Wednesday, August 01, 2012

DEA & robust evidence of copyright infringement

Consumer Focus last week published a really important report by Dr Richard Clayton of Cambridge University on collecting robust evidence of online copyright infringement through peer-to-peer filesharing. The report was commissioned to help Ofcom:
"in the implementation of the Digital Economy Act 2010 through a statutory Initial Obligations Code. When it comes to taking action against people accused of infringement, the standards of evidence are critical. The Digital Economy Act 2010 requires that the Initial Obligations Code makes provisions on the ‘means of obtaining evidence’ and the ‘standard of evidence’ for copyright owners who want to lodge ‘copyright infringement reports’ against consumers with their internet service provider (ISP).
The report provides advice on standards and procedures which should be adopted to ensure that copyright owners can reliably identify an internet connection which has been used to infringe copyright through peer-to-peer filesharing. Dr Clayton then describes how ISPs can robustly match internet subscriber details to IP addresses, which are dynamically allocated to domestic internet connections. Under the Digital Economy Act 2010 subscribers, who are the bill payers for an internet connection, can appeal a notification of alleged copyright infringement if they can show that they did not commit the alleged infringement, and took ‘reasonable steps’ to prevent others from infringing. Dr Clayton therefore concludes his expert report on traceability by assessing how subscribers to an internet connection could identify who may have used their connection to infringe copyright."
Saskia Walzel, policy manager at Consumer Focus responsible for copyright policy, has a nice article in ORGZine explaining the key findings.
In outline the report covers:
  • the theoretical basis for monitoring file sharing activity and detailed advice on how this should be done properly - this monitoring is theoretically possible but it is essential that the practical details are right
  • the need for good record keeping to ensure all this monitoring can be audited, errors detected and corrected
  • the problems ISPs will face 
  • a "doctrine of perfection" in relation to the gathering of evidence (if the ISP receives a batch of data containing just a single error then the whole batch should be rejected) that needs to be applied to reduce the risk of systemic failures leading to widespread false accusations of copyright infringement
  • the problems with identifying suspected subscribers when ISPs are using large scale NATs (which breach end to end neutrality)
  • the fact that the ISP customer may be unable to identify who has been using their account for inappropriate file sharing
  • p2p designs and development and likely evolution to evade the kind of monitoring the DEA requires
  • when an ISP writes to a customer about alleged copyright infringement it is recommended that an outline of how the monitoring system works should be included; they should also be told "the full range of scenarios" as to how file sharing can occur on their account without their knowledge.
The reality of the Digital Economy Act's (DEA) online infringement of copyright provisions (sections 3 - 18) may finally begin to hit home next year (theoretically) when thousands of people start to get accusatory letters about copyright infringement from their ISPs. The UK courts have not fully tested evidence presented in such copyright infringement cases as the few that have been pursued were eventually settled out of court. So there is no authoritative legal guidance on standards of evidence or process. Richard Clayton's report is, therefore, an invaluable contribution, particularly so for the clarity with which he analyses the technical, evidentiary, monitoring and systems processes involved.

The report describes, in detail, the kinds of procedures and standards that need to be followed and the how, what, when, where, who and why of specific technical evidence that needs to be collected to be confident of identifying a specific IP address used in copyright infringement.  It is unacceptable just to crudely harvest IP addresses and send out threatening letters as the now infamous ACS Law crew did. There has to be a clear unbroken chain of solid, reliable, technically sound, recordable, auditable evidence, delivered through a robust investigative process, leading from the infringement to the alleged offending IP address.

Establishing the IP address is only the first step according to the DEA. The ISP then has to identify the customer associated with that IP address at the relevant time and notify them of a complaint by a copyright owner. The customer then has to decide whether to appeal. There's a £20 fee for appealing but if they can prove that they personally didn't engage in copyright infringement and took “reasonable steps” to prevent others from infringing they'll win the appeal.

Unfortunately, as Richard Clayton very articulately explains in the report, the ISP customer whose name is on the account may not be able to identify who has been using their internet connection for file sharing.  The reasons are many (see paragraphs 108 to 134 of the report).  That finding alone raises important questions about the DEA online copyright infringement provisions and whether they can be operated fairly and with due process.

I highly recommend reading the report in full. It should be required reading for anyone who considers themselves an informed citizen. It's a very accessibly written technical document on how to gather, robustly and reliably, digital forensic evidence of internet users' alleged misuse of peer to peer technologies.  Richard Clayton makes no comment about the privacy or ethical issues associated with all this - though there are clear warnings e.g. about the need for the monitoring system design to be open to the public, as 'secret' or proprietary designs are not capable of creating reliable results - but the pervading sense of this report is overwhelmingly one of: if you have to do this then you damn well better do it properly and with due process.

Dr Clayton should be highly commended for producing a unique, terrific report on an important subject which even the most geekily challenged reader can peruse with little difficulty.

No comments: