back to article BPI rejects scareletter approach to possible pirates

The tactic of using IP addresses extracted from internet service providers to send scare letters to suspected pirates is not something the British music industry would consider. ACS:Law has made a tidy business from sending out letters to suspected file sharers offering a one-off £500 payment draw a line under further …


This topic is closed for new posts.
  1. cannon

    what horse s**t.

    [quote]The BPI said it did not condone the approach of mass-mailing alleged internet pirates.

    The BPI said it would not be adopting the same approach as ACS: Law if UK legislation on the issue of illegal file-sharing comes into force. [/quote]

    what absolute tosh, so they didnt litigate across the USA demanding huge fees from people on social security, and a you can trust us not to abuse the law to finish!

    BTW if you didnt know the same companies that run the RIAA run the BPI, Sony BMG, Warner, Universal & EMI.

    quote from here:

  2. This post has been deleted by a moderator

    1. david wilson


      >>"The fact is, no matter how hard you try, unless you're physically sat watching the infringer perform the act, there is absolutely no way to tie any one person to an IP address that has been involved in such an incident."

      Well, for a start, with the three strikes - lose your ISP connection approach that some seem to favour, it'd be more a case of taking action against the ISP customer for failing to stop their connection being used for infringing content, despite having had previous warnings.

      There's certainly the possibility of them scoring numerous own goals on the publicity front with that approach, but if they were careful, and sensitive with the earlier warning letters, and dealt well with people who knew/thought they weren't doing anything dodgy, they could probably keep complaints to a minimum.

      Secondly, be careful what you wish for.

      "You can't get good enough evidence without being in my house" doesn't necessarily equate to "You can't prove anything"

      If you bang on about the Magna Carta and demand stronger evidence, it seems like the best practically available evidence would be the machines that the filesharing software and downloaded/shared content are residing on, and to get *that* would require enforceable access to premises.

      Someone going to that much trouble is likely to try and make an example out of a few people, to encourage everyone else to go along with the system.

      Somehow, I don't see there being much public outcry if someone ends up with a sizeable fine after being caught with loads of copyright content having ignored a couple of earlier warning letters, or replied claiming that they weren't doing anything wrong.

      There's doing things one really shouldn't do, and then there's taking the piss.

      1. This post has been deleted by a moderator

        1. heyrick Silver badge

          IP address bollocks

          I am an ADSL subscriber with Orange France. The IP address assigned to my Livebox changes, roughly, every three days. I do not know why, I just know it does. Perhaps this is a side effect of not paying exorbitant amounts of cash for a static IP?

          Point is - unless they also have a way of identifying WHO is using a given IP address at a given time, then IP address alone is not so useful. And given the length of time it took for Orange to sort out the direct debit (and the name is STILL wrong), I don't hold out much hope for the accuracy of said data. Plus, to top it off, I would be highly annoyed if Orange gave out my personal details without a court order...

          My IP address at this moment is The last person could have been a confused granny, an eBay-aholic, or somebody torrenting ripped-off hentai movies. How the hell do I know, and furthermore, why should this be MY problem?

        2. david wilson


          >>"Just stop and think about that for a moment, think about what you're suggesting- what you're suggesting is equivalent to saying people should be responsible for the security of their car, that is, you're saying, if someone steals your car, and runs someone over with it, then you should be responsible for manslaughter."

          No, that's not what I'm saying.

          What I am saying is that if someone habitually left their car parked on the street with the keys in the ignition, whether because that was more convenient, or because they didn't know how to remove the keys, and if their car had been stolen for the third time and used in some nefarious activity (or at least, it had been involved in some nefarious activity and they'd *said* it must have been stolen), then I and many other people would be wondering if they were the kind of person that should be trusted with car ownership.

          >>"This is clearly stupid, it really doesn't matter how many times it happens to people, you cannot hold them responsible."

          If someone can't or won't stop it happening again, it would seem that the only obvious way to stop it happening again is to remove the option of them letting it happen*, unless one was to go down the road of applying some actual punishment, which would seem arguably rather more unfair.

          It's not as if ownership of a car (or an internet connection) is a human right, even when people who can't manage that ownership well.

          Of course, if every possible assistance was offered to the person to help them stop it happening again, and they refused to take up the offer, it'd make it harder for them to argue they were being treated unfairly later on.

          (*For a net connection, it may be that restricting people to a limited service that would be highly unattractive to freetards might be a better solution than no service at all, in some kind of three strikes system.)

          1. This post has been deleted by a moderator

            1. david wilson


              >>"No, you say you're saying that, but clearly you're not, because as I pointed out even secure, encrypted Wifi can be cracked with ease."

              Unless a lot has happened since last August vthat isn;t being much talked-about, when it comes to WPA, there is quite a difference between being able to inject the odd malicious packet if you're in a good physical location (as seems the case with academic attacks to date) and having free and unfettered access to a network.

              Is the cracking of WPA (or better) networks with half-decent passwords *honestly* a likely explanation for more than a tiny amount of filesharing?

              Seems to me like a three-strikes system, if it incorporated a reasonable way of responding for people who really weren't doing something, could be the start of a mechanism for finding out how much cracking of various flavours of network might actually be happening in practice.

              Also, if people are given information that would lead them to conclude, (assuming they aren't responsible for the offending traffic) that their network was being compromised, that seems like a good thing.

              I'd certainly like to have some idea if freeloaders were stealing bandwidth from me, and get a chance to report such activity and/or use extra technical means to stop it happening again.

              If someone was given the opportunity of making a formal report to the police about people repeatedly breaching their network security, but they choose not to do that, or to change their setup, that might make some people wonder whether they were actually concerned about such unauthorised access happening, or even whether unauthorised access had actually happened at all.

              Presumably most people whose connection was being used for filesharing by someone in their house would be bright enough not to lie to the police, and if someone had done all they could to be co-operative and secure, and had reported apparent intrusions to the police, then I imagine in a sensible system*, it would be rather more difficult to cut off their network connection.

              >>"You sir, should consder living in North Korea, you'd fit right in with the ideology."

              You, sir/madam should stop using stupid comparisons.

              It's hardly desperately authoritarian to expect people to take what steps they can to secure their network if they are made aware it is being misused.

              (*Of course, that's not to say that anything involving businesses and politicians *would* actually be done sensibly, but just because people can bugger an idea up doesn't necessarily make the idea itself theoretically unworkable, or in direct opposition to centuries of human rights.)

  3. Dazed and Confused

    False allogations

    I would have thought that the guy who was accused of sharing porn would be in a good position to sue these scum for slander.

  4. Anonymous Coward
    Anonymous Coward

    But how?

    How do this dodgy bunch 'extract' IP addresses from ISPs? Doesn't data protection come in here somewhere?

    1. Maverick

      @ AC 10:27


      there you go, mine's a pint

  5. Anonymous Coward
    Anonymous Coward

    Legalised mugging?

    Quite right too.

    We used to have an offence in the UK called 'Demanding Money with Menaces'. I'm not aware it's been taken off the statute books, and the letters mentioned surely qualify as criminal in my view.

    But then I forgot - UK law is only effective for those who have money....

  6. irish donkey

    BPI rejects scareletter approach.........

    Well if they didn't accept the cheques then they wouldn't be able to do would they.

    Just another form of Wheel Campers making up the rules as they go along and NOBODY is doing anything to stop them

  7. CraigRoberts
    Thumb Up


    Maybe El Reg should send them a letter demanding £500 if they want to avoid further questions/investigation? Helps pay for the Friday lunch time pub "meeting" doesn't it...

    ... Mine's a pint, please! :)

  8. Anonymous Coward

    Tarred with the same brush

    There are so many stories at the moment about letters sent etc by those representing various 'rights holders' that I had missed somewhere in all the mayhem that the BPI weren't doing it. It's a lot easier - and a safer bet - just to assume that any group who makes loud whiny noises about the the public being thieves probably want the gov guillotining the individuals in question, but is resorting to bullying bits of paper as a stop gap. The BPIs statements in general are so uninteresting in any case that by last orders I'll have doubtless forgotten they're not doing the postal bullying thing.

    After all they all seem to assume we are all criminal bastards to a man/woman, spending every waking hour amassing vast silos of their members 'creative' output. So it seems reasonable that we assume they are in their entirety a bunch of greedy, whiny feckless bastards who are to business models what the Hindenburgs designers were to aviation safety**, and who'd rather reach for a lawyer in the hope of a payout than help an old lady cross the street.

    Just to prove how out of touch they are they name themselves after a device not in general use for a century odd.**

    Sad as it may be for the BPI after the apparently magnanimous gesture, I suspect they'll still be seen as just another finger wagging arm of the labour party, with no one any the wiser that they don't sent letters demanding 500 quid to pensioners.

    ** note for pedants: yes, yes, I know.

    The shouty thing looks a bit like a phonograph too.

  9. Anonymous Coward

    A simple solution ...

    ... would be to modify the law so that if a company that writes a letter implying a possible offence is subsequently unable to positively PROVE that the offence HAS been committed, the writer must as compensation for inconvenience pay the recipient at least ten times the amount being claimed.

    Companies should absolutely NOT be writing about "possible" offences, they should be required by law to obtain PROOF of the offence first.

    That includes, most especially, the TV licensing unsolicited nuisance mailing unit, which writes letters willy nilly to people asking them to prove they don't have a TV even if it doesn't have a shred of evidence that they even might have one.

  10. blackworx

    78yo Father

    In my experience at BT, when it came to 0898 porno lines where the bill-payer was contesting (usually with some story like "but my husband is an ordained minister and my three teenage sons are as good as gold") 99% of the time it was someone in the immediate household who'd done it, and the rest of the time it was a visitor.

    I'm not saying this is the case here, what with unsecured Wi-Fi and all, but I'd still be willing to bet a month's wages on a high percentage of those complaints to Which? falling into the same category.

    I'm also not saying that ACS:Law's actions are justified. They are still a bunch of c*nts.

    1. Ben Norris


      The difference is that BT know who they connected the line from and to so are at least quite certain that the call was made. ACS:Law are acting a chain of unproven links and using intimidation tactics because they know they have no evidence to take anyone to court.

      They don't prove that anything was uploaded when they log IPs, they can't prove that the logged IP was genuinely from the right ISP or spoofed, the ISPs records are not reliable enough to tie it to a certain household, when you get to the household there is no record to tie it to a specific PC, there is no way to prove it wasn't a trojan or somebody accessing a wireless AP, and finally there is no way to prove who was using the PC at the time.

      So should we put a stop to their tactics or apply them to other crimes? Maybe next time there is a bank robbery we should just pick some random guy off the street with the same colour shirt and lock him up?

      1. david wilson

        @Ben Norris


        a) They don't prove that anything was uploaded when they log IPs

        b) they can't prove that the logged IP was genuinely from the right ISP or spoofed

        c) the ISPs records are not reliable enough to tie it to a certain household

        d) when you get to the household there is no record to tie it to a specific PC

        e) there is no way to prove it wasn't a trojan or somebody accessing a wireless AP

        f) and finally there is no way to prove who was using the PC at the time."

        I thought that at least some of the tracking *was* waiting for people to be sourcing copyright content before logging their IP address? That way, they can get people for making content available, not merely downloading it.

        If that was the case, that deals with a)

        As for b), if I actually connect to a machine via an IP address to download content from them, how can I keep a connection running in both directions if they have a fake address? Unlessthere's something between my machine and the internet which is doing some redirection, packets I send presumably must end up at the actual IP address.

        Surely it's only if the packets I send disappear *and* someone can generate packets with a fake 'from' address' *and* they can anticipate all the packets I'd expect to get back that they could really spoof the address?

        c) Are you sure that no ISP has reliable records of who had what IP address at a certain time?

        Even for people with dynamic adresses, they don't change that often, and there are all kinds of reasons (including legal ones) for keeping the relatively tiny amount of data needed for a year or two of connection records.

        Also, a lot of people have static IP addresses anyway.

        d)+e) you might not be able to tie traffic to a specific PC from outside, but you *could* certainly do that if you had access to the machines, whether enforced, or with the co-operation of a responsible householder.

        as for f), if you knew the filesharing was happening on a machine authorised to be on the network, that'd be a good justification for suspending network access if the customer had already had clear prior warnings that something was going on which they had done nothing about.

        Even though civil damages don't look like the best way of dealing with everyday filesharing, if someone is unable/unwilling to control people they give network access to, then the buck does eventually stop with them, whether it's a loss of connection or even civil damages.

        If someone is actually being *consistently* reckless as to what they allow to happen on the network they control, then they do have some liability.

        Also, even though I'd say again that civil damages don't look like the best way of dealing with filesharing, *especially* if there haven't been any kind of initial warnings to deter the casual filesharer, for all the talk of the need for perfect evidence, Magna Carta, longstanding freedoms, hard-fought-for human rights, etc, people should remember that the burden of proof in civil cases *is* lower than in criminal cases - 'balance of probabilities' vs. 'beyond reasonable doubt'.

        If there *had* been warnings and someone didn't take any action, they might find it quite hard to defend themselves in a subsequent civil action.

        I think that's one of the major problems with letters out of the blue - they seem much more designed to make money than to stop people doing something, which is seriously unfair when there's a chance that the first thing a target ISP customer knows about someone abusing the network connection is a letter arriving.

        In practice, in the first instance, there's a whole range of responsibility, from people not knowing that their network was insecure or that someone they allowed to use their network was doing something wrong through people who suspected or knew what was happening through to people doing it themselves.

        Giving people warnings does give them the chance to sort things out, and also makes 'We honestly didn't know it was happening' much less of a usable response to future letters or actions.

        Still needs some kinds of safeguards, though, so someone who really isn't capable of securing their network can get some cheap/free assistance if they need it. Which also obviously then makes "I didn't know how to/couldn't afford to fix it" less useful a s response to later letters.

        I guess that's the thing about a more reasonable approach - the more reasonable and helpful it is, the better it is for the innocent customer, the easier it makes it for the casual offender to stop gracefully, and also the harder it makes it for the persistent offender to claim ignorance of what was happening, or a technical inability to prevent it happening again.

        Which is ultimately what I guess many of the music industry people want - to stop people taking the piss, while not getting bad PR in the process.

      2. blackworx


        Next time try reading comments in their entirety before jumping to reply.

  11. jon 72

    Hacked WiFi

    It's an ugly little fact about WiFI that a typical Hub employing a WEP encryption will quite happily reveal the access code to the householders (or business) internet connection in under an hour. ( Under controlled test conditions we did actually manage to break a default key in twenty minutes )

    Sadly, the excuse of ' Hackers Did it ' is no defense and according to the law, the buck stops at the householder. This is largely for deterernt value as far as I can tell and the fact that tracking down the actual culprit(s) is niegh on imposible. Bearing in mind a good directional antenna could place the hacker anywhere within 200 meters of your home WiFi router, simply looking out the window for cars with blacked out windows or somebody hiding in the bushes with a laptop is futile.

    Those of you who are a little more tech-savvy and use WPA encryption and MAC address filtering, wipe that stupid grin off your faces.. it jtakes less time to hijack your connection than to break a 'weaker' WEP key.

    Whilst ACS may be complying with the letter of the law, one wonders how eager they would be to pursue hard targets such as other law firms, judges, or a large PLC for instance who happen to have an insecure WiFi network?

    1. Danny 14

      20 minutes is quite conservative too

      We had a fool about with a live CD and a prism promiscuous card and grabbed our own WEP in a few minutes (64 bit) and certianly no longer than it took to make a brew (128bit). And that was a live CD too - hardly difficult to come by.

  12. Steve Swann

    ...but, but... I'm only REPLYING...

    "So, how do you know he's a file-sharer then?"

    "Well, he weighs the same as a duck....."

  13. Tom 35


    "We don't favour the approach taken by ACS:Law to tackling illegal filesharing"

    I'm sure ACS don't give a fig about filesharing, they just found a way to make money without doing any real work.

  14. Anonymous Coward

    short memories

    You've all got very short memories...

    Has no one noticed how ironic it is that BPI is not advocating the approach taken by ACS Law? They did EXACTLTY the same thing in 2005. They got a 3rd party to grab some IP addresses and time stamps from the sexy P2P networks of the day then got Norwich Pharmacal court orders against the ISPs and wrote letters extorting monies from the ALLEGED infringers.

    It's even reported here

  15. heyrick Silver badge

    Safety and security

    Regarding whether or not ADSL boxes easily divulge the wireless key... if you have a netbook computer, you can plug directly into a Livebox's ethernet port. The default password is "admin" and I bet a lot of people still use it. The Livebox 1.2 (Livebox Mini) login is "admin" and, astonishingly, this is fixed. You can't change it. You can then go to the settings, look at WiFi. Bing! There it is, cut'n'paste it into a Notepad docment, ^S it, close your netbook, put it back in your backpack. You've just ripped off somebody's WiFi while they went for a pee. Oh, and the Livebox helpfully doesn't even bother recording the time of the last administrative log-in.

    However, on the subject of security, there is a trend that people really ought to consider. Earlier today I took my eeePC while my mother went shopping. I sat in the car and "wardrove", sort of. Oddly, Windows own WiFi scanner did a better job than NetStumbler, albeit lethagically. Go figure!

    Most Liveboxes are locked up, while the majority of Free boxes and pretty much every Neuf box I've seen are open. So I connected to a few. About half of these boxes were just somebody's personal WiFi - when I went to the host IP address (often I got the control panel. And, sadly, the Livebox isn't the only unit blighted with admin/admin as a password. These people should be slapped for making NO attempt to secure their network. On the plus side, if they don't know it's wide open, they probably won't know I was ever there. I don't anticipate a honey-trap, but just in case I didn't do any external accesses. I think it is fair to say that if I can reconfigure the box, I can Google through it...

    Then there's the other demographic. The HotSpot. A feature that seems to be built in to more and more ADSL boxes. Going to redirected me to the hotspot login. Some actually wanted a login (mainly those tied to SFR - you can have an interesting time arguing the ethics of purchasing "time credit" for roaming hotspots when you are piggybacking off somebody's connection... do they get a cut of this?) while others were a big smiley-face aimed-at-a-five-year-old welcome display with an embedded frame giving eighty paragraphs of Ts&Cs at six point text, practically unreadable. Whatever, Google worked.

    So, back up and read that again.

    The first lot was an unauthorised connection to an unsecure WiFi box.

    The second lot was an encouraged "welcome online dude!" connection to a WiFi box happily acting as a public AP with somebody probably unknowingly picking up the tab.

    Only a few cared who I was, and that seemed to only be concerned if I had sufficient paid-for credit to do this on somebody else's box.

    In any case, if I downloaded some illegal stuff, on which IP will it be? In every AP I have seen, you are DHCP'd a local network address (192.168.1.x) and the world-facing IP is that of the AP itself. Pretty much like the subscriber's own use of the box. You tell us apart HOW?

    It is one thing to complain about clueless users failing to adequately secure their WiFi, but what about when the box is providing its own hotspot services? How can YOU monitor what somebody ELSE does without your explicit knowledge? Surely in that case you become an extension of the ISP? Is there any sort of "safe harbour"-like provision for this? MP3s are not terribly big (1-8Mb ish) and with 16 megabits, you can do quite a bit of damage in ten minutes. And ten minutes in a town is a long time when you can be in a car (as I was), in a bar, or if it is a deliberate rip-off, there's no reason you can't get your computer to auto-connect to an open AP and have a download manager run on a schedule, so your little netbook can be safely in your backpack with an ice pack beside it (keep it cool) downloading away with the lid closed. I have done this more or less legitimately. Had a meal in a cafe with free WiFi. Windows Update offered some BIG downloads (of which IE8 was one, and about thirty .Net patches). I told the machine to not go standby when the lid was closed. I closed the lid, put it aside, put the newspaper on top of it, had my meal in peace while it got on with updating.

    It could just as easily have been a few Hollywood Blockbusters pulled off an open AP. Who'd suspect somebody that isn't even looking at a computer screen?

    Doesn't the BT HomeHub have an option to do hotspot services? How about YOUR box?

    Hand-grenade icon because open hotspot services, if giving the world the same IP address as the owner of the box, are yet another spanner in the works of the simplistic-minded view being taken for who is responsible for what.

    PS: EPIC EPIC EPIC F**KING FAIL OF EPIC PROPORTIONS to Orange. If you connect to your orange email, your internet/phone account (download your itemised bills as PDFs!), your answering machine... all this stuff is online. All this stuff uses the identify of your Livebox to authorise you. All this stuff is WIDE OPEN to anybody connected to your machine. I discovered this when at my favourite cafe looking to get my own broadband, so I went to "" to check on the current prices and promotions. That's how I found out they were using a Livebox as I was redirected to the owner's private personal homepage. While it is a nifty feature in some ways, it is also a security nightmare. The Livebox has a way to assign names and pictures to connected equipment (it remembers the MAC) so it should also have an option to only permit specific "authorised" boxes to access private account details. If nothing else, it will stop kids ("think of the children!" <g>) from signing up for all sort of cool services from their own computer...

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020