Saturday, March 06, 2004

File-swapping litigation raises important privacy issues

Up until recently, Canadians have been free of the sort of litigation that the American recording industry has inflicted on "file sharers" in the U.S. As many know, the first movements toward similar litigation have recently been noticed in Canada (see the Globe & Mail's article, Canadian Recording Industry hopes to inspire fear over file swapping). Some of the more recent media attention has focussed on the attempt by CRIA to discover the identities of individuals whom they have targeted:

London Free Press: Business Section - Copyright suit raises concerns
David Canton, Freelance writer 2004-03-06 03:22:53

A legal action that could potentially affect anyone who has downloaded music on the Internet was recently initiated in Canada. The plaintiffs in this civil suit are some of the biggest music record labels, represented by the Canadian Recording Industry Association (CRIA).


CRIA intends to go after "egregious" or high-volume file-sharers that make massive quantities of music available for free.

The defendants in these proceedings are unknown for the moment. CRIA is requesting a court order that could change that. If granted, it would require Internet service providers (ISPs) to produce names and addresses of the alleged perpetrators.

Electronic Frontier Canada and the Canadian Internet Policy and Public Interest Clinic have both been allowed by the court to intervene in this matter to argue the legal issues surrounding privacy, due process, and copyright law.

CRIA has tracked computers trading in copyrighted songs using their Internet protocol (IP) addresses through the use of surveillance technology. CRIA needs to match those IP addresses with subscriber information to identify the defendants.

Five ISPs have been targeted by CRIA for the disclosure of personal information that would lead to the identification of subscribers using the Web to upload music. The court ordered an adjournment until March 12 so the parties can cross-examine each other's affidavit documents to determine the technical and legal issues in dispute.

Downloading involves taking information from another computer. Uploading is transferring data from one's own computer to another. It is generally accepted that the Copyright Act allows music downloading so long as it is for personal use. Uploading is not so clear. These issues have not yet been decided in courts.


Under the Personal Information Protection and Electronic Documents Act (PIPEDA), an ISP is not permitted to disclose a subscriber's personal information without the person's knowledge and consent. One exception is a court order.

There are many issues to be considered, such as whether civil actions should be held to a higher threshold before privacy is violated than in criminal cases, and whether uploading music as done by the peer-to-peer networks is actually copyright infringement.

There is also concern about the accuracy of the information being sought. Dynamic IP addresses can be reassigned to different customers on a continual basis, making it difficult to determine which individuals upload music files.

The worry is that ISPs could be compelled to provide private information that wrongly identifies someone. One of the ISPs maintains it cannot accurately match the IP addresses with alleged file-sharers.

Copyright © The London Free Press 2001,2002,2003

One concern that I have, right off the bat, is that the ISPs probably collect way too much information in the first place and probably should put in place a rigorous retention policy that would delete their logs pretty darn quick. If they don't have the information desired by CRIA, they don't have to worry about it. It is not the job of the ISPs to collect and stockpile evidence for the recording industry (or any other organization). In fact, under PIPEDA they should probably not retain it:

Principle 5 -- Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

The information being requested by CRIA is probably from routine logging of network activity and connections. I know of some providers who (despite advice to the contrary) keep these logs indefinitely for security and audit purposes. In most cases, this is not made known to the customers. I know that my ISP does not mention this sort of information collection in its Privacy Policy, even though the Openness Principle requires making this sort of collection known. My cellphone company doesn't say anything about signalling information, which I am sure is logged and can be traced to me.

According to what I've heard, the US PATRIOT Act allows the Department of Homeland Security to request information about borrowers from public libraries. The logical response from many librarians is to make sure they don't collect information that would be useful to the FBI. From the San Francisco Public Library:

The Library does not maintain a history of what a borrower has previously checked out once books and materials are returned on time.

In short, if you don't want to fight over disclosing it to anyone, don't collect it and, if you do, don't retain it!
