First, the background. I'm disappointed but not surprised to find that my 2009 prediction - that Eircom would end up falsely accusing innocent users - has come to pass in relation to 300 users:
THE "three strikes" scheme to prevent music piracy, which is operated by Eircom at the behest of record companies, is being investigated by the data protection commissioner (DPC) after customers said they were sent warning letters in error. The investigation began after an Eircom customer complained that he had wrongly received a "first strike" letter. The company has admitted it incorrectly issued such warnings to a "limited number" of customers.So why did Eircom falsely accuse users?
This was due to a software failure caused when the clocks went back last October, it said.Far from being a technical sounding "software failure", this appears to show up ineptitude in relation to a very basic aspect of network management - i.e. making sure that the server clock reflects daylight savings time. As a result, it seems that users found themselves being accused on the basis of what somebody else did from the same IP address either an hour earlier or an hour later. Consequently, the users who were wrongfully accused should consider themselves lucky that this incompetence did not lead to their being accused of a serious crime - for example, being arrested and having their homes searched due to the wrong time being used (as happened to these Indian users).
The significance of this case goes beyond simple technical failings, however, as the complaint to the Data Protection Commissioner has triggered a wider investigation of the legality of the entire three strikes system:
The DPC said it was investigating the complaint "including whether the subject matter gives rise to any questions as to the proportionality of the graduated response system operated by Eircom and the music industry".This is unsurprising - when the Eircom / IRMA three strikes settlement was being agreed the Data Protection Commissioner identified significant data protection problems with it. These problems remain, notwithstanding the deeply flawed High Court judgment which approved of the system - a judgment which, for example, decided on the question of whether or not IP addresses are personal data without once considering the views of the Article 29 Working Party. It is not surprising that the Data Protection Commissioner was not convinced by that judgment (the judgment was problematic at least in part because the Commissioner was not represented - the only parties before the court had a vested interest in the system being implemented). However, until a concrete complaint arose no further action could be taken.
The complaint in this case has now triggered that action, and it seems likely that the Commissioner will reach a decision reflecting his previous views that using IP addresses to cut off customers' internet connections is disproportionate and does not constitute "fair use" of personal information. If so, the Commissioner has the power and indeed the duty to issue an enforcement notice which would prevent Eircom from using personal data for this purpose - which would ultimately seem likely to put the matter back before the courts. Watch this space.