Protecting privacy from the 'new spam'
By Peter Swire for the Boston Globe.
Overlooked in the heated rhetoric has been a victim of the RIAA's campaign - the privacy of all those who surf the Internet or send e-mail. On the RIAA view, your sensitive personal information on the Web would be available to anyone who can fill out a one-page form. Congress can and should step in to fix this problem immediately.The problem began in late 2002, when the RIAA demanded that Verizon Online, an Internet service provider, identify one of its customers based on an accusation that the person may have violated copyright laws by swapping files.
Verizon declined, citing the threats to customer privacy, due process, and the First Amendment. Was Verizon overreacting? No.
The new process starts when any website operator, recipient of an e-mail, or participant in a P2P network learns the Internet Protocol address of the home user. These IP addresses are automatically communicated by the nature of the Net, but until now only the ISP could usually match an IP address with a user's identity.
When a copyright holder fills out a one-page form, however, a federal court clerk must now immediately issue a subpoena. That subpoena orders the ISP to turn over the name, home address, and phone number that matches the IP address.
This procedure violates due process. There is no judicial oversight and only the flimsiest showing of cause. Furthermore, Internet service providers risk large penalties if they even question the validity of a subpoena.
Privacy is destroyed because it becomes so easy to reveal the identity of Internet users. The First Amendment is undermined because of the chilling effect if every e-mail and every post to a Web page can be quickly tracked back to a home address and phone number.
The early use of these subpoenas has shown startling mistakes by copyright holders. One recording industry subpoena this spring - based on a patently incorrect allegation - nearly closed down a college astronomy department's Web server in the middle of exam week. A major studio has sought a subpoena based on the careless assertion that a tiny computer file was a copy of a Harry Potter movie. (It was a child's book report instead.)An even greater risk is putting this subpoena power in the hands of anyone willing to pretend to have a copyright claim. These fraudulent requests will be impossible to distinguish from legitimate ones.
This flood of legally sanctioned harassment will quickly become the ''new spam,'' with the kinds of abuses as limitless as the Internet itself:
The most common use may be that of website operators who want to identify their visitors for marketing purposes or for more nefarious reasons, including identity theft, fraud, or stalking.
Here is the full text of the article in case the link goes bad:
http://www.boston.com/dailyglobe2/208/oped/Protecting_privacy_from_the_new_spam_+.shtml
Protecting privacy from the 'new spam'
By Peter Swire, 7/27/2003
THE BATTLE is heating up between the recording industry and those who download copies of their favorite music. the Recording Industry Association of America is bringing hundreds of lawsuits nationwide against home users of peer-to-peer (P2P) software, including students at Boston College and Massachusetts Institute of Technology.
Republican Senator Orrin Hatch of Utah recently used a Senate hearing to suggest that copyright owners should be able to warn home users once or twice, and then actually destroy the computers if the apparently infringing songs were not removed.
Overlooked in the heated rhetoric has been a victim of the RIAA's campaign - the privacy of all those who surf the Internet or send e-mail. On the RIAA view, your sensitive personal information on the Web would be available to anyone who can fill out a one-page form. Congress can and should step in to fix this problem immediately.
The problem began in late 2002, when the RIAA demanded that Verizon Online, an Internet service provider, identify one of its customers based on an accusation that the person may have violated copyright laws by swapping files.
Verizon declined, citing the threats to customer privacy, due process, and the First Amendment. Was Verizon overreacting? No.
The new process starts when any website operator, recipient of an e-mail, or participant in a P2P network learns the Internet Protocol address of the home user. These IP addresses are automatically communicated by the nature of the Net, but until now only the ISP could usually match an IP address with a user's identity.
When a copyright holder fills out a one-page form, however, a federal court clerk must now immediately issue a subpoena. That subpoena orders the ISP to turn over the name, home address, and phone number that matches the IP address.
This procedure violates due process. There is no judicial oversight and only the flimsiest showing of cause. Furthermore, Internet service providers risk large penalties if they even question the validity of a subpoena.
Privacy is destroyed because it becomes so easy to reveal the identity of Internet users. The First Amendment is undermined because of the chilling effect if every e-mail and every post to a Web page can be quickly tracked back to a home address and phone number.
The early use of these subpoenas has shown startling mistakes by copyright holders. One recording industry subpoena this spring - based on a patently incorrect allegation - nearly closed down a college astronomy department's Web server in the middle of exam week. A major studio has sought a subpoena based on the careless assertion that a tiny computer file was a copy of a Harry Potter movie. (It was a child's book report instead.)
An even greater risk is putting this subpoena power in the hands of anyone willing to pretend to have a copyright claim. These fraudulent requests will be impossible to distinguish from legitimate ones.
This flood of legally sanctioned harassment will quickly become the ''new spam,'' with the kinds of abuses as limitless as the Internet itself:
The most common use may be that of website operators who want to identify their visitors for marketing purposes or for more nefarious reasons, including identity theft, fraud, or stalking.
Porn sites and gambling sites could track down visitors and demand payment not to reveal the user's identity, all under the pretext of enforcing the site's ''copyright.''
Private investigators will gain an unstoppable way to turn an e-mail address into a person's name and physical address.
Fortunately, a better alternative is clear. Courts have already used ''John Doe'' procedures where one party tries to learn the name of an anonymous Internet user. In these cases, users can object (anonymously) to having their identity revealed. The judge looks at the facts. If the person is engaged in illegal piracy, then the judge reveals the name and orders effective sanctions. If the copyright holder or scam artist does not have a winning case, then the user names remain private.
John Doe legislation of this sort is being considered now in California and should become a priority in Congress as well. The RIAA lawsuits against users are beginning now, long before the appeal of the Verizon proceeding will be decided.
Before the ''new spam'' proliferates, we should have fair procedures in place that will protect intellectual property while protecting privacy, free speech, and due process as well.
Peter Swire is professor at the Moritz College of Law of the Ohio State University, and was the Clinton Administration's chief privacy counselor.
This story ran on page E11 of the Boston Globe on 7/27/2003