UPC Liability

CptSternn

I run a small ISP and hosting company and recently found a user on the UPC.IE network was sending death threats, not obscure, but outright death threats to a user on my network.

The user who was sending these death threats was doing so via a form on a webpage of a website I host.

I checked the web logs, mail logs, and of course firewall logs and have the exact time and IP of the user:

Date/Time: 10:05 PM – 31-Jan-09
IP used: 89.101.***.***

I sent this information to UPC and they responded with this:

Ref: 399222
Dear ***,
Thank you for your email.
Having consulted with our broadband department, they have advised that unfortunately we are unable to track the sender of this email as we us dynamic system our IP address changes frequently.
If you have any further queries, please do not hesitate to contact us on our freephone number 1908 or email us on customer.support@upc.ie
Kind regards,
Elaine
Chorus ntl Customer Support Team


I mean, seriously, do they expect us to just accept that? Sending death threats is illegal. Actually lots of things are illegal. Does Chorus not have any way to identify their network users? If that is the case, then it looks like open season on UPC internet! I mean, seriously, are they just lazy or is it really the wild west and they have no logs on their users to tell who used which IP when?

jor el

CptSternn wrote: »

Having consulted with our broadband department, they have advised that unfortunately we are unable to track the sender of this email as we us dynamic system our IP address changes frequently.

That sounds like BS to me. It's a "Go away, we don't care" response. Even with dynamic addresses, they should know who has what IP at any given time. I believe it's actually the law that they keep this information on file.

You may need to get your company's solicitor to send your request in an official solicitors letter to get any response. It's unlikely that they would be able to give you any information, without some sort of legal intervention anyway.

PaulieBoy

So what's it to UPC ? They are not the law.
The person who got the death threats would need to contact the gards, they go and contact UPC in order to get the user details and take it from there.
That would be the proper normal course to take.
It's right and proper that UPC do not give details to any Joe who happens along with a story, if that where the case you would be complaining that UPC where handing out user details to anybody with a gripe.

We don't do kangaroo courts here!!

BaconZombie

Hmm,

This document could come back and bit them in the ass if they jump in bed with the music company's like Eircom did.

Did you get this via email or post?

CptSternn wrote: »

I run a small ISP and hosting company and recently found a user on the UPC.IE network was sending death threats, not obscure, but outright death threats to a user on my network.

The user who was sending these death threats was doing so via a form on a webpage of a website I host.

I checked the web logs, mail logs, and of course firewall logs and have the exact time and IP of the user:

Date/Time: 10:05 PM – 31-Jan-09
IP used: 89.101.***.***

I sent this information to UPC and they responded with this:

Ref: 399222
Dear ***,
Thank you for your email.
Having consulted with our broadband department, they have advised that unfortunately we are unable to track the sender of this email as we us dynamic system our IP address changes frequently.
If you have any further queries, please do not hesitate to contact us on our freephone number 1908 or email us on customer.support@upc.ie
Kind regards,
Elaine
Chorus ntl Customer Support Team


I mean, seriously, do they expect us to just accept that? Sending death threats is illegal. Actually lots of things are illegal. Does Chorus not have any way to identify their network users? If that is the case, then it looks like open season on UPC internet! I mean, seriously, are they just lazy or is it really the wild west and they have no logs on their users to tell who used which IP when?

jor el wrote: »

That sounds like BS to me. It's a "Go away, we don't care" response. Even with dynamic addresses, they should know who has what IP at any given time. I believe it's actually the law that they keep this information on file.

You may need to get your company's solicitor to send your request in an official solicitors letter to get any response. It's unlikely that they would be able to give you any information, without some sort of legal intervention anyway.

dub45

jor el wrote: »

That sounds like BS to me. It's a "Go away, we don't care" response. Even with dynamic addresses, they should know who has what IP at any given time. I believe it's actually the law that they keep this information on file.

You may need to get your company's solicitor to send your request in an official solicitors letter to get any response. It's unlikely that they would be able to give you any information, without some sort of legal intervention anyway.

Just curious do the need your ip to monitor the amount you are downloading or do they use some other way to monitor that?

What information do they gather when someone logs on?

Also given UPC's draconian terms and conditions you would imagine that they would be concerned as a Company as to what their service was being used for. Even if they did not want to go along with supplying information you would think that as a responsible company they would indicate the proper course of action to the complainant. As in something to the effect of ' we regret we cannot supply information blah blah but if you are still concerned about threatening behaviour and so on this matter should be pursued with the Gardai etc etc'

bk

CptSternn, while I'm not a solicitor, I believe it would be illegal for UPC to release this information to you per the Data Protection Act. The user on UPC has a right to their privacy. As an ISP yourself, I hope you understand the details of the DPA yourself and that you don't release private information to just anyone who asks either?

The correct course of action here is for the user who is receiving death threats to contact the Gardai, the Gardai then contact you to get the IP address, data and time, etc. and then the Gardai contact the UPC with this data * to get the details of the person sending the death threats.

* I'm not sure, but I assume the Gardai will need a court order to get this information from UPC.

This is all right and proper, as people have a right to their privacy and the correct channels and procedures need to be followed in cases like this.

BTW if the correct procedure isn't followed, there is every change that any court case taken would be thrown out of court.

BBTW CptSternn you are skating on very thin ice, talking about this on a public forum and in particular putting up the IP address and date and time in a public forum, you may already be in violation of the DPA.

jor el

PaulieBoy wrote: »

So what's it to UPC ? They are not the law.

If someone is using UPC's network to issue death threats, then they should be quite concerned about it. This is not only illegal, but would also be against UPC's terms of use.

PaulieBoy wrote: »

The person who got the death threats would need to contact the gards, they go and contact UPC in order to get the user details and take it from there.

I'm not sure how serious the Gardai will take this issue. It is one possible course of action available to the user in question.

PaulieBoy wrote: »

It's right and proper that UPC do not give details to any Joe who happens along with a story, if that where the case you would be complaining that UPC where handing out user details to anybody with a gripe.

He's not just any Joe though, he's the owner of an ISP, who received a complaint about a death threat being issued by someone on UPC's network. It's right that he's investigating it, and completely wrong hat UPC are claiming they have no way to identify this person.

I would have no problem with them not handing personal information over, as they can't, but I do have a problem with them claiming there is nothing they can do, and they have no way to identify the user, based on IP and date/time of the offense.

jor el

bk wrote: »

BBTW CptSternn you are skating on very thin ice, talking about this on a public forum and in particular putting up the IP address and date and time in a public forum, you may already be in violation of the DPA.

Since an IP address is public, I'm not sure that it would be considered personal information. There's no real way for anyone here to trace that IP back to an individual. I've edited it out though, just to be safe.

java

UPC are fobbing you off. UPC, as a service provider is obliged by EU law to retain customer "communication" for a period of years. 2 I think. They are a member of the Internet Service Providers Association of Ireland - you might find some further info their website ispai.ie

Death treats are a serious matter and you should report to the Gardai.

GigaByte

jor el wrote: »

If someone is using UPC's network to issue death threats, then they should be quite concerned about it. This is not only illegal, but would also be against UPC's terms of use.

I'm not sure how serious the Gardai will take this issue. It is one possible course of action available to the user in question.

LOL! You say its illegal and UPC should be concerned but you don't think that Gardai will take it seriously?? That maybe the case on planet backwards!

Death treats are reported to the Gardai regardless of were they originate.

Onikage

The user should contact the gardai. But that is up to them.

You should make a note of all the details (user ip, time, email to UPC) and contact the gardai. You have witnessed a crime, it is your civic duty to report it. There is no point in contacting UPC as they are not answerable to you in any way, in fact they CANNOT answer by law.

watty

You need to get a court order, ideally have Garda investigate.

No ISP will release details to a 3rd party otherwise.

java

watty wrote: »

No ISP will release details to a 3rd party otherwise.

UPC don't have to release their customers details to a third party. They only need to take action against their customer once CptSternn has provided them with the evidence.

Cabaal

PaulieBoy wrote: »

So what's it to UPC ? They are not the law.

They however should suspend the a/c being used as death threats would be against their T&C's, the e-mail they replied with is very clearly from a support monkey who has no clue what they are on about.

jor el

GigaByte wrote: »

LOL! You say its illegal and UPC should be concerned but you don't think that Gardai will take it seriously?? That maybe the case on planet backwards!

I said I wasn't sure how seriously they would take it, not that they wouldn't take it seriously. Our laws are seriously outdated, when it comes to the Internet, and I for one am of the opinion that the Gardai do not take Internet crimes as seriously as they should. Maybe I'm wrong, but that's the impression I get.

If I rang my local Garda station, and made a claim that someone on the Internet threatened to kill me, I would not be surprised if I got a laugh from the desk Sargent. That's why UPC should be investigating this, as they will be able to identify the user, and if they determine that there was a death threat made, they will be able to contact the relevant people.

Onikage

jor el wrote: »

If I rang my local Garda station, and made a claim that someone on the Internet threatened to kill me, I would not be surprised if I got a laugh from the desk Sargent. That's why UPC should be investigating this, as they will be able to identify the user, and if they determine that there was a death threat made, they will be able to contact the relevant people.

A bit unfair, there is a cybercrime unit in the Gardai. They are the people who deal with these investigations, not 3rd party ISPs.

GigaByte

Onikage wrote: »

A bit unfair, there is a cybercrime unit in the Gardai. They are the people who deal with these investigations, not 3rd party ISPs.

Exacto!

If anything the OP is responsible for allowing it to happen not UPC. Who do you think would be responsible if it happened on Facebook, bebo, myspace, etc..

http://www.belfasttelegraph.co.uk/news/local-national/man-accused-of-bebo-threats-denied-bail-14125824.html

http://www.independent.ie/national-news/death-threat-posted-on-bebo-site-lands-mechanic-in-prison-1439681.html

paulm17781

GigaByte wrote: »

Exacto!

If anything the OP is responsible for allowing it to happen not UPC.

The OP is responsible because someone on his network got threatened by someone on another network???

jor el

GigaByte wrote: »

Exacto!

If anything the OP is responsible for allowing it to happen not UPC. Who do you think would be responsible if it happened on Facebook, bebo, myspace, etc..

http://www.belfasttelegraph.co.uk/news/local-national/man-accused-of-bebo-threats-denied-bail-14125824.html

http://www.independent.ie/national-news/death-threat-posted-on-bebo-site-lands-mechanic-in-prison-1439681.html

If anyone is responsible, it is UPC, and not the OP on this thread. UPC have been informed of the threat, and are washing their hands of it. This could leave them in a very bad situation, should the user who is being threatened decide to take legal action. The OP is acting as best as he can, by informing the ISP of the originator of the crime, and trying to get it stopped.

I would assume that the threat has been removed, if it was some form of blog entry or comment, as it was on one of the sites he hosts. This is as much as he can do, apart from monitoring every single comment made, which, as the Crown Council in the links you posted pointed out, is not feasible.

BendiBus

If a courier delivered you a parcel containing a death threat who would you call first, DHL or the Gardai? Personally I'd go for the ones who might be able to prevent my untimely demise!

Fighting Irish

What was the actual death threat? In before something stupid

bk

jor el wrote: »

If anyone is responsible, it is UPC, and not the OP on this thread. UPC have been informed of the threat, and are washing their hands of it. This could leave them in a very bad situation, should the user who is being threatened decide to take legal action. The OP is acting as best as he can, by informing the ISP of the originator of the crime, and trying to get it stopped.

It is no more UPC's responsibility then it would be Eircom/vodafone/an post/ church newsboards responsibility if you phoned/posted in a death threat.

In Ireland we have something called innocent till proven guilty, how do UPC know the threat isn't just a joke between two friends? UPC aren't the law, only the Gardai and a judge can take the necessary steps to sort this issue.

thund3rbird_

firstly - the email you got from them is a load of bollocks

all ISPs have ways of tracking the IP addresses

all they need is a date/time stamp and the IP address
their dhcp records will tie the ip to a MAC address, the MAC of the modem
the modem can be traced back to the subscriber

the unfortunate thing is you contacted their customer service

do a whois lookup on the ip
you should see an abuse@ emailaddress - thats who you need to send it to
(possibly abuse@chello.nl ? possibly .ie)

if it was by email via a form then the email headers will have the timestamp

send BOTH the content and the email headers to the abuse address


secondly, if you check this link, Section 4: Prohibited Conduct refers to exactly what happened

ie - the threat maker is going against UPCs T&Cs

your best bet is to also report it t the gardai - the more info you have to give them the better




just read this in the t&c - last paragraph

Section 20: Complaints and Enforcement
Complaints regarding abusive conduct will be accepted by email provided a valid return address is included. UPC must be able to verify each instance of abuse, and so each complaint must include the COMPLETE TEXT OF THE OBJECTIONAL MESSAGE, INCLUDING ALL HEADERS. Please do NOT send excerpted parts of a message; sending a copy of the entire message, including headers, helps to prevent misunderstandings based on incomplete information, or information used out of context. Full headers demonstrate which path the message has taken, and enable us to determine whether any part of the message has been forged. This information is vital to our investigation.

this is them admitting they CAN trace it

jor el

bk wrote: »

It is no more UPC's responsibility then it would be Eircom/vodafone/an post/ church newsboards responsibility if you phoned/posted in a death threat.

I was replying to the person who said it was the OPs responsibility for allowing it to happen by saying IF it's anyone's responsibility, it would be UPC. UPC had the responsibility to investigate the claim, and didn't.

bk wrote: »

In Ireland we have something called innocent till proven guilty, how do UPC know the threat isn't just a joke between two friends? UPC aren't the law, only the Gardai and a judge can take the necessary steps to sort this issue.

The person who received the threat, made a complaint to the OP, his ISP. Hardly going to be a joke if the recipient is making a complaint now, is it? UPC do have a responsibility here, and they are just shrugging it off.

Onikage

CptSternn wrote: »

I run a small ISP and hosting company and recently found a user on the UPC.IE network was sending death threats, not obscure, but outright death threats to a user on my network.

The user who was sending these death threats was doing so via a form on a webpage of a website I host.

I checked the web logs, mail logs, and of course firewall logs and have the exact time and IP of the user:

jor el wrote: »

The person who received the threat, made a complaint to the OP, his ISP. Hardly going to be a joke if the recipient is making a complaint now, is it?

@CptSternn: Did they make a complaint? This is not mentioned in the OP.

GigaByte

paulm17781 wrote: »

The OP is responsible because someone on his network got threatened by someone on another network???

On his website if you read it, The threat was made by using his webiste!

CptSternn

A user on my network alerted me. I then checked the logs, checked the email header, and matched the IP from the logs to the IP listed on the email (all emails sent via web forms attach the IP and RDNS info automatically).

I was able to see that same IP was on the site at the same time the email was sent, verifying the users account of the story. I also checked the mail system and verified the email was real and not created by the user.

So I was able to verify from the mail server, web server, and firewall that the IP in question did send a death threat, as the user explained to me originally.

I then went to the UPC.IE website looking for contact information. I could have went through RIPE to get the contact information, but felt going through the normal website might be the best course of action since I thought as an ISP they would have seen this before and had some type of default action in place to handle this sort of thing.

Obviously, I was very wrong.

A follow up on this,

I emailed them back and asked why exactly they do not have the resources to track this sort of thing and asked what exactly is their liabilty in this case or any other case with users on their network engaging in illegal activity. I also added that if any harm comes to the user on my network I would make damn sure the media as well as every TD I know sees their original email reply.

They responded in a very short email reply saying I should take this up with the local Gardai and they were not going to investigate nor even look into the issue unless the Gardai themselves ask.

I will post that email here, its on me other laptop.

That being said, I got a death threat via a web form about a year and a half ago from an anonymous user on Irish Broadband. They were much more accommodating. They took it very seriously and said they would start their own internal investigation into the matter. They then said they couldn't tell me any more than that and I would need to file a complaint with the Gards before they could actually start this internal investigation. So I filed a complaint with the local Gardai, gave a large three page statement, and never heard anything back.

I called and asked about the status a few weeks ago and the officer there said the Gard who took my statement had been moved to another county and they couldn't find my statement and asked if I would like to file another one.

So basically even if I convince the user to go file a complaint and help him by providing logs and what not I have a total lack of faith in the Gards to do anything other than sit on their hands and ignore the issue, as they did the first time I went through this very situation.

GigaByte

jor el wrote: »

See your quote where you quote me, and re read it

On his website if you read it, The threat was made by using his webiste!

Next you'll be posting up more garbage like, "apparently he was using a Dell computer to post his threat"
Using your logic this is ture.

GigaByte

CptSternn, What steps have you taken? and what reports have you filled? Have you posted any warnings on your website? Whats the website in question?

bk

CptSternn wrote: »

They responded in a very short email reply saying I should take this up with the local Gardai and they were not going to investigate nor even look into the issue unless the Gardai themselves ask.

Which is absolutely the correct thing for UPC to do. Remember UPC are likely getting legal advice on this matter or have formed a policy for this situation based on legal advice.

UPC have a legal responsibility to protect the privacy of their customer and not reveal details of their customers to some random guy who emails their support.

UPC also have a responsibility not to go looking into their customers private information without a court order. Otherwise they could open up a whole can of worms see, RIAA, Safe Harbor and neutral carrier legislation in the US.

Also don't forget UPC snooping in their customers data could cause any court case later taken to be thrown out on a technicality.

It is in UPC's best interest to completely ignore your request, not look at any of their customers data and wait for a court order from the Gardai.

Personally I'm really happy that UPC seem to be doing the right thing and are following the right procedures and respecting our laws.

seamus

CptSternn wrote: »

So basically even if I convince the user to go file a complaint and help him by providing logs and what not I have a total lack of faith in the Gards to do anything other than sit on their hands and ignore the issue, as they did the first time I went through this very situation.

Your faith in the Gardai is irrelevant.

UPC cannot do anything or release any information unless they are contacted by the Gardai.

Imagine if your broadband service was suspended because some random user on another network chose your IP at random and decided to say that you were sending death threats. For anyone who's really determined, logs and email headers are easily forgeable.

IP addresses are covered under the DPA. Although an IP address is public, there is no way for a member of the public to chose an IP at random from an ISP's pool and use that IP to identify a user on that ISP's network. Likewise, there is no way to pick a user at random and find out their current IP address.
This is the key to DPA - it protects any information which is specific to an individual and which isn't otherwise possible to obtain without the individual supplying it. Boards.ie stores IP addresses, but they aren't available for users or Mods to see, for precisely this reason.

Send your user to the Gardai and promise that user your full co-operation. There is nothing you can or should do until you're contacted by the Gardai.