Saturday, 14 June 2014

RSA: How they caught the copyright pirate

Mybroadband ran a short but fascinating piece earlier this week considering how the first person convicted for peer-to-peer copyright piracy in SA was caught.  For those interested in the technical side of the investigation, the piece is well worth a read.  For background on the case and the basis for the conviction, see Dr. Caroline Ncube’s informative post on this blog here.

What I found particularly interesting is how the police couldn't simply rely on linking the IP address used to upload the film to the suspect.  The IP address of the uploader of the film was easy to obtain given that the peer-to-peer network in question makes the IP addresses of uploaders publically available.  The IP address was then linked to this particular suspect by serving a subpoena on the internet service provider responsible for that IP address in terms of section 205 of the Criminal Procedure Act.  However, the police still had to prove that the suspect was the person who used the computer associated with that IP address at the time the film in question was uploaded (i.e. at the time the offence was committed).  This was apparently achieved, at least in part, by obtaining affidavits from residents confirming that the suspect indeed used the computer during the relevant period. 

To those SA lawyers who paid attention in Crim Proc class (I can’t imagine there are too many of you who read this blog), you’ll recall that section 205 empowers a judicial officer to require any person who is likely to have information relevant to the commission of an offence to appear before him/her.  It has also been the subject of much controversy given its use to compel journalists to reveal their sources. 

Moral of the story – if you’re a pirate, don’t trust your neighbours!


Kingsley Egbuonu said...

Jeremy, do I understand it correctly that this case wasn't tried?

First, I'm all for legitimate IP enforcement & the courts/law should make it easy for IP owners to enforce their rights. I make these comments because I've heard/witnessed how innocent people can get caught up in online copyright infringement claim. In any case, I know this is a peculiar case.

I can remember a UK IP/IT barrister telling me that it's not just about discovering the IP address etc, but that one has to go further to conduct forensic analysis of the actual PC/equipment used for the act and so on. In short, it's an expensive/time-consuming exercise, as I understand it.

I'm aware that South African lawyers/courts often look towards Europe (particularly, the UK) for guidance in certain areas and really hope they're doing so in this nascent area of IP enforcement practice.

It's crucial that the SA law is tested because this IP address evidence point, from what I've seen, is not as clear-cut in most cases and there are implications/worries with these things - one of which might be found in the last sentence of your post :-)

Perhaps, I'm sounding too soft or out of sync with what's really going on in this RSA case. Do let me know, thanks.
You'll already be aware of examples from the U.S and Europe:


Jeremy Speres said...

Hi Kingsley

Thanks for the interesting comment.

The suspect in this case pled guilty. He was presumably advised to do so in light of the prosecution's apparently strong evidence discussed in the Mybroadband piece.

The host of cases you link to can be distinguished from the SA case in one important respect. In the SA case, the police anticipated the difficulty highlighted in the cases you link to, that is, the difficulty of linking a specific individual to an offence committed using a specific IP address. In the cases you cite, the claimants were missing the crucial link between the IP addresses and the specific individuals concerned. In the SA case, the police established this link by, in part, obtaining affidavits from residents confirming that the individual in question controlled the computer associated with the IP address in question at the relevant time. Accordingly, the evidence in the SA case seems to have established the link between the IP address and the suspect, which appears to be have been missing in the cases you cite. The suspect's advisors surely appreciated this, hence the guilty plea.

Kingsley Egbuonu said...

Thanks, Jeremy. I thought as much: the plea was imperative.

I've only read those examples & not the actual judgments, so unsure of the 'link establishment' point. Here are my last few pennies:

Yes, the UK ones involving Golden Eye (GE) were, in my view, fishing exercises i.e. failed the link. In fact, I dealt with one those involving the same claimant. The other examples seem to have done better to succeed at trial.

The U.S case example did better than the GE ones as it established link, but the court wanted more. Probably, it would've benefited from SA's strategy. Talk of U.S/U.K learning from SA :-)

It will be interesting to see how the UK/U.S courts would treat such evidence/strategy used in the SA case, and equally, how the guilty feels about his/her neighbours LOL

Jeremy Speres said...

Thanks Kingsley. I'd love to hear about the matter you were involved in sometime.

I'd imagine the suspect won't be having them over for dinner anytime soon!

Rick Shera said...


Interesting to see developments in this area in other jurisdictions. You and your readers may be interested to know that in New Zealand, our legislators decided to create a whole new level of vicarious liability for an IP address account holder. Changes made to our Copyright Act in 2012 mean that the copyright owner does not need to worry about the pesky requirement to match an IP address to areal person using the device - if the infringement occurs at that IP address, the account holder is liable, whether or not they even knew the account is being used. In a particulalry eggregious case, a soldier serving in Afghanistan was held liable for the actions of someone minding his house who infringed by filesharing three songs.

Jeremy Speres said...

Hi Rick

Many thanks. Fascinating stuff!

I was aware that NZ was one of the first to introduce graduated response mechanisms but had no idea that one could be found liable without the "link"!

I had a quick read of your sections 122A-U. Three points. Firstly, if similar provisions were enacted in SA I'd expect them to face a constitutional challenge before long, on the basis of, perhaps, the right to equality before the law or another right in the Bill of Rights, given the unfairness that can result from holding the account holder, as opposed to the actual infringer, liable. Not being familiar with your constitutional set-up or the ability to challenge legislation on the basis that it is unfair/unjust, has a similar challenge to the legislation been contemplated over there?

Secondly, how do these NZ provisions affect WiFi hotspot operators or other access providers who utilise a single account for multiple users? It seems that they would be liable for the acts of a user?

Thirdly, I can to an extent appreciate why the legislature would choose to hold the account holder, as opposed to the actual infringer, liable - it can be very difficult if not impossible for rights holders to prove the "link" given the way the technology works. However, as we saw in the SA example, there are ways of doing this. Perhaps a more just alternative than the strict liability route adopted by NZ would be to require fault based liability for account holders. In other words, account holders should be liable where they are negligent or fail to take reasonable steps to prevent their account being used to infringe. That would seem to offer a better balance between the competing rights.

Love to hear your thoughts.