RIAA subpoenas
The RIAA is sending subpoenas to a lot of ISPs to try to identify people. As we previously explained in an amicus brief, the procedure they're using for this, created by 17 USC 512(h), lacks a lot of procedural safeguards normally associated with subpoenas.
I've looked at a large number of the subpoena requests. They're obviously generated by a script -- "mail merge", as they used to say -- and that's a good thing from a certain point of view, but it's kind of frightening. Your identity is essentially being requested by a computer, and then Yvette Molinaro is in the loop seemingly for the sole purpose of signing her name to attest, in effect, that the computer was programmed properly.
It's almost as though you could have XML-RPC or some other function call through which the RIAA could get the user's identity.
In fact, there are many press reports to the effect that the D.C. District Court is overwhelmed by having to process all of these subpoenas -- already in the dozens per day -- and if the court is having so much trouble just stamping and scanning and docketing, think about the compliance burden for the ISPs. Perhaps RIAA hopes that ISPs will eventually decide to create automated mechanisms, through private agreements with RIAA, in order to keep this out of the courts and lower everyone's costs. An ISP could set up a particular e-mail account. RIAA would send signed e-mail attesting that a particular user's identity was sought for the purpose of enforcing copyrights; the ISP would respond automatically, identifying the user. It could work.
This has happened in other contexts. Under the current 512(h) regime, there would seem to be a strong incentive for ISPs to negotiate private alternatives, which would be cheaper but typically even less privacy-protective than the status quo.
It is troubling to think that a single typo would now result in the automatic exposure of an Internet user's true name and contact information. Suppose the RIAA transposes two digits in the IP address. Now the ISP is likely to disclose that other user's identity instead of the identity of the person who was actually sought, and there is likely to be no review and no recourse. In fact, the user who's wrongly identified might never know (unless he or she is subsequently sued).
These errors are pretty easy to make, and the subpoena power is very strong. There are lots of ways to mitigate this harm somewhat, but those which don't involve politics mainly involve effort by ISPs. The cheapest course for the ISPs might just be to give up and not do anything to protect their users' privacy. That would make the entertainment industries' frequent claim that you aren't anonymous when you use the Internet become much closer to the truth.
Anyway, I got to do some fun coding as a result of this and learn about Python's modules for CGI scripting and MySQL access. It's surprisingly easy. Dan Moniz created a nice front-end to the database we built, and now you can search to see whether your identity has been subpoenaed.
I think it's silly that people are only searching for their KaZaA usernames and the like. The ISPs won't identify you by your KaZaA username, even if you're a KaZaA user, because the ISP doesn't know your KaZaA username or whether you're a KaZaA user. The ISP will identify you by your IP address, because that's what the ISP knows. And the ISP will identify you by your IP address whether you're a KaZaA user or not, whether you're a copyright infringer or not. The risk of misidentification is extremely great -- especially with this prelitigation subpoena process -- and all Internet users should be concerned, not just copyright infringers.
Bill Frantz has a signature file which says "Due process for all used to be the American way". I don't think he has these subpoenas in particular in mind. But you are now, right this moment, a single typographical error away from being identified, possibly without your knowledge.
