Voltage’s Teksavvy Subscriber Shakedown: What’s a Good ISP to do?
Tomorrow will be a big day in a federal court in Toronto. At 11am, the court will hear a motion by Voltage Pictures to have Canadian indy-ISP and darling of the open internet community, TekSavvy, disclose the subscriber names and contact addresses associated with a list of 2000 IP addresses that Voltage alleges have been used to upload and share its films and tv programs in violation of copyright law.
At the end of the day we may know whether Voltage has prevailed and TekSavvy forced to hand-over the subscriber account information linked to those 2000 IP addresses. But while we wait, there is another question that I want to address in this post, and that is whether TekSavvy has done as much as it should to oppose Voltage’s motion?
As TekSavvy’s CEO Marc Gaudrault stated in DSL Reports last December when the case first erupted into public view, “we will not be making a case against the merit of what they are alleging. That’s for those affected and others to do if they wish to.”
That refusal to take a stand, to put it mildly, has displeased many of its subscribers. It has also unleashed a roiling discussion thread on DSL Report as well as the blogosphere. Respected copyright lawyer, Howard Knopf (here, here and here) and Jason Koblovsky (here & here), one of the co-founders of the Canadian Gamers Organization, have been highly critical of TekSavvy, arguing that it should be doing more to push back against Voltage’s shake-down of the ISP.
Drawing on his experience as legal counsel to CIPPIC in a close parallel to the motion now in front of us — the BMG case in 2005 — Knopf argues that TekSavvy should take the lead in opposing Voltage’s motion for at least three reasons:
- First, since it is the only entity that can resolve the link between IP addresses and subscriber identities, it is in the best place to challenge the technical evidence that Voltage and its forensics contractor, Canipre, have put forward;
- Second, in the BMG case, Telus and Shaw actively stood in opposition to the record labels’ bid to obtain subscribers’ identities on just this ground and TekSavvy should do no less in the present case, especially given that it holds itself out as being more attuned to its subscribers’ interests than its corporate cousins – a point that Koblovsky also relies on heavily;
- Third, it is too much to ask of CIPPIC, an organization with a skeletal staff and limited resources, to take the lead in the case.
The criticism of TekSavvy has led to a lot of soul-searching, mostly because, to most observers, the indy-ISP has been on the side of angels. The little-ISP-that-could, for instance, led the charge against the CRTC’s hated UBB decision in 2011, has intervened time and again in a myriad of regulatory decisions in which the fate of indy-ISPs has been on the line, held itself up as a plucky alternative to the incumbents with more affordable services, bigger caps or none at all, and has been a patron of Open Media, probably the most successful group this country has ever seen in terms of opening up arcane telecom, media and internet policy issues to a much bigger audience.
So, not surprisingly, others have come to TekSavvy’s defense. Most notably, in addition to denouncing Voltage’s mass copyright litigation (here and here), the other day David Ellis chastised TekSavvy’s critics. As Ellis sees it, TekSavvy has being working hard on behalf of its subscribers for two months. Moreover, TekSavvy quickly joined CIPPIC to ask the court to postpone the matter to give the ISP more time to notify its subscribers, for the court to consider CIPPIC’s request to join the proceedings and to give Voltage and its hired-gun, Canipre, more time to clean up their data. Ellis also suggests that the distance between pushing for a delay and outright opposition might not be that far, and we could still see it take on a more active oppositional role yet.
He also argues that TekSavvy’s reticence to take a stance is probably due to concerns that doing so could jeopardize its claims to being a neutral, common-carrier. In this view, by staying neutral, TekSavvy avails itself of ‘safe-harbour’ provisions that get ISPs off the hook in terms of their own liability in copyright infringement cases.
While I agree with Ellis that TekSavvy could yet change its stance, and that it has done much to buy its subscribers time to arrange their own defense, I do not think it has done enough. I also think worries that actively opposing Voltage’s motion could jeopardize its ‘safe-harbour’ defense are misguided. As a common carrier, ISPs already have limited liability for what their subscribers do, and what TekSavvy does in the courtroom will have no effect on that.
I agree with Knopf that TekSavvy should be taking the lead in opposition to Voltage’s shake-down because it is in the best place to do so from a technical point of view. That there may be problems with the technical data that Voltage is presenting is evident in the fact the company cut their initial list of 4000 IP addresses down to 2000 at the last minute – a good sign that things are not quite in order. Given the weight the BMG case put on the quality of the data in determining whether privacy would be trumped by other pressing concerns, this is essential (see para 21).
Second, ISPs are common carriers and this means their liability for what subscribers say and do is very limited, both by law and by tradition. The basics of what that means is set out in the Telecommunications Act of 1993 (see sections 27-29 and 36). Common carrier principles are also carried over into the new Copyright Modernization Act, as the following passage indicates:
A person who, in providing services related to the operation of the Internet or another digital network, provides any means for the telecommunication or the reproduction of a work or other subject-matter through the Internet or that other network does not, solely by reason of providing those means, infringe copyright in that work or other subject-matter (sec. 31(1)).
Incumbent ISPs have always reserved the right to aid copyright claimants (read your Terms of Service agreement) and, indeed in 2011 Telus said that it was sending out 75,000 notices a month of alleged copyright infringement to its subscribers. The new Copyright Modernization Act has parlayed this informal arrangement into a notice-and-notice regime that now requires ISPs to do the same thing as a matter of law, and to retain and disclose subscribers’ information for a period of six months after receiving notice of copyright infringement.
There is nothing in the new act or the old legislation, however, that prevents or even discourages ISPs from taking a stance against a motion for disclosure. Again, as Knopf observes, when mass copyright litigation first hit Canada in the BMG case, Shaw and Telus stepped up to oppose BMG and the rest of the recorded music industry arrayed against them. Moreover, while Bell and Rogers were less committal in the opposition, ultimately they did line up foursquare with Shaw and Telus behind the view, as the court stated, that ISPs should step forward to “protect the privacy of their customers whom they were obliged to protect by virtue of the Personal Information Protection and Electronic Documents Act (2000) (para 13). They won.
TekSavvy should do the same. Going out on a limb a bit, at least one seasoned lawyer that I have spoken with suggest that the case could be fought and won easily, for five figures, i.e. under $100k.
Beyond the BMG case we can also look further afield to the United States at a recent example of what a real stance opposing a motion of disclosure looks like. Thus, when faced with a request from the Department of Justice to hand-over account information for three of its subscribers, without telling them, as part of the DOJ’s investigation of Wikileaks, Twitter refused. The company obtained a court order allowing it to disclose the request to the users in question. It also put them in touch with legal counsel at the Electronic Frontier Foundation.
Finally, Twitter fought the request tooth and nail, all the way to appeal, but lost because, according to the ruling, the social media company’s business model is based on the unbridled collection of user data for advertising purposes in return for free access to the service. The upshot of that, in turn, is that users have no reasonable expectation of privacy and thus Twitter had to hand over subscribers’ account information to the state.
Whether Twitter won or lost is not the key point; the fact that it stood up to the plate, and fought to the bitter end in support of its subscribers and a principle – privacy – is. Moreover, while a loser in the court of law, in the court of public opinion, it won: Twitter’s chief lawyer, Alex MacGillivray, was named by The Guardian as one of its top twenty “champions of the open internet” last April. The Electronic Frontier Foundation offered its own honorifics.
The last point that I want to make is that TekSavvy has another option at its disposal: minimizing the collection, retention and disclosure of subscriber data as a matter of company policy. Apparently there has already been some discussion of this, with the ISP at one point in time before the Voltage motion hit the fan thinking about increasing the length of time that it keeps data logs from three months to six. That is now off. And that is certainly a good thing.
There are many reasons that ISPs need to keep data logs, not least of which are billing and network management. However, there are also ways of meeting these needs that limit the data kept to just these narrow purposes and which otherwise minimize how much data is collected, how long it is retained, and when it is disclosed. Billing data, for instance, can be kept separate from traffic data, with the former retained, and the latter tossed.
There are two excellent examples along these lines that I’ll close this post with. The first is Sonic.net, a San Francisco Bay area ISP with 45,000 subscribers. It keeps subscriber data logs for only two weeks and has been the recipient of copious amounts of praise and a four-star rating by the Electronic Frontier Foundation in the latter’s annual “Whose got your back” scorecard because of this practice. TekSavvy could take some lessons from Sonic.net.
Lastly, in 2009, several Swedish ISPs, including one of the top 3 – Tele2 – began erasing “traffic data” in order to protect their subscribers privacy. They did so in response to the Sweden’s own new copyright law, IPRED, and in order to avoid precisely the kind of predicament that TekSavvy now finds itself in.
In my view, such a minimalist data collection, retention and disclosure policy is part and parcel of what a full-throated defense of principles and its subscribers would look like. The point is not to turn TekSavvy into a scofflaw, or a ghetto for copyright infringement abuse. The case of Sonic.net, Tele2, Twitter, and others demonstrate well that strong privacy and subscriber protections are not tantamount to such things, and indeed are good business and good for people’s rights.
Minimizing the collection, retention and disclosure of subscriber information embodies practices and values that apply across domains. Today it is copyright; tomorrow, lawful access and the son-of-Bill C30 (lawful access). Such values and practices will serve us well in that context, too.
We are in the midst of many events and choices that will be made that will set down the firmament in which the internet establishes deep roots. In my mind, we need to realize that these decisions and events will determine whether we can develop an internet fit for democracy, or whether we will see trade-offs all down the line to the point that an open internet and democracy are just a dream. Good night.
* Note: revised January 14th to acknowledge that Bell and Rogers were far more tepid in their stance than Telus or Shaw in the BMG case, while Quebecor (Videotron) actively sided with the record labels.