Skip to content
Naked Security Naked Security

86-year-old grandmother billed $5K, accused of pirating zombie game

An Ontario octogenarian has been caught up in Canada's institution of new copyright infringement rules.

An Ontario octogenarian has been snared in what’s being called a “dragnet cash grab” following Canada’s institution of new copyright infringement rules. She’s on the hook for $5,000, for allegedly downloading Metro 2033, a first-person shooter video game featuring heavy armament and splattered zombies.

CBC News Ottawa reports that 86-year-old Christine McMillan was in for a bit of a shock when she received two emails, back in May, forwarded by her ISP, informing her that she was being held accountable for allegedly illegally downloading a game she says she’s never heard of.

CBC shared a video which it says captures McMillan’s reaction when she was exposed to the game for the first time.

Her thoughts on the game she was accused of illegally downloading:

Dreadful. Who would want to watch this? Disgusting. I can’t understand why anybody would find this… [to be] entertainment?

I mean, anybody who lived through the second world war… or any of the wars… I mean, this would have no appeal as entertainment, I have to tell ya. Disgusting.

As CBC notes, she’s likely one of thousands of Canadians who’ve received notices to pay up, whether they’re guilty of copyright infringement or not.

The notices came from a private company called Canadian Intellectual Property Rights Enforcement (CANIPRE)

As TorrentFreak reports, McMillan is one of hundreds of thousands of Canadians who’ve been accused of copyright infringement under Canada’s “notice and notice” regulations, introduced last year under the Copyright Modernization Act.

The law requires internet providers to forward copyright infringement notices to customers suspected of illegally downloading content, including video games and movies.

According to CBC, the supposed copyright infringers are identified only through IP address. ISPs don’t disclose any further information to the copyright enforcers.

McMillan called the legislation “foolish” and said she “couldn’t believe the government would support” the enforcers “threatening” people over the internet and demanding cash.

In fact, at first, she thought it was a scam, she told CBC:

They didn’t tell me how much I owed, they only told me that if I didn’t comply, I would be liable for a fine of up to $5,000 and I could pay immediately by entering my credit card number.

However, it’s all quite legal.

The owner of CANIPRE, Barry Logan, told CBC that the company ran the wording of the notices past lawyers, and they vetted it for legality.

McMillan said she’s going to ignore the notices and hope the problem will just go away. Hopefully, taking her to court will prove too expensive for the enforcement company, she said.

But how did her IP address get tagged in the first place? She has an adult grandson, but he doesn’t have access to her network, she said.

Who’s shooting mutants with this lady’s IP address?

Assuming we can take McMillan at her word – that she does not spend her time planted on the couch, enjoying a first-person shooter game featuring dark corridors and splattered guts – then how did her IP address get implicated in the alleged copyright infringement?

CBC News Ottawa talked to network security analyst and technology expert Wil Knoll, who suggested that somebody who lives in the same apartment building as McMillan could have accessed her unsecured wireless connection, then downloaded the game using her IP address. Alternatively, even if her network had a password, it could have been hacked, he said.

Knoll:

It’s very hard then to correlate, or nearly impossible, to correlate from that IP address to any individual that’s inside the house, or to prove it forensically.

Especially if these infractions are happening months and months and months ago.

That certainly makes sense. Many people leave their home networks wide open for anybody to use from an outside connection.

The repercussions can be surprisingly nasty.

We’ve seen one instance where a heavily armed SWAT team stormed the wrong house, breaking down the door of a home in Indiana, smashing windows and tossing a flashbang stun grenade, startling an 18-year-old and her grandmother who were watching TV.

Officers were looking for the person behind an anti-police post, from somebody who mentioned, with a smiley emoticon, that they had explosives.

The suspect actually lived in a different house on the same street.

That’s just one example of where a poorly secured WiFi home networks can lead. We’ve also seen unsecured networks be exploited by people sending pornographic spam or even terrorist-related emails.

Unsecured networks are found in plenty of other places outside of people’s homes or apartment buildings. We know that because Sophos has checked, in many cities around the world.

In experiments in London, New York City, San Francisco and several other big cities, Sophos “warbikers” James Lyne and Chester Wisniewski used a simple set of tools to detect thousands of wireless networks while touring busy neighborhoods on a bicycle.

They found that in every city they visited, there was a high proportion of WiFi hotspots using outdated security or none at all. In London, for example, just 17% of hotspots the researchers scanned had the recommended WPA2 setting for encrypting wireless traffic, and about a quarter of hotspots were open networks, with no encryption at all.

Many of the small businesses running those networks also revealed a lack of security awareness by using default network names with no random element, making it likely they were using default passwords as well (both are bad practices).

Getting WiFi security right is essential for everyone, be it small businesses or owners of home networks.

In fact, unsecure WiFi is one of Sophos’s Seven Deadly IT Sins. You can read more about that and the 6 other sins here.

As far as businesses go, Naked Security can help: here are three tips for small businesses for securing WiFi.


11 Comments

Good thing a judge in New York determined that an IP address is not enough to go on for piracy charges. Now, if only this lady was in the US instead of Canada…

Another issue for some people (but I don’t think this victim) is the wireless networking being provided on the ISP’s hardware. I have very little confidence that an ISP does the security correctly.
So, I’m always going to have my own firewall sitting between my network and the ISP’s device. If I can, I also disable wireless on the ISP’s device, but as we know, such disabling isn’t always perfect.
Interestingly, though, my security setup wouldn’t protect me from a law such as this one. Because, if it was a hacker using the ISP’s network, I would have no way to prove it. On the other hand, I WOULD be able to prove it didn’t come through my firewall. So, some protection is afforded.

Metro 2033 isn’t a zombie game. Didn’t read the rest of the article after that.
What the game is about is really easy to verify. If you’ve guessed/made that up, why should I trust you with the more complicated stuff?

Jimmy, you lack the patience to read a three-minute article, yet not the time to express your disdain for it. Why are you this fervent about a detail so inconsequential to the story?

You already know everything–why do you bother reading NS?

That’s just one example of where a poorly secured WiFi home networks can lead.

Hang on. Who says it’s anything to do with an IP address? For all you know it could simply be incompetent police work (having seen local plods dig up the wrong field, it’s entirely possible)

Real issue here is actually that the authorities like to be able to bully the little folk, and the inaccuracy of correlation of wifi is a great pretext to do just that.

JM’s comment got me thinking:
Is there any way to look at a WAN packet, and figure out what the LAN IP address is? I hope not, for stateful firewalls, but I don’t really know the answer.

@Jim
In most circumstances, no. But this isn’t really going to help unless you keep long term DHCP logs with MAC addresses associated as you can’t prove much from that. IP Addresses on local networks can be recycled and most comply to the “192.168.0.*” set or something to that effect, all private Class C networks that can be used in any home or work environment.

IPv6 should clear things up a little in the future but that’s really still years away from mass market use IMHO (yes, I know the likes of Google etc. use it but most do not use it at home AFAIK).

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?