The RIAA’s Ultimatum: Innocent Infringers, Settle Your Case or Fight us in Court.  Either way, we win.

 

Ross Edwards

The seven-year battle over digital downloading has made one truth evident: too many people are being sued. Innocent individuals are being forced to submit to strong-arm tactics employed by the RIAA.[1] As a result, consumers are afraid to share their music with family and friends, free speech on the Internet is withering, and technological advancement is slowing.

After a long legal battle with the programs and networks that facilitated illegal file sharing, the RIAA’s campaign against music downloading has finally led it to sue direct infringers. Direct infringers are the people who upload and download copyrighted works. They are the college students who build libraries of millions of songs; but they are also the people who download a few songs of an artist to decide whether they want to purchase his or her album. They are the individuals who upload and download massive amounts of copyrighted music with full knowledge that what they are doing is illegal; but they are also the individuals who have no idea that what they are doing is against the law. In short, everyone who uploads or downloads copyrighted music, no matter the amount of the music or the intent of the Internet user, is a potential target of the RIAA. Many commentators argue that the law should be changed substantively to narrow this extremely broad class of potential defendants.[2] This author worries about a sub-group of these defendants; this group consists of innocent people who are targeted, sued, and harassed by the RIAA machine in its broad and sweeping attempt to stifle illegal music downloading on the Internet.

The possibility that an innocent person might be targeted in a lawsuit is intimately connected to the way that the Internet works and how lawsuits with respect to illegal downloading are commenced and pursued. In an Internet context, users’ computers are identified by a sequence of numbers, called IP addresses.[3] When a computer connects to the Internet, the Internet Service Provider (ISP) assigns the computer a new IP address.[4] The computer uses the IP address to communicate with other computers and networks on the Internet.[5] IP addresses are what make using the Internet possible.[6] Like the address of a residence, the IP address tells other computers where to send information. Just as a letter might arrive at a person’s door, in an Internet context, the information arrives in the form of IP packets at the network interface of the user’s computer. Presenting the packet’s information on the screen is like opening the letter.

The ISPs keep information regarding which computers were assigned specific IP addresses at specific times. They also have their customers’ information such as their names, addresses, and account information such as credit card numbers or checking account numbers. When the IP address is combined with this customer data, it is possible to determine who uploaded or downloaded information to or from another computer on the Internet at a given time. This information is crucial for the RIAA to proceed in its lawsuits against alleged infringers. An example illustrates this point: The RIAA has information that a computer with an IP address of 123.456.7.8 uploaded a copy of Metallica’s song, “Nothing Else Matters” to the Internet on April 1, 2006, at 2:30pm. By learning the identity of the customer whose computer was given that IP address at that date and time, the RIAA, in theory, will have found its defendant. The lawsuit cannot proceed, however, unless and until the RIAA gets the crucial information that links the IP address to the Internet user’s identity. ISPs have this information.

The RIAA, to acquire the information, first uses the Internet to determine which ISP had control of the IP address in question.[7] Once it discovers which ISP had control over the IP address of the alleged infringer, it can utilize the broad subpoena power granted to it by the Digital Millennium Copyright Act (DMCA).[8] The DMCA allows any copyright owner or their agent to force ISPs to disclose their customers’ information, including what IP addresses were assigned to their customers at various times and personal information about the suspected customer.[9] Once the RIAA has these data, it can proceed to sue or threaten the suspected infringer.

Initially, the ISPs and Internet users alike tried to avoid disclosure of this information.[10] Their efforts failed. Courts forced the ISPs to reveal the identities of their customers.[11]

Internet users who are accused by the RIAA of infringement usually receive intimidating letters from one of the aggressive firms representing the RIAA.[12]  The letter accuses the person of illegally downloading copyrighted music and offers to settle the legal claim against the individual.  Some letters tell the recipients that the firms have enough evidence to prevail in the action should it go to court.  The targeted individuals, guilty or innocent, are forced to make a difficult decision: settle their case for a relatively small amount of money[13] or hire an attorney and fight the lawsuit.  This simple cost-benefit analysis usually leads the reasonable person to settle the case and move on.[14]

The ultimate problem that calls into question the broad subpoena power that the DMCA grants to the RIAA is that oftentimes the IP address that corresponds to the alleged infringer actually ends up leading the RIAA to innocent individuals. Innocent individuals are thus targeted by the RIAA and put in a position where it makes more sense to settle their case than fight the lawsuit and be vindicated.

In this article, the author examines the various ways in which an IP address may not correctly identify the true infringer in direct copyright infringement cases, and how as a result innocent people are targeted in lawsuits and can be forced to settle their cases. The author then recommends that the DMCA’s subpoena provision be amended to correct this problem and provide an incentive for innocent persons to fight their cases in court. In the final part, the author suggests a new method, based on the research contained herein, to bolster a motion to quash a subpoena served to an ISP under First Amendment principles.

I. How the RIAA came to sue their customers.

            In 1995, downloading music or other media over the Internet was a concept that a small group of people in America was familiar with.  At that time, the MP3[15] was in its infancy and the average computer was unable to transfer music files efficiently.[16]  In the years that followed, however, technological advancements made downloading and uploading MP3 files quick and easy.[17]   In 1999, with the advent of Napster,[18] millions of people in America, especially college students, began to learn how to use the Internet to exchange large files.  These files, of course, consisted in large part of copyrighted music.  Millions of files were uploaded and downloaded on a daily basis.  At one point it was estimated that approximately 90 million users were using the Napster program daily.[19]  The RIAA and many recording artists complained that Napster had dealt them a devastating financial blow.[20]  They leaped at the opportunity to stop the downloading juggernaut.  The strategy was threefold.  First, the RIAA lobbied lawmakers to enact strict laws aimed at curbing downloading.  Second, it embarked on a public relations campaign to educate the public regarding the illegality of file sharing.  Third, it filed lawsuits against the creators of the technology that threatened their very existence.

Their first target was the networks and programs that facilitated downloading.[21] The case that brought the issue of illegal downloading into the limelight was the landmark Napster[22] case. By that time Napster was a well-known name and a public symbol of the free flow of music, albeit copyrighted music, the Internet offers. After beating Napster in a highly publicized case, the RIAA moved on to peer-to-peer (P2P) networks without centralized servers.[23] This was not surprising since the fall of Napster caused most of the program’s users to flock to other file sharing programs such as Grokster and Morpheus.[24] While it seemed initially that the decentralized nature of the P2P networks would enable them to withstand claims of contributory infringement,[25] the Supreme Court in Metro-Goldwyn-Mayer, Inc. v. Grokster, Ltd.,[26] held that the P2P networks can also be liable for the infringement that occurs on their websites.[27] Many programs that merely allow people to exchange files digitally, whether the content be copyrighted or not, fell victim to the RIAA’s aggressive litigation campaign.[28] Even with these victories, the RIAA did not see significant results. The piracy continued.[29] So they sued their consumers. The RIAA began to sue private individuals for direct infringement.

In August and September of 2003, over 1,500 subpoenas were issued across the country.[30] In 2004, after the RIAA’s power to subpoena ISPs before filing suit against the alleged infringers was rejected,[31] it started to file massive John Doe lawsuits. On January 21, 2004, the RIAA filed 532 John Doe lawsuits.[32] In 2004 the RIAA filed approximately 5,460 lawsuits against alleged infringers.[33] In 2005, it filed over 700 lawsuits a month.[34] There is no sign that the trend is slowing down.

II. Evidence suggests that innocent people are being sued by the RIAA.

There is abundant evidence that people are being sued in cases that should be laughed out of court. In the beginning of the RIAA’s campaign against direct infringers, it claimed to only pursue actions against individuals who downloaded massive numbers of copyrighted works; hindsight shows that the RIAA did not make good on this promise. Rather, it struck out blindly against people who allegedly copied as few as four songs. People who downloaded few songs and innocent persons alike were threatened with lawsuits seeking thousands of dollars. In one case the RIAA sued a 12-year-old girl who was paying to use a music downloading service.[35] In another case it sued a sixty-six-year-old schoolteacher whose computer was unable to run the software that she was alleged to be using.[36] In another case it sued a 71-year-old grandfather who didn’t even know how to download.[37]

The reason the RIAA has sued innocent people is that the inherent nature of the Internet makes it difficult to determine who is downloading the copyrighted works. To catch downloaders and uploaders of copyrighted works, the RIAA hires investigators to go onto websites and to use programs that facilitate downloading. The investigators use the programs to search for certain copyrighted works, and record the IP address of the individuals who have offered to share the music file. The IP address is supposed to correspond to a certain computer, and thus to a certain Internet user who owns the computer. By discovering to whom the IP address was assigned when it was offering copyrighted works, the copyright holder can ascertain whom to sue.

In a perfect world, the IP address would always match up with the infringing computer owner.  Reality, however, is not perfect.  For a number of reasons, it is possible, even probable, that the IP address will not ultimately lead the interested parties to the true infringer.

a. How the RIAA targets the wrong people.

It is said that the road to hell is paved with good intentions.  The RIAA does not intend to target innocent people for lawsuits.  Actually, the RIAA hires private investigators to find the culprits for them.  The process of connecting a username or IP address to an infringer, however, is fraught with error and opportunities to “miss the mark.”  The unintended consequence of the RIAA’s search for direct infringers is that innocent people are caught in their dragnet.  The evidence contained herein suggests that this is a relatively large class of defendants.  Furthermore, since many innocent people settle their cases,[38] it is likely that the class of innocent defendants is even larger than any data would indicate.

There are four reasons why a suspected IP address may not lead the RIAA to the correct infringer. First, and most significant, hackers exploit unprotected wireless networks to download music and the downloading or uploading is traced to the innocent owner of the network. Second, hackers use techniques called spoofing and utilize Bot networks to infiltrate people’s machines and use them for nefarious purposes such as downloading or uploading copyrighted works. Third, dynamic IP addresses, IP addresses that change regularly, are not reliable and oftentimes don’t lead to the infringer. Fourth, many computers are accessed by more than one user and there is no way to tell who is engaging in the downloading or uploading.

i. Unprotected wireless networks.[39]

Wireless networks create unprecedented problems in targeting direct infringers. Because society is trending towards using wireless networks, the problem is growing on a daily basis.[40] New York, for instance, has begun to implement a plan that would allow its residents to access the Internet wirelessly all over the city.[41] Unprotected wireless routers make it simple for any layperson in the general vicinity of the router to “borrow” the connection and use it to surf the Internet. The widespread use of computers that can facilitate this process and the general ease with which it can be done make unprotected wireless networks the most prevalent problem that affects the accuracy of the ISP subpoenas. Almost every new computer comes with wireless capabilities. These computers can automatically sense wireless networks and have user-friendly programs that list the available networks and even indicate whether the network is protected or unprotected. With two clicks of the mouse, the user can log on to any of the listed unprotected wireless networks.[42]

            Wireless routers allow computers to connect to the Internet without physically connecting to the Internet.  The router itself is physically connected to either a phone line or cable line.  The computers that are “connected” to the router, however, use network interface cards (NICs) to communicate with and transmit or receive digital information from the router.  By communicating with the router, these computers are able to use the Internet.

Wireless networks can be divided into two categories: protected or unprotected. Protected networks utilize encryption[43] to prevent unwanted computer users from connecting to the router and using the Internet connection. Unprotected networks either do not have firewalls, or, as is more often the case, do not implement them. It is simple for any person with a computer to connect to an unprotected wireless router and use the Internet.[44] This person’s activities on the Internet, including illegal file sharing, would be attributed to the owner of the network.

The uninvited user’s activities would be attributed to the owner of the network because wireless routers use Network Addressing Protocol (NAP).  With NAPs, the router itself will use an IP address to send and receive information through the Internet.  The router uses its own method to collect and distribute the information from and to computers that are connected to it.  The end result is that Internet users who interact with other users who are situated on a wireless network can only see the IP address of the wireless router.  Any downloading or uploading by uninvited users on the network, therefore, can only be traced to the owner of the network.
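The address rewriting described above, sketched as an added example that is not part of the original article: a small Python model of a router that maps several private hosts onto one public IP address. The class and function names, the addresses and the ports are all constructed for illustration.

```python
"""Added illustration: what a remote peer can and cannot see behind a router
that shares one public IP address among several local machines."""
from dataclasses import dataclass, field


@dataclass
class Router:
    public_ip: str
    next_port: int = 40000
    # (private_ip, private_port) -> public_port. This mapping exists only in
    # the router's memory; it is never sent to the remote peer or the ISP.
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a local packet's source to the router's public address."""
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return {"src": (self.public_ip, self.table[key]),
                "dst": (dst_ip, dst_port)}

    def lan_host_for(self, public_port):
        """Reverse lookup that only the router itself could perform."""
        for (ip, _port), mapped in self.table.items():
            if mapped == public_port:
                return ip
        return None


def remote_view(packets):
    """Source IP addresses as a peer on the Internet would record them."""
    return sorted({p["src"][0] for p in packets})


def simulate():
    """Three local machines (constructed) talk to the same remote peer."""
    router = Router("203.0.113.8")            # constructed public address
    lan_flows = [
        ("192.168.1.10", 51000),              # owner's laptop
        ("192.168.1.11", 51001),              # family desktop
        ("192.168.1.77", 49152),              # device the owner does not recognise
    ]
    peer = ("198.51.100.20", 6000)            # constructed remote peer
    packets = [router.outbound(ip, port, *peer) for ip, port in lan_flows]
    return router, packets


if __name__ == "__main__":
    router, packets = simulate()
    print("remote peer sees:", remote_view(packets))
    print("router maps port 40002 to:", router.lan_host_for(40002))
    router.table.clear()                      # e.g. the router is restarted
    print("after restart:", router.lan_host_for(40002))
```

The remote peer's record contains a single address for all three machines; the only data that separates them is the router's own table, which is gone once the router is restarted.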

ii. IP Spoofing.

Internet hackers originally used spoofing to wreak havoc on the Internet by spreading computer viruses.  Spoofing allows a hacker to disguise his or her computer as a different computer.  In doing so, the hacker is able to access networks that would ordinarily be prohibited.  A sophisticated hacker who is able to spoof can use someone’s network connection and engage in illegal downloading and uploading of copyrighted music.  A less sophisticated hacker could send copyrighted files to a person’s computer without that person knowing.  The infringement would then be attributed to the victim.

Spoofing, on a more technical level, is the manipulation of data contained in IP packets. IP stands for Internet Protocol, and is the main way in which computers communicate with one another on the Internet. To communicate with another computer over the Internet, one computer sends an IP packet, which can contain any information (files, pictures, music, etc.), to another computer. The IP packet header is what ensures that the packet will go to the correct destination. The header is like the envelope that a person would send a letter in. While the letter would have a destination address and a return address, the IP packet header has a source IP address and destination IP address. The source IP address represents where the information is coming from. The destination IP address represents where the information is going.

A spoofer would manipulate a source address in an IP packet header so it appears that the packet is coming from a different computer.  For example, if a spoofer had the IP address of the author’s computer, he could manipulate his own IP packets to make it seem as if the information sent over the Internet from his computer was being sent from this author.  The difficult part of spoofing for the purpose of downloading music is re-routing the files so that they end up on the spoofer’s computer despite the IP address indicating that they went to the victim’s computer.[45]  This is extremely sophisticated and very few people would be able to actively download and upload music this way.[46]  When they do engage in illegal downloading or uploading, however, the IP address that the investigators would rely on would lead them to the victim and not the hacker.

Spoofing is an extremely sophisticated and technical activity and only those well versed in computer programming are able to do it. The people who can spoof, however, are the ones the RIAA should worry about the most. It is these people that are likely to be downloading and uploading massive amounts of copyrighted works. People who download five songs are not likely to have the ability to spoof other persons’ computers. Since the RIAA itself claims to only pursue actions against “serious infringers,”[47] the issue of spoofing becomes very relevant in determining whether the IP address that they acquire will lead them to the real culprits.

iii. Bot Networks.

Bots are programs that let hackers remotely control a person’s computer without the person knowing.[48]  Bot networks are thousands of machines that are all under the control of a hacker.  These networks have been used to steal financial information and other important data from innocent users.  America has the highest number of computers infected with Bots.[49]  Bot networks pose an increasingly serious threat to the RIAA’s mission since one hacker could potentially frame thousands of people by making their computers download or upload copyrighted works.

In order to hijack a user’s computer, hackers use digital tools to search for vulnerable computers.[50]  Once they find an under-protected computer, they use traditional methods to infiltrate that person’s computer.[51]  Computers with broadband Internet access, less sophisticated or updated security tools, and computers that stay connected to the Internet for long periods are particularly vulnerable.  Once the machines are breached, the software hides itself in the computer and awaits further command from the hacker.  The hacker is able to synchronize the machines and use them for profit or for other nefarious purposes without the victim ever knowing.[52]

Bot networks pose a serious threat to the RIAA’s ability to correctly identify infringers by their IP addresses.  Although Bots are most often used to engage in mass identity theft,[53] a hacker could easily use a Bot network to make the infected machines download or upload copyrighted music.  The IP addresses that would be recorded would be those of the infected computers; thus innocent users would be implicated.  One Bot network that was monitored by the Honeynet Project and Research Alliance consisted of 50,000 hosts.[54]  If only one Bot network was used to illegally upload or download copyrighted works, the methods that the RIAA uses to target infringers would be fundamentally damaged.  A hacker who disagrees with the RIAA’s litigation campaign might be inclined to do this to throw a spoke in its wheels.

iv. Dynamic IP addresses.

When computers use the Internet, they communicate with other computers with the assistance of their IP address.[55]  There are two different kinds of IP addresses, static and dynamic.  Static IP addresses stay with the computer; the computer has the same IP address every time it uses the Internet.  Dynamic IP addresses do not stay with the computer.  Instead, whenever a computer connects to the Internet, the user’s ISP searches for an IP address from its block of IP addresses to assign to the computer.  The IP address is then used while the computer is connected to the Internet.  When the user disconnects, the IP address is gone.  When the user connects again, his or her computer is given a new IP address.[56]

ISPs have a huge number of customers whose IP addresses are constantly being shuffled and reassigned. The amount of data boggles the mind. Naturally, there is a potential for error in storing, retrieving, and relaying the information. Right now there are no standards or statutes that require ISPs to keep meticulous records, nor that tell the ISPs how long they must keep the records. There is no way to know where the information is coming from or how reliable it is. Furthermore, a computer that is actively downloading or offering music on the Internet might have its IP address changed automatically by the ISP. If another user were assigned the infringer’s IP address, there would be a risk that the temporal proximity of the infringement and the IP address would implicate the innocent user. While these concerns are not as pressing as with unprotected wireless networks, they still must be considered in the totality of the circumstances.
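The lookup an ISP performs to answer a subpoena, and the way it goes wrong near a reassignment, shown as an added example that is not part of the original article. The lease records, account labels, addresses and the assumption that the investigator's clock was set to US Eastern Standard Time are all constructed for illustration.

```python
"""Added illustration: matching an observed (IP address, time) pair against
an ISP's dynamic-address lease records. All records below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EST = timezone(timedelta(hours=-5))   # assumption: investigator logged local time


@dataclass(frozen=True)
class Lease:
    ip: str
    account: str
    start: datetime   # stored in UTC
    end: datetime     # stored in UTC


def utc(year, month, day, hour, minute):
    return datetime(year, month, day, hour, minute, tzinfo=UTC)


# The same address is handed to a different customer two minutes after
# the first customer's lease ends.
LEASES = [
    Lease("203.0.113.8", "account-A", utc(2006, 4, 1, 12, 0), utc(2006, 4, 1, 18, 27)),
    Lease("203.0.113.8", "account-B", utc(2006, 4, 1, 18, 29), utc(2006, 4, 2, 3, 0)),
    Lease("203.0.113.9", "account-C", utc(2006, 4, 1, 9, 0), utc(2006, 4, 1, 23, 0)),
]


def attribute(leases, ip, observed, skew=timedelta(0)):
    """Return (verdict, accounts) for an observation of `ip` at `observed`.

    `skew` is the largest clock difference assumed between the observer and
    the ISP; every lease overlapping [observed - skew, observed + skew] is a
    candidate. A timestamp with no time zone is rejected, because it cannot
    be placed on the ISP's timeline at all.
    """
    if observed.tzinfo is None:
        raise ValueError("timestamp has no time zone; cannot match to a lease")
    t = observed.astimezone(UTC)
    lo, hi = t - skew, t + skew
    accounts = sorted({l.account for l in leases
                       if l.ip == ip and l.start <= hi and l.end >= lo})
    if not accounts:
        return "no-match", accounts
    if len(accounts) == 1:
        return "unique", accounts
    return "ambiguous", accounts


if __name__ == "__main__":
    ip = "203.0.113.8"
    # "2:30pm" read as UTC and read as Eastern time name different customers.
    print(attribute(LEASES, ip, datetime(2006, 4, 1, 14, 30, tzinfo=UTC)))
    print(attribute(LEASES, ip, datetime(2006, 4, 1, 14, 30, tzinfo=EST)))
    # An observation inside the reassignment gap, with and without clock skew.
    gap = utc(2006, 4, 1, 18, 28)
    print(attribute(LEASES, ip, gap))
    print(attribute(LEASES, ip, gap, skew=timedelta(minutes=2)))
```

A record keeper who returns only the first matching lease, or who ignores the time zone of the reported timestamp, will name one customer with confidence in cases where the data supports two or none.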

 

v. Multiple users of a computer or network.

In this day and age, it is very common for people to use one another’s computers.  Whether they are members of a family, roommates, or patrons at Internet cafés,[57] personal computers are used increasingly by multiple persons.  The more people that use a given computer, the more unlikely it is that the owner of the computer will have knowledge as to all of the activities conducted on the computer.  In certain situations, such as where a roommate uses a defendant’s computer to download music or where an Internet café patron uses the owner’s computer to download, the defendant could be charged with constructive knowledge and contributory infringement.[58]  Nevertheless, this still poses a problem.  The defendant who did not commit direct infringement is still targeted in the lawsuit.  He or she is then forced to fight the case and get it dismissed or settle the case for a relatively small amount of money.

III. Innocent persons targeted by the RIAA are more likely to settle their case than fight it.

Initially, it seems absurd that a person who is wrongly targeted in a lawsuit would settle the case if he or she was innocent. In reality, however, principles of logic and economics make it evident that in most situations, it makes more sense to settle a copyright infringement case than to fight it. From a financial perspective, it is much less costly to settle a case for a few thousand dollars than to spend much more hiring a lawyer and having the lawyer fight the case; this is true even if the case is weeded out in the summary judgment phase. From a social perspective it makes less sense to settle than from a strictly financial perspective. This is due to a stigma that attaches to the concept of admitting liability as well as the possibility of having one’s ego hurt by folding under the RIAA’s pressure; this is especially true in the cases where the defendants are innocent. Despite this, however, it still makes more sense to simply settle the case with the RIAA.

Most of the lawsuits that the RIAA has brought against copyright infringers allege an enormous amount of damages suffered.[59] Furthermore, copyright law provides massive statutory damages for direct infringement actions.[60] Individuals who lose a lawsuit or have a default judgment entered against them become liable for tremendous amounts of money.[61] These judgments turn the RIAA into creditors: they can garnish the defendant’s wages, and exercise judgments against defendants’ homes, cars, savings accounts, etc. Judgments in copyright infringement actions against private citizens can be devastating to their lives.

The RIAA’s settlement offers are much more attractive. Usually the RIAA asks for a couple thousand dollars, an admission of wrongdoing, and a promise to not engage in illegal file sharing in the future.[62] It makes sense that the RIAA would offer such an affordable solution for the alleged infringers; the RIAA doesn’t want to litigate the case. The principal value of the lawsuits lies in the act of accusing people of infringement and the threat of litigation since the publicity given to the cases is thought to create a chilling effect on Internet downloading.[63] The RIAA seeks publicity, and while it is capable of pursuing a lawsuit in court, that is not its main goal.[64] The main goal is more global: lowering the overall number of people who download music on the Internet. The chilling effect accomplishes this much more efficiently than any individual judgment would.

A defendant in a copyright infringement case would be very lucky to find a lawyer that charges only two hundred and fifty dollars an hour. When innocent persons are targeted, they must hire an attorney to advocate on their behalf. Attorneys can deal with plaintiffs’ law firms better than the defendants, they can write effective motions and briefs, and they can appear before a court to argue the merits of the case. In the case where an innocent person is targeted, it would take an attorney at least thirty billable hours to get the case dismissed. Therefore, it would cost an innocent person about $7,500 to hire an attorney to get the case dismissed. There are other, nonfinancial costs as well: the stress incurred in dealing with the case, the time commitment to hire and meet with the attorney and go to court, and embarrassment that emanates from having a civil lawsuit filed against the person.[65]

There are legitimate reasons to fight the case, especially when a person is targeted falsely. There is a stigma attached to admitting liability in these cases. It is insulting to admit wrongdoing when the person knows that in reality he or she did nothing wrong; it is a natural reaction to want to fight the case and get it dismissed. These concerns must be balanced against the costs associated with pursuing the case rather than the settlement.

It is cheaper and more convenient to settle the case. Settling the case is quick; it makes the stress associated with the pending action disappear, and ensures that the facts of the case remain private. A reasonable innocent person, upon balancing the costs associated with fighting the case and settling the case, would settle the case. This is the unjust effect that is created by the DMCA’s subpoena provision.

IV. Congress should amend the DMCA subpoena provision to ensure that the subpoenas accurately target illegal file sharers and deter copyright holders from suing innocent persons.

Although the RIAA, as the law stands now, is entitled to bring actions against all whom it suspects of infringement, the DMCA subpoena provision goes too far. In essence, it gives the RIAA a roadside bomb when it should be targeting infringers with laser guided missiles. While the RIAA hits actual infringers, it also hits innocent persons who are dragged into a legal process that is aggressive and abusive. The provision should be amended to ensure that the subpoenas issued under its authority will accurately identify the true infringers. This can be done by requiring the RIAA to file John Doe suits as a sine qua non to issuing the subpoenas and by forcing the ISPs to notify all potential defendants who would have an opportunity to quash the subpoena in an adversarial hearing.[66] Furthermore, if a copyright owner falsely targets an innocent person, regardless of the owner’s intent, the owner should be required to pay all of that person’s costs as well as treble damages.

The DMCA gives the RIAA a roadside bomb because it grants the organization, and any copyright owner, the authority to issue a huge number of subpoenas to ISPs to disclose the identity of alleged infringers.[67] Rather than filing a John Doe lawsuit, which is costly and time consuming, the RIAA issues the subpoenas. There is no judicial oversight in this process that might help weed out innocent persons from the breadth of the subpoenas.[68] Once the identities of the alleged infringers are obtained, cease and desist letters can be sent out and potential defendants can be threatened without the RIAA ever filing suit. The fact that it is cheap and easy to acquire suspected infringers’ personal information discourages the RIAA from making sure that it is targeting the correct individuals and fails to take into account the privacy interests of the Internet users who might be caught in the RIAA dragnet. At a minimum, the DMCA subpoena provision should be amended to require the RIAA to file John Doe lawsuits before going forward, which is basically what the court in Verizon[69] did.[70] That opinion should be codified and incorporated into the DMCA.

Once a John Doe suit is commenced and a subpoena issued, the person whose identity is sought must have an opportunity to quash the subpoena in an adversarial hearing. This would ensure that innocent persons are not put in the difficult position where they can be intimidated into settling. This solution is only possible, however, if the persons who are vindicated are granted all attorneys’ fees and costs as well as treble damages. The attorneys’ fees would make it less likely that the innocent person will conduct a cost benefit analysis that might favor settling the case since he or she would be fully reimbursed if they are proven to be innocent. The treble damages would serve as a deterrent to the copyright owner from issuing too many subpoenas without checking the facts. If these modest amendments were made to the DMCA, it would significantly reduce the likelihood that an innocent person will be strong-armed into an oppressive settlement.

V. Bolstering a First Amendment claim to quash a subpoena served upon an ISP.

In Elektra,[71] the United States District Court for the Southern District of New York dealt with a motion to quash a subpoena served upon New York University to disclose the identities of its students that were suspected of infringement. One of the defendants, John Doe #7, filed the motion to quash and alleged that the disclosure of his identity would violate his First Amendment right to communicate anonymously over the Internet.

To begin, the court correctly held that the defendant had a First Amendment right to communicate anonymously over the Internet.[72]  The right to communicate anonymously over the Internet necessarily imports concepts of privacy into courts’ First Amendment analyses.  The court then proceeded to balance the need for disclosure against the defendant’s First Amendment interest.  In conducting its analysis, the court considered five factors:  (1) whether the plaintiffs have shown a prima facie claim of actionable harm, (2) the specificity of the discovery request, (3) the absence of alternative means to obtain the subpoenaed information, (4) a central need to obtain the subpoenaed information to advance the claim, and (5) the party’s expectation of privacy.  Essentially, the first four factors were weighed against the last.  The court held that the John Doe was only entitled to a minimal “expectation of privacy in downloading and distributing copyrighted songs without permission.”[73]  Giving no real weight to his privacy interests, the court easily denied the motion to quash the subpoena.  The United States District Court for the Southern District of New York came to the same conclusion in Sony.[74]  The court held that although the defendants’ conduct was protected “speech,” they had only a small expectation of privacy in downloading copyrighted music.[75]  When a defendant’s conduct is viewed in this light, it is very easy to deny a motion to quash a subpoena on First Amendment grounds.

To avoid John Doe #7’s fate, it is imperative that the attorney representing the alleged infringer submits information regarding the likelihood that the IP address will not in fact lead the copyright owner to the true infringer.[76]  As it becomes more possible that the person is not the true infringer, that person’s expectation of privacy grows.  A court would no longer be able to dismiss his or her privacy interest as being an interest in “downloading and distributing copyrighted songs without permission.”

VI. Conclusion

The RIAA, and any copyright owner, is entitled to sue persons who commit copyright infringement.  Its campaign against private downloaders, however, is fraught with error, and its heavy-handed litigation tactics put innocent people who are caught in the dragnet in a difficult situation: settle the case or fight it.  As the law stands right now, there is no incentive for these innocent persons to fight the case.  On the contrary, there is a stronger incentive to settle the case.  The risk of misidentifying an infringer must shift to the plaintiff copyright holder who receives such a strong benefit from the DMCA’s subpoena provision.  With moderate amendments that encourage innocent persons to fight their cases and compensate them when they are vindicated, the DMCA would balance more adequately the interests of all parties, regardless of their political clout or lobbying power.



[1] Recording Industry Association of America. See http://www.riaa.com (last accessed May 4, 2006).

[2] Professor Henry H. Perritt Jr., in a forthcoming article, discusses how the economics of music production has changed so much that the law should reflect the realities of today by more appropriately balancing the rights of copyright holders to profit from their music against the right of the public to enjoy it while recognizing the true purpose of copyright law: to “create incentives for creative work.”  He criticizes and methodically undermines the arguments leveled against advocates of more liberal copyright laws, arguing that the music industry is guarding a system that allows it to profit on its outdated technologies rather than guarding its musicians’ interests.  Ultimately Professor Perritt suggests that the copyright law should not seek to punish friends who exchange music with one another, but rather free riders that try to profit off of other people’s creative work.

[3] See Shawn C. Helms, Translating Privacy Values With Technology, 7 B.U. J. Sci. & Tech. L. 288, 295-296 (2001).

[4] In some cases, a computer may be assigned a static IP address, which does not change when the computer signs on and off of the Internet.  Almost all ISPs, however, utilize dynamic IP addresses which change every time a computer logs on to the Internet.  Interview with Paul Zindell, Network Security Specialist, Computer Discount Warehouse (May 11, 2006).

[5] See Helms, supra note 3 at 295-296.

[6] Id.

[7] ISPs are given blocks of IP addresses that they can assign to their customers.  This information is available to the public at http://www.IANA.org (last accessed May 9, 2006).

[8] 17 U.S.C. § 512(h) (West 2006).

[9] Id.

[10] In Elektra v. Does 1-9, John Doe No. 7 moved to quash the subpoena served on New York University to reveal his personal information.  He asserted that the subpoena violated his first amendment right to communicate anonymously on the Internet.  2004 WL 2095581 (S.D.N.Y. Sept. 8, 2004); see also Sony Music Entertainment Inc. v. Does 1-40, 326 F. Supp. 2d 556 (S.D.N.Y. 2004).

[11] The court in Elektra v. Does held that the first amendment does not protect copyright infringers and thus refused to quash the subpoena served upon NYU to disclose the identity of one of its students.  2004 WL 2095581 (Sept. 8 2004).  The ISPs enjoyed a small victory, however, when the United States Court of Appeals for the District of Columbia held effectively that the RIAA would have to file a “John Doe suit” against an alleged infringer before requiring an ISP to disclose that person’s information.  See RIAA v. Verizon Internet Services, Inc., 351 F.3d 1229 (D.C. Cir. 2003).

[12] A sample letter is attached as “Appendix A”; see also Electronic Frontier Foundation, RIAA v. The People:  Two Years Later, http://www.eff.org/IP/P2P/RIAAatTWO_FINAL.pdf (last accessed May 7, 2006).

[13] The amount is relative in the sense that it is not small per se, just much smaller than a potential judgment.  See infra section III.

[14] Id.

[15] Motion Picture Experts Group Audio 3 Layer.  See Revella Cook, The Impact of Digital Distribution on the Duration of Recording Contracts, 6 Vand. J. Ent. L. & Prac. 40 (2003).

[16] The development of the MP3 allowed large music files to be compressed into smaller, more manageable files and downloaded and stored on a user’s computer more efficiently.  See Ryan S. Henriquez, 7 UCLA Ent. L. Rev. 57, 62-63.

[17] The development of the MP3 coupled with faster Internet connections and the ability to transmit more information at a given time helped foster the dramatic societal trend towards downloading music over the Internet.  See id.; see also Phillip S. Corwin & Lawrence M. Hadley, P2P:  The Path to Prosperity, 24 Loy. L.A. Ent. L. J. 649, 651 (2004).

[18] In 1999, Shawn Fanning created Napster to make searching for music files on the Internet easier.  Napster was a peer-to-peer service where users could search one another’s computers for music and download the music.  See M/Cyclopedia of New Media, Napster, http://wiki.media-culture.org.au/index.php/Napster (accessed May 9, 2006).  The search requests were managed and routed through Napster’s central server.  See A&M Records, Inc. v. Napster, Inc., 239 F. 3d 1004, 1011 (9th Cir. 2002).

[19] See Vickie L. Freeman & William S. Coats & Heather D. Rafter & John G. Given, Revenge of the Record Industry Association of America:  The Rise and Fall of Napster, 9 Vill. Sports & Ent. L.J. 35, 41 (2002).

[20] The major record companies claim that file sharing software has caused a massive decline in CD sales.  Other plausible reasons for the decline include record label consolidations (that result in a large amount of debt), commercial radio consolidation, and shifts in consumer preferences to audio-visual media.  See Corwin & Hadley, supra note 17, at 654-655.  Furthermore, many studies suggest that P2P file-sharing programs actually boost CD sales.  See id. at 655.

[21] The RIAA avoided suing direct infringers at first.  Instead it attempted to “nip the problem at the bud” by suing the makers and distributors of file sharing software.  See Robert J. Delchin, Musical Copyright Law:  Past, Present and Future of Online Music Distribution, 22 Cardozo Arts & Ent. L. J. 343, 386-391 (2004).

[22] 284 F.3d 1091.

[23] See, e.g., Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., 259 F. Supp. 2d 1029 (C.D. Cal. 2003), aff’d, 380 F.3d 1154 (9th Cir. 2004), vacated, 125 S.Ct. 2764 (2005).

[24] See Matt Richtel, With Napster Down, Its Audience Fans Out, N.Y. Times, July 20, 2001 at A1.

[25] The Ninth Circuit Court of Appeals held that the owners of Grokster, a P2P file-sharing program, could not be liable since they did not have knowledge of infringement by the program’s users and could not monitor the users’ activities.  See Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., 380 F. 3d 1154 (9th Cir. Cal. 2004), vacated, 125 S.Ct. 2764 (2005).

[26] 125 S.Ct. 2764 (2005).

[27] Id.

[28] See Sonia K. Katyal, The New Surveillance, 54 Case W. Res. L. Rev. 297, 321 (2003); see also TechWebNews, eDonkey Second P2P to Toss in File-Sharing Towel:  A Second Major Peer to Peer File Sharing Service Waves the White Flag, 2005 WLNR 15411843 (Sep. 29, 2005).

[29] See Recording Industry Responds to Congressional Inquiry Regarding Campaign to Target Individual Copyrighted Infringers, 15 No. 11 J. Proprietary Rts. 15 (2003).

[30] See Electronic Frontier Foundation, supra note 12.

[31] See Verizon, 351 F.3d 1229.

[32] See Electronic Frontier Foundation, supra note 12.

[33] Id.

[34] Id.

[35] See CBSNews.Com, Download Suit Targets 12-Year-Old, Sept. 9, 2003, available at http://www.cbsnews.com/stories/2003/09/09/tech/main572426.shtml (accessed May 8, 2006); see also Electronic Frontier Foundation, supra note 12.

[36] See Delchin, supra note 21 at 393.

[37] See Pam Lambert & Tom Duffy & Jane Sims & Johnny Dodd, For Downloaders Like 14 Year-Old Courtnery Fitzegerald, a Rash of Recording Industry Lawsuits Could Cost Much More Than a Song, 60 People Wkly. 71 (Sept. 29, 2003).

[38] See infra section III.

[39] “Unprotected” wireless networks means that the wireless router (technically called a wireless access point) exchanges unencrypted information with the users who connect to it.  Encryption is used to scramble information sent to and from computers where only certain users can “de-code” it and access the information.  Unencrypted information is information that is accessible to anyone.  Any computer with a wireless Network Interface Card could communicate with a router that does not use encryption.  Furthermore, a relatively inexperienced hacker could access an encrypted network since most personal computers use the least sophisticated level of encryption.  Interview with Paul Zindell, Network Security Specialist, Computer Discount Warehouse (May 11, 2006).  This article focuses on unencrypted networks since they are so prevalent and easy to exploit.

[40] Id.

[41] See NYC Wireless, http://www.nycwireless.net (last accessed May 14, 2006).

[42] This author opened up the “network connections program” on his computer on May 7, 2006 while writing this article in his apartment.  He found five unprotected wireless connections that he could connect to.

[43] See supra note 39.

[44] Almost every computer that is made today is able to find unprotected wireless routers and connect to them.  Furthermore, unlike spoofing, it couldn’t be easier for a layperson to connect to an unprotected network.  Usually it can be accomplished with a mere click of the mouse.

[45] Interview with Paul Zindell, Network Security Specialist, Computer Discount Warehouse (May 11, 2006).

[46] Id.

[47] See Frederic Frommer, Coleman Tackles Recording Industry, Duluth News-Trib. (Sept. 20, 2003); see also Scott Mervis, CMU, Pitt Students Targeted in Action Against Illegal Online Music Swapping, Pitt. Post-Gazette (April 13, 2005).

[48] See Red Herring, China Zombie Machines Up 37%, http://www.redherring.com/Article.aspx?a=15988&hed=China+Zombie+Machines+Up+37%25&sector=Industries&subsector=InternetAndServices (last accessed May 16, 2006).

[49] Id.

[50] See The Honeynet Project & Research Alliance, Know Your Enemy:  Tracking Botnets, http://www.honeynet.org/papers/bots/ (last updated Mar. 15, 2005).

[51] The hacker would use the same methods that are used to spread worms or viruses.  The only difference is that a Bot infection, unlike a virus, is designed to avoid detection.  Many users have no idea that their computers are infected with Bots.  See id.

[52] Id.

[53] Id.

[54] Id.

[55] Infra, section I.

[56] Some ISPs regularly change their customers’ IP addresses so even if a computer remains turned on and connected to the Internet, it would still be given a new IP address.  Interview with Paul Zindell, Network Security Specialist, Computer Discount Warehouse (May 11, 2006).

[57] An Internet café is an establishment where people can pay to use computers that are connected to the Internet.  The customers can download files onto the computer and then transfer the files to portable hard drives.

[58] Principles of contributory and vicarious liability in copyright infringement cases could render owners of computers liable for the downloading and uploading on their computer.  To prevail on a contributory infringement claim, the plaintiff must prove that (1) the defendant had knowledge of the infringing activity, and (2) caused or materially contributed to the activity.  Napster, 239 F. 3d at 1019.  The knowledge element can be satisfied by showing that the defendant should have known that infringement was occurring on his or her computer.  Id. at 1020.  It would be relatively easy to argue that a person should know whether his or her computer is being used to download copyrighted music.  To prevail on a vicarious liability claim a plaintiff would have to show that the defendant had a right and ability to supervise the infringing activity and had a direct financial interest in the activities.  Id. at 1022.  While it would be more difficult to show that the owner of an Internet café had a direct financial interest in his customers infringing, a copyright holder could surely hold him or her liable for contributory infringement.

[59] A woman in Chicago lost her infringement case.  She admitted to downloading the music, but argued that she was sampling the music in order to decide whether to purchase the albums.  She was found to be liable for $22,000.  The judgment was affirmed on appeal.  See Aman Batheja, Facing the Music Over File Sharing, File-Sharing Customers Facing Expensive Court Fights, Ft. Worth Star-Telegram at F1 (Mar. 12 2006).  Professor Lawrence Lessig points out that the absurdity of the RIAA’s outright war on downloading is evident when viewed within the context of other legal judgments.  The RIAA sued four students for creating file-sharing networks that could possibly be used for infringement.  They demanded $98 billion.  WorldCom, which engaged in massive fraud which caused its investors to lose over $10 billion and “a loss to investors in market capitalization of over $200 billion- received a fine of a mere $750 million.”  Under possible legislation, a doctor who amputates the wrong leg would be liable for a maximum of $250,000 in pain and suffering.  But the students who innocently create programs that could be used for infringing purposes can be liable for $98 billion.  See Lawrence Lessig, Free Culture:  The Nature and Future of Creativity, 185 (Penguin 2005).

[60] Direct infringers can be statutorily liable for $150,000 per song.  17 U.S.C. § 504(c)(2) (West 2006).

[61] When the RIAA sued 261 people in September of 2003, people were threatened with such enormous damages that they were coerced into settling their case for all that they had.  A 12 year old who lived in public housing was forced to shell out $2,000, her life savings, to avoid a costly lawsuit and an even more costly judgment.  See Lessig, supra note 49 at 200.  If someone is accused of downloading “one CD’s worth of music,” that person could be liable for $2 million in damages.  See id. at 206.

[62] The average settlement amount is $3,000.  See Electronic Frontier Foundation, supra note 12.

[63] Even lawsuits targeting innocent individuals serve the RIAA’s purpose because the lawsuits deter people from engaging in file sharing out of fear that “they may be the next.”  See also Delchin, supra note 21, at 393; see also Corwin & Hadley, supra note 17, at 665.  RIAA spokeswoman Jenni Engebresten has said that the lawsuits against downloaders have “helped arrest the tremendous growth of peer-to-peer use.”  See Batheja, supra note 59.

[64] The data makes this abundantly clear.  Since 2003, the RIAA has sued more than 18,000 people.  About 4,000 cases have settled.  As of March 12, 2006, not one had gone to trial.  See id.

[65] The embarrassment associated with a lawsuit being filed against someone can be great.  Titan Media, a vendor of hard core homosexual pornographic videos, used the DMCA to identify people suspected of downloading its movies.  Armed with the alleged infringers’ personal information, Titan Media contacted them and gave them an ultimatum: settle the case by purchasing the videos or have a public lawsuit brought against them.  This conduct was considered by many to approach extortion.  See Electronic Frontier Foundation, supra note 12.

[66] The court in Verizon held effectively that section 512(h) of the DMCA would be unconstitutional if it was construed to allow the RIAA to subpoena ISPs before filing John Doe suits.  Verizon, 351 F.3d 1229.  This decision should be statutorily codified to prevent the other circuits from interpreting the DMCA subpoena provision more broadly.  Furthermore, the potential defendants already have the ability to quash a subpoena, but in order for the ability to have any utility, Congress should make sure that ISPs understand that they have a duty to notify their customers who are sought by the RIAA.

[67] The breadth of the DMCA’s provision is apparent when juxtaposed with Federal Rule of Procedure 45.  Rule 45, in concrete language, established that a subpoena could not be issued unless a lawsuit has been commenced.  Fed. R. Civ. P. 45(a)(1).  The DMCA contains no such language.  Rule 45 contains a section devoted to protecting the recipient of the subpoena.  It outlines numerous grounds on which the recipient can quash the subpoena, including if it fails to give a reasonable time to comply.  Fed. R. Civ. P. 45(c)(3)(A).  The DMCA, on the other hand, mandates that upon receipt of the subpoenas, ISPs must “expeditiously disclose… the information required by the subpoena.”  17 U.S.C. § 512(h)(5).  This is particularly troubling.  As opposed to Rule 45, which covers subpoenas in general, the DMCA is used specifically in connection with copyright infringement cases involving illegal downloading or uploading.  In those cases, the ISPs are subpoenaed to turn over their customers’ personal information.  Not only must the ISPs’ rights be protected, but the rights of the person whose information might be disclosed must be protected as well.  ISPs must have a statutory based opportunity to contest or comply with the subpoenas.  Furthermore, the person whose information is sought must also be given notice and an opportunity to quash the subpoena.  In comparison, the DMCA seems to allow more subpoenas but less procedural protection than Rule 45.

[68] See Delchin, supra note 21 at 392-393.

[69] 351 F. 3d 1229.

[70] See supra note 59.

[71] 2004 WL 2095581 (Sept. 8, 2004).

[72] See Reno v. ACLU, 521 U.S. 844, 870 (1997).

[73] 2004 WL 2095581 (Sept. 8, 2004).

[74] 326 F. Supp. 2d 556.

[75] Id. at 564-566.

[76] Supra section II(a).  Section II(a)(i) is particularly helpful since using other people’s unprotected wireless networks is remarkably common.