Friday, November 14, 2008

Duke University tells RIAA that it will no longer forward pre-litigation 'settlement letters' if RIAA can't show evidence of actual transfers of files

According to a report in p2pnet.net, Duke University has told the RIAA that it will no longer forward the RIAA's 'early settlement' letters to its students unless the RIAA submits 'evidence that someone actually downloaded from that student', and said that 'if the RIAA can’t prove that actual illegal behavior occurred, then we’re not going to comply':

Duke University to RIAA: put up or shut up

p2pnet news view | RIAA News:- Duke University has joined the growing list of schools balking at following Vivendi Universal, EMI, Warner Music and Sony BMG’s RIAA sue ‘em all instructions.

Put up or shut up, Duke University for VP for student affairs Larry Moneta ... has told Vivendi Universal, EMI, Warner Music and Sony BMG’s RIAA, in effect.

And the same goes for Hollywood’s MPAA.

Duke will now require agencies like the aforementioned entertainment cartel enforcement organisations, “to provide evidence of copyright infringement before forwarding pre-litigation notices to students,” says the school’s Duke Chronicle.
Complete article.

[Ed. note. While it is good news that a university is requiring the RIAA to put up or shut up, the forwarding -- or not forwarding -- of letters is pretty insignificant. What I want to know is this: 'When the RIAA comes knocking with its Star Chamber, ex parte, 'John Doe' litigation to get the students' identities, is the University going to go to bat for the students and fight the litigation on the ground that it's based on zero evidence, and on the ground that the students weren't given prior notice and an opportunity to be heard?'. -R.B.]

Commentary & discussion:

Slashdot
Slyck
Duke Chronicle (11/20/08 Followup)





Keywords: lawyer digital copyright law online internet law legal download upload peer to peer p2p file sharing filesharing music movies indie independent label freeculture creative commons pop/rock artists riaa independent mp3 cd favorite songs intellectual property portable music player

16 comments:

Anonymous said...

If Duke really wants to end the whole affair, it can simply assign IPs dynamically and not keep logs of who has what IP. Any college that places a strong value on free speech would want to do something like this anyway. -yt

Anonymous said...

This man is left to ponder what constitutes actual "evidence"?

The statement that our unlicensed investigator MediaSentry downloaded infringing material from this IP address at this time should hardly be compelling. For starters, it isn't even illegal for MediaSentry to perform these downloads since they're being paid to do exactly that by the copyright holders through the RIAA.

Providing of an alleged downloaded MP3 audio file is hardly evidence either. Who knows where it came from, or if it qualifies as an infringing work.

A complete capture of all download packets along with the MP3 file is also far less than absolute proof. Who knows how the packets were captured, if they were altered, if the times are correct, and how well the unknown packet-capture software actually works.

Of course this all goes back to MediaSentry once more who don't qualify as illegal downloads in the first place.

This man sees MediaSentry as a bunch of goofs and scam artists selling The Emperor's New Clothes (a work out of copyright) to their ignorant masters. Of course they don't ever want their methods investigated, or their personnel deposed. The RIAA isn't nearly as technically savvy as they pretend - Carlos L. included. They don't understand that they're paying big bucks for a few free downloaded files and some monkey smart enough to hit the Print Screen key on occasion. The reason that the evidence never shows up is that it never properly exists. This is why hard drive forensic examinations are required because there is no admissible "evidence" otherwise. Even with that examination all it can actually "prove" is that, at most, some music files are on a hard drive and that filesharing software with a given user name now exists. Actual distribution has to be invented.

Has Duke, like other universities, been given IP addresses and timestamps that are clearly bogus insomuch as they don't map to any user on the system at the time specified? If so then Duke should question *every* IP address that does actually map to some user since that could be equally wrong.

So this man calls the question: What evidence would actually be sufficient?

Anonymous above has it correct. Don't keep logs that you're not required to keep.

{The Common Man Speaking}

Matt Fitzpatrick said...

Duke gets what the courts often don't when approving the RIAA's ex parte applications. When the RIAA demands action on the basis of downloads performed by their authorized agent, Duke realizes those downloads are not evidence of infringement. The "making available" theory no longer flies at Duke.

The real question, now, is how far Duke will press that point when the ex parte subpoenas start coming in.

Anonymous said...

The Common Man Speaking: You claim the RIAA doesn't know how MediaSentry actually works. What evidence do you have that (a) MediaSentry, (b) the RIAA attorneys, and (c) the record companies don't know what's going on here?

I think the RIAA knows what's going on but believes current legal efforts advance its goals by creating disincentive for P2P use. That the numbers belie this claim is irrelevant, because they see no better option.

XYZZY

Anonymous said...

#1 Anonymous and Common Man Speaking, while not keeping these logs sound like an easy solution it would not work. These types of logs are stored so that the various IT personal can have an understanding of what is going on with the network. We have many things to deal with besides copyright issues. Performance, security, viruses are daily issues for us and the ability to link an MAC or IP back to a PC or user is apart of that. Our networks are too large and we have too many computers connected to it that we do not control, to monitor everything in real time. Logging is unfortunately a necessity for us. We also do not keep the logs for any longer than we realistically need too. When you are dealing with the size SAN arrays (drive storage) we are dealing with, drive space is actually expensive and a premium.

What the RIAA needs to understand is we never intended for these logs to be used in a court of law. We do not have redundant logging system that hash checks the logs or encrypt them to verify integrity; we also do not log a lot of systems in real time but in snap shots. Many of our logs are not cross referenced to look for discrepancies. Depending on the structure of the institution, you may have several different departments involved with various standards.

Unfortunately, from my perspective, the solution is for us [Universities] to stop acting like ISP and providing students with internet access, but instead to just provide the infrastructure so that they can get their internet service from who ever they please. Another option is to separate the students off our main network and setup an external separate company from our selves to deal with these issues. Acting like an ISP just puts us in too many really bad positions.

Also everyone should keep in mind that Universalities receive two different types of notices from the RIAA. The first and most common is the stock DMCA notice, which the RIAA has admitted is a totally automated system prone to errors. The second is the subpoena. Most universities treat the DMCA notices as a disciplinary issue (i.e. Loss of network access for a period of time, required to attend a class on copyrights, etc), but typically never actually investigate if a copyright volition had actually occurred. I am pretty sure it is these types of notices Duke is talking about. Basically they are going to stop punishing their students just because the RIAA says they did it. When it comes to the subpoena, we only have two chooses. Give them the information or file a motion to quash. Once the student is sued, it is out of are hands and there is typically no disciplinary actions or judgment of the validity on our part.

Anonymous said...

Re "while not keeping these logs sound like an easy solution it would not work":

The problem for innocent defendants in these cases (and others) is that universities retain enough data to (inaccurately) answer the one dangerous question: "Who was using IP address ~ on date and time ~?"

You claim it's necessary for universities to retain this information, but when last checked many universities don't (or don't much of the time or don't for very long). The question is, how important is anonymous internet use compared with IT staff desires.

-yt

Anonymous said...

XYZZY (PLUGH to you),

The RIAA doesn't know what's going on because:

1: The declaration of one Carlos Linares is fraught with the kind of errors of somebody who heard something secondhand that he didn't fully understand when he tried to explain it to the court.

2: If the RIAA knew what MediaSentry was actually doing they'd realize that they could do it themselves saving a heap of money and a heap of trouble by no longer employing an unlicensed investigator.

Anonymous #5,

1: Do you really need to keep your logs longer than 48 or 72 hours to accomplish your stated needs of maintaining your network? Truly?

2: The RIAA doesn't truly care how accurate your information actually is. As has been demonstrated time and again they just want a name – any name – to extort. Even when computers they've insisted were the ones involved in the illegal acts proved completely clean to detailed forensic examinations, they concoct wild theories about file sharing programs installed on never seen external drives that left no traces on the main disc or registry. Or that there has been unproven spoliation of the evidence because it had to be there, and wasn't found. And when a dorm room contains multiple inhabitants, it's give us a name, any name, and we'll take it from there. Their flimsy evidence never has to stand up an any court of law since the cases never get that far, and you are the first cog in the chain that allows them to commit this damage on tens of thousands of people by admitting that you have any discoverable logs at all.

Maybe when students start suing their universities for improperly identifying them to the RIAA due to faulty logs and investigative procedures those universities will finally start feeling enough pain to stop these subpoenas where they should be stopped.


{The Common Man Speaking}

Anonymous said...

(*The problem for innocent defendants in these cases (and others) is that universities retain enough data to (inaccurately) answer the one dangerous question: "Who was using IP address ~ on date and time ~?" *)

As I said in previous post, we have reasons for it and how long (not all of which are determined by IT, some of it is legal, polices set from above, etc). It is not just us wanting to log and monitor stuff, just to do it.

Can we actually say who was using the IP? No the most we can say is this computer or this username was using it. The only way to actually know is to physically witness the person sitting at the computer. I would love to be called to the stand and say that in a court of law and I hope one day someone gets a chance.

(* You claim it's necessary for universities to retain this information, but when last checked many universities don't (or don't much of the time or don't for very long). *)

Actually that is precisely what I claimed in my post, that we don’t store much of it and typically not for very long. The question of not have it really comes down to the University not having a full picture of what information is where and what can be linked with what, something which is quite common in our dysfunctional world.

(* The question is, how important is anonymous internet use compared with IT staff desires. *)

The very nature of how computer networks work prevents true anonymous network usage, plus we do not have just Internet usage on our network (hence the problem). Network traffic is just network traffic until it hits our edge router and out onto the Internet. If we where to take the internet out of the picture (or as I suggested in my post, physically separate it) would you still feel that we should be giving people unfiltered anonymous accesses to everything on the private network?

Anonymous said...

(*1: Do you really need to keep your logs longer than 48 or 72 hours to accomplish your stated needs of maintaining your network? Truly? *)

It depends on the system in question and what requirements it has. Access to student records and financial information is typically stored for 7+ years and if a student accesses one of these systems, that alone can be enough for us to tag an IP back to a username during a certain period of time. Others are often compliance issues, that while the law may not spell out that we have to log something; it does require us to be able to prove we are in compliance, which in turns leads to us to logging stuff. The DMCA safe harbor provision is one such case. The issue is not just what is in our routers, DHCP server etc. It is the fact that everywhere you go on our network has the possibility of leaving a foot print or crumb.

(*Maybe when students start suing their universities for improperly identifying them to the RIAA due to faulty logs and investigative procedures those universities will finally start feeling enough pain to stop these subpoenas where they should be stopped. *)

I actually suggest something like that on this blog. Thanks to the courts declaring MAC addresses as directory information according to the letter of the law, we are failing to disclose that to students as a part of FERPA. If enough Universities get sued, maybe congress will change a lot of the crappy laws. There is/was actually a law floating around congress to shift even more of the burden of investigating and controlling P2P onto the Universities, which is only going to make matters worse. Not sure what its current status of it is.

Anonymous #5

Anonymous said...

Anonymous No-Handle Given:

The very nature of how computer networks work prevents true anonymous network usage, plus we do not have just Internet usage on our network (hence the problem). Network traffic is just network traffic until it hits our edge router and out onto the Internet. If we where to take the internet out of the picture (or as I suggested in my post, physically separate it) would you still feel that we should be giving people unfiltered anonymous accesses to everything on the private network?

Okay, I'm sitting in my dorm room with 253 of my closest buds. We've all got computers and we all want to connect with each other so I've got a little Linksys NATting wireless router plugged into the wall network connection with a MAC impersonation address that doesn't correspond to any of the MAC addresses on any our computers. I also have a lot of hubs, and a bunch of us are wireless. One of us is detected making files available by MediaSentry.

To this man, we may not be anonymous to each other but we're sure anonymous to you out at your office in the campus data center on the other side of the campus.

You can't even pin us down to 254 individual students or 254 MAC addresses (which can be all changed the next day). You only know (maybe) that this dorm room was tracked back to by a supplied IP address and timestamp and might be able to give the RIAA the MAC address of the Linksys.

The Big Question: Who is the actual file-making-available-er?

{The Common Man Speaking}

Anonymous said...

Let me answer for anonymous no-handle given:

THEY CAN'T

-Another anonymous

Anonymous said...

In every case no in some cases yes, for example if the student in question happens to run remote helpdesk request software, then their local IP, MAC address, the port that the NAT device is plugged into, among other things helpful to help desk staff are put into the help ticket. If we are subpoenaed, that information is fair game to the RIAA. Also it is possible to detect most SOHO NAT devices because they have such poor implementations. That does not mean we can see past them, but we can see they are there and take action against them.

Most students, who are running a P2P application, do not run it alone. They start it up and while they are downloading are doing other things on their computer. These things may end up leaving a trace.

University, while they have always provided Internet service to their students it has only been recently that we have begun to think about our selves as ISP. Partly thanks to the RIAA. In the past student PCs have been treated as just another computer on the Enterprise network. An ISP network is setup totally different from Enterprise networks, and in some cases uses totally different equipment than we do. There are many things we do on an Enterprise network that an ISP would never think about doing, for example deep packet inspection for viruses (well excluding Comcast). ISP don’t worry about viruses as much as we do because your connection is isolated, unlike that in most dorms, where you are plugged into a switch and can see and talk to every other computer on the same subnet. If your PC gets infected you can spread it to everyone else, which is one of the reasons we want to have the ability to contact you.

There is one University I am aware of that makes you run a client application to connect to the network. It forwards all kinds of things about your computer onto them. Its job is to make sure you have all your security patches in place; virus scanner is up to date. You have a firewall etc. Since none of this information is consider an educational record, it is fair game for the RIAA. People should also be worried about FOIA.

Something else to consider for any students we may have reading this blog. Remember that some (NOT ALL) Universities are run by professors who have worked their way up to very powerful policy making positions. These people often have patents and copyrights that they make money off of and feel very strongly about and support the RIAA. Ray, you may want to consider adding a part to your website to list those schools who are at least trying to fight back.


Anonymous #5

Anonymous said...

Anonymous #5:

If you're actually investigating a lot of log files on different servers, it sounds like (a) the subpoena is an undue burden, and (b) you now know what logs are a threat to student privacy and can act accordingly. To start with, tell your students what information you log, and for how long.

I don't know what you mean by referencing FOIA. Perhaps you can explain?

Remember that the university is selling a service to its students. If you as an IT department roll over on your students, you are lowering the quality of your university. In that case, some students will not come, leave, or never give back to the university later. And rightly so. I imagine you already have this in mind, though. :)

-yt

Anonymous said...

The subpoenas are unduly burdensome. Of course the RIAA feels we should just have this information at the touch of our fingers, and some schools have actually done that to ease the situation, other still have to mount this expatiation, since the subpoenas requests we look everywhere. Thus far the courts have been deaf to our situation.

As for trying to inform and educated students, it is an active and ongoing issue and I know a lot of schools now include a lot of this information during orientation. There is also a lot of discussion going, not just inside institutions but among institutions about what to do. Opinions very all over the place (some in favor of the students and others not), one place that will help is just getting the students involved and have them demand to know. Also as you have suggested, hit us where it counts, our pocket books and let us know why.

FOIA is Freedom of Information Act. While most people think of it as a federal law, most states also have such a law. The key to it is, one knowing the information exists and two knowing how to ask for it. There is a lot of information out there that many people just assume is confidential but can in fact be requested. Information may be protected under various laws (FERPA, HIPPA, etc) when they are in filling cabinet A, but that same information is not protected when it is in cabinet B.

Anonymous said...

Anonymous #5: Do you have any evidence that the RIAA has obtained personal student information for the sake of lawsuits through FOIA requests? -yt

Anonymous said...

No, was more of a general statement that people should be aware of it.