UK: Privacy V. Piracy

While the title suggests some inherent conflict between ‘privacy rights’ and ‘intellectual property rights’, this isn’t necessarily the case. In most situations, privacy rights and IP rights don’t compete with each other. This is because privacy rights are focussing on protecting the private life of individuals (broadly speaking), while IP rights are often focussing on the protection of publicly distributed materials and information (the law of confidentiality, perhaps being a slight exception to the latter). So, for a long time, their paths haven’t needed to cross all that often. However, the distribution of intellectual property content such as books, films, and music is increasingly electronic and new technology, such as Digital Rights Management (DRM), is becoming more popular amongst copyright owners, enabling the monitoring of private ‘consumption’ of their content. Also, the possibility of significant IP infringing acts taking place at home is increasing, through the popularity of Peer-to-Peer (P2P) file-sharing networks. Now, more than ever before, both sets of rights need to be considered together. Are they heading for a collision?

To someone who sees the world in terms of privacy rights, it’s all about protecting intellectual freedoms – the freedom to have one’s own thoughts, ideas, likes and dislikes, which privacy rights attempt to protect by restricting access to, and use of, private information (which may also be ‘personal data’ in data protection terms). The fear is that if others have access to details of the books a person reads, the music he listens to and the files he downloads, it will shape that person’s behaviour, his freedom, and taking it to its extreme, ultimately his identity.

To someone who sees the world in terms of IP rights, it’s all about rewarding creativity and investment. The argument goes: why would anyone go to the trouble of writing a book, making a film, or writing a computer program (ignoring open source software for now…), if everyone else is able to take advantage of their work for free? Generally speaking, IP rights seek to reward a person’s investment of time, energy and creativity by restricting access to, and use of, the results of him exercising his intellectual freedom.

Before identifying new areas of potential conflict, it’s important to recognise that privacy rights and IP rights can also compliment each other in certain situations. For example, a company may regard its customer mailing list as an important commercial asset, protected by various IP rights, such as confidentiality, copyright and database right, any of which could be used to prevent the unauthorised use of the customer mailing list by a third party. In such a case though, privacy rights in the form of data protection obligations, may also prevent a third party from making use of the mailing list. Privacy and IP are pulling in the same directions.

Equally, privacy rights, albeit in the form of a "private" confidentiality right, may be relied upon to prevent the unauthorised publication of, say, family photographs – but so could the IP rights subsisting in the photographs (assuming their ownership is with the family concerned). Again, privacy and IP are pulling in the same direction.

The prospect of tension between privacy and IP increases though particularly in connection with copyright works distributed electronically, for example, via the Internet, either as legal downloads protected by DRM technology, or illegal copies distributed via P2P file sharing. This was highlighted recently by the Article 29 Working Party in its paper entitled "Working document on data protection issues related to intellectual property rights" (WPP 104), where it said, "the Working Party acknowledges the necessity of implementing measures to safeguard the rightful interests of holders of intellectual property rights against alleged fraud". While the owners of IP rights may take comfort from the use of strong words such as "fraud" and "necessity", the WPP went on to say that, "as far as investigation powers are concerned, the Working Party deems it necessary to recall that investigations performed by [copyright holders] must be performed in a clear legal framework." The implication is that the anti-piracy measures of some copyright owners infringe unjustifiably on the privacy rights of some users.

In relation to the enforcement of IP rights, nowhere is the tension between privacy and piracy more acute than in relation to illegal P2P downloading. To the average teenager, P2P file sharing probably seems like Christmas come early. All he needs to do to get ‘free’ music is download some file-sharing software, like Grokster or Kazaa (also free and readily available), and he’s fully equipped to download music from the Internet. If he’s feeling ‘public-spirited’, he may also decide to share his music collection with others by making his MP3 files available from a shared directory on his machine, uploading in other words.

To download a particular song, a user searches for it using the search functionality built into the file-sharing software. How the search mechanism works depends upon the type of file-sharing network used. These days, unlike the Napster system, perhaps the most well known of the file-sharing networks, most P2P networks use a distributed computing architecture, which does not rely on a central server containing a list tracks available for download. Instead, tracks are located via a process of cascaded queries sent to the individual computers comprising the P2P network. So, for example, if a user searches for a track his computer asks its immediate neighbours (neighbours in P2P file-sharing terms) whether they have the track or not. If they don’t then the query is forwarded to the next few computers connected to each of the computers originally asked. In this respect, the user’s original query fans out across the P2P network until a computer containing the track requested is identified. Perhaps several will be found if it is a popular track. The user who initiated the search is then sent a list of the computers from which the track is available for download. An extract of the results of a search on "Elvis" might look something like this:

Once the user has selected which machine to download the track from, perhaps on the basis of file size, connection speed or sound quality, etc. his computer makes a direct connection to that machine and a direct download commences. The intermediate computers involved in cascading his initial query are not involved in the actual download process. (Note that this is a simplistic description of a "typical" P2P network and several variants exist, some of which do not involved the sharing of IP addresses in quite the same way, nor require the whole track to be downloaded from one computer).

So, it’s ‘free’ music for all, at least through the eyes of our teenaged user.

But of course the activity described is illegal. The act of creating a local digital copy of a CD on one’s PC (ripping) is copyright infringement. What’s more, since the implementation of the Electronic Copyright Directive (2001/29/EC), it is a specific "restricted act" to communicate sound recordings or films to the public, which is to say that it is an act that only the copyright owner may do or authorise. Accordingly, uploading – moving mp3 files into a shared directory that can be accessed by other P2P users – is itself an infringing act. This is the case whether or not any of the files are actually downloaded. Such an act can even amount to a criminal offence in circumstances where the communication is in the course of business or to such an extent as to affect prejudicially the copyright owner.

Being illegal in theoretical terms is one thing. Being able to enforce one’s rights as a copyright owner is another, particularly when the Internet is involved. How would a copyright owner even identify that illegal downloading is taking place? Well, in fact, its relatively straightforward to do so. To identify an "uploader", all one has to do is to search for your own copyright work. As shown in the table above, the search results identify the IP addresses used by those machines where the track is stored and from which it is available. Identifying a "downloader" is slightly more difficult as it isn’t possible to search for users who have downloaded your copyright work. However, a copyright owner may include decoy files of their work works in a machine enabled to form part of common P2P networks (i.e. so that they are queried for tracks in the manner described above). Not only might a decoy file describing itself as, "Take Me Out" not be by Franz Ferdinand, it’s likely to include a copyright warning and, more importantly still, allow the copyright owner to identify the machine seeking to download such a track, via it’s IP address. Remember, the uploader’s and downloader’s machines make a direct connection while the file is actually downloaded, so the downloader’s IP address in data protection terms is "collected" by the copyright owner.

Which raises an interesting question about IP addresses: are they personal data? Because if they are then surely the copyright owner should be complying with the applicable data protection laws, which may require that notice of the data collection be provided (unless a relevant exemption applies). This would make surreptitiously collecting the IP addresses of uploaders and downloaders rather difficult. Well the answer is it depends.

It comes down to the question of whether an individual user is "identifiable" from the IP address he is using, the IP address being the 4 to 12 digit number assigned by his internet service provider (ISP) to the account holder’s device that is connected to the internet (e.g. 194.178.86.66). Recital 26 of the Data Protection Directive requires "…account [to be] taken of all means reasonably likely … to identify said person." And for many the fact that the user’s ISP always knows an account holder’s "real world" identity from the IP address allocated to him is sufficient. As the influential Article 29 Working party put it, "The Working Party emphasises that IP addresses attributed to Internet users are personal data."

But that’s not to say that the question is beyond doubt. While in the hands of the ISP the account holder is of course identifiable from an IP address, what about when the IP address is merely in the hands of the copyright owner, as in the situation above? For reasons that are explained later, it’s unlikely that an ISP is able to disclose the account holder’s identifying details to the copyright owner, a fact which surely be taken into consideration when assessing the "reasonable likelihood" referred to above. Moreover, much has been made of the distinction between "dynamic" IP addresses, where the account holder is allocated a new IP address each time he makes a dial-up connection, and "static" IP addresses where the IP address allocated to his device is more persistent, such as with broadband connections. It’s argued that dynamic IP addresses are less likely to be identifying (and so personal data) due to their transient nature and, in particular, the fact that the copyright owner may not even be able to recognise (a lower standard than "identify") a persistent uploader or downloader due to their use of different IP addresses on various occasions (unless of course they choose to use a username, as many do). Nor is it necessarily the case that a static IP address equates to personal data. As wireless broadband grows in popularity, situations where several users are sharing an Internet connection via a wireless router are increasingly common. In these situations, even the ISP does not know the identity of the actual user, only the account holder. Indeed, the ability of users to connect to any open wireless network makes it likely that even the account holder will not know the user’s identity. At some point, as the prospect of a link to the "real world" identity of a particular user from an IP address ceases even to be theoretically possible, the IP address used must surely cease to be personal data.

Armed with a list of the IP addresses used by uploaders and downloaders, what can a copyright owner find out? If the IP address relates to a website, as opposed to an individual user’s machine, then a reasonable amount simply by consulting any of the online domain name registries or "Who is?" databases. (In connection with P2P file sharing, a website is only likely to be involved if the user promotes the availability of their MP3 files or makes the file-sharing software available for download).

What about an individual user, a ‘mere’ downloader, where no website is involved? There are numerous online search sites (see, for example, www.dnsstuff.com) from which it is possible to find out the name of the ISP that allocated the IP address and, roughly speaking, the user’s physical location (e.g. London).

These online search tools have recently attracted the attention of the Article 29 Working Party which, "insists on the legal restrictions applying to the re-use of personal information". The "re-use" restriction they’re referring to is the "purpose limitation" principle – that the information made available via these databases was originally collected for a different purpose and so should only ever be processed in a manner compatible with that original purpose – despite the information being publicly available. A difficulty arises though because, as the Working Party acknowledges, it’s not entirely clear what the original purpose of the Whois? databases was -- or is. To enable queries, technical or otherwise, to be made of the domain name owner, perhaps regarding his registration of a particular domain name? Probably, but given that many domain queries end up in a domain name or trade mark-related dispute, who’s to say that contact with the domain name owner in connection with other forms of IP dispute, such as online copyright, is not also within the original purpose? The position is far from clear, but can a copyright owner really be expected to turn a blind eye to publicly available information that may enable it to enforce its legitimate IP rights?

In any event, to get to the actual uploader or downloader, the copyright owner clearly needs to get in touch with that user’s (alleged infringer’s) ISP. Say he does. Can the ISP simply disclose the user’s identity? No, or at least, it’s very unlikely that the ISP will want to or can do so lawfully. The ISP is likely to be (in the language of the E-Commerce Directive) a "mere conduit" that has no involvement in, or prior to being contacted by the copyright owner, knowledge of their subscriber’s infringing acts. It’s likely that they will have made certain contractual commitments to the subscriber regarding confidentiality in their subscriber agreement. Accordingly, responding to a copyright owner’s requests by simply providing the details requested is likely to put the ISP in breach of data protection legislation restricting disclosure on the grounds of "fair and lawful processing" and "purpose limitation" and in breach of its subscriber agreements. Moreover, most ISPs appreciate that any suggestion that they will disclose their members’ details at the drop of a hat is likely to damage confidence amongst their membership.

Of course there are exemptions under most data protection laws for disclosures made in connection with legal proceedings, which the copyright owner will no doubt argue apply in the P2P infringement situation described above. And they may well do. Indeed, even the ISP may be persuaded that disclosure is "necessary in connection with legal proceedings" (broadly speaking, the language of the most relevant exemption), as the party disclosing the personal data need not be a party to those proceedings. Nevertheless, since it is the ISP that would be in breach if the exemption does not adequately cover their disclosure, and perhaps in order to defuse any potential complaints from its members, it’s likely, indeed wise, for the ISP to require the copyright owner making the request to obtain a court order. What’s more, the Article 29 Working Party has expressed the view that it should always be the court, rather than the ISP, which decides upon the application of exemptions in these sorts of cases.

But to get a court order, the copyright owner must sue the ISP. How can it when the ISP has done nothing wrong – a "mere conduit"? By applying the principle established by the House of Lords in the Norwich Pharmacal case [1974] that "if through no fault of his own a person gets mixed up in the tortuous acts of others so as to facilitate their wrongdoing he may incur no personal liability but comes under a duty to assist the person who has been wronged by giving him full information and disclosing the identity of the wrongdoers." It’s a principle that has been applied by the courts in many situations, including those where the identities of IP infringers are unknown, and against ISPs. Until 2001 though, an ISP (and, equally, others on the receiving end of a Norwich Pharmacal application) had a dilemma: if the ISP requires a copyright owner to obtain a court order – for all the valid commercial and legal reasons explained above – it might nevertheless find itself liable for the copyright owners’ legal costs of obtaining it, assuming that the copyright owner is successful. While the award of legal costs is discretionary, often in adversarial proceedings, the loser pays a large proportion of the winner’s costs. In Totalise plc v Motley Fool [2001], the Court of Appeal was sympathetic to the ISPs position, at least in situations where the ISP wasn’t just being difficult for the sake of it. The court recognised that it was reasonable for an ISP to require the copyright owner to obtain a court order and yet not have to pay costs where the ISP:

• had a genuine doubt that the person seeking disclosure was entitled to it

• was under a legal obligation not to reveal the information

• could be subject to legal proceedings if the disclosure was made voluntarily

• might suffer damage by voluntarily giving the disclosure

• disclosure might infringe the legitimate interest of another

Accordingly, if the legal costs downside can be avoided, ISPs would be well advised to require a copyright owner seeking disclosure to obtain a court order requiring the ISP to do so.

The end result? Copyright owners can use existing legal theories and procedures to enforce their IP rights in connection with online piracy. This provides little in the way of relief for many copyright owners, however, considering the scale of the problem they face. Illegal downloading is rife. It’s simply too easy. In the digital world, even any potential loss in sound or image quality, which might deter some, is something that would-be uploaders and downloaders can control. Perfect copies can be made these days, in contrast to older tape-to-tape systems, or recording Top of the Pops off the television. Because copyright owners can’t sue every downloader many are looking to technology to prevent unauthorised copying occurring in the first place – a technology broadly referred to as Digital Rights Management (DRM).

Definitions of DRM abound and often it gets confused with cruder copy-protection mechanisms. Basically, it compromises a system, perhaps both hardware and software, that specifies, manages and enforces a set of "rules" in relation to digital content, the distribution (i.e. copying) and use of that digital content in particular. It may involve copy protection and/or it may involve ensuring the inclusion of a copyright notice in all digital forms of the work, or it may involve the collection of certain information about the user – what songs they played, when, how many times, how many copies they have made, all of which may be combined with details about who they are, depending on the type of DRM implemented. DRM should be thought of as enabling the use of digital content to be controlled after it is in the hands of the end-user, which makes it quite unlike "traditional" (i.e. offline) forms of content distribution, such as books, CDs, magazines and videos. Usually, the DRM-protected content is distributed in encrypted form, which in order to be played or watched or read or whatever requires the user to have a "key" enabling his hardware and/or software to de-encrypt the content. The user acquires this key when the digital content is acquired (i.e. downloaded or streamed), and it is this key that both allows and limits the user’s use of the content, matching in technical terms the scope of the licence terms granted to the user by the copyright owner.

For many copyright owners, the emergence and increasing sophistication of DRM is exciting for reasons beyond preventing, or at least inhibiting IP infringement. It opens up a new world of possibilities in terms of business models for the distribution of digital content that go beyond the traditional one time "sale" of a copy, be it a book, CD or DVD. And it would appear that consumers too are excited about the possibilities for acquiring content via new means, as evidenced by the number of songs downloaded from iTunes, Apple’s online music store, exceeding one billion recently. Users of iTunes point to the convenience of being able to buy individual tracks, as opposed to whole CDs, and the ability to play free 30 second snippets of tracks before purchasing them. By contrast, Napster (in its new legal incarnation) uses a subscription-based business model where for a flat monthly fee users can enjoy unlimited "streaming" of tracks to their computer (think of this as similar to an Internet radio where the user chooses which tracks are played) or download them to their computer and play them for as long as their subscription is valid. Alternatively, for a higher flat monthly fee, tracks can be downloaded to mobile devices or burnt to a CD for a fee calculated on a per track basis. There are numerous other legal music sites, all adopting similar yet subtly different pricing and distribution models.

DRM is not without its controversies and opponents, however. Critics, for example, object to DRM’s impingement on users’ "fair dealing" rights, which is to say users ability to make lawful use and copies of copyright material by preventing access even in situations that are recognised as lawful under most copyright laws, such as copying for the purposes of private study. But critics of DRM and champions on privacy are also concerned about the impact of DRM on the privacy rights of the individual.

This article started by describing the importance of intellectual freedom to someone who sees the world in terms of privacy rights, their desire to read and watch and listen to whatever they want without fear of their intellectual consumption being monitored. In the offline world, such content can be enjoyed anonymously, particularly if acquired via cash purchase, and for many it is important that the possibility of doing so exists in the online world too. The continuous link between the user’s activities and the copyright owner enables the copyright owner to know which track the user played, how many times the chorus was played, whether an attempt was made to make an unauthorised copy of the material, and so on, resulting in what many regard as unprecedented levels of surveillance where a user’s own computer may "dob him in" to a copyright owner! A copyright owner also acquires a detailed and powerful profile of users’ consumption habits, with all the attendant marketing possibilities that brings. But perhaps worst of all, many would say, much of this monitoring takes place in the user’s private space – their home.

These fears are sufficiently justified for the Article 29 Working Party to offer their view in WPP 104. They highlighted the need for "fair and lawful" processing – are users being told what information about their use of DRM content is being collected, by who and what’s done with it? For some uses consent will be necessary, particularly where use of the information for direct marketing would amount to "repurposing" the data. Perhaps their most significant remark though was their reminder that the "proportionality principle" applies – that only the minimum amount of personal data for the particular purpose should be collected i.e. collect what you need and no more, a principle which cannot simply be "cured" by obtaining the user’s consent. The Working Party "seriously" questioned the collection by copyright owners of data about all forms of content usage, including legal usage, just in case it would enable copyright owners to identify the source of unauthorised use in the future. It also urged the development of DRM technologies that operate anonymously on a "platform" level rather than an "information level", systems that are recognised as "trusted" and entitled to access certain content, which technically prevent unauthorised acts, yet do not monitor content consumption on a track-by-track or page-by-page level.

As DRM starts to gain traction amongst copyright owners distributing content online, developers of DRM-related technologies need to ensure that their systems incorporate sufficient flexibility while the privacy versus piracy debate continues. It’s only just started. The data protection regulators, via WPP 104, have voiced some preliminary concerns. The millions of undeterred users who access legal DRM content online are having their say too, but it’s early days. Right now, it’s easy enough to enjoy content anonymously, at home or wherever. As and when the Internet becomes the norm for how we access our content though, consumers may start to pay more attention to how much of their intellectual freedoms they are prepared to give up and how much reach they are prepared to allow copyright owners into their homes. It may be a surprisingly large amount if in exchange for added convenience and lower cost.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.