oreilly.comSafari Books Online.Conferences.
Articles Radar Books  

Commentary: What's Real and Make-Believe with the RIAA Subpoenas?

by Lisa Rein

What's real and what's make-believe about the RIAA's recent subpoena campaign and it's newly announced "Amnesty" program?

A recent decision by the 9th Circuit Court of Appeals finds that a party using "patently unlawful" subpoenas to obtain access to another party's stored electronic communications could be liable for violations of electronic privacy and computer fraud statutes. This could have serious implications for the RIAA's mass subpoena campaign in that, if such subpoenas were also determined to be "patently unlawful," for whatever reason, the organization could be held liable under electronic privacy and computer fraud statutes for accessing user data under false pretenses. (Read a summary of the decision.)

Does this mean, if the RIAA's subpoenas are determined "invalid," that they are illegally snooping? It's extremely possible. However, the DMCA subpoena law is new and there aren't many decisions on it, so the RIAA could try to hide behind the "newness" of the law to avoid liability for misusing it.

If the RIAA's subpoenas were determined to be "patently unlawful," file sharers could potentially retaliate with lawsuits for alleged electronic privacy and computer fraud violations if the RIAA's counsel knowingly misuses the subpoena process in order to gain access to file sharers' private information.

Any lawyer has the authority as an Officer of the Court to serve anyone they wish with a subpoena, but such authority must not be abused. According to the decision, the subpoena was a clear violation of the Federal Rules. Although Kozinski implies that NetGate should have known that, he also says that even if they didn't, the lawyers who issued the subpoena should have and therefore knew or should have known they were deceiving NetGate:

"The subpoena power is a substantial delegation of authority to private parties, and those who invoke it have a grave responsibility to ensure it is not abused. Informing the person served of his right to object is a good start, see Fed.R.Civ.P. 45(a)(1)(D), but it is no substitute for the exercise of independent judgement about the subpoena's reasonableness."

Most larger ISPs have legal departments, but smaller ones often can't afford to hire a lawyer, especially for every subpoena they get. In the decision, Kozinski points out that recipients are often being cowed into compliance:

"Fighting a subpoena in court is not cheap, and many may be cowed into compliance with even over broad subpoenas, especially if they are not represented by counsel or have no personal stake."

Since June 2003, the RIAA's mass subpoena campaign has been serving ISPs in an attempt to find out the identities of file sharers. So far, 1300 subpoenas are in the EFF database system, and more are being added all the time. "ISPs" ranging from large-scale service providers (such as Comcast, SBC, Time Warner, Verizon, Earthlink, and America Online) to educational institutions (such as New York University, Boston College, MIT, and Columbia) have been served. (View the complete list as compiled by the EFF database.)

Difficult for ISPs, Especially Smaller Ones

The reactions from the ISPs have been varied, depending on the size and caliber of the institution. MIT and Boston College were able to have their subpoenas quashed after it was discovered that they had been incorrectly filed out of jurisdiction. (The RIAA was trying to cut costs by filing all of their subpoenas from a single court in Washington, D.C., when in fact such filings must be done within 100 miles of the offending party.) Some of the larger ISPs, such as Pac Bell and Verizon, have challenged the validity of the subpoenas in any court, asserting that they violate constitutional Due Process and various federal rules and statutes.

Theoretically, subpoenas are filed with discretion, often during "discovery" after a lawsuit has already been filed. However, the DMCA specifically departs from this common practice by allowing the RIAA to issue subpoenas before having to file even a single lawsuit; in fact, all that the RIAA needs to subpoena someone's personal data is a "good faith belief" that the person is infringing their copyrights, which, when it comes to file sharing, is pretty much every one of the 60 million users, in the eyes of the RIAA. This "pre-emptive" subpoena power is exactly what privacy advocates and defenders of Due Process feel is unconstitutional and inappropriate about the DMCA subpoena provision. This gives the RIAA the right to spy on 60 million Americans, even if it never ends up suing a single one of them.

Because subpoenas are ordinarily filed after a lawsuit has begun, valid subpoenas typically are limited to requesting information related to the subject matter of the lawsuit and the parties to the lawsuit. (This was part of the basis for Judge Brazil's finding in the Kozinski case -- that the subpoenas requested information beyond the scope of the lawsuit.) Parties to the lawsuit are also required to give copies of any subpoena they issue to the other parties. Because of the relevance limitation and the requirement to send copies to others, all affected parties in a litigation get notice if their information is being requested from a third party; this allows them to move to quash any subpoena that might invade their privacy. (As was the case in the Kozinski case.)

However, when it comes to the DMCA's pre-emptive subpoenas, there is no lawsuit; therefore, there are no opposing parties that the RIAA is required to send copies of the subpoena to. Thus, the users never find out that their information is being sought and never have a chance to oppose, unless the ISP voluntarily notifies them.

O'Reilly Emerging Technology Conference.

Under current law, it's up to the ISP to notify the customer if they want to. When an ISP is served with one of these RIAA subpoenas, the larger ISPs who have legal counsel, such as Verizon and Pac Bell, would know if the subpoena itself is lawful or not. However, for smaller, "mom and pop" types of ISPs, the subpoenas are often handled by administrative personnel. Often, such ISP won't even consult legal counsel, for doing so every time could result in large legal bills.

With the RIAA issuing DMCA subpoenas at it's current rapid rate (over 1500 in the last two months), and taking into account that such subpoenas require a response within seven days, even a well-staffed legal department could not adequately respond to such a barrage of subpoenas. This is another reason that many feel the RIAA should be forced to file lawsuits that would cost them several hundred dollars a person, rather than be allowed to send out mass subpoena mailings that only cost them less than $50 a piece.

How would a file sharer know that their privacy had been violated in this way? The first thing one would have to do is look up their user name or IP address using The EFF's Subpoena Database Query Tool to see if it shows up in the EFF's subpoena database. Even if it doesn't come up in the database, you could ask your ISP directly if they have been served and whether or not they have complied with it. You could ask them what information they've made available. The ISP is not under any obligation to tell the user if and what they did, but it's a good business practice to do so. It could depend on the ISP's user agreement as well.

Ironically, the DMCA allows the RIAA to subpoena user info pre-suit, but if an ISP refused to tell a user whether or not it had given up their info to the RIAA, the user would have to sue his ISP in order to get that information via discovery.

Computer users are at a significant disadvantage under the DMCA subpoena provision process. If they don't know they've been served, and the ISP just hands over the info and doesn't tell the user, the user can't complain about the subpoena being invalid in time to stop the information transfer, and the damage has been done. And if the ISP doesn't even consult its attorney, it's not going to complain or challenge the validity of the subpoena.

Legislation has been proposed to require ISPs to notify their customers when a third party has subpoenaed their information. The legislation is mostly meant for state defamation suits where someone has anonymously posted something on a message board or in a chat room. Companies will often subpoena the hosting service to discover the identity of the person. The hosting service is not currently under any obligation to notify the person that their identity is being subpoenaed.

The new law proposed by the Electronic Frontier Foundation (with assistance from the Samuelson Clinic for Law, Technology, and Public Policy at Boalt Hall), would force ISPs to notify their customers and give 30 days to challenge the requests in court. However, such legislation would not have any affect on the DMCA subpoenas, which take place at the Federal level. However, if the law passes, many would like to see this same requirement in the DMCA subpoena provision. Arguably, something of this nature is constitutionally required on Due Process grounds.

Senator Norm Coleman (R-MN) is investigating the techniques and methods used to issue subpoenas and collect information from ISPs, noting that numerous clerks in the U.S. District Court in the District of Columbia have already had to be reassigned just to deal with the paperwork. He requested copies of all of the subpoenas filed by the RIAA and "a description of the methodology the RIAA is using to secure evidence of potentially illegal file sharing by computer users." According to an interview with Senator Coleman in Future Tense Now Magazine, Coleman's worried about the disproportionate penalties being proposed by the RIAA (at $100,000 per song) for the kinds of copyright infringement that file sharing sometimes involves. "My concern is to make sure that the penalty fits the crime," Coleman said, "And that in the end, we're not wiping out some families' savings because some kid downloaded, for his own use, some songs over the Internet."

Pages: 1, 2

Next Pagearrow

P2P Weblogs

Richard Koman Richard Koman's Weblog
Supreme Court Decides Unanimously Against Grokster
Updating as we go. Supremes have ruled 9-0 in favor of the studios in MGM v Grokster. But does the decision have wider import? Is it a death knell for tech? It's starting to look like the answer is no. (Jun 27, 2005)

> More from O'Reilly Developer Weblogs

More Weblogs
FolderShare remote computer search: better privacy than Google Desktop? [Sid Steward]

Data Condoms: Solutions for Private, Remote Search Indexes [Sid Steward]

Behold! Google the darknet/p2p search engine! [Sid Steward]

Open Source & The Fallacy Of Composition [Spencer Critchley]