Monday, July 02, 2007

Groklaw and Slashdot Communities Help Again: This Time to Analyze Carlos Linares Declaration

We have asked the Groklaw and Slashdot communities to give us their opinions of the technical validity of the Carlos Linares declaration the RIAA is using:

Published in Groklaw:

A Lawyer Would Like to Pick Your Brain Once Again
Monday, July 02 2007 @ 04:51 PM EDT

Ray Beckerman of The Recording Industry vs. The People would like to ask you to look at a declaration that the RIAA has filed with the court in the case of Arista v. The Does -- the Does are college kids in Boston. Is what this declaration tells the court technically valid? Here's his request:

Is RIAA's Linares Affidavit Technically Valid?

In support of its ex parte, "John Doe", discovery applications against college students, the RIAA has been using a declaration by its "Anti-Piracy" Vice President Carlos Linares" (pdf) to show the Judge that it has a good copyright infringement case against the "John Does". A Boston University student has challenged the validity of Mr. Linares's declaration, and the RIAA is fighting back. Would appreciate the Groklaw community's take on the validity of Mr. Linares's "science".

So, have at it, if you wish to lend a hand and this is an area you are qualified to analyze.

Go here to see responses.
Here is the Slashdot article and responses.

Additional commentary & discussion:

Keywords: digital copyright online download upload peer to peer p2p file sharing filesharing music movies indie label freeculture creative commons pop/rock artists riaa independent mp3 cd favorite songs


DreadWingKnight said...

I believed I mentioned RFC1918 a few times before. Private address space is capable of MASSIVE replication around the globe.

I also mentioned that MIT has more public address space than all of China.

I am able (and willing) to demonstrate the "IP address does not identify an individual" point (My demonstration would work best with an internet-based videoconference with multiple people at each end).

AMD FanBoi said...

Paragraph 5: Clearly he admits that the Internet has substantial, if not overwhelming, non-infringing uses. Also, if a digital file is copied in its, there is no-degradation in sound quality. His comment of "without significant degradation" is not accurate, and he should be held to account to specify just what degradation might occur. While this lack of degradation might strengthen his case, it certainly weakens his credentials as an expert.

Paragraph 6: How does he know that P2P is the source of "Much of the unlawful distribution...", as compared to other methods of trading files and CDs, bootleg sales by authentic pirates at swap meets/flea markets etc.? This sounds like a blowhard attempt to make the this "biggest villain" of the moment. Perhaps at other times other methods of distribution will be his biggest villains. One should always challenge vague conclusions like this one. Also, is "copyright piracy" a legally defined term, as opposed to filesharing or file copying?

Paragraph 9: Why can't the scope of online piracy (his definition) be underestimated? It certainly appears to be overestimated at times. Also, this seems to reiterate the old saw that attempts to equate every file download with a lost sale. This is clearly not true, yet seldom goes challenged.

Paragraph 10: Equates making available with infringement. This, I believe, is also shown not to be true. Actual infringement would involve copying files between one computer and another, and this is something Plaintiffs clearly CANNOT do, despite the claim that they are observing this infringement occurring on the Internet. The only copying of files that Plaintiffs can observe are those to and from their own computers, and under copyright law that does not constitute infringement. All they can know about other users is the number of uploads that user might be providing. Not the file names being uploaded.

Paragraph 11: Nobody knows exactly what MediaSentry is doing, except MediaSentry themselves. Are they using the actual, buggy, ad-ware/spy-ware ridden programs most often out there, or their own hacked or homebrew solutions? So say that MediaSentry only does what any P2P user does, and by implication, uses the same software in the process of doing so, is yet to be demonstrated.

Paragraph 12: IP addresses do not necessarily identify a specific computer, and cannot at all identify who is sitting at that computer. They are not unique (many computers behind a single NAT-ing – Network Address Translation – router will all have the same external IP address), and don't prove what computer you are actually talking to, since you may be connected to a proxy computer, rather than the final source or recipient of any data packets. Two computers can most definitely have the same IP address on the Internet at large, so it's an outright inaccuracy to have claimed otherwise here. And NAT-ing is very common, not rare at all.

Paragraph 13: Again is the claim that MediaSentry operates "just as any other user on the same P2P networks". This is not yet proven at all. Nor is it proven that the MediaSentry computers might not be contaminated, as many computers have been, by malware during the course of their investigations. They should be required to provide a hard drive image of the drive used in their investigation, said image taken AT THE ACTUAL TIME that the evidence was gathered, to so that said evidence exists, and isn't subject to contamination from computer worms, viruses, Trojans, and other malware. Any "evidence" without this image to back it up should be considered highly suspect.

Paragraph 14: Who has seen these downloaded files so far, except for MediaSentry? Do we even know that they match that the file listing says they should be (length, type, meta data, actual contents)? Also, for any non-downloaded files, are you claiming that they are also exactly what their titles claim? What about fakes that your, yourself, as the RIAA have hired companies to spread as widely as possible. Is downloading and/or sharing a fake or intentionally damaged music file also actionable infringement?

Paragraph 15: You provide the oversight of MediaSentry and attest to the veracity of the file name list provided. What are your computer forensic related credentials? Were you present when the data was collected?

Paragraph 16: How can you identify the "computer" from which the infringement came by an IP address, with, or without, date, from just an IP address? Answer: YOU CAN'T! You can no more identify a specific computer plugged into the Internet at a specific IP address than, to use your telephone analogy, knowing which model of telephone is plugged into a telephone line. Over the course of even minutes, many different telephone handsets – or computers – might be plugged into the same line, and you won't know which one it is. This inaccurate talk on your part either shows your ignorance of what you're talking about, or your belief that no one else realizes what you're saying is simply wrong. Nor does knowing the account holder's name tell you who actually controls a computer. And we're not even talking about unsecured – as the majority are – wifi access points that anyone can log into with a wifi enabled computer and send and receive data on the same IP address.

Paragraph 17: You should not be joining unrelated Doe defendants in your subpoena process.

Paragraph 18: By this admission, they only "distributed" these particular files to you, which is legal. There is no indication or evidence that these files were ever downloaded to any other person. In fact, it's likely that many files on P2P networks are not ever downloaded by other users, but are simply file names in a shared directory. Also, you claim here that the files were offered for distribution by each "Defendant". WRONG! You have tried to identify the account holder, which may or may not have been accurately done by the ISP, but that does not get you to whatever person is actually owning and operating the computer offering up the files in question. ONE OF THE GREAT WEAKNESSES of all your cases is your attempt to claim that the account holder is the one doing the file sharing. And if they're not, to scare them in to telling you who it must be. You too often sue the wrong person, and attempt to put them under duress to make them incriminate someone else. THIS SHOULD NOT BE THE PURPUSE OR PROPER USE OF THE LEGAL SYSTEM!
Paragraph 19: You have recently sued students with as few as 100 files allegedly shared.

Paragraph 20: Why? Is this your justification on why this must all be ex parte, and not contested at the point where your case is the most fragile of all?

Paragraph 22: Are you willing to admit that the sources of these not yet publicly distributed works are most often industry insiders?

Paragraph 23: Must discovery be expedited – rushed by with no chance to contest – in order to discover your victims – er, Defendants? Maybe it does need to be, before critical eyes can examine your "evidence".

Paragraph 24: And this has happened how often so far? Or are you only being theoretical here? You're very short on actual facts, Mr. Carlos Linares.

The RIAA is suing an IP address. IP addresses don’t file share. They are then trying to attach that IP address to an account owner, and claim that the account owner is the actual filesharer, and that it's all being done on a specific computer that they can identify without error. This simply does not follow, as a growing number of case dismissals will attest to, and no amount of smooth words on the part of Mr. Linares will ever make it true.

Virtualchoirboy said...

I didn't want this to get lost in the flood of comments at Groklaw, so decided to post here. I think it comes back again to point #12 making some rather flawed assumptions:

12. Users of P2P networks who distribute files over a network can be identified by using Internet Protocol {"IP") addresses because the unique IP address of the computer offering the files for distribution can be captured by another user during a search or a file transfer. Users of P2P networks can be identified by their IP addresses because each computer or network device (such as a router) that connects to a P2P network must have a unique IP address within the Internet to deliver files from one computer or network device to another. Two computers cannot effectively function if they are connected to the Internet with the same IP address at the same time. This is analogous to the telephone system where each location has a unique number. For example, in a particular home, there may be three or four different telephones, but only one call can be placed at a time to or from that home. Each computer or network device is connected to a network that is administered by an organization like a business, ISP, college, or university. Each network, in turn, is analogous to an area code. The network provider maintains a log of IP address allocations. An IP address can be associated with an organization like an ISP, business, college or university, and that organization can identify the P2P network user associated with the specified IP address.

A specific user CANNOT be identified, only a specific machine. To use their own example from within this point:

This is analogous to the telephone system where each location has a unique number. For example, in a particular home, there may be three or four different telephones, but only one call can be placed at a time to or from that home.

Given that a single phone number could be connected to a single residence, if there were 10 people living in that residence, how do you identify the actual person making the call with only the phone number? To clarify, assume that the "investigator" on the receiving end cannot hear the conversation, but can only see the Caller ID number. How do we use this Caller ID to specifically identify the one out of ten people using the phone at that moment? How do we know it is not a friend that is visiting? How do we know it is not a stranded motorist who stopped in to call for help? The assumption that an identification of a particular connection conclusively points to a specific person is flawed at best.

Unknown said...

Hi, Ray!

"...Users of P2P networks can be identified by their IP addresses..."

IP addresses do not identify users, they identify computers.

"Two computers cannot effectively function if they are connected to the Internet with the same IP address at the same time."

... Sigh ... I've got (counting off my fingers) four computers all connected to the Internet, right now, on one IP address. The first one is downloading Fedora ISO, off Bittorrent. The second one I'm using to post this message. The third one is actually an Internet-enabled Nintendo Wii, that's downloading the local weather and news, and the fourth one is another server, running MythTV and downloading my local TV listings.

The rest of the affidavit is heavily predicated on this assumption that IP address=user, which is not true. Furthermore, the affidavit fails to mentions the well-known issues concerning hacked/hijacked PCs, used to distribute copyrighted material without the owner's knowledge.

The affidavit also acknowledges that they do not verify every file for infringing content, just a "representative sample". I'm reminded of a well-publicized incident, several years ago, of a university receiving a takedown notice from Microsoft, concerning a file named "OpenOffice.tar.gz", which Microsoft claimed was pirated MS-Office.

Alter_Fritz said...

and I thought it was month ago already established that IPaddress does not equal one specific computer and even more it does NOT equal one specific person.
amd fanboi pointed a few weeks ago out that even cartoonists understand this point by now.
so why not this RIAA lawyer! Perjury anyone?!

AMDs link gone in the meantime. Here in color the source I guess:

asldkj said...

I am truly at a loss in regard to the way judges handle these cases.

How can a judge allow a plaintiff to assert some of the claims without evidence?

Moreover, when a defendant does ask for substantiating evidence to support a claim, the RIAA fires another salvo.

Do judges not "get" what is happening, or are they to inept to do anything about it?