Three strikes – you’re out(?)

I’ve recently been pondering the 3-strikes process which is used by eircom to police illegal content uploaders and the Data Protection implications of same. [By way of full disclosure, I used to work there in a role that involved me analysing processes and finding out where they were broken and potentially non-compliant with a host of regulations. That said, given that when employed there a big part of my job was to call b*llshit on defective processes and get them fixed or killed, I would not consider myself an apologist for eircom].

The process (as I understand it) is this.

  1. A person goes onto a torrent site and seeds a torrent with copyright protected material.
  2. As part of seeding the torrent, their IP address is published in the torrent service.
  3. A 3rd party company monitors torrents and flags to eircom IP addresses and details of copyrighted materials that are being seeded.
  4. eircom checks the IP addresses provided against the IP addresses in use by customers at the time of the seeding and a letter is produced informing the customer that copyright protected content was being distributed illegally via their account. They are given three chances to prevent this distribution before their account is suspended.

So. What is happening here? An illegal act is being committed in a public place (IP addresses are published in the torrent service). This public data is passed to an ISP, which seeks to associate the IP address with a named ‘controller’ of the service, who is then advised that an illegal act was committed using their service and asked to ensure that the activity ceases. Music labels are not told of the offenders. Personal data of eircom customers is not transferred to music labels.

No data is passed about individual customers to any 3rd party by eircom. eircom acts on public data compiled and processed by a 3rd party on their behalf. eircom processes this information in order to enforce sections 5.5 and 5.6 of the Terms and Conditions which govern their Broadband service.

The analogy I would draw is with the system for enforcing speed limits using traffic cameras. If your car is on the motorway doing 135kmh and you are snapped by a traffic camera in a GATSO van operated by a private company working on behalf of the authorities, your car registration number and the record of the speed you were doing when snapped is sent for processing against the vehicle licensing database which associates the registration number with a named person (the registered owner of the car). A few weeks after you are snapped you receive a letter in the post with a copy of the photograph, details of the speed, and details of the fine you will have to pay.

An illegal act, in a public place, where a publicly visible identifier can be recorded, which can then be associated with other information to identify the nominated responsible person for the conduct of that vehicle. The parallel is, at least to me, very clear.

It is also very clear that, in both the Broadband case and the Traffic camera case, certain evidentiary controls need to be in place to ensure that data is being processed fairly and accurately, and appropriate safeguards need to be in place to ensure that data is not processed or disclosed unlawfully.

For example, eircom recently had an issue where a number of customers received warning letters about downloading which did not relate to them. The root cause was a failure of a server to update to Summer Time from Daylight Savings time, meaning the timestamps associated with IP addresses were out by an hour. Accurate timestamping and recording of location data of traffic cameras is also important, as the Australian State of New South Wales and the US city of Long View discovered recently.

Of course, it is important to point out that eircom did not send personal data about Customer A to Customer B. They simply attributed, erroneously, the actions of Customer A to Customer B.
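The timestamp failure described above can be reproduced in a few lines. This is an added illustration, not eircom's code: the lease-log layout, the addresses, accounts and times are all constructed, and the one-hour guard band is an assumed safeguard rather than anything the process is known to use.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
IP = "203.0.113.7"  # documentation address, constructed

# Constructed lease log: one dynamic IP handed to two accounts in turn.
LEASES = [
    (IP, datetime(2010, 6, 1, 12, 0, tzinfo=UTC),
         datetime(2010, 6, 1, 20, 0, tzinfo=UTC), "customer-A"),
    (IP, datetime(2010, 6, 1, 20, 0, tzinfo=UTC),
         datetime(2010, 6, 2, 4, 0, tzinfo=UTC), "customer-B"),
]

# Constructed monitoring reports: the IP was seen seeding at these times.
SEEN_NEAR_HANDOVER = datetime(2010, 6, 1, 19, 30, tzinfo=UTC)
SEEN_MID_LEASE = datetime(2010, 6, 1, 15, 0, tzinfo=UTC)


def skew_log(leases, error):
    """Leases as a log server whose clock is wrong by `error` would record them."""
    return [(ip, start + error, end + error, acct)
            for ip, start, end, acct in leases]


def attribute(ip, seen_at, leases, guard=timedelta(0)):
    """Return the account that held `ip` at `seen_at`.

    Returns None unless exactly one lease covers the time with at least
    `guard` to spare on both sides, so a clock error smaller than `guard`
    cannot change the answer.
    """
    if seen_at.tzinfo is None:
        raise ValueError("naive timestamp: the time zone must be explicit")
    hits = [acct for lease_ip, start, end, acct in leases
            if lease_ip == ip and start + guard <= seen_at < end - guard]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    bad_log = skew_log(LEASES, timedelta(hours=-1))  # clock one hour slow
    hour = timedelta(hours=1)
    print("correct log:      ", attribute(IP, SEEN_NEAR_HANDOVER, LEASES))
    print("skewed log:       ", attribute(IP, SEEN_NEAR_HANDOVER, bad_log))
    print("skewed, guarded:  ", attribute(IP, SEEN_NEAR_HANDOVER, bad_log, hour))
    print("mid-lease, guarded:", attribute(IP, SEEN_MID_LEASE, bad_log, hour))
```

Reports that fall close to a lease handover are the ones a one-hour error flips to the wrong account; declining to issue a letter for those trades some coverage for accuracy.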

The Data Protection Acts do not provide a shield behind which people who commit offences can hide. The right to Privacy is not an absolute one and must be balanced. So long as the processing of the data is done in a manner which does not infringe privacy or result in unwarranted disclosure of personal data, companies have a legitimate interest in ensuring that they can enforce the terms and conditions of contracts that are entered into.

Where people choose to commit an illegal act in a public manner, or where through neglect or lack of domestic control they allow such acts to be committed, then a polite but firm reminder of their duties as parties to the contract is to be expected. Where that reminder is provided without personal data being disclosed to 3rd parties (as was the case previously) then this is a half-way house that balances competing rights but which must be kept under constant scrutiny to ensure that there is no scope creep, function spread, leakage or abuse.
