Top EU Court Says There’s No Right To Online Anonymity, Because Copyright Is More Important
from the copyright-exceptionalism dept
A year ago, Walled Culture wrote about an extremely important case that was being considered by the Court of Justice of the European Union (CJEU), the EU’s top court. The central question was whether the judges considered that copyright was more important than privacy. The bad news is that the CJEU has just decided that it is:
The Court, sitting as the Full Court, holds that the general and indiscriminate retention of IP addresses does not necessarily constitute a serious interference with fundamental rights.
IP addresses refer to the identifying Internet number assigned to a user’s system when it is online. That may change each time someone uses the Internet, but if Internet Service Providers are required by law to retain information about who was assigned a particular address at a given time, then it is possible to carry out routine surveillance of people’s online activities. The CJEU has decided this is acceptable:
EU law does not preclude national legislation authorising the competent public authority, for the sole purpose of identifying the person suspected of having committed a criminal offence, to access the civil identity data associated with an IP address
The key problem is that copyright infringement by a private individual is regarded by the court as something so serious that it negates the right to privacy. It’s a sign of the twisted values that copyright has succeeded on imposing on many legal systems. It equates the mere copying of a digital file with serious crimes that merit a prison sentence, an evident absurdity.
As one of the groups that brought the original case, La Quadrature du Net, writes, this latest decision also has serious negative consequences for human rights in the EU:
Whereas in 2020, the CJEU considered that the retention of IP addresses constituted a serious interference with fundamental rights and that they could only be accessed, together with the civil identity of the Internet user, for the purpose of fighting serious crime or safeguarding national security, this is no longer true. The CJEU has reversed its reasoning: it now considers that the retention of IP addresses is, by default, no longer a serious interference with fundamental rights, and that it is only in certain cases that such access constitutes a serious interference that must be safeguarded with appropriate protection measures.
As a result, La Quadrature du Net says:
While in 2020 [the CJEU] stated that there was a right to online anonymity enshrined in the ePrivacy Directive, it is now abandoning it. Unfortunately, by giving the police broad access to the civil identity associated with an IP address and to the content of a communication, it puts a de facto end to online anonymity.
This is a good example of how copyright’s continuing obsession with ownership and control of digital material is warping the entire legal system in the EU. What was supposed to be simply a fair way of rewarding creators has resulted in a monstrous system of routine government surveillance carried out on hundreds of millions of innocent people just in case they copy a digital file.
Follow me @glynmoody on Mastodon and on Bluesky. Originally posted to Walled Culture.
Filed Under: cjeu, copyright, data retention, eprivacy directive, eu, ip addresses, privacy
Comments on “Top EU Court Says There’s No Right To Online Anonymity, Because Copyright Is More Important”
“Wait, we’re supposed to be surveilling people for copyright infringement?” — some cop in the EU, probably
But IP addresses…
But IP addresses do not necessarily identify an individual, nor a household, nor an accurate location or jurisdiction.
Re:
Yeah, this is confusing. IPs can be spoofed, either deliberately or through VPNs, etc., which are themselves vital to infrastructure. Even if it’s accurate, the IP only identifies a device, and those can be shared, hacked, or otherwise used without knowledge or permission. On top of that, there are cases where people have been penalised because the ISP themselves misidentified the current owner of the IP due to timezone or other issues interpreting logs.
Meanwhile, the people committing crimes are going to be incentivised to fake the identity of who is using the connection, and given that there’s numerous high profile examples of router firmware being compromised…. This is less than useless.
Re: Re:
VPNs have basically nothing to do with spoofing. And spoofing is impractical for most people, because unless they’re fucking around with BGP or similar ISP-level stuff, they won’t be able to receive data at the address they’ve spoofed.
All they need to do is get an address that’s not tied to them. There’s little benefit to figuring out who owns the connection they’ve compromised, and then trying to frame the person; I’ve never heard of it happening.
Re: Re: Re:
Filesharing used to be impractical for most people, too. Give people the impetus, and mechanisms through which people can freely change their IP addresses to avoid detection will be utilized more frequently.
The Tanya Andersen case comes to mind – the IP address used to infringe copyright was tied to her, but not the username attached to the act. The actual offender was tracked down by that username and he admitted to doing it to Tanya… but not to law enforcement, who then proceeded to hound her for years.
From what I’ve seen of law enforcement, they are dumber than a sack of hammers at the worst of times. It would not be out of the question for them to go after wrong targets. They’ve already proven themselves willing to be convinced that it was grandma who downloaded hardcore porn.
Re: Re: Re:2
Sure, they’ll use alternate addresses. But VPNs do that with consent and help from the address-owner, not via spoofing.
I hear there’s a lot more sex happening in retirement homes than the general population. Why not porn?
Do you have a reference for this? And if someone wanted to “do this to” Tanya, why wouldn’t they spoof the username too?
As far as I can tell, it’s just a case of malicious prosecution against an innocent person; maybe someone used their open wi-fi router or randomly faked an IP address (I can’t find any technical details), but that’s not the same as faking the identity of the connection’s legitimate user.
Re: Re:
The correct phrase is “worse than useless,” which makes more sense.
Re:
In this case, i.e. Hadopi in France, only the IP addresses known to internet providers were kept, and listings from internet providers where requested to provide the format identify of the subscriber (because you need to provide your ID when subscribing to internet or mobile phone access).
(If you rent an housing in France with some shared internet access, you may have to sign some document promising you’ll not download copyrighted stuff, but nobody would ask you to not download an other illegal things.)
Now, if someone (anyone) used your internet access to download copyrighted material (mostly based on a broad list from big music and movie producers) and you get caught (as the legal owner of the access), you need to prove that it wasn’t you (to you’re guilty). Since the procedure to do so has never to acted so your basically guilty by default.
I’m trying to figure how that squares with the right to be forgotten.
I guess if you have a rape conviction (or any kind of serious crime) we need to remove that after a few years. But, data that might show potential copyright infringement will be kept as long as the authorities might want it.
Re:
That’s certainly a set of priorities.
Sadly, we’ve been arguing this for a long time. A copied file does not necessarily mean a lost sale, and in the spirit of mixtapes and movies recorded from TV could actually mean increased sales from some people.
The best option is giving people access to what they wish to access, at a reasonable price level. But, between confusing licencing agreements, regional restrictions and regular price hikes, I’m hearing more and more people just saying “f**k it, I’m pirating again”. When Netflix first came to Europe and when Spotify started, my selling point for people was saying that it was easier than piracy. I can definitely say that removing peoples’ privacy will not cause them to do anything other than work out how to use security features, and that peoples’ lives will be ruined unnecessarily by concentrating on people who copy files vs. people who refuse to give people what they will pay for.
“Piracy” is a good excuse, but it’s usually a cover for other things. That was true in the days of mixtapes, VHS tape trading and floppy disk trades, and it’s true now.
Re:
Pluto TV has taken Netflix’s crown for as long as it remains unenshittified, especially since it doesn’t cost any money.
Re: Re:
“unenshittified”
That’s really just opinion, though. Netflix has was more stuff that I want to watch than I can get through that’s in my wheelhouse every month and that justifies my sub.
Pluto, Tubi, and other free services deserve a shout out, but they’re not available everywhere.
Ya know what. I can only hope that one day EU officials will be “hurt” after their private data was hacked because it was so important to keep that data incase a corporate lord was butthurt. Cause assuming only the good guys will have all that data is pretty dumb.
Re:
Remember, corporations are people and they have more rights than normal people.
Sigh…
There’s a significant detail which is missing from this analysis. The law which puts copyright over privacy is a French law, not an EU law. The EU court found that the French law doesn’t contradict any EU law.
So the EU court did not determine that copyright is more important than privacy. It determined only that the French parliament is allowed to decide that question for France.
The closest analogue for US politics would be if the SCOTUS decided not to strike down a state law. It wouldn’t necessarily mean SCOTUS endorsed that law, only that they found it not contrary to the federal constitution. However, the EU has a lot less power over its member states than the US federal government has over its. The EU members generally do not want a federal government that is as powerful as the US’s. As such, France has the responsibility to decide questions like this for itself, and France should take the blame for deciding poorly.
Re:
Oh, ah, is that the missing detail? If so, this basically doesn’t change anything. Back in 2020, when the ECJ struck down the data retention directive as unconstitutional – in their infinite wisdom they let the countries that already implemented it, keep it.
I’m not sure how the fuck they squared that circle: letting countries keep legislation they forced into place, and then found unconstitutional, but yeah, they did.
So, this is just reinforcing the status quo then? The ECJ is again finding that the countries can keep their laws, despite them being found unconstitutional?
I mean… this is disappointing, but frankly, to be expected.
Re: Re:
Two errors. First, the ECJ didn’t strike down anything as unconstitutional because unconstitutionality relates to the US Constitution. Second, although ECJ did declare the Data Retention Directive invalid due to its inevitable clashes with data privacy directives, it did so in 2014, not 2020.
GDPR says, “What?”
Also: Criminal offense? Really?
seems like important context to the article for sure!!
Anti- ̶p̶i̶r̶a̶c̶y̶ privacy
Now imagine this imbued with “Investigatory powers act”.
One day, if too many punctures on privacy protections, the opposite thing happens on a CallMeMoneyBags-like case.
Oh look...
More lemon socialism.
Quit pandering to the ultra-rich, EU. Be willing to stab the ultra-rich in the proverbial back. They do not need your help.
Possibly of appeal?
As bad as it is, does anyone know if this ruling is going to be appealed?
Re:
AFAIK, it can’t be appealed. The CJEU is essentially the SCOTUS of the European Union. This is the final ruling. Online privacy is dead in the EU because some corporations are scared their bottom line will be harmed by a few people who dare copy a digital file without permission.
Re: Re:
Well…
“EU law does not preclude national legislation authorising…”
This is basically the same ruling as in 2020, I think? Sort of?
They struck down the EU-wide data retention directive in 2020, but let countries that already implemented it keep it, which makes no god damn sense to most people. Sounds like they are reinforcing this, claiming the national laws on the matter trumps the ECJ’s decision.
So, they aren’t claiming the data retention is legal by European law; they are claiming there’s no legal way to force the member countries to fall in line with the 2020 verdict? I think? Semantics I know, but still. This is effectively where we been since 2020 anyway.
I’m curious to see if this has any downstream effects: can countries now start making laws that violate the EU constitution in other fields as well? If not, it’ll be “fun” to hear the ECJ justify why not.
Re: Re: Re:
It’s like weed in Colorado!
It’s illegal under federal law, but the supreme court seems to just look the other way and let the states do what they want. Makes no god damn sense but, here we are.
Re: Re: Re:2
State’s Rights, no longer just for bigots.
Re: Re: Re:2
Weedheads are scum who’re ruining our downtown areas, polluting open air spaces with the noxious stink of their disgusting, degenerate habit!
Re: Re: Re:3
“Weedheads are scum who’re ruining our downtown areas, polluting open air spaces with the noxious stink of their disgusting, degenerate habit!”
You do not live in Colorado do you?
How, exactly, do these weedheads ruin areas downtown? The smell of weed? lol, like you can smell that above the noxious exhaust or the cow smell from Greeley.
Re: Re: Re:3
Hey Herman have you ever met a person who didn’t immediately dislike you?
Re: Re: Re:
Incorrect. The ECJ did declare the Data Retention Directive invalid due to its inevitable clashes with data privacy directives, but it did so in 2014, not 2020.
So how long until someone orders up the IP addresses associated with the Judges to show everyone what they look at online.
I’m sure that they will still claim it is not a violation of privacy when anyone can make a claim & be handed all sorts of information because a quarter might nto have been made.
This comment has been flagged by the community. Click here to show it.
The only people who operate anonymously online have something to hide, or they’re purveyors of pro-State propaganda.
Re:
…says the Anonymous coward.
Re: Re:
I will never get tired of anonymity-hating anonymous cowards. /s
Re:
“The only people who operate anonymously online have something to hide, or they’re purveyors of pro-State propaganda.”
Why do you hold this to be true?
Are you repeating something heard elsewhere and you simply like the idea that it could be the case or is there some data analysis that has lead some foolish person to reach an obviously wrong conclusion?
Re:
The irony of your statement has been noted.
Didn’t copyright start out as a way for the British Monarchy to give monopolies to those it favored?
Re:
No. It started out as a way for publishers to make all the money, which still occurs with the one-sided contracts in the music business today.
This is scary. In Denmark, where I live, we still have this retention of IP addresses which the EU Court has said is is a violation of the European Human Rights when done on a blanket basis.
And here the top use of these IP addresses have been for copyright trolls sending out speculative invoices. My numbers are not completely up-to-date, but there has been more than 300.000 cases where the use was for copyright trolls, and about 22.000 cases where the use was for other purposes, like investigating serious crime. 300.000 cases is a lot in my small country with less than 3 million households.
In 2004 copyright lawyer and lobbyist Johan Schlüter managed to get the law changed, so information of the subscribers name and address could be given to claimants in civil cases without the normal due process. Johan Schlüter later started the first speculative invoicing campaign in Denmark, which lasted about four years until a higher court ruled that an IP address alone cannot be used to prove. Later Johan Schlüter was convicted to years of imprisonment for aggravated fraud in a copyright case.
Since then we have seen one wave after another of copyright trolls popping up here in Denmark. Getting the names and addresses of internet subscribers was extremely easy and cheap for the copyright trolls: They only had to approach a court and pay a fee of about $50. The ISP could dispute the claim of the copyright trolls, but that would be expensive for then, so they never did. This “court case” (which was not a real court case) did not involve the internet subscribers whose information was about to be handed over – they were not even informed. And a single case with the low fee of $50 could be used to hand over more than 100.000 subscriber identities, so the price was really low for the copyright troll.
The last wave of speculative invoicing was really bad: The lawyers here asked the ISPs for tens and hundreds of thousands of subscriber identities per case, making it such a burden for them that they finally pushed back: They elevated one of the cases to a proper court and later to an appellate court who decided that the IP addresses were stored to combat terrorism and serious crime, and thus could not be used in cases no more serious than a parking ticked, as the court stated.
This did not stop the copyright trolls in the last wave, as they already had name and addresses of more than a hundred thousand internet subscribers, which the new court ruling did not restrict them from using. What stopped them was when they could find no more people they could scare into paying to avoid a court case. Thousands of court cases were started, and the outcome of these cases differed wildly due to no good precedence on the new legal theories the claimants used. So it was decided that five test cases be bought to an appellate court before the other cases in the lower courts could move forward. The conclusion of the appellate court was the same in all five cases: The claimant did not even have the copyrights they claimed were violated, This finally stopped the last copyright trolls here from trying the speculative invoice scam.
It has been peaceful in Denmark for almost two years because the speculative invoice scam is no longer possible here. But this new ruling might overrule the court decision that stopped copyright trolls from doing speculative invoicing.
Re:
You’d think after Strike 3 hit a legal brick wall in the US, back in 2019, where the court reminded them that they have to actually own the copyrights to content they’re suing over, that copyright enforcement would have learned a thing or two. But no, it’s the same bullshit everywhere. “Actually having proper evidence is too haaaaaard!” they cry, begging the courts to let them pursue the innocent carte blanche.
Unfortunately for them, they haven’t managed to convince everyone. And they can thank the overstepping of the RIAA, the MPAA, Prenda Law and Malibu Media for fucking up their scheme.
Wouldn’t there be easy way to avoid this outcome? Like by not copying the digital file?
It is this attitude that we must have all the files copyable that gives rise to all these infringements of fundamental rights. Just stop pirating our content and the issue goes away.
Re:
Even the RIAA has been caught appropriating copyright photos without citing or compensating the original creator, so no, it’s not as easy as you think if even the gods of stricter copyright can’t avoid copying original files.
Re: Re:
I’m sure RIAA fixed this mistake as soon as you managed to mention it to them? I would be suprised if RIAA used pirated record covers when the infringement has been found and appropriately mentioned to the RIAA. Probably their best solution is to stop selling the material from where the infringing copies have been found. But it leaves unclear how to compensate the authors of the past infringenement, there could be millions of money reward coming to the person who snapped the picture, if the record cover managed to sell significant amount of records.
Re:
Here’s the problem: whether I purchase an audiobook from Audible or get a Public Domain ebook from Project Gutenberg, copying the original file is unavoidable, shit-for-brains maximalist shill.
Re: Re:
You just need a permission from copyright owner.
You still haven’t learned that the copyright’s permission mechanism creates local area around the author and depending on how many forums he can be active/giving away permissions and gathering money determines how large area of the world is allowed for the product he created.
Authorised vendor requirement is essential for authors to receive the money from the markets. Anything beyond that (including pirate operations) are just illegal. You either need to find the original author’s representative or you need to choose different product. But using the product via pirate’s reach is illegal.
Re:
“Just stop pirating our content and the issue goes away.”
Oh, I doubt that. ‘The issue’ never goes away, it morphs into the latest ‘n greatest nifty new way to lie cheat and steal from the unsuspecting public.
side note: it is impossible, presently, to operate the world wide web without copying files as that is the way it works. You request a web page, it is delivered with accompanying files whether you want them or not they are copied to your cache where they sit until you remove them. You probably do not even know they are there. I realize this is not the piracy you are looking for, but it is the piracy you will get.
This is indeed how web browsers are working. And the browser was considered illegal until legal folks noticed the amount of protection in the scheme: while the system internally makes a copy, its still setup in a way that users are not allowed further copies, i.e. the copying will stop at the cache. This way correct designation for the practise is not “copying”, but instead it’s “copy protection”.
There has been heated arguments where deniers of copy protection technology’s improvements to status quo claim that browsers do not have copy protection implemented. But in this case, the browser cache is a form of copy protection.
As such, legal scolars crafted exception to their legal statues, in such way that cached copies are free from copyright infringement evaluation. This only applies, if the storage space where the cached copy is stored is sufficiently protected from further copying. A simple encryption or encoding is sufficient to ensure that pirates cannot use browser cache as a seed location for thousands of infringing copies. Basically browser vendors cannot prevent the copies, but they can ensure that the copies are not useful to anyone who receives them.
There is another copy protection technology implemented in browsers: The download bar. While it allows individual files to be downloaded, it simply fails to download all the data from the site that it points to. Thus it has strict one-file limit of how much data can be transferred via that technique. This data is coming from browser cache or from the internet, and thus should be considered when deciding browser cache’s status as a copy protection technology.
Re:
Yet if I choose to save a page for offline reading on the PC here at the library and transfer that page to my SD card so I can indeed read it offline on my tablet later, all the various files that contribute to the look of the webpage are transferred to my SD card, and copying hasn’t stopped at the cache at all. In fact, the exception exists because of the fact that under ordinary usage, cached copies are transient and incidental. No wonder Meshpage didn’t sell that well. You really have no idea how anything works, do you?
Re: Re:
Yes, but this is completely separate service from the browser cache. Not all cached files are included, and especially the server logic cannot be reproduced. i.e. you don’t get working copy of the web page. As far as law is concerned, when these copies are not working — i.e. they don’t reproduce the main behaviour of your web page, the copies are not replacements of the original content created by the copyright owner.
i.e. if you seriously break a copy, the copying is ok.