US Judge: An IP Address Isn't Enough to Prove a Pirate

Just because your IP address was involved in illegal downloads doesn't mean you did the downloading.

Jan 22 2014, 2:00pm
via Flickr/Lee Shaver

In a rare turn of events, a US judge has said that a suspect of internet piracy should not be prosecuted solely because their computer's IP address—or online fingerprint, if you will—is identified as being involved with illegally downloading a film. Washington-based District Judge Robert Lasnik argued that an IP address doesn't provide sufficient evidence to prove that a user is guilty of copyright infringement.

In this specific case, the executives behind the film Elf-Man filed legal proceedings against hundreds of people, based on evidence that their IP addresses were allegedly involved in downloading the film over BitTorrent.

Ignoring the side issue of why anyone would ever want to watch Wee Man desperately trying to scrape together any sort of entertainment career post-Jackass, the matter revolves around problems with trying to equate an IP address with a person in meatspace.

According to those behind the lawsuit, their investigation proves that these hundreds of people either “(a) downloaded the pirated film themselves, or (b) permitted, facilitated, or promoted the use of their Internet connections by others to download the film.”

But Judge Lasnik had issue with the latter claim. “[The movie studio] has actually alleged no more than that the named defendants purchased Internet access and failed to ensure that others did not use that access to download copyrighted material,” he explained in court documents.

What Lasnik means by this is that providing an offending IP address to a court is not enough to identify who actually downloaded the movie. There are far too many scenarios that complicate the issue: It could be someone else using that computer; a piece of malware could have turned the laptop into a bot and downloaded it automatically; a passer-by or “free-loader” may have jumped onto unprotected wifi and gone on a downloading spree. In organisations where tens or hundreds of people share the same IP address, such as in a business environment, it becomes even harder to identify an individual's internet usage in the cloud of digital activity. 

Of course, some of these scenarios are more likely than others, but the point is that only having an IP address as evidence is not enough to identify an individual, and if your internet access is hijacked by a third party, you may not be legally culpable for what gets downloaded.

At the moment, many film studios practice mass 'John Doe' litigation. That’s when a defendant can’t be fully identified before a lawsuit begins, and prosecutors instead issue legal proceedings typically with nothing more than a record of an IP address' activity. Once granted a subpoena by the courts, the film studios' lawyers then approach the respective internet service providers, demanding that they release their customers' details so they can be prosecuted. 

Not only is this practice largely ineffective at prosecuting online pirates (at least if Judge Lasnik's response is anything to go by), it also raises the much more sinister issue of assuming guilt of the defendant before a proper case has been brought before a court. 

Movie pirates will no doubt be heartened by the ruling. But with other judges making similar points recently, is there a chance this trend could affect other sectors of information exchange? The parallels with pirating music are obvious, but what if this applied to more sensitive material, such as corporate secrets or espionage?

In that hypothetical scenario, you could perhaps see people involved in more serious digital theft being found not guilty—assuming that their operational security is top notch and prosecutors only have a flimsy IP address to go on. Even if investigators somehow got through the various technical layers that hackers typically implement, such as Tor, bridges, VPNs, and using publicly available networks, they could perhaps still be protected by the idea that an IP address is not a person

But for now the ruling only relates to this specific case; Lasnik granted one of the defendants’ motion to dismiss the case against them. If his position catches on, lawyers may need more than just the record of an IP address when accusing internet users of copyright infringement in the future.