Most readers of this blog will be aware that the recent 4Chan / Anonymous attacks against various websites associated with the enforcement of copyrights have been followed by ISPs claiming, in some cases hypocritically, that the current process for investigating intellectual property infringement claims does not adequately protect their customers.
By way of recap, the process used for the last several years has been that rights holders: identify IP addresses that they contend are the digital fingerprint of an Internet connection that has been used to unlawfully copy media files across the Internet or to make those files available; request from the ISPs responsible for those IP addresses the names and contact details of the customers to whom they were allocated at a particular time; and, if the ISP does not provide the information requested (as they usually would not), apply for a court order obliging the ISP to disclose the information sought, in contemplation of future litigation (a Norwich Pharmacal Order (“NPO”)). ISPs were not in the habit of contesting these applications, meaning that if the potential litigant met the threshold for the NPO, the ISP would be ordered to supply the details. Ancillary issues, such as the format of the data, including whether it should be encrypted, would also be included in the order.
That was the case until a few months ago.
Claiming to be perturbed by the way in which some rights holders were aggressively using the system to identify potential infringers and threaten them with legal action unless they paid some money to settle the claim (which, in itself, is no more than the everyday cut and thrust of the real world of litigation), but never actually following unsettled claims through to litigation, a group of cyber terrorists / freedom fighters (take your pick) began organising and recruiting massive computing power to issue DDoS attacks against lawyers, rights holders and even the UK IPO (which was a strange choice given how copyright works in the UK). Anyone suggesting that those responsible for these torts (and possibly crimes) are as unable to engage in human interaction as any other bully, and who believe that the real motivation behind this is the stubborn belief that once a digital item has been acquired once it can be copied indefinitely, would not be alone. But it’s beside the point.
After one particular set of attacks, customer details were leaked online and were distributed around the globe, in some cases by the same people who laud themselves as privacy champions. Go figure. Anyway, the PR for ISPs was not good, and BT’s response to the increasing scrutiny of the existing system was an 11th hour request for the court to defer hearing an NPO application on behalf of the Ministry of Sound until January 2011, so that they could respond to the application in their customers’ interests. The court granted their request.
(It should be mentioned that the leaked customer data included information that BT was ordered by the court to send only in encrypted form, and that BT failed to encrypt it. Accordingly, they are potentially in contempt of court for failing to comply with a court order. It should also be noted that no ISP, so far as I am aware, has been targeted by a DDoS attack.)
Then came the news last night that the Ministry of Sound has withdrawn its application, for an unexpected reason: having asked for a stay to allow it to consider the application, it turns out that BT has deleted 80% of the data covered by the application. According to the BBC, BT:
“said 20,000 of the 25,000 requested details had been deleted to comply with data retention policies. BT said it held data for 90 days before deleting it.
‘The Ministry of Sound and its solicitors are well aware of this,’ said a spokesperson for BT.
‘Upon request from Ministry of Sound, we saved as much of the specific data sought as we reasonably could and any not preserved must have been too old.’
But Ministry of Sound CEO Lohan Presencer said that it was ‘very disappointing that BT decided not to preserve the identities’ of the alleged file-sharers.”
The last point is of particular interest to a litigator. Once litigation is contemplated, parties are immediately placed under an obligation to preserve all information likely to have to be disclosed in the course of the litigation. In the UK, the Civil Procedure Rules make this point explicit in Practice Direction 31B Para. 7:
“7 Preservation of documents
As soon as litigation is contemplated, the parties’ legal representatives must notify their clients of the need to preserve disclosable documents. The documents to be preserved include Electronic Documents which would otherwise be deleted in accordance with a document retention policy or otherwise deleted in the ordinary course of business.”
If it turns out that BT has deleted this data after receiving notice of the potential litigation, they could not only face contempt proceedings for the sending of data in unencrypted form, as well as enforcement proceedings by the Information Commissioner for failing to safeguard personal data (although both of those are very unlikely), they might also have breached their preservation obligations under the CPR. If their lawyers failed to advise BT of those obligations, then they too may have breached the obligations they owe to the Court.
I think it is more likely that what BT actually means is that 80% of the data requested had already been deleted when their preservation obligations kicked in, which would mean they haven’t done anything wrong. But the story provides two good reminders:
1. Firms must move quickly when dealing with personal data. Depending on the industry and the jurisdiction, personal data may (have to) be deleted after being held for no more that 90 days.
2. Lawyers on both sides of a dispute must inform their clients of their preservation obligations, particularly where electronic documents (or a likely counter-claim) are concerned. I recall working on a case where the other side’s lawyers had not adequately informed them of their obligations, with the result that all copies of the software at issue had been over-writtten by subsequent versions. Even if this happens due to a genuine mistake, you can guess how it will look to a court.
Ministry of Sound has said it has no plans to stop enforcing their copyrights, and we await to see the first test case to come before the courts.
If you like to share, why not share this?