User identity behind dynamic IP addresses - a minefield for authorities and ISPs

18 March 2008

Dr Jan-Peter Ohrtmann, Bastian Cremer

Generally German law does not entitle rights holders to request disclosure of information about customers who have taken illegal actions (i.e. copyright infringement by sharing protected material) from an internet service provider ("ISP"). As a result, rights holders have resorted to initiating criminal actions against the unidentified individuals behind certain IP addresses. In the course of such actions, prosecution authorities will generally ask the ISPs to reveal the personal data of the relevant individuals and to provide such information to the authorities. The rights holder will then request access to the criminal investigation file (it is entitled to do this due to its justified interests as a person whose rights are infringed) which contains details of the infringer's identity. After having obtained the identity in this way, the rights holder can then initiate civil actions against the infringer.

There have been some recent decisions limiting the use of this method to obtain the infringers’ identity. A recent court decision and further decisions of public prosecutors' demonstrate that authorities have began to question whether the potential criminal charges against copyright infringers justify disclosure of personal data.

On 20 July 2007 the Local Court ("Amtsgericht") of Offenburg denied the public prosecutors' request for the identification details of file sharing users who had allegedly made copyrighted material available for downloading. It held that the intrusion to the users' privacy was "obviously disproportionate".

In two other cases, the public prosecutors even refused to take action against users of a file sharing network. Copyright holders of pirated material had filed complaints and submitted the infringers’ IP addresses to the authorities. The public prosecutor in Celle refused to disclose the relevant personal data. The copyright holder appealed, but the decision was later upheld by the competent supervisory authority. It was argued that it was unclear whether the copyright holder genuinely intended to initiate criminal proceedings or whether its intention was instead to obtain the identities behind the IP addresses in order to engage in civil proceedings. Arguments were put forward by Berlin's supervisory authority after the local prosecutor refused to disclose the names behind more than 9,000 IP addresses submitted by a rights holder.

These decisions show (at least in cases involving copyright infringement) that rights holders’ ability to request IP addresses may have some limits – even if issued by public authorities. It must be noted, however, that despite a high number of criminal proceedings initiated, the number of individual infringements was relatively low. In the case referred to above at the Local Court of Offenburg, the accused had only uploaded two songs to a file sharing network. These decisions suggest that the public authorities are seeking to put an end to the allocation of vast amounts of prosecution resources to prosecute such minor offences. Therefore, rights holders seeking to avoid rejection of their requests are advised to pursue cases of severe copyright infringement only.

From an ISP’s perspective, the legal framework does not provide much room for manoeuvre for dealing with information requests, ISPs are therefore advised to carefully consider what data is requested and whether they are bound to disclose such data to the inquiring authority.

As regards disclosure of the identity of the user behind a dynamic IP address, it appears reasonable for an ISP to reject a public prosecutor’s request to provide such data since such information cannot be provided without an analysis of traffic data. Except in cases of emergency, analysis of traffic data is generally not covered by the prosecutor's authority. ISPs should also consider to what extent they are entitled to retain IP addresses at all (at least until 1 January 2009 when the German implementation of the Data Retention Directive comes into force).

In practice it is advisable to contact the official handling the relevant case. However, court orders or enquiries should be followed without undue delay, to the extent that they are not obviously unlawful.