Tell Congress to Protect Our Personal InformationLearn More About Unauthorized Access to Data
Torrentfreak recently ran a fascinating pair of opinion pieces from two lawyers regarding whether or not someone could be liable for copyright infringement if someone else used their open WiFi connection. One attorney, Nicholas Ranallo, walks through the established law of direct and secondary copyright liability, and comes to the conclusion that generally, no, you're not liable for someone else's infringements using your connection. The other attorney, Marc Randazza, doesn't discuss copyright liability, but instead starts drawing out hypotheticals about the law of negligence.
The first and most immediate problem with this is that a civil action for negligence that led to copyright infringement would be preempted by copyright law. The civil penalties and causes of action for copyright infringement are all laid out in federal statutes already. You can't work around this by layering a negligence tort claim on top of a copyright claim. In addition to the preemption, there are numerous statutes that specifically insulate providers of Internet access from liability, as Corynne McSherry points out on the EFF blog. Legally speaking, that should be the end of the story.
But there's more to this hypothetical, I think, because Randazza's ideas around negligence illustrate some of the differences in perspective that can make the copyright debate so intractable, and often can lead policy debates in odd directions. The major differences here deal with the purpose of computers and Internet connections, and how these factors affect a user's duty of care to society.
Before we go into some of these differences of perspective, let's have a quick review of negligence. In a legal sense, negligence isn't just casual carelessness, it's a civil cause of action—something that you can be sued for. To win a case for negligence, a plaintiff has to show that a defendant had a duty of care in a particular situation, that she violated that duty somehow, and that this breach of duty actually caused damage to the plaintiff.
We might think of a duty of care as an aspect of the social contract—an implied promise to not act dangerously, stupidly, or carelessly. If we violate that duty, and that violation leads directly to someone getting hurt, then yes, we're responsible for it. But first, we have to establish what those duties are, and just as importantly, whether or not a breach of those duties was the motivating (or "proximate") cause of the harm, not just one in a series of events that led up to the harm.
Randazza uses an analogy to bring out some of the basic concepts—to him, leaving a wireless access point is like leaving your car with the keys in the ignition. If someone comes along, steals the car, and gets into an accident, he says, you are responsible, at least in part, for the damages resulting from that accident.
I'm not sure that that's as much of a truism as he asserts. First of all, it's pretty counterintuitive that merely leaving your keys in the ignition makes you responsible for a car thief's bad driving. While some jurisdictions have that rule, it's by no means universal. For those jurisdictions where leaving the keys in can lead to liability, the rationale seems to be that the burden of taking those keys with you is so small compared to the potential harm that could result—and that you therefore have the duty to take that step.
As I said, this isn't the rule everywhere in the U.S. Many (if not most) states don't naturally assume that leaving your keys in the ignition will lead to a recklessly-driven stolen car—case law abounds with exactly this situation all over the country, with judges and juries agreeing that the car thief's intervening theft and reckless driving sever that chain of causality from the owner.
Plus, the equation of burden versus risk isn't as simple as it might seem on paper. Every thing we do, every day, contains some element of risk. If the duty of care is something that we're bound to at all times, it governs every possible act and omission through our day—did I lock my car, or my front door? Could someone trip over the bicycle I've locked to a lamppost? Did the supermarket clean up that spill on aisle 4? What about the shopper who saw it and didn't say anything? How heavy is that backpack full of books I'm wearing on a crowded sidewalk? Who's taking the box of free stuff I'm leaving on the curb as I move (books, hangars, old baseball bat), and what are they going to do with them? Each of these situations can result in someone getting harmed, and could be fixed without much burden, but the legal duties in each can very widely.
What we don't have, though, is a society that is totally padded and insulated. There's stuff I trip on all the time, and for which there shouldn't necessarily be any civil liability. And we don't see everyone within a two-block radius sued every time there's a car accident. There's an omnipresent duty of care, but it isn't able or intended to prevent every negative eventuality. It's not my duty to babysit anyone who might remotely be touched by my actions or my property. Honking at every intersection to alert others of my car's presence isn't much of a burden on my arm, but I'm not obliged to do that just because someone could possibly run a stoplight. Plus, that safety measure doesn't exist in isolation—it brings with it other costs to society.
This leads to the first difference in perspective I wanted to draw out—the question of each user's duty. We often see calls for "the Internet ecosystem" to "take responsibility" for infringements. But aside from infringers and inducers actually stopping or owning up to their infringements, my duties to scour the web to protect others' copyrights just aren't there. Just as it's not my duty to make my front yard completely inaccessible to possible troublemakers, it’s not my responsibility to prevent my router from all possible abuse. Even if it's foreseeable that someone might use an open WiFi connection, and even it it's foreseeable that they might infringe copyrights over that connection, the proximate cause of that infringement is, well, the infringer. (If at this point, you want to talk about my duties as someone who controls the router, or is contributing to the infringement, you're right to do so—but that's not a negligence analysis, that's the proper secondary infringement analysis.)
Let's go back to the keys-in-the-car example. Randazza uses this analogy over another one—that of an abandoned, loaded gun—because he notes that comparing open WiFi to a loaded weapon is absurd. But why it's absurd actually goes a long way to showing why we can't assume an owner's liability for an unlocked car or an unlocked wireless router. The gun is a more readily dangerous thing—it's far more foreseeable that someone getting their hands on a gun might hurt someone with it. A car, despite its potential for harm, isn't a mayhem machine—and neither is an Internet connection an infringing machine.
This gets us to the other difference in perspective—the uses of a general-purpose machine. This is the sort of blind spot that comes up when you hear about Internet disconnection as a penalty for infringement—lots of people seem to assume that the penalty is proportional to the violation—you infringed on your broadband connection, you lose it. This loses sight of the fact, of course, that cutting off an Internet connection cuts off a lot more than the penalty for infringement. Seizing a car does a lot more than prevent speeding.
None of these considerations, though, would be relevant in a court—the issue would be decided under federal copyright law, not state tort law. But moving the discussion away from the existing structures and complexities of copyright law can be a useful thought experiment, highlighting not just different arguments, but differences in starting assumptions and values. Even if the law doesn't accommodate Randazza's negligence theory, seeing how it might succeed or fail in its own framework should give us valuable insight into the realities that policymakers need to understand, both about what it means to have and to provide Internet access, and also what burdens they would place on all users.