ip address – Techdirt (original) (raw)

Stories filed under: "ip address"

ProtonMail Turned Over French Activist's IP Address To Law Enforcement Following A Request From Swiss Authorities

from the vet-your-secure-providers,-folks dept

ProtonMail has long advertised itself as a particularly privacy-conscious email service. The free end-to-end encrypted email service promises more privacy and security than many of its competitors. But there are limits. ProtonMail operates out of Switzerland, making it subject to that country’s laws (which, to be fair, are hardly draconian). It also (at least temporarily) retains a certain amount of information about users’ emails — metadata that can be used to verify accounts in the case of a lost password.

And while email between ProtonMail accounts is encrypted, the same protection isn’t applied to emails between services, like communications sent to or from ProtonMail from other email services. This is an understandable limitation, which is why many seeking secure communications have moved to encrypted messaging services, rather than email offerings that collect metadata about communications.

These inherent weaknesses have been exploited by French law enforcement to obtain information about a French activist — something it achieved with the assistance of Swiss authorities.

ProtonMail, a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism after a police report showed that French authorities managed to obtain the IP address of a French activist who was using the online service. The company has communicated widely about the incident, stating that it doesn’t log IP addresses by default and it only complies with local regulation — in that case Swiss law. While ProtonMail didn’t cooperate with French authorities, French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users.

ProtonMail wasn’t able to hand over much information due to its refusal to gather much information about its users. But it did hand over some, which made it clear that ProtonMail not only collects some email metadata, but will actively collect more metadata if forced to do so by local law. French law may not apply to the Swiss-based email company, but Swiss law certainly does.

Proton’s founder, Andy Yen, offered up this explanation, which said local law supersedes the privacy ProtonMail claims it offers its users.

Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.

And that’s how foreign governments can extract information from an encrypted email service that gives users the impression that it’s capable of protecting even the limited information it collects from nosy officials. The message going forward, however, is that ProtonMail is subject to the laws of multiple countries in the European Union and will comply with Europol orders if issued/forwarded by Swiss authorities.

As Karl Bode (hey, I know that guy!) points out in his article for Motherboard, there are two problems here. The first is that what’s advertised appears to exceed what ProtonMail can actually guarantee its users. The other problem is the communication method itself, which generates a lot of information that other communication methods don’t, creating a metadata paper trail that can be scooped up/gathered in bulk by law enforcement and intelligence agencies.

While ProtonMail does take some steps to protect user privacy better than other email service providers, the fact remains that email is inherently a protocol that requires a lot of information to be shared between parties, and is notoriously difficult to encrypt.

[…]

Ultimately, many of the security and privacy weaknesses are not necessarily ProtonMail’s fault but are weaknesses with email itself. Security experts have pointed out that for highly sensitive communications, email is almost never the best option.

These unavoidable facts — along with its cooperation with French and Swiss authorities — have led ProtonMail to revise its claims about user data. It no longer claims it does not collect personal information to create accounts or log IP information “by default.”

It now says simply:

ProtonMail is email that respects privacy and puts people (not advertisers) first. Your data belongs to you, and our encryption ensures that.

Well, except for when your data is subject to Swiss government demands for data, either directly or by proxy. User beware is the rule going forward now that this successful metadata grab has been exposed.

Filed Under: email, encryption, france, ip address, metadata, privacy, switzerland
Companies: protonmail

from the don't-see-that-every-day dept

Lately so many of our copyright trolling stories have been about Richard Liebowitz or Mathew Higbee, but we shouldn’t forget about Malibu Media, which is still out there doing Malibu Media things. The latest, to come out of a court in Connecticut is that the infamous copyright troll has had a default judgment request denied. This is exceptionally rare.

Default judgments are what you get when the other side doesn’t even bother to show up. They’re almost always granted as a matter of course (though, collecting on a default judgment is not always so easy). However, in this case US District Court judge Jeffrey Meyer isn’t buying what Malibu Media is selling. Judge Meyer jumps right in and points out how unfair it is to blame the ISP account holder for actions that may have been done by someone else:

Imagine that someone accesses the internet via a particular internet protocol (?IP?) address and illegally downloads movies. That IP address was assigned by an internet service provider (?ISP?) to one of its subscriber accounts. Is it fair to say that the ISP account subscriber?the person who pays the internet bill?is the individual who must have engaged in the illegal activity and who should pay a large damages award if he or she does not appear in court to deny doing anything wrong? At a time when wireless internet networks and personal electronic devices are ubiquitous, and when network passwords, logins for TV streaming services, and Amazon accounts are freely shared with family, friends, roommates, businesses, and even strangers, I don?t think so.

From there, despite the defendant providing no defense at all, the judge says that Malibu Media “has not alleged plausible grounds” for the case and thus the request must be denied:

Defendant John Doe is the named subscriber to a Cox Communications internet service account that is associated with the IP address that was used to unlawfully download several of Malibu Media?s films. Because Malibu Media does not allege any additional facts beyond Doe?s subscriber status to show that he engaged in the unlawful downloading of Malibu Media films, I conclude that Malibu Media has not alleged plausible grounds for relief and will deny Malibu Media?s motion for default judgment without prejudice.

Again, many judges will just grant a default judgment as a matter of course, and wouldn’t even consider whether or not there was a plausible claim in the complaint unless there was a motion to dismiss from the defense.

But, it certainly appears that more and more judges are wising up to copyright trolling tactics. Here, the court makes clear that it has the power to deny a default judgment in a case like this.

A court should not grant a motion for default judgment simply because a plaintiff alleges in a conclusory fashion that a defendant has violated the law. Instead, the factual allegations in support of default judgment must establish plausible grounds for relief. Thus, a court must evaluate whether the factual allegations set forth as a basis for the default judgment motion would survive a challenge by way of a motion to dismiss for failure to state a claim under Rule 12(b)(6) of the Federal Rules of Civil Procedure.

And here, the judge appears to really understand that just having an IP address is not the same as knowing who did any infringement:

On the one hand, some courts conclude that, if there has been a copyright infringement traced to a particular IP address, it is plausible to conclude that the subscriber to the ISP account that corresponds to this IP address is the one who engaged in the acts of copyright infringement….

On the other hand, a growing weight of authority runs to the contrary, with courts concluding that a defendant?s status as subscriber of the ISP account associated with the IP address used to infringe a copyright, standing alone, merely makes it possible?rather than plausible?that it was the defendant who engaged in the acts of unlawful infringement….

What’s notable here is how many of the cases the judge cites for both of those arguments are… Malibu Media cases. The judge has done the research it appears:

The Second Circuit has yet to address the issue, but the Ninth Circuit has persuasively explained why a plaintiff like Malibu Media does not state plausible grounds for relief by alleging only that a defendant is the registered owner of the internet subscriber account assigned to the IP address associated with the infringement activity. See Cobbler Nevada LLC v. Gonzalez, 901 F.3d 1142 (9th Cir. 2018). ?Although copyright owners can often trace infringement of copyrighted material to an IP address, it is not always easy to pinpoint the particular individual or device engaged in the infringement.? Id. at 1146. ?[S]imply establishing an account [that is associated with an IP address] does not mean the subscriber is even accessing the internet, and multiple devices can access the internet under the same IP address.?

The court isn’t throwing out the case entirely, giving Malibu Media another chance to make their case, but also won’t just rubber stamp a default:

To be sure, I understand that ?the technology limitations potentially puts a plaintiff [like Malibu Media] in a difficult position in naming the correct defendant,? but ?such limitations do not relieve a plaintiff of alleging sufficient facts so that a court can reasonably infer that the named defendant is the actual infringer.? Malibu Media v. Park, 2019 WL 2960146, at *6. Without additional allegations, ?[i]t thus remains just as possible that the IP address was used by family members, roommates, guests, friends, and neighbors.? Malibu Media v. Duncan, 2020 WL 567105, at *6. Accordingly, I will deny the motion for default judgment without prejudice to renewal on the basis of additional allegations to plausibly show that it was Doe who engaged in the alleged infringing activity.

It’s good to see more and more courts understanding the games copyright trolls play and not letting them get away with them.

Filed Under: copyright, copyright troll, default judgment, ip address
Companies: malibu media

Appeals Court Says An IP Address Is 'Tantamount To A Computer's Name' While Handing The FBI Another NIT Win

from the [extremely-superintendent-chalmers-voice]-good-lord dept

Fortunately, this profoundly-wrong conclusion is buried inside a decision that’s merely off-base. If it was the crux of the case, we might have witnessed a rush of copyright trolls to the Eleventh Circuit to take advantage of the panel’s wrongness.

But this decision is not about IP addresses… not entirely. They do play a part. The Eleventh Circuit Court of Appeals is the latest federal appellate court to deny suppression motions filed over the FBI’s use of an invalid warrant to round up suspected child porn consumers. The “Playpen” investigation involved the FBI seizing a dark web child porn site and running it for a few weeks while it sent out malware to anyone who visited the site. The FBI’s “Network Investigative Technique” (NIT) sent identifying info back to the FBI, including IP addresses and an assortment of hardware data.

As the court notes in its decision [PDF], pretty much every other appeals court has already gotten in on this action. (Spoiler alert: every other appeals court has granted the FBI “good faith” even though the DOJ was actively pursuing a law change that would make the actions it took in this case legal. The violation of jurisdiction limitations by the FBI’s NIT was very much not legal when it occurred.)

By our count, we become today the eleventh (!) court of appeals to assess the constitutionality of the so-called “NIT warrant.” Although the ten others haven’t all employed the same analysis, they’ve all reached the same conclusion—namely, that evidence discovered under the NIT warrant need not be suppressed. We find no good reason to diverge from that consensus here…

That being said, there are some interesting issues discussed in the opinion, but here’s where it kind of falls apart. The Eleventh Circuit may be joining ten (!) other circuits in upholding the FBI’s illegal search, but it’s the first to make this preposterous claim while doing so. (h/t Orin Kerr)

In the normal world of web browsing, an internet service provider—Comcast or AT&T, for example—assigns an IP address to every computer that it provides with internet access. An IP address is a unique numerical identifier, tantamount to a computer’s name.

That’s… just completely wrong. An IP address doesn’t identify a device any more than it identifies a person or location. It is very definitely not “tantamount to a computer’s name.” The court uses this erroneous conclusion for pretty benign ends — to veto the DOJ’s belated attempt to rebrand its NIT malware as a “tracking device” in order to salvage its invalid search warrant. Even so, this slip-up is embarrassing, especially in a decision that contains a great deal of technical discussion.

But I suppose all’s well that ends unsurprisingly. The Eleventh Circuit agrees with the other circuits: the warrant obtained was invalid from the moment it was obtained as it allowed the FBI to perform searches outside of the jurisdiction in which it was issued. But there’s no remedy for the two alleged child porn consumers. As the court states here, the error was the magistrate judge’s, who should never have signed a warrant granting extra-jurisdictional searches. According to the Eleventh Circuit, the FBI agent had every reason to believe the granted warrant was valid and that the searches could be executed. No one’s evidence is getting suppressed and no one’s convictions are being overturned.

The problem with this assumption is that it glosses over the issue of the DOJ’s Rule 41 politicking, which was well underway when this FBI agent approached a judge with a warrant that asked permission to violate a rule that hadn’t been rewritten yet. To call this “good faith” presumes a lot about the FBI and its investigators. It concludes they were unaware of the DOJ’s petitioning of the US court system to rewrite Rule 41 when everything about this case points to the fact that these investigators knew about the proposed rule change and knew this NIT deployment wasn’t legal at the point they handed the affidavit to the magistrate.

In the end, it’s another unearned win for the FBI. And it’s one that comes paired with a tech gaffe that’s going to sound very appealing (!) to IP trolls.

Filed Under: 11th circuit, computer names, identification, ip address

Strike 3 Gets Another Judge To Remind It That IP Addresses Aren't Infringers

from the ip-freely dept

While copyright trolling has continued to be a scourge across many countries, America included, there have finally been signs of the courts beginning to push back against them. One of the more nefarious trolls, Strike 3 Holdings, masquerades as a pornography company while it actually does the far dirtier work of bilking internet service account holders based on non-evidence. Armed typically with nothing more than IP addresses, the whole trolling enterprise relies on using those IP addresses to have ISPs unmask their own customers, under the theory that those customers are the most likely infringers of Strike 3 content. The courts have finally begun catching on to how faulty the very premise is, with more than one judge pushing back on IP addresses even being actual evidence.

It’s a list that continues to grow, with one Judge in Florida apparently taking issue with the use of IP addresses entirely.

In February, Judge Ungaro was assigned a case filed by the adult entertainment company “Strike 3 Holdings,” which has filed hundreds of lawsuits over the past several months.

The company accused IP-address “72.28.136.217” of sharing its content through BitTorrent without permission. The Judge, however, was reluctant to issue a subpoena. She asked the company how the use of geolocation and other technologies could reasonably pinpoint the identity and location of the alleged infringer.

Strike 3 went on to boast that its IP address matching was roughly 95% effective. After all, as Blackstone’s Ratio goes: Better to let ten guilty men go free than to let any more than five out of one-hundred suffer.

That, of course, is not how the saying goes. Instead, the idea is supposed to be that justice is based on good, quality evidence that points directly to the accused. Instead, in addition to mentioned flawed IP location issue, Strike 3 flatout admits that this IP-to-user identification doesn’t actually tell who infringed what.

Strike 3 further admitted that, at this point, it doesn’t know whether the account holder is the actual copyright infringer. However, the company believes that this is the most plausible target and says it will try to find out more once the identity of the person in question is revealed.

That’s actually remarkably honest as far as copyright trolls go: we’re not entirely sure our IP address is correctly identified, and that IP address doesn’t actually tell us who the infringer is, but we promise to try to get actual evidence if you help us with this non-evidence. Still, it doesn’t make much of a case for the court ordering anything at all, does it?

That’s why it really shouldn’t be a surprise when you get a judge stating things like the following.

“There is nothing that links the IP address location to the identity of the person actually downloading and viewing Plaintiff’s videos, and establishing whether that person lives in this district,” Judge Ungaro writes.

The order points out that an IP-address alone can’t identify someone. As such, it can’t accurately pinpoint the person who allegedly downloaded the copyright infringing content.

“For example, it is entirely possible that the IP address belongs to a coffee shop or open Wi-Fi network, which the alleged infringer briefly used on a visit to Miami,” Judge Ungaro notes. “Even if the IP address were located within a residence in this district, the geolocation software cannot identify who has access to that residence’s computer and who actually used it to infringe Plaintiff’s copyright,” she adds.

Exactly. And the rules of evidence aren’t there just for the sake of letting porn-watchers go free on technicalities. They matter. If we were to allow copyright trolls to substitute the kind of shoddy facts like IP addresses for actual evidence, and if courts were to accept that substitute, then what we’re really all allowing for is a substitute for justice. The public doesn’t want that.

And, it would appear, more and more judges are finally realizing that they don’t want that either.

Filed Under: copyright, copyright troll, identification, ip address, subpoena
Companies: strike 3 holdings

Important Appeals Court Ruling States Clearly That Merely Having An IP Address Is Insufficient For Infringement Claims

from the a-good-ruling dept

Tons of copyright lawsuits (and even more copyright trolling shakedowns that never even reach court) are based on one single bit of data: the IP address. We’ve seen numerous district courts reject using a bare IP address as evidence of infringement, but now we have a very important (even if short and to the point) ruling in the 9th Circuit that could put a serious damper on copyright trolling.

In this copyright action, we consider whether a bare allegation that a defendant is the registered subscriber of an Internet Protocol (?IP?) address associated with infringing activity is sufficient to state a claim for direct or contributory infringement. We conclude that it is not.

The case involved well known copyright trolling lawyer Carl Crowell representing Cobbler Nevada LLC. As we discussed in our article on the district court decision, the actions in this case were particularly nefarious. Crowell quickly learned that the IP address in question belonged to an adult foster care home, but decided to go after the operator, Thomas Gonzales, even though he was aware that any of the many residents or staff may have actually been responsible for the infringement. Gonzales (reasonably) refused to just cough up the names and details of residents and staff without a court order, and Crowell’s response was just to go after Gonzales directly. But the facts of this case made it especially easy for the lower court to highlight how a mere IP address is not nearly enough to allege infringement.

The district court properly dismissed Cobbler Nevada?s claims. The direct infringement claim fails because Gonzales?s status as the registered subscriber of an infringing IP address, standing alone, does not create a reasonable inference that he is also the infringer. Because multiple devices and individuals may be able to connect via an IP address, simply identifying the IP subscriber solves only part of the puzzle. A plaintiff must allege something more to create a reasonable inference that a subscriber is also an infringer. Nor can Cobbler Nevada succeed on a contributory infringement theory because, without allegations of intentional encouragement or inducement of infringement, an individual?s failure to take affirmative steps to police his internet connection is insufficient to state a claim.

The direct infringement part is easy. Obviously, there’s no evidence presented with a single IP address that Gonzales was downloading, so it’s on its face ridiculous to claim to have evidence of direct infringement.

The only connection between Gonzales and the infringement was that he was the registered internet subscriber and that he was sent infringement notices. To establish a claim of copyright infringement, Cobbler Nevada ?must show that [it] owns the copyright and that the defendant himself violated one or more of the plaintiff?s exclusive rights under the Copyright Act.? Ellison v. Robertson, 357 F.3d 1072, 1076 (9th Cir. 2004). Cobbler Nevada has not done so.

The more important part here is the contributory infringement argument. Crowell/Cobbler claimed that Gonzales could be liable for contributory infringement for failing to lock down and police his internet connection. That’s a pretty big leap and the court is not impressed. It first highlights the ever important Betamax ruling that you can’t make a third party liable for infringement for distributing a product or service that is “widely used for legitimate, non-infringing purposes.” Internet access counts. It also points to the Grokster ruling, in which the Supreme Court said that “inducement” to infringe could be seen as contributory liability. But merely failing to police your internet connection is, in no way, inducement.

Cobbler Nevada?s complaint lacks any allegations that Gonzales ?actively encourage[ed] (or induc[ed]) infringement through specific acts.?… Nothing in Cobbler Nevada?s complaint alleges, or even suggests, that Gonzales actively induced or materially contributed to the infringement through ?purposeful, culpable expression and conduct.? … No allegations suggest that Gonzales made any ?clear expression? or took ?affirmative steps? to foster the infringement?Gonzales?s only action was his failure to ?secure, police and protect? the connection.

And, based on the Betamax test, Gonzales is in the clear as well:

Providing internet access can hardly be said to be distributing a product or service that is not ?capable of substantial? or ?commercially significant noninfringing uses.?

The court has some additional words on Crowell trying to push his theory of contributory liability:

We note that Cobbler Nevada?s theory both strays from precedent and effectively creates an affirmative duty for private internet subscribers to actively monitor their internet service for infringement. Imposing such a duty would put at risk any purchaser of internet service who shares access with a family member or roommate, or who is not technologically savvy enough to secure the connection to block access by a frugal neighbor. This situation hardly seems to be one of ?the circumstances in which it is just to hold one individual accountable for the actions of another.?

The court then upholds the lower court’s awarding of attorney’s fees to Gonzales, noting the “objective unreasonableness” of Cobbler’s arguments.

Specifically, the court flagged as unreasonable Cobbler Nevada?s decision to name Gonzales as the defendant, even after concluding that Gonzales was not ?a regular occupant of the residence or a likely infringer.? The court also considered deterrence: it reasoned that awarding fees would deter Cobbler Nevada from an ?overaggressive pursuit of alleged infringers without a reasonable factual basis? while encouraging defendants with valid defenses to defend their rights. See Fogerty, 510 U.S. at 534 n.19. The court?s rationale is in keeping with the purposes of the Copyright Act. See Kirtsaeng, 136 S. Ct. at 1988?89 (a district court ?may order fee-shifting . . . to deter . . . overaggressive assertions of copyright claims?).

Now, where this case may have a bigger impact is in lawsuits against ISPs for failing to police their networks. You may have heard of a few of these cases recently. Just last week Cox settled one of those cases, but it’s facing an even bigger one from all the major record labels.

But that case is not unlike this one, just on a different scale. In this case, Gonzales is the ISP, and got sued for failing to police his network, despite receiving many infringement notices. As the court makes clear, that does not make him liable for infringement. In the Cox case, it too is the ISP who was sued for failing to police its network, despite receiving many infringement notices (indeed, Cox did much more than Gonzales). So it would appear that we may have a bit of a circuit clash here, in which the 4th Circuit says that ISPs can be liable for infringement based solely on notices of evidence that is nothing more than IP addresses, while the 9th Circuit (correctly) understands the implications of such a ruling, even to the point of finding it “objectively unreasonable.”

Filed Under: 9th circuit, carl crowell, contributory infringement, copyright, copyright trolling, evidence, inducement, ip address

from the speculative-policing dept

The Eighth Circuit Appeals Court has handed down a judicial shrug [PDF] in a case where police decided an IP address was pretty much all they needed to search eleven occupants and their devices for child porn. Qualified immunity is upheld, despite the fact the officers searched rooms they possibly had no Fourth Amendment permission to search and despite the fact that no child porn was discovered anywhere on the multiple devices they seized.

The detectives had a warrant to search a single-family dwelling. This residence had been split into unofficial apartments. Despite there being some clear delineation between the multiple private spaces, the police decided the original warrant covered every separate “residence” inside the residence.

[Detective Jessie] Smith–accompanied by Minot Police Sergeant Dave Goodman and Detective Krista Thompson, plus six other law enforcement officials–arrived at the residence on the morning of May 6, 2014, to execute the search warrant. Once inside, law enforcement officials interviewed the persons present and learned that the residence had as many as eleven occupants, some of whom sublet basement bedrooms, and all of whom could access the internet service wirelessly. No child pornography was found during the search of the entire residence, including a basement bedroom that Doe and another person rented.

The court says there’s nothing wrong with the law enforcement effort, even though it would seem more proper for additional warrants to be sought, rather than simply relying on a warrant whose sworn facts were no longer factual. It’s not as though the police didn’t have that option. Any concerns about evidence vanishing could have been mitigated using the same steps depicted here:

Doe was not present, but police were told that he was at work, and that he had a laptop computer which he carried in a blue bag. Smith, Goodman, and Thompson, who had been given a description of Doe’s vehicle, proceeded to Doe’s place of employment. The officers spotted Doe’s car in the parking lot, and saw a blue laptop bag on the front seat. Inside the premises, the officers met privately with Doe in a conference room, telling him about their investigation and asking for permission to search his vehicle. When Doe denied permission, the officers advised him that they would seek a warrant to search his vehicle and the laptop, and that he could not remove his vehicle while the warrant was being obtained. Doe was not told that he could not leave the premises. Smith then prepared another search warrant application, supplementing his original affidavit with the results of the initial search of the residence, information learned from interviews of the occupants, and his observation of the laptop bag in Doe’s vehicle; and a second search warrant was issued for Doe’s vehicle and for any computers and electronic devices located in it.

The decision to approach Doe at work had consequences. But only for Doe.

Goodman, Thompson, and Smith then executed the warrant and previewed the laptop computer on site. Once again, they found no child pornography. During this time, a period of about two and one-half hours, Doe was denied access to his vehicle. He was not arrested or charged with any crime. He nevertheless lost his job, and was forced to move out of his rented room.

Doe’s life took a hit, thanks to officers working with little more than an IP address — one shared by at least eleven residents — and a warrant that should have been invalid the moment it was served. But the court insists moving ahead with a warrant that describes a living situation completely different than the one actually observed during warrant service is still a “reasonable” search that doesn’t clearly violate established rights.

As the dissent points out, federal precedent says otherwise. When officers are faced with facts that contradict their sworn assertions, they’re supposed to limit their searches to the confines of the warrant they obtained. Failure to do so is to perform searches not backed by probable cause.

Federal courts have consistently held that if officers obtain a warrant to search a building containing a single residential unit, and discover or reasonably should discover during the execution of the warrant that the building actually contains multiple residential units, they are required to limit their search to the unit or units for which they have specific probable cause… Here, once the officers arrived at the building named in the warrant, they realized it had been subdivided into separate units, with as many as eleven tenants and subtenants. All eleven could access the building’s wireless internet, and the officers had no information leading them to any particular unit, tenant, or device. Therefore, the chance of finding child pornography in any single residential unit—including Doe’s rented room—was substantially less than the “fair probability” required for probable cause, and the execution of the warrant was objectively unreasonable.

Likewise, the warrant obtained to search Doe’s car and laptop was not supported by probable cause.

The only evidence suggesting that Doe might be the person who downloaded the child pornography was that he was one of at least eleven people who could access his building’s wireless internet, and that he had a laptop computer in his vehicle. This evidence falls far short of establishing probable cause, and “no reasonably competent officer would have concluded that a warrant should issue.”

By upholding the officers’ qualified immunity, the court is basically stating it’s fine to handle child porn investigations with the same sort of detailed rigor deployed by copyright trolls. Search warrants are apparently being handed out to law enforcement that contain little more than a subscriber’s name and a Google Maps photo of the building at the address provided by the ISP. It’s speculative policing, requiring almost nothing in the way of actual detective work. But this is very serious stuff. Child porn investigations should be handled much more carefully, considering the severity of the crime, the vulnerability of the victims, and the incredible collateral damage done to innocent people wrongly accused of this crime. Instead, it appears officers are rushing forward with way more enthusiasm than supporting facts.

The evidence here — rather, the complete lack of it — shows how dangerous it can be when assumptions are made about IP addresses and those who have access to them. Sure, it’s not dangerous for the cops — they have qualified immunity and tons of judicial slack on their side. But for those on the receiving end, it can cost them their livelihood, even when they’re innocent.

Filed Under: 4th amendment, 8th circuit, ip address, privacy, search

Extra Digit Accidentally Typed By Officer Turns UK Man Into A Pedophile

from the LIFE-HAS-CRASHED-[a]bort-[r]etry-[f]ail dept

What’s a few typos between you and a friend a few cops? Nothing, really. The lives they ruin will not be their own.

UK resident Nigel Lang lost more than two years of his life to a typo. He was never jailed, but the life he lived was bereft of freedom. Thanks to the addition of a single wrong digit, Lang’s house was raided, his electronics seized, and his life’s goals rerouted.

He was told that when police requested details about an IP address connected to the sharing of indecent images of children, one extra keystroke was made by mistake, sending police to entirely the wrong physical location.

That’s all it took to turn Lang’s life upside down. While police searched his electronics for nonexistent child porn, Lang lost his job counseling troubled teens and was cut off from his family.

Lang was bailed, but under strict and devastating conditions. Social services had visited his partner at home while he was being interviewed to conduct a “safeguarding assessment”, and it was decided he could not live at the family home, visit his son there, or have any unsupervised contact with his son anywhere.

It took more than a year before anyone would even entertain the idea that some error might have been made. At first, Lang, who is black, suspected this wrongful arrest might have been racially-motivated. But the IP address mistakenly entered by law enforcement was registered to his partner, who is white. He then tried to get to the bottom of why police had targeted him in the first place. If anyone wonders why so few complaints against law enforcement result in punishment, here’s part of the answer: the complaint process is unofficially discouraged by officers and staff.

Lang said that before he was able to officially lodge the complaint, an officer called him, questioning his need to complain and asking him whether his arrest had even had any impact upon his life.

GOOD LORD. It’s as if police officers have no idea what life’s like for the people they police. And it’s as though they think all their errors are harmless.

Lang’s complaint, based on the faulty discrimination premise, was rejected. The rejection, however, pointed Lang towards the truth. The arrest order — based on incorrect information — had actually originated more than 100 miles away from Lang’s home, with an entirely different law enforcement agency.

South Yorkshire police’s DI Sean McMahon, who investigated the complaint, wrote that in May 2011, officers had received information from their colleagues in Hertfordshire that they had identified an IP address that had shared more than 100 images of children via peer-to-peer software in April that year. Hertfordshire police had established that the IP address belonged to the account in the name of Lang’s partner.

The letter also pointed out very little investigatory work had been done by Hertfordshire. The police there had little more to go on than an IP address, but felt justified in swearing out a warrant. The raid was conducted by the South Yorkshire police, who at least helpfully suggested in the letter that the information used by Hertfordshire might have been incorrect.

But the point of the letter was to close the investigation of Lang’s complaint. According to South Yorkshire Police, officers had acted in good faith based on information handed to them by another law enforcement agency. There was nothing more it could do for Lang and closed the complaint.

More than three years after his arrest, the Hertfordshire police finally admitted their error.

Hertfordshire police were initially resistant, refusing to speak to Lang’s solicitor before they could talk to Lang himself. Over the phone, he was finally told the circumstances behind his arrest: While requesting details about an IP address linked to indecent images of children from an internet service provider, police had added an extra digit – a single keystroke – by mistake. When the ISP came back with a physical address for the IP address provided, it led police to Lang’s front door. The internet account set up by Lang’s partner just happened to have the wrong IP address at the wrong time.

Lang also managed to obtain this admission of wrongdoing in writing, along with a 60,000settlement.Theboguscharges—stillonhisrecordyearslater—arefinallybeingexpunged.While60,000 settlement. The bogus charges — still on his record years later — are finally being expunged. While 60,000settlement.Theboguschargesstillonhisrecordyearslaterarefinallybeingexpunged.While60,000 seems rather low for turning someone into a de facto pedophile based on erroneous information, Lang’s settlement came with something you’ll never find attached to one here in the United States: an apology and a statement of culpability.

Lang is still waiting for an apology from the agency that raided his house and placed him under arrest. Most likely, that apology will never come. Hertfordshire screwed up its data entry and local officers had no reason to question the information given to them.

But that’s all it takes to derail — if not completely ruin — someone’s life: an extra digit. Predicating arrests solely on IP addresses is only part of the problem. Law enforcement and intelligence agencies all over the world are building massive databases from anything they can lay their hands on. These databases freely intermingle personal data on innocent people with those charged with crimes. A little fat fingering can do a whole lot of damage. Clerical errors may cause law enforcement agencies a little embarrassment and/or a chunk of taxpayers’ cash if a settlement is handed out. That’s nothing compared to the damage done to citizens who find themselves on the receiving end.

Filed Under: child porn, hertfordshire, ip address, nigel lang, police, south yorkshire, uk

from the spray-and-pray(ers-for-relief) dept

Copyright trolls still labor under the (deliberate) misconception that an IP address is a person. Sometimes judges allow it. Sometimes judges remind them not to conflate the two. And sometimes — well, maybe just this once — the IP address being sued is actually a Tor exit node, evidence of nothing. (h/t Raul)

In an opinion handed down by Judge Michael Simon, the person Dallas Buyers Club is suing for infringement will be subject to adverse jury instructions thanks to the Tor exit node DBC sued. The order refers to alleged evidence spoliation by the defendant, who shut down his exit node after being sued. The defendant has (correctly) pointed out “Evidence of what?” because it’s highly unlikely his node would cough up any usable identifying information about infringers utilizing the node.

All DBC had was an IP address, and it wasn’t linked to the defendant — at least not in terms of it being his personal computer.

The internet protocol (“IP”) address identified by Plaintiff as infringing on Plaintiff’s movie is an IP address associated with a one of Defendant’s servers. Defendant operated this server as a virtual machine (“VM”). Using VM technology, Defendant migrated information from his old multiple servers onto two servers operating as VMs. One of these is the physical machine associated with the allegedly infringing IP address (“Infringing Machine”).

On the Infringing Machine, Defendant installed Tor Network software and created a “Tor Node,” which facilitates use of the Tor Network by end users by routing information through Defendant’s machine. Also on this machine were VMs for two email servers. The Infringing Machine had two hard drives, which were mirrored. Defendant did not use the Infringing Machine as a personal computer and did not attach any personal computer to this machine. The Infringing Machine was located on a server rack.

It wasn’t until 10 months after the original filing that DBC finally submitted an amended complaint actually naming a human defendant (along with his business “Integrity Computer Services”). Prior to being served himself, the defendant learned of the lawsuit and participated in some discovery conferences. At two points between the lawsuit’s filing and his appearance at the conferences, the defendant attempted to fix his malfunctioning RAID system by deploying a utility that basically wiped everything off the drives. He left the Tor node running and moved anything related to his personal business off the server.

DBC claimed this was done to destroy evidence. The defendant countered, explaining it was highly unlikely a Tor exit node would produce usable information. (He had also offered to shut down the node to “amicably resolve” the lawsuit by ending the alleged infringement his node was supposedly “allowing” to happen.)

The Court finds credible Defendant’s statements that he genuinely believed that his hard drives would not contain any information that would identify or provide relevant data relating to the alleged infringement, based on his understanding of how Tor Nodes operate. Defendant explained his understanding and the basis for it in detail.

The Court also finds instructive the unique facts of this case. The Infringing Machine was not a personal computer from which all data was wiped with after-market software. The Infringing Machine was a Tor Node that routed information for other end users around the world. As Defendant points out, it is questionable that he had a motive to deceive the Court by wiping information that may or may not have identified some unknown user somewhere in the world.

Despite this, the court has decided to sanction the defendant for not preserving what may have been completely useless data. It won’t go as far as DBC wants it to (the troll asked for a default judgment in its favor) but it won’t help the defendant much if this case goes to trial.

Accordingly, the Court orders that the jury shall be instructed as follows:

Defendant John Huszar has failed to preserve computer hard drives that may have contained evidence relevant to this case. You may presume that the lost evidence was favorable to Plaintiff. Whether this finding is important to you in reaching a verdict in this case is for you to decide.

A partial win for the speculative invoicing team at DBC. If this case goes to trial, the defendant starts with a strike against him when the jury goes to deliberate. Perhaps the jury will see the case for what it is: a copyright troll suing a Tor exit node because it can’t be bothered to go after those actually committing infringement. Then again, the discussion of RAID controllers, IP address-cloaking efforts, and other technical details may become “evidence” the defendant had “something to hide.” “Normal” computer users don’t run Tor exit nodes or multiple servers, and when the facts seem weird and ungainly, they tend to work against the person deploying them.

Filed Under: copyright, copyright troll, dallas buyers club, exit node, ip address, tor
Companies: dbc

from the killer-grandma dept

Copyright trolling is somehow still a thing and it never seems to fail to provide ridiculous examples of miscarriages of justice. It has been long pointed out how rife with inaccuracy the process of threatening individuals with lawsuits and fines based on infringement as evidenced only by IP address is. Even courts have time and time again pointed out that an IP address is not sufficient to identify a person responsible for a given action. Yet the trolls still send out their threat letters, because bullying in this manner generally works.

The latest example of this kind of trolling misfire comes from Canada, where 86-year-old Christine McMillan received a threat letter from CANIPRE over an alleged infringing download of Metro 2033, a game in which the player slaughters zombies in a post-nuclear world.

“I found it quite shocking … I’m 86 years old, no one has access to my computer but me, why would I download a war game?” McMillan told Go Public.

In May, she received two emails forwarded by her internet provider. They were from a private company called Canadian Intellectual Property Rights Enforcement (CANIPRE) claiming she had illegally downloaded Metro 2033, a first-person shooter game where nuclear war survivors have to kill zombies.? McMillan’s IP address, the string of numbers that identifies each computer communicating over a network, was used to download the game.

McMillan says she thought the threat letter was a scam at first and, to be fair, it kind of is. With all the discretion of a carpet-bomb, CANIPRE saw her IP address associated with an infringing download and decided she had to pay $5k as a result. Because of Canada’s Copyright Modernization Act, her ISP forwarded the notices to her blindly. Needless to say, this lovely woman in her eighties was both scared and confused, being told that the threat letters were legal and legit, but having never murdered a digital zombie in her life. Since receiving the letter, her confusion has turned to understandable anger.

“It seems to be a very foolish piece of legislation,” McMillan said. “That somebody can threaten you over the internet … that to me is intimidation and I can’t believe the government would support such action.”

I’m right here with you, Christine, because this kind of fear and threat tactics are generally reserved for the exact kind of scams too often targeting senior citizens that she initially assumed this was. For the courts to push back on the very “evidence” that groups like CANIPRE rely on solely to threaten people with thousands of dollars in settlement offers isn’t so much copyright enforcement as it is extortion. Wireless networks, even when secured, can be used by unauthorized users. Every instance of threatening those whose networks have been accessed in this way to commit copyright infringement is victimizing someone who is already a victim, which is as clear a miscarriage of justice in the Western system as I can think of.

But, again, copyright trolls do this because it works. Even CANIPRE doesn’t defend the practice beyond saying that it is technically legal to do all of this, before bragging about how many people fearfully pay upon demand.

The owner of CANIPRE told Go Public he gets 400 calls and emails from people on a busy day and “most of them” settle.

“Ultimately, we are helping our clients get their educational message out about anti-piracy and theft of content and how it harms them and their rightful marketplace,” Barry Logan said.

When asked about the wording that McMillan found threatening, Logan said his company ran the language by lawyers and it’s legal. He says his company has collected about $500,000 for its clients since the Notice and Notice regime started almost two years ago.

Keep in mind that this is a house of monetary notes built entirely on IP addresses and preying on a public that mostly is unaware of the subtlety in the law and the legal defenses they have at their disposal. Whatever that is, it certainly isn’t justice.

Filed Under: canada, christine mcmillan, copyright, copyright trolling, ip address, shakedown
Companies: canpipre

EFF White Paper Hopes To Educate Cops On The Difference Between An IP Address And A Person

from the but-are-they-willing-to-learn? dept

Judges have pointed out to copyright trolls on multiple occasions that an IP address is not a person. Trolls still labor under this convenient misconception because they have little else in the way of “proof” of someone’s alleged infringement.

Unfortunately, law enforcement agencies also seem to feel an IP address is a person — or at least a good indicator of where this person might be found. This assumption leads to blunders like ICE raiding a Tor exit node because it thought an IP address was some sort of unique identifier. After having IP addresses explained to it by the EFF, ICE returned the seized hard drives and promised to make the same mistake in the future.

In another case, the Seattle PD raided a Tor exit node in search of a person downloading child porn. It didn’t find the target it was looking for, but went ahead and demanded passwords so it could search files and logs at the unfortunate citizen’s home before realizing it had the wrong person.

The EFF is kind of sick of having to explain the difference between an IP address and a person to government entities. It has put together a white paper [PDF] that should be required reading anywhere government employees feel compelled to act on “evidence” as useless as IP addresses.

Law enforcement’s over-reliance on the technology is a product of police and courts not understanding the limitations of both IP addresses and the tools used to link the IP address with a person or a physical location. And the police too often compound that problem by relying on metaphors in warrant applications that liken IP addresses to physical addresses or license plates, signaling far more confidence in the information than it merits.

[…]

These ill-informed raids jeopardize public safety and violate individuals’ privacy rights. They also waste police time and resources chasing people who are innocent of the crimes being investigated.

By acting on this bogus assumption, law enforcement agencies are wasting time and money. Plus, they’re putting themselves in situations where innocent people could be killed over technical errors, seeing as warrant service these days usually involves militarized squads that value shock and awe tactics over minimizing collateral damage.

The white paper points out what should be obvious to anyone who considers themselves capable of solving “computer crimes:” an IP address is not only not a person, it’s not even a physical location.

First, the technology was never designed to uniquely identify an exact physical location, only an electronic destination on the Internet.

[…]

At a local level, similar IP addresses may be assigned based on geography, albeit only indirectly. ISPs make decisions to allocate blocks of IP addresses to particular locations for a variety of reasons, with the goal of creating a network that efficiently delivers Internet traffic. The result may be that locations near each other feature similar IP addresses, but that is more often the product of where the provider has physical links and routers to a network than geography. For example, if an ISP has a fiber-optic link between two distant cities, the IP addresses assigned to those cities may be similar because it creates a more efficient network. A third city near one of those towns geographically may not share the same connection and it would thus likely have completely different IP addresses assigned to it.

In addition, IP addresses only identify the block of devices assigned to it, not the people utilizing them. Even in cases where there’s only one resident at a physical address linked to an IP address, there’s still a chance law enforcement may be going after the wrong person. As the paper explains, the pool of IPV4 addresses has been used up. In areas where users haven’t been pushed to IPV6 addresses, IP addresses may be shared by more than one user (at more than one physical address) or reassigned to other users by service providers based on need and usage. As the paper states, IP addresses, unlike physical addresses, are not static.

The paper also points out that the use of bad analogies by law enforcement and courts has only made the misconceptions worse. Law enforcement agencies sometimes claim that IP addresses are every bit as unique as license plates. The metaphor fails because IP addresses can be shared or redistributed at private companies’ discretion unlike license plates, which are government-issued and must remain tied to a registrant.

In short, the best analogy for an IP address is an anonymous informant’s tip — something that’s basically hearsay until otherwise confirmed.

In a line of Supreme Court cases dealing with reliability and corroboration problems that arise whenever third parties provide tips to law enforcement, the court has made clear that police must do more to confirm the tips provided by anonymous informants before seeking a warrant or other process…

The question is: will law enforcement care enough about potential collateral damage to educate themselves on the problems of treating IP addresses as people… or will they decide that a combination of forgiveness (good faith exception, etc.) and easily-obtained immunity is preferable to gathering corroborating evidence and acting more cautiously?

Filed Under: crime, ip address, law enforcement, privacy