According to a report which has flown almost completely under the radar, last year an ISP sent out around 300 “first strike” warning letters wrongfully accusing innocent subscribers of Internet piracy. ISP Eircom implemented the scheme in partnership with the recording industry and is now being investigated by the Irish Data Protection Commissioner.
In February 2009, IRMA – representing EMI, Sony, Universal and Warner – reached an 11th hour out-of-court settlement with Irish ISP Eircom on the issue of illicit file-sharing. The deal would see Eircom introduce a graduated response system for dealing with errant subscribers.
“Eircom is proceeding with implementation of the protocol which could result in the suspension and ultimately disconnection of broadband service for those customers who deliberately and persistently infringe copyright,” the company said in a December 2010 statement, reiterating their commitment to the scheme.
But little did we know that the fears of “3 strikes” opponents had already come true.
From deep inside the “how the hell did the majority of the media miss this department”, it now becomes clear that by October 2010, Eircom had already sent out around 300 warning letters to completely innocent subscribers.
The company seems to have tried to play down the error saying that computer clocks were incorrectly adjusted to compensate for daylight saving time, some comfort to the unlucky letter recipients.
According to TJ McIntyre at digital rights site EDRI.org, as a result of this failure the Irish Data Protection Commissioner is now investigating the entire Eircom scheme.
“The significance of this case goes well beyond simple technical failings however, as the complaint to the Data Protection Commissioner (DPC) has triggered a wider investigation of the legality of the entire three strikes system,” he writes.
The DPC is said to be not only investigating the complaint but also “whether the subject matter gives rise to any questions as to the proportionality of the graduated response system operated by Eircom and the music industry.”
McIntyre says that when the Eircom/IRMA deal was being agreed, the DPC expressed concerns with it, not least over the question of whether or not IP addresses are personal data. However, until someone raised a complaint, that issue was put on the back burner. The delivery of 300 false “first strike” warning letters appears to have met that criteria.
“The complaint in this case has now triggered that action, and it seems likely that the Commissioner will reach a decision reflecting his previous views that using IP addresses to cut off customers’ internet connections is disproportionate and does not constitute ‘fair use’ of personal information,” McIntyre explains.
“If so, the Commissioner has the power and indeed the duty to issue an enforcement notice which would prevent Eircom from using personal data for this purpose – an outcome which would derail the three strikes system unless Eircom successfully challenges that notice before the courts, or unless the music industry were to succeed in its campaign to secure legislation introducing three strikes into Irish law.”
The way this story has flown largely under the mainstream tech news radar will have been a relief to Eircom and IRMA. Something tells us that is about to change.
As detailed in our earlier reports, anti-piracy company Trident Media Guard (TMG) recently failed to secure some of their systems. Blogger and security researcher Olivier Laurelli, aka Bluetouff, originally reported the breach which included a wide open virtual ‘test’ machine containing various tools. These, of course, spilled into the wild.
Those who’ve been reading our blog for long enough may remember how the MPAA and RIAA accused a printer at the University of Washington of copyright infringement a few years ago.