It’s been a vague threat for years, but in six weeks it’ll become a reality. On Nov. 28, at least one of the biggest Internet service providers (ISPs) in the U.S. will begin policing users who use peer-to-peer filesharing software, according to leaked documents obtained by Torrentfreak.

Under the heavily criticized Copyright Alerts System (CAS), users who are suspected of repeatedly pirating files will have to complete an “educational” course before visiting certain websites. Four other major ISPs have pledged to use the system—Comcast, Verizon, Time Warner, and Cablevision—and are supposed to debut it around the same time as AT&T, Jill Lesser, executive director of the CAS, told the Daily Dot.

She couldn’t give a firm date for the other ISPs—“not an attempt to obfuscate or not be transparent,” she said. “Locking in any dates from someone’s training material is just really impossible.” She continued, “Certainly you’ll see it before the end of the year.”

The CAS has been repeatedly delayed and has seemed erratic and disorganized at times. (Its official Twitter account hasn’t posted since July 18, and its website hasn’t been updated since April.) Also referred to as the “six strikes” system, the CAS will gradually dole out stronger and stronger punishments to customers accused of pirating copyrighted material. With the first offense, the ISP will just send out a warning email. By the fourth, they’ll require customers to complete an “educational course” before visiting certain websites. By the sixth offense, the copyright holder can take legal action against customers.

Is the CAS the same as France’s infamous “Three strikes” law, which can kick users off the Web ?

Many fear that the CAS could force ISPs to cut off users’ accounts entirely. That’s how it works in France, where a system called HADOPI, introduced in 2009, sends rapidly escalating warnings to alleged pirates. By the third “strike,” the government can completely shut down their Internet access. But Lesser stressed that the CAS has no mandatory instructions to cut off service. Besides, HADOPI is a national law, whereas CAS is a voluntary agreement between corporations.

The fact that ISPs won’t be forced to cut off users, however, doesn’t mean that they won’t. After an alleged pirate clearly isn’t responding to re-educational tools, the ISP steps back to let the copyright holder go to court against their customer. In the case of AT&T, for instance, “the content owner may pursue legal action against the customer, and may seek a court order requiring AT&T to turn over personal information to assist in the litigation.”

However, that’s nothing new. In fact, under current a U.S. law, 1998’s Digital Millenium Copyright Act (DMCA), ISPs are encouraged to cut off a pirate’s service to ensure that the copyright holder doesn’t sue the ISP instead. Perhaps because ISPs don’t want to lose customers, though, that rarely, if ever, happens.

How copyright-holding corporations shaped the CAS

Since it might be bad for business, why are ISPs doing this in the first place? While none of the five ISPs responded to the Daily Dot’s request for comment on this story, it’s important to note that under the DMCA, ISPs aren’t liable for users’ illegal filesharing activity as long as they have policies in place to deal with “repeat infringers.” In short, ISPs don’t want to invite lawsuits against them instead of their customers.

And copyright lobbyists have openly had a say in the development of the CAS. In fact, leaked documents from the Recording Industry Association of America (RIAA) indicate that cutting off repeat infringers was a priority for the music industry, and disagreements between industry groups and the ISPs may have been what delayed the CAS.

The RIAA, which relentlessly cracks down on music piracy worldwide, is a particular villain for many Internet activists. It occasionally takes legal action to wreck individuals who pirate songs, like Joel Tenenbaum, whom the RIAA was successfully sued for $675,000 because he downloaded 30 songs. The group’s lobbying was also a driving force behind the notorious Stop Online Piracy Act (SOPA), a bill many feared would “break the Internet,” even though the RIAA privately admitted SOPA was “not likely to have been an effective tool for music.”

Liability: How the CAS is going to affect you

A fundamentally important aspect of the CAS is how it defines liability. Regardless of who actually infringes copyright, it’s the person who pays the bill on a given Internet connection who gets punished. “Customers are responsible for how their High-Speed Internet connection is used, even if they did not personally download any content themselves,” the leaked AT&T document says.

The CAS and HADOPI treat liability the same way. The French system issued its first penalty in September, fining a man €150 ($193 USD) for downloading Rihanna songs. Though he testified that his estranged wife did all the downloading using his Internet connection, the court said that was technically a confession. Because his name was on the bill, he was responsible for all content on that account.

The method that systems like CAS and HADOPI use to find pirates in the first place, though, is both simple and problematic. All computers are identified by their Internet protocol (IP) addresses, which are easy to fake or misread. Someone who leaves her wireless router unprotected, for instance, might be inviting neighboring pirates to infringe using her account.

Anyone who uploads files using peer-to-peer filesharing software makes their IP address visible to downloaders. So copyright holders hire third parties to hunt for people who are uploading their content, and in turn pass that information to ISPs, who issue a warning to the account holder.

There are plenty of ways the process can fail, though. Those third-party pirate hunters could be wrong. Customers can challenge an alert, but it costs them $35 to do so (the money is refunded if the customer is proven right). That might not satisfy skeptics, though: Under the DMCA, copyright holders frequently issue takedown notices to sites like YouTube, and those sites often get the appeals process wrong. And if someone cracks your wireless password and starts pirating from your connection, tough cookies. The CAS says the account holder is nevertheless responsible, even though one U.S. judge has already ruled that IP addresses can’t be used to identify individuals in court.

On the other hand, users can simply fake an IP address, a relatively easy practice which, if widely adopted, would probably render the CAS moot.

Photo via Wikimedia Commons