Reveal the identities of alleged pirates, court tells ISP

Hey pirates, is your ISP named Charter Communications?
If so, get ready: if you’ve been ignoring their copyright infringement notices, the record companies may soon be calling. Last week, a court-appointed arbiter ordered the internet provider to give a group of major record labels the personal details of alleged pirates. Charter Communications, an ISP in the US, has been ordered to hand over personally identifying information (PII) for over 11,000 alleged pirates.
From an order issued by special master Regina M. Rodriguez on 28 April:

Defendant is ordered to produce information sufficient for Plaintiffs to match the IP addresses contained in infringement notices served on Charter with particular subscribers.

The order is part of the discovery process in a court case that’s weighing up two harms: harms to subscribers’ privacy rights vs. harms done to copyright holders.
In the world of copyright law, you’re not off the hook just because it’s your users, and not you, who’ve published infringing work. If you enable the publishing of users’ infringing content, the buck stops with you. … or, at least, the buck doesn’t give a hoot about shaking you down for your users’ PII.
This isn’t the first time that the courts have forced the release of identities. It happened three years ago when the vast, porn-stuffed Pornhub site was ordered to expose the names, IP addresses, phone numbers and viewing histories of users who uploaded pirated videos.
More recently, in December 2019, internet provider Cox Communications was hit with a $1 billion damages verdict in a case brought by 53 music companies – including Capitol Records, Warner Bros, and Sony Music – for the copyright infringements of its subscribers. At the time, Cox said it planned to appeal.

Privacy rights

Charter has argued that handing over subscribers’ personal details would be burdensome due to the requirements of privacy law. Besides the work of the database lookups themselves is the fact that that the California Consumer Privacy Act (CCPA) requires the ISP to notify all affected customers so that they can respond.

Rodriguez agreed – notifying 11,000+ customers is a lot of work both for Charter and for the courts were customers to challenge the data sharing, she wrote in the order:

While the information may be relevant, the notification of 11,000+ customers, and the potential legal challenges flowing therefrom, would be burdensome to the parties as well as to the courts.

As a compromise, she suggested that Charter produce PII for just a subset of the alleged pirates. She left it up to Charter and the music companies – a group headed up by Warner Brothers Records – to figure out how big a sample size should be shared. This is the agreement they hammered out: Charter has to hand over PII for all 638 commercial accounts that received infringement notices, as well as for the 112 residential subscribers who received the highest number of notices and the 38 who reached out to Charter after having received notices. From the order:

1. Charter will produce PII for commercial subscribers who were the subject of Plaintiffs’ notices. The parties have represented that this includes 638 accounts.
2. Charter will produce PII for subscribers who corresponded with Charter about Plaintiffs’ notices. The parties have represented that this includes 38 accounts.
3. Charter will produce PII for residential subscribers with the greatest number of copyright infringement “tickets.” The Defendant proposes the number to be 112 and Plaintiffs propose 150.

The rights holders also requested data they said was necessary to match the IP addresses referred to in infringement notices with repeat offending subscribers: namely, Dynamic Host Configuration Protocol (DHCP) logs, documents related to the retention policies for the logs, and other documents sufficient to match specific subscribers to IP addresses.
Charter had tried to argue that DHCP logs alone wouldn’t enable the rights holders to ID specific infringing subscribers, but that it would be a burdensome task. The ISP didn’t explain what was so burdensome, beyond saying that it would require “querying multiple internal systems that interrelate within Charter.”
Sounds like a database query, or a series of database queries.
Whatever Charter meant by that objection, its argument didn’t get it off the DHCP hook. The music companies had argued that they needed the info since they’re charging Charter with being “vicariously liable for subscriber infringement.” As well, they maintain that Charter’s safe harbor defense requires it to prove that it’s “implemented adequate processes to address and stop infringement.”
Rodriguez:

I agree.

… and left the database querying up to Charter to do, given that it had said it would be easier that way.
Charter has already begun producing the information and has until 1 June 2020 to satisfy all the discovery requests.
One of the other discovery requests was a full hard drive of evidence from an anti-piracy company, MarkMonitor, used by the music companies to track infringing activity. MarkMonitor had, in fact, shared that drive, but only with its customer – i.e., the record companies. Now, Rodriguez has ordered the company to share the whole drive – with full metadata – with Charter.
From the order:

The Plaintiffs inserted themselves into the dispute when they accepted the production from MarkMonitor, and they cannot now attempt to sidestep their assumed obligation to produce accurate information.

It’s not known what, exactly, the music companies will do with the subscriber information. As noted by TorrentFreak, the companies may reach out to subscribers to gather yet more evidence as it pursues its case against the ISP.
That wouldn’t be surprising, given the recent $1 billion verdict against Cox. You can imagine the thinking of rights holders when it comes to ISPs: if you can’t stop bleeding from the thousand cuts coming from individual infringers, why not go after the razor blade companies?

---

Latest Naked Security podcast