Judge hits gavel

Film companies lose battle to unmask Reddit users

An interesting case marking the limits of what data big business can expect to dig up has concluded its day (or to be more accurate, many days) in court. Ars Technica reports that film companies have lost their battle to make social site Reddit identify anonymous users discussing piracy. No fewer than 20 popular movie producers felt they needed this information in order to show that ISP Grande is liable for their subscriber’s copyright infringement.

Reddit was urging a US court to maintain the anonymity of six Reddit users who’d mentioned piracy all the way back in 2011 and 2018. Reddit argued that the First Amendment “protected their right to anonymous speech” in one of several similar cases which the movie industry had previously lost. From the relevant court filing:

Plaintiffs’ Motion seeks to unmask six anonymous Reddit users that Plaintiffs assume to have committed copyright infringement using Grande, an Internet service provider (ISP). If these Reddit users did engage in copyright infringement on Grande’s networks, then Plaintiffs hope to learn whether the users were drawn to Grande for the ease of infringement. Weeks ago, this Court denied a nearly identical motion by these same Plaintiffs… But rather than returning with better facts capable of meeting the applicable First Amendment standard, Plaintiffs here offer worse facts–expressly acknowledging that they have no need to identify these Reddit users at all.

As it happens, we’re now right back in our own movie industry Groundhog Day: Another case, another loss. The Reddit users here are stepping stones in a battle against an ISP called Grande. The movie producers are trying to prove liability for user piracy because the ISP “allegedly ignores piracy on its network”.

The justification for needing to know the identities of said reddit users comes from comments like the below:

In a 2018 Reddit thread titled “Texas ISP [Grande] slams music biz for trying to turn it into a ‘copyright cop,'” one user says, “I have Grande and torrent a lot. Always thought it was pretty cool of them to not snitch.” a user said, “[l]ike everyone else I miss Grande and I’m stuck with Spectrum or AT&T in my area. I use Spectrum. Those [expletive deleted] have turned my connection off completely on one occasion and would not turn it back on until I agreed to stop pirating media.”

According to Ars Technica, the most recent Reddit users were in the firing line for having their identities revealed for similar posts made in 2011. One individual posted that “I have Grande. No issues with torrent or bandwidth caps”. This was seemingly enough to gain the attention of the movie producers.

You’ll note that the post does not mention piracy, nor do they specify what they were doing. There are plenty of instances where Torrenting something (download files using the BitTorrent peer-to-peer protocol) is absolutely legal and above board. You may be downloading a large piece of software or a game broken up into chunks, for example.

Despite this, the film industry had another go anyway.

US Magistrate Judge Laurel Beeler observed that although users of Reddit and other sites do have their details turned over when appropriate, it would not be in this particular situation. 

The film companies claimed that user comments demonstrated Grande’s lack of policy implementation with regard to terminating the account(s) of offenders. They also went on to claim that they’d obtained 118 of Grande’s “top pirating IP addresses” in May but had little success communicating with said alleged pirates.

The Judge had this to say:

As with the last subpoena, the plaintiffs have not shown that the identifying information is directly or materially relevant or unavailable from another source. This is a high standard. The plaintiffs already have 118 subscribers’ identifying information: they primarily resist serving those subscribers with subpoenas as burdensome and inconsistent with their August expert-disclosure deadline. They are the top pirating IP addresses, and they are from a more recent time period: it is not obvious why subpoenaing even a subset of those addresses would not yield information at least equivalent to, if not better than, information from the six Reddit subscribers. The information may be relevant, but it also is attenuated: it is at best weak evidence about Grande’s insufficient policy regarding repeat infringers or its appeal to pirating subscribers.

Essentially: Dredging around the internet for the slightest available slice of data from a decade or more ago, in relation to specific data you have now which still isn’t really helping, is likely not going to help you very much either.

There’s no real way to know the specifics of what people in 2011 were talking about, or what they downloaded. The ISP may not even carry records for that far back. Maybe the Reddit accounts are abandoned, or perhaps some of the users have died. All in all, it seems like an incredible amount of work to put in for what would almost certainly be zero useful result.

This case is a valuable reminder that every single thing you post online, no matter how innocent (or otherwise) could end up rattling around a court of law many years down the line.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.