Something bad happens online. I can tie that something-bad back to an IP address. Do I know who did the bad thing?
According to the Federal District Court in Arizona, I don't. An IP address may identify the owner of an Internet access account; it does not identify who was online at that particular time and who may be responsible for the actions in question.
In Breaking Glass Pictures v Does, DAZ 2013, Plaintiff brought a claim for copyright infringement, wants early discovery, but the court is refusing. Plaintiff wants an ISP to identify the owners of accounts that are matched to certain IP addresses, so that Plaintiff can then go sue those defendants in place of the "Does."
In a previous order, the court concluded that this effort 'was not "very likely" to uncover the identities of individuals who could legitimately be named as Defendants.' Connecting an IP address to a subscriber gets you only the name of the owner of the account, not the name of the person who was engaged in the conduct at issue. To put it simply, Plaintiff cannot merely guess at who engaged in the conduct - Plaintiff must allege some basis that the defendant named in the complaint is the person engaged in the bad conduct. Lacking that, Plaintiff does not get to just keep suing until he gets it right.
[T]he complication that Plaintiff fails to discuss is that it is not enough to simply identify the subscribers behind particular IP addresses to state a plausible claim for copyright infringement against those individuals. Instead, a plausible claim must be supported by factual allegations establishing that the particular person identified as a defendant was, in fact, the individual who engaged in wrongful conduct. In other words, discovery to identify the ISP subscribers is only the starting point. Plaintiff will also need to conduct discovery to determine who was using the Internet connection at the time the alleged infringement occurred. Plaintiff will then have to amend its complaint to allege the facts supporting its claim against each individual. The fact that Plaintiff needs discovery to unearth the factual basis for its claims is precisely the conundrum referenced in the Court's prior order regarding recent Supreme Court authority.
According to the Supreme Court, "a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009) (quotations omitted). It is not enough for a complaint to plead facts "that are merely consistent with a defendant's liability." Id. at 678 (quotation omitted). Instead, the complaint must go further and "nudge [the] claims . . . across the line from conceivable to plausible." Id. at 680 (quotation omitted). And "where the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct, the complaint has alleged — but it has not shown — that the pleader is entitled to relief." Id. at 679.
Plaintiff's current complaint alleges the subscribers, identified as John and Jane Does, engaged in direct copyright infringement. (Doc. 1 at 14). But the complaint contains no factual allegations setting forth that the subscribers were, in fact, the individuals using the Internet connections at the relevant time. Thus, it is conceivable that the subscribers were using the connection but it is equally plausible that someone other than the subscribers were using the connection. In fact, the motion for reconsideration concedes this point. (Doc. 10 at 7). Thus, the complaint does nothing more than make vague allegations that are consistent with the subscribers' liability for copyright infringement. Because those allegations are also consistent with the subscribers not being liable, Plaintiff has not stated plausible claims against the subscribers.
It is not enough that the subscriber associated with an IP address might have been the person engaged in the questionable conduct - the Plaintiff must have sufficient evidence that the person named as defendant actually was the person that engaged in the questionable conduct. Suing until you get it right does not work.
Defendant then trots out an old argument that the owner of an Internet access account is responsible for everything that happens on that account. In other words, the subscriber would be negligent for letting bad things happen; the subscriber would be negligent for improperly securing their Internet access.
The courts that have addressed this issue, however, have concluded there is no duty to secure your Internet connection. See, e.g., New Sensations, Inc. v. Does 1-426, 2012 WL 4675281 at *6 (N.D. Cal. Oct. 1, 2012) (rejecting negligence claim based on failure to secure Internet connection by stating "common sense dictates most people in the United States would be astounded to learn that they had such a legal duty"). And absent a recognized duty, the negligence claim is fatally flawed.
Even if the Court were to assume the subscribers had a duty to secure their Internet connections, Plaintiff's negligence claim likely would be preempted by the Copyright Act or barred by the Communications Decency Act. See, e.g., AF Holdings, LLC v. Doe, 2012 WL 4747170 at * (N.D. Cal. Oct. 3, 2012).
The subscriber to an Internet account is an intermediary. It is the person who negotiates with the ISP and pays the bill. But who uses that account can range in the multitude. And as we have seen time and again over history, it can be extremely difficult if not impossible for that intermediary to monitor and control everything that transpires over that connection. That is why Congress prudently passed 47 USC 230 which makes clear that online services (including subscribers) are not responsible for what other people do and say online. To hold otherwise would be to so encumber Internet access that there could be no public WiFi points, no sharing your Internet with your guests, and ridiculous indemnity forms for checking your email. It's just a bad idea.
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Neustar DNS Services
Minds + Machines
Neustar DDoS Protection