MONOLITH LAW OFFICE+81-3-6262-3248Weekdays 10:00-18:00 JST

MONOLITH LAW MAGAZINE

Internet

Is it Impossible to Identify the Culprit of Copyright Infringement on Twitter and Instagram?

Internet

Is it Impossible to Identify the Culprit of Copyright Infringement on Twitter and Instagram?

It is generally understood that if you post illegal content on the internet, you could be identified and potentially face claims for damages. However,

  • In cases of posts on Twitter, Facebook, Instagram, etc.,
  • that infringe on intellectual property rights such as copyright and trademark rights,

it may be impossible to identify the person responsible. From the perpetrator’s perspective, this means,

If you post such content on the aforementioned sites, there is no chance of being identified, no matter how many times you do it. At most, your post will be deleted or your account will be banned. So, you can just keep posting such content with a throwaway account.

This is a problem that is still unclear in terms of how it will be handled in the future. Of course, we are not encouraging such illegal posts, but we will explain what the problem is and why there is such a possibility.

To give an overview, the situation is roughly as follows:

  1. The Provider Liability Limitation Act, which allows for the identification of posters, can be interpreted to mean that you cannot request the disclosure of a person’s name and address unless you know the IP address at the time of posting.
  2. Twitter, Facebook, and Instagram do not record the “IP address at the time of posting” due to their system design, and only retain the “IP address at the time of login”.
  3. As for whether you can request the disclosure of a person’s name and address based on the “IP address at the time of login”, courts dealing with intellectual property matters tend to take the stance that “legally, this is not permissible”.

We will discuss each of these points in turn below.

The Issue of “IP Address at Login”

The legal provisions and the process of identifying the poster become problematic.

What is the Flow of Requesting Disclosure of Sender Information?

Firstly, the process of identifying the origin of so-called illegal posts, or in legal terms, the request for disclosure of sender information, follows the flow below:

  1. Request the site administrator, where the offender made the post, to disclose the “IP address at the time of the illegal post”.
  2. Receive disclosure of the “IP address at the time of the illegal post”. If the IP address is known, the provider can be identified.
  3. Request the relevant provider to disclose the “address and name of the subscriber who was assigned the IP address at the date and time of the illegal post”.
  4. Receive disclosure of the address and name from the provider.

Both of these are permitted based on the following provisions under the Japanese Provider Liability Limitation Law:

Those who hold logs related to illegal posts that infringe rights (logs “related to the infringement”) must disclose information about the poster that can be understood from the logs. (*)

For the actual text and other details, please refer to another article that explains in detail about the request for disclosure of sender information.

https://monolith.law/reputation/provider-liability-limitation-law[ja]

The Meaning and Content of the Legal Provision “Related to the Infringement”

Now, the issue here is the phrase “related to the infringement” mentioned above. Typically, this refers to the communication at the time of the post, for example, when an illegal post was made on 5chan. It follows the flow mentioned above. However, sites like Twitter, Facebook, and Instagram do not systemically record the “IP address at the time of the post”. What is recorded on these sites is only the IP address at the time of login. In other words, if an illegal post is made on Twitter, for example, the user:

  1. First logs in from a certain IP address
  2. Maintains the login status and makes an illegal tweet

Although the IP address log at the time of login related to the above 1 is recorded, the IP address at the time of the tweet (post) in 2 is not recorded. This is the same for Facebook, Instagram, and others.

Flow of Identifying the Poster in the Case of Twitter, etc.

Therefore, when identifying the poster for illegal posts on Twitter and others, the flow is as follows:

  1. Request the site administrator (Twitter Inc.) where the offender made the post to disclose the “IP address at the time of the illegal post” & “IP address at the time of login of the account”.
  2. Since the “IP address at the time of the illegal post” is not saved in the log in the first place, Twitter Inc. discloses only the “IP address at the time of login of the account“. If the IP address is known, the provider can be identified.
  3. Request the relevant provider to disclose the “address and name of the subscriber who was assigned the IP address at the date and time of login before and after the illegal post”.

The issue is whether the above 3 is permitted. Part 1 is a common story, so if it is a law firm with know-how, it is possible in the same way as usual reputation damage related lawsuits, and our firm has a track record like the following:

https://monolith.law/reputation/instagram-spoofing[ja]

“Person who logged in” ≒ “Person who posted”

The issue is whether the poster can be identified based on the IP address at the time of login.

Common sense would suggest that the:

  • Subscriber who was assigned the IP address at the date and time of login
  • Subscriber of the line at the time of the illegal tweet

are very likely to match. Services like Twitter require login to post, and normally, there is only one user using a certain account. However, the legal provision has a description like the above (*), and the issue is whether the log at the time of login, which is the problem, can be said to be a log “related to the infringement”.

And in fact, Twitter, Facebook, Instagram, as mentioned above, do not record the IP address log at the time of posting in the first place, so if it is said that “the log at the time of login cannot be said to be a log related to the infringement”, the disclosure of the address and name in the above 3 becomes impossible, and no matter what kind of illegal post is made, it becomes impossible to identify the offender.

Whether or not a court will allow the disclosure of names and addresses varies

Each court makes its own independent judgment

To state the conclusion at this point, regarding this issue, the Tokyo High Court and the Intellectual Property High Court (Japanese Intellectual Property High Court) have shown different (interpretable) judgments.

Generally speaking, in court, for example, there may be a situation where the Tokyo District Court and the Osaka District Court show different judgments on a certain issue. Since each judge independently examines a certain issue, it is possible for judgments to diverge. In such cases, as the case progresses to the second and third trials, the Supreme Court (Japanese Supreme Court) will eventually state its opinion, which becomes a “precedent”.

Courts generally follow the judgments of the courts directly above them. Therefore, for example, the Tokyo District Court follows the judgment of the Tokyo High Court, and all courts other than the Supreme Court follow the judgment of the Supreme Court, so the judgment of the Supreme Court effectively becomes a rule, a “precedent”, that all subsequent courts follow.

Handling of general cases and intellectual property-related cases

Intellectual property-related cases are handled by specialized departments and high courts.

To make matters more complicated, the courts in Tokyo, broadly speaking, have two major systems:

  • For general cases: Tokyo District Court (department handling general cases) → Tokyo High Court → Supreme Court
  • For intellectual property rights cases: Intellectual Property Department of the Tokyo District Court → Intellectual Property High Court → Supreme Court

General cases and intellectual property rights cases are handled by different high courts even up to the second trial. As a result of this,

Even within the same Tokyo courts, there are cases where the Tokyo High Court and the Intellectual Property High Court diverge in their judgments, and in such cases, even at the first trial, the department handling general cases and the Intellectual Property Department may also diverge in their judgments

This phenomenon can occur.

…The story is complicated, so the introduction inevitably became long, but regarding the issue of “IP address at login”, the Tokyo High Court and the Intellectual Property High Court have each made the following judgments.

Tokyo High Court Affirms Disclosure of Names and Addresses

The “Impersonation” Case of 2017 (Heisei 29)

The Tokyo High Court made the following judgment in a case involving so-called “impersonation” on Twitter, a case of infringement of the right to a name and the right to one’s likeness.

① The mechanism of Twitter involves logging into a set account (sending login information) and posting while logged in (sending infringement information) (the entire gist of the argument), and the sending of login information is essential for the sending of infringement information. ② Article 4, Paragraph 1 of the Japanese law does not specify “information on the sender of the infringement information,” but rather broadly stipulates “information on the sender related to the infringement of rights.” Therefore, not only the sender information that can be understood from the infringement information itself, but also the sender information that can be understood about the infringement information, can be disclosed. In light of this, even if the sender information is understood when the login information is sent, it can be considered as “information on the sender related to the infringement of rights” specified in Article 4, Paragraph 1 of the law.

Tokyo High Court, 2017 (Heisei 29) (Ne) No. 5572

It’s a bit complicated, but essentially,

  • Due to the mechanism of Twitter, you cannot post without logging in
  • The wording of the law does not necessarily limit it to “at the time of posting,” and “related to the infringement” is a somewhat broad provision

Therefore, even in cases where only the IP address at the time of login is disclosed, the provider should disclose the name and address, according to the judgment.

For a detailed explanation of why so-called “impersonation” can be considered illegal, please refer to the following article.

https://monolith.law/reputation/spoofing-dentityright[ja]

On the Possibility of a Discrepancy Between the Person Who Logged In and the Poster

Of course, in abstract terms, there is a possibility that the person who logged in and the person who posted may not be the same. Regarding this issue, the same judgment states,

The IP address, etc., held by the defendant is only a part of the IP address and timestamp when the account in question was logged in, and it is recognized that there are a considerable number of IP addresses and timestamps when the account in question was logged in, other than the IP address in question.
However, generally, it is not uncommon for the same person to continue logging into the same account for more than a year while being assigned IP addresses from multiple providers. And, as mentioned above, the mechanism of Twitter involves logging into a set account (sending login information) and posting while logged in (sending infringement information). Therefore, regardless of the temporal order, it can be recognized that the probability is high that the person who logged in and the person who posted are the same. On the other hand, there are no circumstances that would hinder the above-mentioned identity, such as the account in question being used by a corporation for business purposes, the account user being changed, etc., while the profile of the appellant himself, who was impersonated, etc., continued to be displayed on the top page, and the tweets were used as private.

Tokyo High Court, 2017 (Heisei 29) (Ne) No. 5572

To summarize,

  • Even if the account in question is logged in from various providers’ IP addresses, it is not uncommon for the same person to use multiple lines (e.g., home line, company line, smartphone line, hotel line at a travel destination, etc.)
  • There doesn’t seem to be any reason to think that the account is used for business by a corporation, or that the account user has changed, etc.

Therefore, the judgment is that disclosure should not be denied based on the above abstract possibilities.

The Intellectual Property High Court Denied the Disclosure of Names and Addresses

The Intellectual Property High Court has also made a judgment on a similar case.

The Case of Unauthorized Photo Posting in 2016 (Heisei 28)

In response to this, the Intellectual Property High Court made the following judgment in a case of unauthorized photo posting (copyright infringement) on Instagram:

Article 4, Paragraph 1 of the Provider Liability Limitation Act (abbreviated) stipulates that the “IP address related to the infringement information” in Ordinance No. 4 does not include those unrelated to the transmission of the infringement information, and the timestamp unrelated to the transmission of the infringement information does not fall under “the date and time when the infringement information was sent” in No. 7. It is appropriate to interpret it this way.

Intellectual Property High Court 2016 (Heisei 28) (Ne) 10101

In simple terms, “related to the infringement” means “at the time of the illegal post” if you read the text straightforwardly, and it is judged that it is not possible to allow the disclosure of names and addresses based on the IP address at the time of login.

Is the Conclusion of “Unable to Disclose Names and Addresses” Unfair?

However, in reality, if judged in this way, it would be concluded that it is impossible to disclose names and addresses in services that do not save the IP address log at the time of posting, namely Twitter, Facebook, and Instagram. The plaintiff made such an argument in this case, but the Intellectual Property High Court stated the following about this issue:

The (law) is a provision established to balance the rights and interests of the sender, such as privacy, freedom of expression, and secrecy of communication, with the interests of the victim, such as injunction and damage compensation. The Provider Liability Limitation Act recognizes the right to request the disclosure of sender information within its scope. And, (abbreviated) the latest login IP address and its timestamp are not included in the rights to request disclosure under the Provider Liability Limitation Act and the Ordinance. Even considering the provisions of the Constitution and their purposes as claimed by the appellant, it is not possible to interpret that the appellant has the right to request the disclosure of sender information not stipulated by law. Therefore, the appellant’s claim remains a legislative argument and is inappropriate.

Intellectual Property High Court 2016 (Heisei 28) (Ne) 10101

To summarize simply,

  • Those who post on Twitter, Facebook, Instagram, etc. have rights and interests such as privacy, freedom of expression, and secrecy of communication
  • Victims who have been infringed upon by such posts also have interests in damage recovery such as requesting deletion and damage compensation

Therefore, the right to request the disclosure of sender information under the Provider Liability Limitation Act was established to balance these, and regardless of the discussion of whether to change the law, it is not possible to interpret that disclosure should be allowed even by distorting the wording of the law.

Although it may be difficult to understand, even if the disclosure of names and addresses is not allowed, it is natural that copyright infringement is illegal. Therefore, it is possible to request deletion.

https://monolith.law/reputation/copyright-infringement-on-instagram[ja]

There is no Supreme Court decision, and recent cases have divided opinions

Regarding this issue, the Supreme Court has not yet made a decision. As mentioned above, the Tokyo High Court and the Intellectual Property High Court have made different (interpretable) decisions in the relatively recent years of Heisei 28 and 29 (2016 and 2017), resulting in divided opinions in the first instance since Heisei 30 (2018).

We will introduce recent case examples.

The case in Osaka in Heisei 30 (2018) recognizes disclosure

Generally, when companies and various organizations own Twitter accounts and post articles about their activities, it is easy to assume that multiple members of the organization or group will post from the same account, or that multiple people will log into the same account at the same time. However, it is difficult to recognize that the account in question is owned or used by any group or organization (from the account name or username). Also, considering the continuity of the content of the posts in question, it is hard to think that multiple people made these posts separately. There are no specific circumstances that suggest that multiple people were using the account in question to post together, or that multiple people were logging into the account at the same time.

Osaka District Court Heisei 30 (2018) (Wa) No. 1917

The Osaka District Court made the decision that “if it is an account that appears to be used by the same person, the disclosure of the name and address should be allowed even with the IP address at login.”

The Tokyo District Court Intellectual Property Division in Reiwa 2 (2020) does not recognize disclosure

The wording of the (law) is clearly aimed at the information of the infringer himself from its text and logic (omitted), and if the personal information such as the address and name related to the IP address of someone other than the person who made each post is disclosed, it would result in unjustly infringing on the secrecy of their communication and privacy. Considering this, it is difficult to immediately derive the above interpretation from the necessity to secure the possibility of the victim’s legitimate exercise of rights beyond the text and logic of the provision.

Tokyo District Court Reiwa 1 (2019) (Wa) No. 14446

The Intellectual Property Division of the Tokyo District Court, in a case of unauthorized posting of photos on Instagram (copyright infringement), did not make a judgment on whether it is an account that appears to be used by the same person, but prioritized the wording of the legal text.

At least in the courts of Tokyo,

  • The general civil divisions other than the Intellectual Property Division do not necessarily adhere to the wording of the law, and they make judgments while considering the possibility of allowing the disclosure of the name and address even with the IP address at login
  • The Intellectual Property Division prioritizes the wording of the law and considers not allowing the disclosure of the name and address in the case of the IP address at login

It can be said that there is such a tendency.

Summary

The state of being unidentifiable is clearly unfair

If this judgment continues, it can be said that there is a high possibility that services such as Twitter, Facebook, and Instagram, which do not hold logs of IP addresses at the time of posting and only save logs of IP addresses at the time of login, will not be able to receive disclosure of names and addresses in the Intellectual Property Division of the Tokyo District Court and the Intellectual Property High Court. Furthermore, the Supreme Court has not accepted any appeals on this issue, so it is unclear when we can seek the Supreme Court’s judgment.

It is clearly unfair to conclude that no matter how much copyright (or intellectual property rights) is infringed on Twitter, Facebook, and Instagram, the poster cannot be identified. This article does not intend to encourage copyright infringement on these sites, but as a law firm that handles many such cases, we must admit that there is currently no clear answer to how to identify the perpetrator of copyright (etc.) infringement on Twitter, Facebook, and Instagram.

Abstractly, there are the following possibilities:

Possibility of criminal proceedings

If you can receive disclosure of the login IP address, the provider is known, so it seems possible to sue for copyright infringement and have the police investigate the provider. The above-mentioned Japanese Provider Liability Limitation Act is intended to receive disclosure of names and addresses from providers by civil means, and the police can request log disclosure from providers with their investigative authority.

However, there are concerns about:

  • How seriously the Japanese police will investigate in cases of copyright infringement, etc.
  • Since it has been judged at the civil level that “it cannot be said that the person who logged in and the poster are the same”, there is a possibility that the same judgment will be made in criminal trials (as a result, the police may tend to avoid handling and investigating cases).

These concerns exist.

Possibility of legal amendment

The current Japanese Provider Liability Limitation Act is:

  • First of all, in principle, victims do not have the right to request disclosure of offender information under the Constitution or the Civil Code.
  • The Provider Liability Limitation Act is an exception to the above principle, and exceptionally allows disclosure in “certain cases”.

This law was created with the structure that the “certain case” is too narrow, which is the essence of the problem. Although legal amendment is the most fundamental solution, it is not easy in practice.

Managing Attorney: Toki Kawase

The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. Served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage Startups.

Return to Top