Saturday, June 11, 2011

Data Protection Commissioner investigating Eircom's "three strikes" system

Between the bank holiday weekend and the Sunday Times paywall Mark Tighe's story last week revealing that the Data Protection Commissioner is investigating the Eircom / IRMA three strikes system didn't receive the attention it deserved. However the investigation has the potential to entirely derail the system and needs to be considered further.

First, the background. I'm disappointed but not surprised to find that my 2009 prediction - that Eircom would end up falsely accusing innocent users - has come to pass in relation to 300 users:
THE "three strikes" scheme to prevent music piracy, which is operated by Eircom at the behest of record companies, is being investigated by the data protection commissioner (DPC) after customers said they were sent warning letters in error. The investigation began after an Eircom customer complained that he had wrongly received a "first strike" letter. The company has admitted it incorrectly issued such warnings to a "limited number" of customers.
So why did Eircom falsely accuse users?
This was due to a software failure caused when the clocks went back last October, it said.
Far from being a technical sounding "software failure", this appears to show up ineptitude in relation to a very basic aspect of network management - i.e. making sure that the server clock reflects daylight savings time. As a result, it seems that users found themselves being accused on the basis of what somebody else did from the same IP address either an hour earlier or an hour later. Consequently, the users who were wrongfully accused should consider themselves lucky that this incompetence did not lead to their being accused of a serious crime - for example, being arrested and having their homes searched due to the wrong time being used (as happened to these Indian users).

The significance of this case goes beyond simple technical failings, however, as the complaint to the Data Protection Commissioner has triggered a wider investigation of the legality of the entire three strikes system:
The DPC said it was investigating the complaint "including whether the subject matter gives rise to any questions as to the proportionality of the graduated response system operated by Eircom and the music industry".
This is unsurprising - when the Eircom / IRMA three strikes settlement was being agreed the Data Protection Commissioner identified significant data protection problems with it. These problems remain, notwithstanding the deeply flawed High Court judgment which approved of the system - a judgment which, for example, decided on the question of whether or not IP addresses are personal data without once considering the views of the Article 29 Working Party. It is not surprising that the Data Protection Commissioner was not convinced by that judgment (the judgment was problematic at least in part because the Commissioner was not represented - the only parties before the court had a vested interest in the system being implemented). However, until a concrete complaint arose no further action could be taken.

The complaint in this case has now triggered that action, and it seems likely that the Commissioner will reach a decision reflecting his previous views that using IP addresses to cut off customers' internet connections is disproportionate and does not constitute "fair use" of personal information. If so, the Commissioner has the power and indeed the duty to issue an enforcement notice which would prevent Eircom from using personal data for this purpose - which would ultimately seem likely to put the matter back before the courts. Watch this space.

7 comments:

  1. It seems to me that those wrongly accused would have at least a good case for defamation if not other remedies.

    Thoughts?

    ReplyDelete
  2. As you say TJ, this is not at all surprising. Errors were bound to happen.

    I missed this story until now - interesting how a paywall can have the effect of stopping a story from getting out unless it's picked up elsewhere.

    ReplyDelete
  3. Eircom was always likely to end up falsely accusing innocent users. Errors are not only likely to occur as a result of incompetence on the side of the ISP and those performing the monitoring.

    Consider the (common) situation where wicked neighbours are hi-jacking another unsuspecting neighbours Wi-Fi network to gain free internet. Notwithstanding those cases where users have no wireless security, there are freely available tools which allow anyone with minimal know-how to crack common WEP and WPA security measures.

    ReplyDelete
  4. @Fred - good question. The defamation point may be more difficult than it initially appears.

    Are we considering the initial report from the music industry to Eircom (IP x.x.x.x uploaded y at time z) or the letter from Eircom to the subscriber?

    In the case of the initial report, it may be that this was accurate and it was the timestamp error at Eircom's end that led to the mistake. In that situation, it is hard to see how the initial report is defamatory.

    In the case of the letter from Eircom to the subscriber, whether it is defamatory will also depend on whether we have sufficient publication to a third party. If we treat the letter as saying "you the subscriber have illegally shared music" then we wouldn't seem to have sufficient publication. On the other hand, if we treat the letter as saying "one of your users has illegally downloaded music" (your child, housemate, etc.) then we might have publication but perhaps not sufficient identification - especially in cases of open wifi.

    ReplyDelete
  5. @Fred - also, in both cases we would have to consider whether qualified privilege attached and if so whether the mistake on the part of the music industry / Eircom would result in that privilege being lost.

    ReplyDelete
  6. I'm confused (not for the 1st time today I may add). Eircom operate a 3 strike system, how ? They claim they do not operate any monitoring software so how then can they operate a strike system in the first place ?
    Try accessing The Pirate Bay whilst connected to Eircom and you get a notice to say they have blocked the site as a result of a court order. Half way down the page they then state; eircom would like to reassure customers that:
    eircom will not monitor customer’s activities at any stage, nor will it place any monitoring equipment or software on its network in order to facilitate this block.

    Can anyone make sense out of this ?
    BTW; great post.

    All the best.

    Shee AKA SecurityShee

    ReplyDelete
  7. @Shee - the monitoring is done by a third party engaged by the music industry. Some details here:
    http://the1709blog.blogspot.com/2010/05/eircom-users-to-face-dtecnet-scrutiny.html

    ReplyDelete