This week, copyright trolls in Sweden announced they’ll start sending extortion letters later this year to people who have been sharing music and movies. It follows an all too familiar pattern from other countries, where these fraudsters have eventually had to give up their scheme as plain unprofitable. But beyond the press releases and posturing from the copyright industry, what does the legal and practical situation look like?
Assuming the holder of an exclusive right can show that somebody else has performed the action they have a monopoly on – in cleartext, shared music and movies in violation of the copyright monopoly – then that holder of the exclusive right has, under the current legal framework, right to damages. The morality of this is highly questionable and dates back to suppression of freedom of speech in the 1550s, but let’s leave that part aside for now.
So there are two things needed in this equation for damages to come into play: the holder of the exclusive distribution right must be able to identify the person sharing, and they must show that this person actually did share. Usually, what the holders have are IP addresses and nothing more.
Let’s see how this plays out in the legal landscape of Sweden, now that the copyright industry has announced their intention to start sending speculative invoices.
In the years 2007–2010, the copyright industry pushed heavily for two things: first, the Data Retention Directive, which forced ISPs to log all IP address allocations for at least six months, in order to combat crime; and second, an overimplementation of a European directive called IPRED, which gave them the right to demand such log data from ISPs on request. This two-pronged approach, it was theorized from the copyright industry, would enable the industry to harass ordinary people sharing music and movies until their distribution monopoly was respected again. But it didn’t go quite that way.
Two things are noteworthy already: first, that the Data Retention Directive – the first legalized mass surveillance, created on behalf of the copyright industry – was taken out and shot unceremoniously by the European Court of Justice in 2014. They didn’t just void the Directive; they went so far as to cancel it retroactively, saying that it had never existed. Second, that IPRED detail where the copyright industry got the power to break anonymity for mere infringements of copyright meant that the private copyright industry actually had more powers than the Police. (The Police couldn’t get this data without suspicion of a crime carrying at least six months in prison, which sharing a movie never does.)
However, a lot of ISPs didn’t appreciate the bullying from the copyright industry at all, especially given that the Data Retention Directive had given the ISPs a significant extra operational and financial burden, so many of them decided to protect their customers instead. In fulfilling the first step of the two-step requirement above, identifying the subscriber behind a particular IP address, the ISPs in Sweden are acting quite differently (and it’s interesting to see which understand who their customers are):
The first type of ISP logs aplenty, required to by law or not, and give the copyright industry any subscriber data they want, even though this is highly questionable – not to say probably illegal – under the various Data Protection Acts. (This ISP behavior is trivially defeatable by using a good VPN.)
The second type of ISP logs only as minimally required, and has noted that the Data Retention Directive – still in force in Sweden pending a court challenge – only applies to criminal investigations. Therefore, they have used a legal technicality with dual sets of logs, where they keep the required logs for criminal investigations and leave them to Police only, and delete the other set of logs immediately (negating requests from the private copyright industry).
The third type of ISP does everything the second type does, and in addition, throws every wrench they can into the copyright industry’s machinery. The Bahnhof ISP is particularly stellar in this category in Sweden, but Tele2 also deserves a mention for their consistent legal challenges.
However, there’s also another dark cloud on the horizon here. As Hax observes (in Swedish), these new Swedish copyright trolls are paying off a lot of ISPs, according to their own numbers. That begs the question if there are ISPs with “business development” that see it as a business to sell such subscriber data to the copyright industry, as a secondary revenue stream (obviously disregarding that it would kill their primary business if – no, when – found out)?
Assuming a subscriber identity can be obtained by the copyright trolls, they still need to prove one of two things: that the subscriber was either the one doing the sharing, or is legally liable for anybody else doing such sharing.
This is, in two words, not possible – at least not without a search and seizure of the actual equipment used, and the private copyright industry doesn’t (yet) have the right to invade people’s homes and carry off computers. There is no way to show remotely that the person listed as subscriber was the one doing the actual sharing, not even if they’re alone in their household: they may have opted for having an open wireless network to be a good neighbor, like I have, and since I’m on the 9th floor, my two access points in windows on opposite sides of my apartment are visible for several hundred meters in all directions. Literally thousands of people can access them. Sharing is caring.
The only country which has – or had – a liability preventing open access points was Germany, where the subscriber was liable for everything that happened on the network if they had an open access point. But following the European Court of Justice declaring this practice grossly illegal in a preliminary opinion, German lawmakers are in a hurry to remove this liability. Speculative cases in the US to establish such weird liability have been firmly shut down as well.
In Denmark, neighboring both Germany and Sweden, the copyright lobby did this kind of trolling for a while. Once the Open Wireless Defense was established, they practically ceased trolling overnight – there just wasn’t any winning. In Denmark, according to unconfirmed data, three people were sentenced to damages out of 560 brought to court – and those three were all sentenced because of their own admittance to sharing.
Of course, the copyright trolls in Sweden are well aware of all this. They don’t have a leg to stand on, even if they do get subscriber data, and will still send out threatening invoices. Legally, these are quite likely invoices (or “offers to settle”) of the “mail fraud” type.
So as a final note, in the coming week, I will personally look for a prosecutor in Sweden who wants to take on the case of charging the CEO of this troll company with preparing for advanced mail fraud (förberedelse till grovt bedrägeri), a crime that carries a prison sentence equivalent to assault with a deadly weapon. Filing a police report is one thing, but you also need a prosecutor interested in pressing those charges: without the latter, the former becomes a pointless effort.
Privacy remains your own responsibility.