Raid against ISPs

28 April 2005

Ida Smed Sörensen

Click here to read an update to this article.

Background

When the staff on Bahnhof, Sweden’s oldest ISP, came to work on 10 March 2005 they where met by some 15 officers from the Swedish Enforcement Administration. They had come to search for and seize servers containing illegally copied materials. They found and seized two servers on the premises that contained large amounts of illegally copied films, games and music. Bahnhof was unaware of their existence. The raid was initiated by STIM, an organisation of music writers, Universal Music AB, EMI Music Sweden AB, Sony Music Entertainment Sweden AB and Antipiratbyrån (APB). APB is an anti-piracy organisation supported by copyright owners, and they filed an infringement claim with the City Court of Stockholm, claiming that Bahnhof had participated in illegal file-sharing.

Angry Young Hackers took revenge

Shortly after the raid became known, a group of hackers called Angry Young Hackers (Arga Unga Hackare) hacked into and took control of APB’s homepage to show their frustration over APB’s actions, and to publish personal information such as addresses and social security numbers. When hacking into APB’s e-mail server, the group found out that a person named “Rouge” was working as APB’s infiltrator at Bahnhof, and by tracing his internet communication with APB, they claimed to have managed to identify Rouge as the person named by them on APB’s website. In addition to publishing personal information, Angry Young Hackers also published Rouge’s internet communication.

Accusations backfired on APB

After an internal investigation carried out by Bahnhof, the company came to the same conclusion as the Angry Young Hackers and accused APB of having planted files on its servers with the help of Rouge and two of his friends, who are employees of Bahnhof. The internal investigation showed that Rouge was active for more than 2 years and conducted 68,111 uploads and downloads from the seized servers. Rouge went so far as to purchase new hardware to the cost of SEK 20,000 for the servers to ensure that there was enough memory to store all the files. Following the raid, APB’s lawyer admitted that APB had paid Rouge to gather the evidence. Bahnhof has released copies of its log files that support this to the media. "It's like handing out matches and petrol to a pyromaniac and then reporting him to the police when he has burnt down the house" said Bahnhof MD Jon Karlung.

Secret settlement closed the civil case

Bahnhof and APB and the copyright owners have just recently reached a secret settlement, but two of Bahnhof’s employees, currently suspended, are still being investigated in order to establish if their handling of the two seized servers constitutes a criminal act.

5000 anonymous reports on breaches of data protection law

Following this ordeal, the Swedish Data Inspection Board (the “Board”) received more than 5000 anonymous reports in March concerning alleged breaches of the laws governing the protection of personal data. The extreme number of reports is probably due to a campaign by the pro-file sharing organisation Piratbyrån, and the fact that APB’s working methods have been heavily criticised.

According to the reports, APB is collecting the IP numbers of the file sharers. IP numbers can be described as addresses used on the internet to indicate the internet location of the sender and receiver of files. Thus, by collecting the IP numbers of the file sharers, APB can identify the computers used for file sharing and therefore, in some cases, may be able to identify the persons sharing the files. According to the Swedish Personal Data Act (the “Act”), all information that either directly or indirectly refers to a living person constitutes personal data. Therefore, IP numbers may fall within the definition of personal data.

Investigation initiated by the Data Inspection Board

The Board has decided to investigate APB to establish whether the methods used by the organisation in tracking down illegal file shares are in breach of the Act. Since collecting and storing information regarding electronic communication might constitute a breach of electronic communication legislation, APB was also investigated by the National Post and Telecom Agency. The investigation was carried out by the Board on 8 April 2005 and the Board’s decision will be published in one to three months.