Saturday, December 23, 2006

Ms. Lindor Seeks Deposition and Documents from RIAA's "Expert"

The defendant in UMG v. Lindor has demanded a deposition and documents from the RIAA's "expert", Dr. Doug Jacobson:

December 22, 2006, Notice of Deposition of Plaintiff's Expert Witness Dr. Doug Jacobson and Request for Production of Documents*
Supplemental Request for Production of Documents to Dr. Doug Jacobson*

Dr. Jacobson has submitted two documents so far in the case:

April 12, 2006, Expert Witness Report of Dr. Doug Jacobson*
Douglas Jacobson Declaration in Support of Plaintiffs' Motion to Compel*

* Document published online at Internet Law & Regulation

Keywords: digital copyright online download upload peer to peer p2p file sharing filesharing music movies indie label freeculture creative commons pop/rock artists riaa independent mp3 cd favorite songs

6 comments:

Alter_Fritz said...

RAY, private tutoring for free again please!

"Please take notice that pursuant to Fed. R. Civ. P. 26 and 30, the defendant will
take the deposition of DR. DOUG JACOBSON,[...]
Please take further notice that pursuant to Fed. R. Civ. P. 26 and 34, the said
witness is required to[...]"

I'm to lazy to read the FRCP now, translating this in layman english is this move from the defendant equivalent as to saying "Dougie you better show up there as we say you do or else..."?

Ray Beckerman said...

He has to show up. Fed. R. Civ. P. 26 guarantees us the right to this.

Also, since it's now appearing that in addition to being their internet "expert" he's also their hard drive "expert", the Magistrate specifically ordered that we were entitled to take the deposition of the hard drive expert.

I guess Dr. Jacobson is very versatile. I would have thought their internet expert and their forensics expert were two different people. Now I am starting to think they are one and the same person.

Anonymous said...

Forgive the ignorant question, but a lot of what he says he will testify to seems to be that other people did or said things. I would have thought that, for example, testifying as to what Verizon said in response to a subpoena would be hearsay. Shouldn't Verizon's testimony stand or fall on its own rather than an internet "expert" testifying as to what Verizon said? Am I just hopelessly confused?

Ray Beckerman said...

Mara said..."Forgive the ignorant question, but a lot of what he says he will testify to seems to be that other people did or said things. I would have thought that, for example, testifying as to what Verizon said in response to a subpoena would be hearsay. Shouldn't Verizon's testimony stand or fall on its own rather than an internet "expert" testifying as to what Verizon said? Am I just hopelessly confused? "

It's not you that's ignorant and confused, mara....

Anonymous said...

Paragraph 5:
You mention information about IP address. What IP address(es) are you referring to and how were they attained? Could you please explain how a wireless router or other NAT ( Network Address Translation ) router work? Could you please explain how they hide the address assigned to an individual system and allow multiple systems to all appear to be using the same external route able IP address. Could you please explain how the NAT device takes IP address and port used by the computer and re-writes the IP address so that it matches the IP addresses assigned by the Internet Server Provider and how it takes data destine for the ISP assigned IP address and after consulting it's internal translation table re-writes the IP address and port and passes the data to the computer using the private IP address? Could you please explain how you made a determination that NAT was or was not being used?

Paragraph 6:
You stated in paragraph 5 that you do not believe a wireless router was used based on IP address and you state in this paragraph that you do not believe that this hard drive was used to share data as accused. You however make no determination or even mention of IP address, is this because there was no evidence of IP address on the harddrive? If there was no information about IP address assigned to the defendant's computer on the hard drive does that mean that all the evidence concerning IP address was based on data external to the defendant's location and if that is the case how would/did you make a determination that there was not a NAT device (as explained above) between the defendant's system and the monitoring. And if you can not rule out the possibility of a NAT device then how can/could you rule out the possibility that the NAT device allowed wireless access and the computer traffic that actually was observed was NATed by a wireless router and hence used the IP address assigned to the defendant by theft of service?

You further speculate that the computer showed little use during the time in question, could this also indicate that it would have been less likely that the defendant would have noticed that their internet connection was being stolen by someone else via a wireless connection?

paragraph 7:
As a computer security professional, do you teach about the importance of maintaining back ups of data? Would you not recommend that something as important as a resume be kept in multiple locations so that it does not get 'lost'? Additionally you indicate that the resume showed activity during the time in question, would that indicate that it was being maintained? And hence that the computer itself was in fact being used during the time in question, just not for the speculated purpose?

General:

You mentioned the data MediaSentry provided including screen shots. Could you tell please explain how your verified how you determined that the screen shots had not been altered? If I were to provide you with 5 copies of the screed shots after altering the copies using a graphics editing program, would you be able to determine which was the original and which were altered? If so, how? If you are relying on the source that provided you the data, could you please provide his or her contact information so that we can question them about the screen shots? (re-peat till you get to the person who actually made the screen shots)

Could you please tell us how MediaSentry works? Since it obviously interacts on the Internet could you please tell us what IP address it used during the time that it gathered this supposed data? Was it a passive observer and if so, how did it observe traffic from the defendant's machine? Could you please explain about network address (IP addresses) and the difference between directly connected hosts, local networks, and routed networks? Are the IP address used by MediaSentry and the IP address used by the defendant directly connected or on the same local network? If they are not, could you please explain how data traveled between them? As a security professional are you familiar with IP spoofing attacks and the general concept? Can you make a determination as to approximately how many different networks the data passed though between the defendant's system and MediaSentry? How secure are those networks? Is it true that any network device that handles IP traffic on any of those networks could easily both observe the IP traffic as well as modify it? Is this the same principle that a NAT router uses or a firewall or proxy server? Does MediaSentry work in a similar manner? If MediaSentry does not work as a passive observer, does it in fact make copies of and/or distribute copy righted material? If does make copies or distributes copy righted materials, does it have license to do so? If you are unable to tell us how MediaSentry works, how can you make any determination as to the data that it provides? Are you familiars with the computer expression "Garbage in, Garbage out?" Could you please explain it to us and explain how the data provided to us by MediaSentry is not in fact Garbage?

There is also an issue that while I don't know where this information is...there should be a location on the file system were the dhcp lease information is kept (at least the current lease), so the disk image should have information as the current IP address that it used. So, this should be available and may match the IP address from the ISP logs if there wasn't a NAT router... Either way... this information should be out in the open and that it wasn't referenced should be addressed.

Anonymous said...

Anon nailed a bunch of my issues. Screen shots != evidence. Also, there are number issues - in one place, it is "over 700'', elsewhere it is precisely 624. This may be immeterial.

Another angle I'm interested in is his explication of network technology. On what basis does he assert that there is no evidence that a wireless router was in place? Can he assert under oath that a toaster wasn't present? I'm rather baffled by the evidence he claims to have reviewed, and worry about chain of custody for them, but I assume that's covered. But logs? Even if he has DHCP logs pointing to a particular person, how does a jury know those records are not a sysadmin typing things? I run servers. I could fake logs (P2P, email, login, take your pick) if I wanted to. I have a sense of ethics, and consider being a sysadmin a priviledge, but put that aside. The legal system should no more deputize me (and elevate "evidence" I might provide) than it should plumbers who might see people smoking pot.