it, the police said that they could go through data protection and legal moves to get the logs or get a search warrant, and that they may arrest somebody for obstructing the course of justice.

At this point, an IMC Bristol volunteer informed IMC UK about the events. IMC Bristol then contacted Liberty, whose legal advisor contacted the police to press them on the issue that this server was considered an item of journalistic equipment and so subject to special provision under the law. The police have yet to confirm this. NUJ and Privacy International have also been contacted.

As of 24th June 2005, IMC Bristol remain in possession of their server. Communications with the police, and between various legal and civil rights organisations continue while technical and legal issues surrounding the case are clarified. Bristol Indymedia is an independent news service. As part of our policy, we will not make non-public information we hold publicly available. We do not permanently store IP addresses. We do not intend to voluntarily hand over information to the police as they have requested, and have informed them of this.
The police response came shortly afterwards and on June 27th the server was seized. From the Register:
Police seized a server used by Indymedia, the independent newsgathering collective, from the Bristol home of a member of the group after issuing a search warrant on Monday. The raid is the second time within the last year that an Indymedia server has been seized in the UK.

Officers also took the unnamed Bristol collective member in for questioning, and seized a PC, in an incident that has already provoked a huge row. The action happened despite the intervention on Indymedia's behalf by justice group Liberty whose lawyers advised police that the server was "considered an item of journalistic equipment and so subject to special provision under the law".
Despite this reference to a person being "taken in for questioning" later reports indicate that the owner of the server has in fact been charged with incitement to criminal damage. Analysis and insightful comment at Spy Blog which points out that:
It is not unheard of for malicious people to post something illegal or controversial to an open discussion forum and then to complain to the authorities that the administrators of the discussion forum are doing something illegal [...] For the British Transport Police or any other UK Police force to ignore the National High Tech Crime Unit's guidlines on "minimal disruption" to multi-user networked computers during legal evidence gathering or investigations, is a disproportionate abuse of power [...] There is no justification for the "collateral damage" caused by the seizure of an onlime server in order to attempt to identify the IP address of a single poster.
It's hard to understand why the owner of the server was arrested, but this comment from Spy Blog seems about right:
Initially the Bristol IMC volunteer was a potential witness, either to incitement to criminal damage (the offending item argued that damaging cars was legitamate political protest), or to the statement made by the poster that they had committed the damage. Now the volunteer is a suspect. Maybe the BTP [British Transport Police] allege that the suspect incited criminal damage by failing to delete (it was hidden from the newswire but not deleted) the offending post when it came to their attention. Or maybe the arrest was an act of spite when Bristol IMC quite reasonably told the police to go away and get a warrant.
London Freelance discusses the journalistic privilege issues:
When the police contacted them. BIM called the NUJ and civil liberties organisation Liberty, who argued that demanding information from Indymedia requires a special warrant to obtain journalistic material under the Police and Criminal Evidence Act 1984. Asked about this, a British Transport Police spokesperson said "A warrant was obtained; I don't know the details. ... Website server - I don't know if you could describe it as journalistic material?" They later clarified that "We obtained a Section 8 [PACE] Warrant after discussing with the Crown Prosecution Service who said we didn't need a Section 9 / Schedule 1 [journalistic material] warrant." Section 8 warrants cover evidence-gathering except where privileged, excluded (that is, confidential or medical) or "special procedure" (that is, other journalistic) material is involved.
Two brief comments. First, there is a specific English law (the Regulation of Investigatory Powers Act - RIPA) on point and this situation seems to fall under Part I, Chapter II of that Act (access to communications data). Objectionable though RIPA might be, it does provide some safeguards. It becomes useless, though, when the police can evade those safeguards by falling back on an ordinary search warrant. Second, it's certainly true that Indymedia is being treated less favourably than other media organisations, perhaps in an attempt to harass or shut down its operations. As commenters on the Indymedia site note:
The point is whether or not the seizure of the server is justified. I really don't think that should a letter be written to the Times about such behaviour the police would seize all copies of the Times, or their computers.
The seizure of the Indymedia Bristol server illuminated deficits in the law. Law protecting journalists were drafted with mainstream news organisations in mind, so it cannot cope with media collectives. Whilst the police might well have had good reason to investigate the claims made on Indymedia Bristol's web site, by effectively shutting down the whole operation the police have acted insensitively and have used rather extreme methods, especially when Bristol IMC have been far from uncooperative.

Sunday, June 26, 2005

(Yet) Another argument against ID Cards

From the Independent:
Ministers plan to sell your ID card details to raise cash

Personal details of all 44 million adults living in Britain could be sold to private companies as part of government attempts to arrest spiralling costs for the new national identity card scheme, set to get the go-ahead this week.

The Independent on Sunday can today reveal that ministers have opened talks with private firms to pass on personal details of UK citizens for an initial cost of £750 each.


The opening of commercial talks contradicts a promise made when the Home Office launched a public consultation on ID cards in April last year, when officials pledged that "unlike electoral registers, the National Identity Register will not be open for any general access or inspection."


In addition, firms could be charged up to £750 for technology that would allow them instantly to verify customers' identity through iris scanning or finger-printing, according to official documents.
Update: Ministers are denying that personal information will be for sale, but admit that they will establish and charge for a system giving private companies access to the ID card system. From the Telegraph:
Ministers denied a report that personal details of all 44 million adults in the country could be sold to private companies as part of Government efforts to curb the cost.

But the Home Office admitted that there would be a "mechanism" for companies to check that an ID card was genuine and that people were who they said they were.

Officials said the details of the mechanism were still being worked out. There would be a fee but it would be "nowhere near" the £750 claimed by The Independent on Sunday.

Tony McNulty, the immigration minister, said it was nonsense to suggest that the Government intended to sell information on the ID cards register and had opened talks with private companies.

"The Government has no plans whatsoever to sell individuals' details to private companies," he said. "The legislation we have introduced to set up the scheme will ensure that the ID cards database will be secure and confidential. Private companies will not have access to the information held on it and any unauthorised disclosure will be a criminal offence."

Thursday, June 23, 2005

Your personal information is for sale - Indian edition

BBC News reports:
Police are investigating reports an Indian call centre worker sold the bank account details of 1,000 UK customers to an undercover reporter.

The Sun claims one of its journalists bought personal details including passwords, addresses and passport data from a Delhi IT worker for £4.25 each.

City of London Police is investigating after receiving files from the paper.

Tuesday, June 21, 2005

ISPs told "Hand over names if you want to license our content"

Constitutional Code (Rik Lambers) has an interesting post illustrating the incentives facing ISPs asked to disclose customer names:
During a seminar on "online piracy" in the Netherlands last week a representative of Warner Home Entertainment made it clear that Internet Service Providers won't get movie content licensed, unless they provide the identifying information of their customers on demand.

Data Retention Reaches the US - Or Does It?

Orin Kerr is skeptical about the reports that the US Department of Justice has decided to push data retention:
What is the evidence that times have changed, and that now DOJ is "quietly shopping around" this "explosive" idea? As best I can tell from Declan's story, it is this and only this: A few weeks ago, at a Holiday Inn in Alexandria, Virginia, unnamed Department of Justice employees, apparently from DOJ's Child Exploitation and Obscenity Section (CEOS), mentioned the possibility of mandatory data retention requirements in a meeting with some ISP representatives.

Who are these DOJ employees, though? CEOS does not have any high-level policy makers, as far as I know. It is a section consistening entirely of career prosecutors. No one at CEOS has the authority to opine on such a enormous and controversial question except entirely in his personal capacity. And the chances that DOJ would decide to "shop around" such a high-profile proposal using career lawyers meeting at a Holiday Inn seems a bit far-fetched.

If I had to guess, I would imagine all that happened in this meeting was that a random career lawyer at DOJ had been wondering about data retention, and decided to discuss it as a possibility in a meeting despite DOJ policy to the contrary. Or perhaps the lawyer foolishly tried to raise the possibility as a threat to push ISP representatives to think more seriously about voluntary data retention. Either way, DOJ has not changed its policy at all. Is it possible that there is more to the story than that? Yes, but on the whole it is quite unlikely.
He's certainly well placed to make this assessment. From his bio, he was a trial attorney in the Computer Crime and Intellectual Property Section of the Criminal Division at the U.S. Department of Justice, and his publications suggest that he still has good contacts with his former colleagues in the department. Having said that, the story is still of concern until there's an official denial on the table.

Saturday, June 18, 2005

Data Retention Reaches the US

Disturbing news from CNET , which reports that the US government has executed an about turn and decided to push data retention:
Justice Department officials endorsed the concept at a private meeting with Internet service providers and the National Center for Missing and Exploited Children, according to interviews with multiple people who were present. The meeting took place on April 27 at the Holiday Inn Select in Alexandria, Va.

'It was raised not once but several times in the meeting, very emphatically,' said Dave McClure, president of the U.S. Internet Industry Association, which represents small to midsize companies. 'We were told, 'You're going to have to start thinking about data retention if you don't want people to think you're soft on child porn.''

McClure said that while the Justice Department representatives argued that Internet service providers should cooperate voluntarily, they also raised the 'possibility that we should create by law a standard period of data retention.' McClure added that 'my sense was that this is something that they've been working on for a long time.'

This represents an abrupt shift in the Justice Department's long-held position that data retention is unnecessary and imposes an unacceptable burden on Internet providers. In 2001, the Bush administration expressed "serious reservations about broad mandatory data retention regimes."

The current proposal appears to originate with the Justice Department's Child Exploitation and Obscenity Section, which enforces federal child pornography laws. But once mandated by law, the logs likely would be mined during terrorism, copyright infringement and even routine criminal investigations. (The Justice Department did not respond to a request for comment on Wednesday.)
It's hard to know where to begin assessing this development. But a few points strike me immediately.

First, the reference to "voluntary" retention coupled with a standard period set by law echoes the UK proposals for voluntary retention, and is likely to be rejected in the industry in exactly the same manner. The UK response made it clear that ISPs shuddered at the commercial implications of voluntary retention, seeing it as hugely expensive and likely to lead to customers defecting to other, more privacy friendly ISPs.

Second, the data retention period sought by the Justice Department is two months. This immediately undercuts the claims by the Council of Justice and Home Affairs ministers that a period of up to three years is essential. Perhaps our representatives would now like to explain to us how they can seek such an extravagant period when the US apparently considers it unnecessary.

Third, the US already has a federal data preservation* law, which allows "a governmental entity" to require an ISP to preserve data in their possession for up to 90 days. To justify a data retention law, it would have to be shown that the data preservation rules were ineffective. Where's that evidence?

Fourth, note the distasteful threat from the DOJ: "You're going to have to start thinking about data retention if you don't want people to think you're soft on child porn". As with other data retention proposals, the justification is essentially emotive, with references to the headline grabbing subjects of child pornography and terrorism. But, as the article correctly points out "once mandated by law, the logs likely would be mined during ... even routine criminal investigations".

Fifth, as with data retention on this side of the Atlantic, policy is being made in secret with the public excluded. If the DOJ is confident in the merits of its proposals, perhaps it might try to sell them to the public rather than trying to strongarm ISPs in private.

Finally, the attempt to obtain "voluntary" cooperation represents a continuation of a worrying trend. The US government, amongst others, has noticed that it can evade pesky constitutional restrictions such as probable cause by "outsourcing" certain activities to private actors who aren't subject to the same restrictions. These data retention proposals have the same air about them. A federal data retention law would face public scrutiny and opposition, a stiff fight through Congress, judicial review, and would likely be found unconstitutional. Hence the attraction of cooperation from ISPs, which would enable the government to achieve indirectly that which it could not do directly, and all without any public fuss. This is good for the government, perhaps, but bad for democracy and the rule of law.


*The distinction between data retention and data preservation is explained by the Canadian Department of Justice here:
What is data preservation and how is it different from data retention?

It is important to distinguish between data preservation and data retention. As proposed in the consultation paper, a data preservation order would require a service provider to keep existing data of a specific, identified individual who is identified by the courts as the subject of an investigation and not delete it for a specified period of time. This would ensure that information vital to an investigation is not deleted before the police can obtain a search warrant or production order to access the specific data.

Data retention, on the other hand, involves the collection of data from all users of a communication service - regardless of whether or not they are subject to an investigation.

Tuesday, June 14, 2005

The curious legal status of .uk and .ie

From The Register:
The company that runs the UK's Internet registry is not officially recognised by the government and as such has no right to decide what should be done with the millions of domains that it sells each year.

That at least is the claim of Ben Cohen, former owner of iTunes.co.uk, who lost ownership of the domain to Apple in March after a ruling by an independent expert hired through Nominet's domain resolution process.

Cohen has been decrying Nominet since the decision and made a variety of legal threats over the decision. However he recently discovered that he was not able to take the actual decision made against him to the High Court for Judicial Review because of Nominet's peculiar status.

Following questions made under the Freedom of Information Act, the government was forced to state that there is "no formal relationship or written agreement" between the UK government and Nominet. As such, it is not a public body and so is subject only to the usual laws covering UK companies.

Cohen argues that this status is misleading since representatives from government bodies have permanent seats on Nominet's Policy Advisory Board (PAB). The government also accepted that this situation does not exist for any other company.


"At no point has there ever been a statutory or official recognition by the Government of Nominet's position as a the sole issuer of .uk domain names to the public.

"The status of Nominet is important because their dispute resolution service acts in a quasi-Judicial manner in deciding who should lay claim to a domain name when a dispute arises. CyberBritain was planning on taking the decision made on the 10th March to the High Court for Judicial Review. However, this course of action is only open to review decisions made by public bodies.

"Nominet have always claimed to us that they are on the one hand officially recognised by the Government but not a public body, meaning that their decisions would not be subject to Judicial Review. In my mind, this is a paradox as an official or statutory recognition of an organisation to administer what is in effect a public service would generally be subject to Judicial Review. This certainly would be the case with decisions made by Ofcom who regulate telecommunications and television.

"If Nominet have no official recognition (despite civil servants being on their Policy Board) then all domain names issued by them are placed in jeopardy."

Nominet is not impressed with this logic.

"Mr Cohen has continued to threaten legal action in the press and in private, but no proceedings have ever been issued. Nominet has repeatedly explained to Mr Cohen that we believe that he has no basis for suing us and that the particular type of litigation he was threatening (called "Judicial Review") was totally inappropriate because Nominet is not a Government body.

"Nominet is not a Government body and has never claimed to be. We state on our website that we are 'officially recognised' and we explained the meaning of this to Mr Cohen previously.

"The Dispute Resolution Service forms part of the contract we have with registrants of .uk domain names and is enforced as a matter of contract law. We have told Mr Cohen this, and have never tried to suggest that Nominet's Dispute Resolution Service (DRS) is 'quasi-judcial', statutory (i.e. in an Act of Parliament or similar) or Government-backed."
Much the same problem exists in relation to the .ie domain registry which carries out a public function without any legislative or regulatory underpinning. Their FAQ addresses this point, but in a way which raises more questions than it answers:
6. What exactly is the IEDR - is it a statutory body, is it a semi-state, is it part of UCD, is it some kind of public service or is it just a monopoly like, say, the ESB?

6. The IEDR's origins are in UCD but since July 2000 it's been a private company, limited by guarantee. It has no shareholders, the company is owned by its members who are the directors. Surpluses are not distributed, they are added to opening reserves. Directors as per the company's constitution, do not receive fees or emoluments. Only the IEDR can administer .ie - which it does as a public service - but it is not a monopoly in the sense that anybody in Ireland, or elsewhere, can register from a choice of approximately 250 different national and generic TLD names. The IEDR works closely with national and international governments, governing bodies, trade associations and abides by Internet best practice principles while still operating as an independent private company.
The E-Commerce Act 2000 allows (in section 37) the government to regulate the .ie TLD - however this has yet to be done, despite Ministerial promises that the .ie domain will eventually be regulated by ComReg.

You might well ask - so what? As long as the .ie domain functions, why should lawyers nitpick about its legal foundations? The narrow answer is that there have been many complaints about the governance and transparency of the IEDR, including allegations that it is still dominated by UCD (from which it is an offshoot), all of which ultimately have their origins in the lack of a proper legal basis for the registry.

More widely, though, as a matter of principle where a body controls a public asset (the .ie domain), is exercising a public function, and has its origins in the public sector, it should be subject to rules of public oversight (such as the Freedom of Information Act and judicial review). Instead, the IEDR currently exercises a state-sanctioned monopoly without any real oversight.

Update (17/6/05): Ben Cohen has decided to proceed with the judicial review. Stay tuned to see whether the English courts will accept jurisdiction to judicially review decisions of Nominet.

Update (5/8/05): The judicial review application was rejected - but it's not clear whether the court considered whether Nominet was subject to judicial review. According to Out-Law:
the judge noted that the application was flawed in several respects, being both late and unnecessary given the right of appeal which forms part of Nominet's Dispute Resolution Service, which Mr Cohen had failed to use.

This suggests that the application was rejected on a procedural basis (delay and failure to exhaust remedies) rather than on the substantive ground that Nominet was not a public body.

Wednesday, June 08, 2005

Morris Tribunal learns pitfalls of security through obscurity

The Sunday Times (free reg. required) has an interesting story illustrating official ignorance of basic information security:
Tribunal hacker 'was in press agency building'
Stephen O’Brien

THE Press Association of Ireland was threatened with heavy fines and jail sentences by Justice Frederick Morris last week after revealing that it had gained access to his report on garda corruption in Co Donegal before the official launch.

The wire service, the Irish arm of the London-based Press Association (PA), was suspected of hacking into the tribunal’s website to obtain the report. Michael McDowell, the justice minister, claimed that more than 350 separate attempts were made to overcome internet security measures guarding a web version of the report, forcing the authorities to release it earlier than planned.

McDowell did not say who was responsible, but The Sunday Times has established that the “hacking” was traced to PA’s building in Harcourt Street, central Dublin.

Morris, a former High Court president, told journalists at the wire service that he would prosecute anyone who published his report before its official release for obstructing or hindering the work of the tribunal, an offence carrying up to €12,700 in fines and up to two years in prison.

The judge wrote personally to PA in an urgently faxed letter on Tuesday, after staff at the agency contacted the tribunal to verify the authenticity of the report they had found on the web. PA, Britain and Ireland’s largest news agency, immediately agreed to observe the embargo on publication.

PA declined to comment this weekend, but a source at the agency confirmed that the Dublin office got a phone call from a source who explained how to get the report from the website.

“Personally, I think it was a bit of a security cock-up by the tribunal,” the PA source said. “The web link was morristribunal.ie/ and then a series of numbers.”

A government source, however, said the computer used to attack the web security around the report was in the same Dublin building as the PA office. Rogue computer software known as spyware was attached to the server used to “air” the Morris tribunal website.

This spyware then uncovered the secret web link to the tribunal’s report when it was being stored in a supposedly secure location before the official government release.

The spyware notified the hacker when the report was put on the web at 10am on Tuesday, the source said. Over the 70 minutes, 350 attempts were made to access it.

The release of the report was brought forward several days by McDowell after discussions with the tribunal over the compromised security. No complaint has been made to gardai by the tribunal, although experts were able to trace the unique identification number of the computer used to hack into the tribunal site.
Strip away the breathless talk of "hacking", "internet security measures", "rogue computer software", "spyware" and "secret web links" and we have the mundane reality that somebody messed up by posting the report on a public web site, hoping that nobody would find it. An equivalent would be a person placing a book on the shelves in a library, but believing that it is "secret" because it does not appear in the library catalogue. The talk of "hacking" is a smokescreen.

So did reading the report amount to an offence? Unlikely. Under Irish law, the relevant offence would be access without lawful excuse. However, material published on the public web carries with it an implied permission to access that material. Where a publisher hasn't taken steps to limit that permission, then it will be difficult if not impossible to show, beyond a reasonable doubt, that (a) the reader acted without permission, and (b) the reader knew (or perhaps should have known) that they were acting without permission.

A similar issue arose three years ago when Reuters accessed an earnings report, posted on the public website of Swedish IT group Intentia, before its official release. Intentia filed a complaint with the Swedish police. The public prosecutor, however, found that no crime had been committed:
The prosecutor Mr Hakan Roswall chose to do nothing with Intentia's complaint. Mr Roswall concludes that it is illegal to access information stored in a computer that the proprietor deems to be secret and the proprietor protects. Mr Roswall states that Intentia did not clearly state that the information should be secret and did not protect the information. On the contrary it was very easy to access the information. Intentia stated that the report would be available at a certain time, and you only had to slightly change the URL (web address) from the report of the previous quarter in order to obtain the current report. Hence, Mr Roswall will not initiate proceedings against Reuters or any of its reporters.
Update: I've just found a post by Feargal McKay at the Sigla Blog which beats me to the punch on this issue.

Thursday, June 02, 2005

Online Anonymity - Canadian Edition

The Canadian Federal Court of Appeal recently handed down an important decision on online privacy. The case - BMG Canada v. Doe - unsurprisingly involves attempts by the music industry to identify alleged filesharers, using a Norwich Pharmacal analysis.

At first instance, disclosure was refused due to deficiencies in the plaintiffs' evidence, in what was seen as a strongly pro-privacy holding. The Court of Appeal, although it allowed the plaintiffs' appeal in part, accepted that the plaintiffs' evidence was insufficient to order disclosure, and adopted much of the trial judge's reasoning in relation to the privacy issues involved. The key paragraphs of the judgment are:
In cases where plaintiffs show that they have a bona fide claim that unknown persons are infringing their copyright, they have a right to have the identity revealed for the purpose of bringing action. However, caution must be exercised by the courts in ordering such disclosure, to make sure that privacy rights are invaded in the most minimal way.

If there is a lengthy delay between the time the request for the identities is made by the plaintiffs and the time the plaintiffs collect their information, there is a risk that the information as to identity may be inaccurate. Apparently this is because an IP address may not be associated with the same individual for long periods of time. Therefore it is possible that the privacy rights of innocent persons would be infringed and legal proceedings against such persons would be without justification. Thus the greatest care should be taken to avoid delay between the investigation and the request for information. Failure to take such care might well justify a court in refusing to make a disclosure order.

Also, as the intervener, Canadian Internet Policy and Public Interest Clinic, pointed out, plaintiffs should be careful not to extract private information unrelated to copyright infringement, in their investigation. If private information irrelevant to the copyright issues is extracted, and disclosure of the user’s identity is made, the recipient of the information may then be in possession of highly confidential information about the user. If this information is unrelated to copyright infringement, this would be an unjustified intrusion into the rights of the user and might well amount to a breach of PIPEDA by the ISPs, leaving them open to prosecution. Thus in situations where the plaintiffs have failed in their investigation to limit the acquisition of information to the copyright infringement issues, a court might well be justified in declining to grant an order for disclosure of the user’s identity.

In any event, if a disclosure order is granted, specific directions should be given as to the type of information disclosed and the manner in which it can be used. In addition, it must be said that where there exists evidence of copyright infringement, privacy concerns may be met if the court orders that the user only be identified by initials, or makes a confidentiality order.
The court also indicated that disclosure should not be granted if there was some "other improper purpose for seeking the identity of these persons".

Consequently, while the Canadian courts are prepared to grant disclosure on the basis of Norwich Pharmacal, it seems that they will (a) demand a higher standard of evidence before granting a disclosure order; (b) take greater steps to minimise the privacy consequences of a disclosure order; and (c) examine the request to see whether it is pretextual.

Michael Geist has an informative analysis of the decision on his (always interesting) website. He includes a summary, prepared by Alex Cameron (who argued the case), of the test which ISPs must now meet in order to seek disclosure:
Courts shall not order ISPs to disclose the identities of their customers unless the Plaintiff meets its burden of showing each of the following factors. If the Plaintiff fails to show any of the following, then disclosure shall not be made:

1. Plaintiff must show that it has:

(a) targeted the correct IP address by providing clear admissible evidence that it has correctly linked online activities to a specific IP address at a particular time. There should be no risk that innocent people will have their privacy invaded or named as defendants where it is not warranted (para 21); and

(b) "a bona fide claim that unknown persons are infringing their copyright" (para 42), including "i.e., that they really do intend to being an action based on the information they obtain, and that there is no other improper purpose for seeking the identity of these persons". (para.34)

(Note: Even if the plaintiff meets its burden under 1(a), disclosure may be refused where the ISP advises the court that there is a risk of an innocent person having their privacy invaded or named as a defendant where it is not warranted. This might arise if, for example, the ISPs records are incomplete or suggest that the risk is present for another reason)

2. "There should be clear evidence to the effect that the information cannot be obtained from another source such as the operators of the named websites." (para.35)

3. "The public interest in disclosure must outweigh the legitimate privacy concerns of the person sought to be identified if a disclosure order is made" (para.36)

a) the information on which a request for identification is made (eg, IP address) must be timely; no undue delay between investigation and motion for disclosure (para 43)

b) in their investigation, plaintiffs must "limit the acquisition of information to the copyright infringement issue" (para.44)

In cases where the plaintiff has met each of the factors above, "caution must be exercised by the courts in ordering such disclosure, to make sure that privacy rights are invaded in the most minimal way" (para 42). For example, specific directions should be given as to the type of information disclosed and the manner in which it can be used. In addition, the court should consider making a confidentiality order or identifying the defendant by initials only (para.45)