Thursday, October 02, 2008

University of Oregon's motion to quash is granted; Court will, however, permit subpoena of names and addresses

Thanks to Lory Lybeck and Eric Bangeman for bringing this to my attention.

In Arista v. Does 1-17, the "John Doe" case targeting students at the University of Oregon, the Court has granted the motion to quash made by the Oregon Attorney General on behalf of the University, agreeing that the subpoena as worded imposed an undue burden on the University by requiring it to produce "sufficient information to identify alleged infringers", which the Court agreed would have required the University to "conduct an investigation to determine whether persons associated with IP addresses or others infringed copyright protected sound recordings".

The Court allowed the RIAA, however, to serve a new subpoena which could demand the identities of "persons associated by dorm room occupancy or username with the 17 IP addresses listed in Attachment A to the first subpoena".

The Court also

-decided to "presume" that the RIAA's lawyers' misrepresentation that the University would have destroyed the data was an "honest mistake",
-denied the AG's request for discovery into the RIAA's investigative methods,
-rejected arguments made under state and federal privacy laws, and
-did not comment on the fact that the RIAA's investigators were unlicensed.

September 25, 2008, decision granting motion to quash, but authorizing second subpoena

[Ed. note. Is it just me, or does this decision make no sense whatsoever? The Judge recognizes that the RIAA's investigation is insufficient to actually point to a copyright infringer, and that the only way to determine that there was a copyright infringement is to conduct a further investigation....but is directing the University, anyway, to turn over names of people who the Court recognizes may be completely innocent? -R.B.]

Commentary & discussion:
Oregon Commentator
Ars Technica
Furious Angels
No Rock and Roll

Keywords: lawyer digital copyright law online internet law legal download upload peer to peer p2p file sharing filesharing music movies indie independent label freeculture creative commons pop/rock artists riaa independent mp3 cd favorite songs intellectual property portable music player


Anonymous said...

On your ed note, I have had some experience with this judge, Judge Hogan. He is not one who is terribly concerned with intellectual consistency within his opinions.
I'm staying anonymous so as to not bring myself into ill repute with this judge, since I have a few cases pending with him at the moment.

Anonymous said...

**Ed. note. Is it just me, or does this decision make no sense whatsoever?**

Can I assume that is a rhetorical question.

Anonymous said...

So can this second subpoena be challenged when it's served on various grounds such as the use of illegally gathered information? And whether or not MAC addresses are dictionary information?

Seems to me that the RIAA is hell-bent on just getting a list of names to harass regardless of the fact that they will end up with more names than original John Does in their suit (i.e. they sued one John Doe at a given IP address, yet will get back more than one resident of that room).

If my name was turned over to the RIAA Witch Hunt simply because my dorm room was identified by the RIAA's faulty methods and procedures I'd be mad as hell and looking to sue the university for falsely accusing me and costing me $$$ to defend myself from those baseless accusations.

It's distressing that the Oregon AG is not allowed to inquire into the RIAA's methods and procedures. This judge appears very one-sided in this regard.


Anonymous said...

What if all 10000+ students from the university identified themselves and each demanded a jury trial?

Anonymous said...

Well we can only hope that this judge will give the RIAA enough rope to really hang themselves. Otherwise, the RIAA will become more obnoxious than ever thinking that "We beat a state attorney general, we really are gods!"

I can only hope that this judge will eventually see through the RIAA's lies and deceptions.

Not Telling said...

A) RIAA knew that the University wouldn't destroy the data.

B) Non-parties have no right to discovery of parties. That is obvious. But the Judge didn't make a citation with respect to this determination, and I can't find it in the FRCP.

C) FERPA requires the University to notify students before disclosing personal information in compliance with a subpoena. But it doesn't prohibit the University from complying with a subpoena.

"§ 99.31 (9)(i) The disclosure is to comply with a judicial order or lawfully issued subpoena."

D) The case should have been thrown out because the investigators are not in compliance with the law. The IP addresses were obtained by investigators.

But I guess that issue will be left to trial. Any evidence derived from unlawfully obtained evidence is inadmissible in court.

Asking the University to identify the students who could have accessed the computer is an invasion of privacy. Now, there is no certainty as to who, if anyone, shared the music files.

In Canada, an situation similar to this didn't stand up to trial.

The Court agrees with the University that it can identify "practically" none of the Defendants. It's on the record. So anyone who is sued can argue that they were mis-identified and are not involved. That would be grounds to dismiss the case.

Of course, the RIAA will want to conduct "limited discovery" in response to a motion to dismiss. Limited discovery means obtaining all of their harddrives, which would be a further invasion of privacy. Hopefully that would be denied, otherwise this RIAA scheme will really get out of control.

raybeckerman said...

I wonder if the Judge realizes the RIAA will not conduct an investigation, it will just sue the kids who get named.

I wish he would read the IT guy's affidavit again where he explains:

7. [We] have attempted to identify all seventeen alleged infringers and have been unable to do so.
8. Five of the seventeen John Does accessed the content in question from double occupancy dorm rooms at the University. With regard to these Does, the University is able to identify only the room where the content wis accessed and whether or not the computer used was a Macintosh or a PC. No login or personally identifiable information, i.e. authentication, was used by the Does to access the University's network because none is required. The University cannot determine whether the content in question accessed by one occupant as opposed to another, or whether it was accessed instead by a visitor.
9. Two of the seventeen John Does accessed the content in question fiom single occupancy dorm rooms at the University. No login or personally identifiable information, i.e. authentication, was used by the Does to access the university's network because none is required. The University cannot determine whether the content was accessed by the room occupant or visitor.
10. Nine of the seventeen John Does accessed the content in question from the University's wireless network or a similar system called the "HDSL Circuit." These systems do record a user name associated with the access. For these John Does, the University can determine the identity of the individual who bas been assigned the user name, however, it is unable to determine whether the content was accessed by the individual assigned that user name or by someone else using the computer associated with the user name.
11. In the case of sixteen of the seventeen John Does, I believe it is not possible for the University to identify the alleged infringers without conducting interviews and a forensic investigation of the computers likely involved.

Anonymous said...

I noticed the word "joinder" does not appear in the order. Was this issue not raised by the AG, joining unrelated cases?

If the RIAA member companies are now stating a lawsuit against all the residents and guests of a given dorm room, is not a suit for each room in order? And a seperate lawsuit with enough John Does to cover all residents and any guests. Of course the school will not be able to help identify the guests.

I can see joinder for a given room, but clearly each "room" is a different case and the Plaintiffs should not be permitted to put all rooms in a single case. And as observed by others, I would think it would be wrong to allow them to receive more names than the number of John Does sued.

The way I read the order is the quash order was granted because it required the University to determine WHO was the copyright infringer, and that was determined to be an undue burden.

The way that I read the FRCP, my understanding is that ONLY information regarding the actual DEFENDANTS is obtainable.

Best case for Plaintiffs, is they will be given 9 names for the wireless circuit access, 2 names for the single rooms and 10 names (5 rooms, two people) for the double rooms.

The only problem with the above is that there are 21 names, but only 17 John Does. It does not seem proper to allow this.

Other Problems:

How many of the 9 usernames are shared with MANY MANY computers. It is quite common for wireless usernames to be shared in that enviroment, I would not shock me to find out that 1 or more of these names are shared among 100's of devices.

Who says a wireless access point was not plugged into 1 or more of the jacks in the dormrooms, and of course under that condition ANYONE in range could be the Copyright Infringer?

Im also waiting for a "Perfect Alibi" defense from 1 or more of the dorm rooms. A "Perfect Alibi" would be 1 (or both in the case of 2 person rooms) person says the following regarding their computer/connection:

1) A wireless device was connected to the jack. (Actually this part is optional, but if present would explain HOW they might have seen the files.)

2) All the residents of the room use a MAC, LINUX, or some other non windows computer that is incapable of running the p2p software in question.


raybeckerman said...

The misjoinder issue was not raised.
If the students now get involved, they can raise it.

Anonymous said...

i wonder if these students could sue the uni for disclosing their information without a fight (no request to treat it per case for ex.)...


raybeckerman said...

anonymous /ntt

Have you missed the whole point? "Without a fight"? The University of Oregon put up a GREAT fight!!!!!!

Anonymous said...

I just hope when the next round happens, that they continue to put up a fight.

Actually Id like to see more ISP's and Universities be more like The University of Central Arkansas.

From the EFF report of another article:

The University of Central Arkansas defies the RIAA in another way, by designing their network so that IP addresses change constantly and are not recorded; as a result, even with a subpoena there is no way to find out who did what on their network, so no act can be tied to a specific person.

Would it not be nice for more schools and ISP's to do this...... I have suggested this before. Other than this school and Bright House Networks (Cable) in Central Florida, not many do this simple way to get rid of the RIAA.


Anonymous said...

To albert:
Colombia vs Bunnell has to be considered here. If UCA cannot provide a solid techinical reason why their network is configured the way it is, the court might deem it a deliberate attempt to thwart discovery.

Don't know exactly what would happen then.

Anonymous said...

Firstly, a University is likely to use ethernet, rather than adsl or pppoe/a.

Thus a sniffer set to the logon port (35?) should be able to scrape the logon details of a lot of people.

Then it is VERY easy to get a session with someone else's ID. Much easier than other connection types.

Easy to demonstrate in court, unless the university has hidden a ringer like private keys for all student PCs.

As far as UCA is concerned, get an opinion from a Lawyer, a PI and a computer security professor that holding the IP address logs more that say a day is forensically unsound.


Anonymous said...


There are many good reasons to not log user and IP address data.
1. Protect free speech. This is the single best reason, though many universities ignore it ... after all, this is about their students and faculty, not the sysadmins.
2. Cheaper because you don't have to maintain logs.
3. Cheaper because you can't fill subpoenas for data that was never gathered.
4. Less downtime because the servers themselves can't be seized in order to fill subpoenas for data that was never gathered.
5. The university has no need of it.
6. It's legal.
7. Better for privacy and identity theft issues, because criminals can't hack into servers and collect logging information. This could save money too.

If universities want to save money and protect the free speech of their students, faculties, and employees, they would be wise to:
1. Not log IP address and user name information.
2. Not register cards for the wired network.
3. Decide whether they need to register wireless cards ... many universities rightly worry about bandwidth theft, but some don't need to.