Wednesday, August 08, 2007

Experts Challenge RIAA Claims in Boston, on Behalf of Boston University Student

Two expert witnesses, one being the Chairman of Boston University's Computer Science Department, have submitted declarations supporting the reply papers of Boston University students who have moved to vacate the RIAA's ex parte discovery order in Arista v. Does 1-21. These declarations attack the underpinnings of the RIAA case set out in the declaration of Carlos Linares.

These declarations were referred to in Arista v. Does 1-11, in which several Oklahoma State University students have attacked the Oklahoma order permitting the RIAA to subpoena their names and addresses from the university.

These filings come on the heels of rulings in New Mexico and Virginia denying the RIAA's ex parte discovery motions.

Reply Memorandum in Support of Motion to Vacate and Quash*
Reply Declaration of Jesse Robert Stengel*
Reply Declaration of Prof. Azer Bestavros*

* Document published online at Internet Law & Regulation

Commentary & discussion:

Keywords: digital copyright online law legal download upload peer to peer p2p file sharing filesharing music movies indie independent label freeculture creative commons pop/rock artists riaa independent mp3 cd favorite songs


Chris said...

Well, it won't matter whether the copies were legally or illegally obtained by the defendants; the question is whether the defendants were distributing copies (which we cannot answer on the evidence presented) and whether the defendants had an agreement with the copyright holders to distribute (which presumably they don't).

Now, whether the copyright laws are just, that's completely a different question. I think they were paid for by the RIAA members, which makes them a little one-sided.

Reluctant Raconteur said...

What is the value of probability. Civil doesn't need to meet beyond reasonable doubt.

These IP defenses are based on the fact that there MAY be alternative end points for a particular IP. But the probability is that a particular IP IS associated with a single end point and that end point is the possession of someone.
This defense introduces reasonable doubt but is that a sufficient standard to prevail?

AMD FanBoi said...
This comment has been removed by the author.
Alter_Fritz said...

"Chris", you must be new here! ;-)

"the question is whether the defendants were illegaly distributing copies to the general public (which the plaintiffs have not answered with the evidence presented)" [Corrected your statement for you]

And that is something that the plaintiff have not proven in any way to count as a prima facie claim for copyrightinfringement.
All plaintiffs have proven (if we believe their evidence to be genuine) is that their investigators were able -with methodologies they keep as secret even before the inspecting eyes of judges- to hack their way into computers that were oviously not good enough secured against certain outside intruders.
But being a student and having legally obtained soundfiles on ones computer harddisk isn't a violation against copyrightlaw, and that plaintiffs agents with their secret methodologies can access those files isn't copyrightinfringement by the student after all.

But to be more correct what the purpose of these expert declarations was;
As I read them, their purpose was to show among other things that Mr. Linares was lying in his declaration under penalty of perjury when he claimed that RIAA listens (not he himself(!) so furthermore to the fact that most of his declaration is factual incorrect, it is even just irrelevant hearsay from so far nonidentified Does identified by him only as "RIAA") to digital soundfiles and can then identify them as illegal copies just by listening tio them.

If I would play devils (aka RIAA's) advocate here

-and would point out, as defense against this accusation that Mr. L. is a lyer, that he was just a bit sloppy in this declaration and that he meant that the files of course not being identifed as illegal just by listening to them, but that he meant they identify them as illegal by listening AND in connection with the "metadata" (p 14 in his declaration)-

I would fail miserably since this meatadata is not something unique for illegal copies since this metadata is in one part perfectly identical in every tens of thousands of plaintiffs store sold CDs due to the nature in which the sound is stored on them and in the other part can be downloaded legally from public databases which makes the metadata identical for each and every single legal copy of a students own CD if student chooses to use such databases to apply the metadata to his legally owned files. All this data can not be used to track the movement of the files through the internet and can not be used to identiy a given copy of a soundfile as illegal copy.

Beforementioned non-uniqueness of metadata and its inability to use it to determine the legal status of soundfiles was pointed out already in other cases by real experts that know more about the subject then me, so thanks that I just played RIAA's advocate in this little mind excercise without actually being it and that it is not my duty to defend this clearly not the accurate truth telling Mr. Carlos Linares.

Unknown said...

alter_fritz wrote:

All plaintiffs have proven (if we believe their evidence to be genuine) is that their investigators were able -with methodologies they keep as secret even before the inspecting eyes of judges- to hack their way into computers that were oviously not good enough secured against certain outside intruders.

Perhaps I've misunderstood your argument, but as I read it, your comment amounts to nothing more than handwaving and fails completely to counter the (well-taken) point that Chris makes.

From a high-level view, the essence of the RIAA's argument here is this:

1) We found a computer at the IP address xxx.yyy.zzz.www that was running a peer-to-peer application (or had a publicly accessible area via an FTP server, etc.);

2) From this computer, we downloaded one or more tracks that we were able to conclusively identify as copyright-protected works to which we hold the copyrights;

3) The owner of the computer we accessed does not have our permission to make these works publicly available in this manner. We assert that "making publicly available" is legally equivalent to "distributing," and that therefore this person has engaged in copyright infringement; and

4) We are trying to prove that the IP address mentioned in statement (1) is uniquely and unambiguously related to a particular individual.

As I read it, Prof. Bestavros' declaration simply says that it is not possible to distinguish a track someone ripped from a legally-purchased CD and then made publicly available (via P2P, FTP, etc.) from the same track, downloaded from someone else's computer (again via P2P, FTP, etc.).

That's all it says. In particular, it makes no statement whatsoever regarding the reliability of the process in step (4)—which is one of the bigger weaknesses of the RIAA's argument, mostly due to stuff like dynamic IP addresses, NAT, and so on. There are plenty of other weak points, too, including the equivalence asserted in (3)—but this declaration says nothing about those, either.

As for your comment about "secret methodologies": it is true that some of those methods have been attacked in other expert declarations, but there's nothing secret about logging on to an open FTP site and downloading a copyright-protected file (or grabbing that file from a P2P network).

Virtualchoirboy said...

As for your comment about "secret methodologies": it is true that some of those methods have been attacked in other expert declarations, but there's nothing secret about logging on to an open FTP site and downloading a copyright-protected file (or grabbing that file from a P2P network).

While it's true that there is no secret to the ability, one of the key points to their P2P investigations that we've never seen explained by the RIAA is how they prevent their "off-the-shelf" version of the software from downloading a single file from multiple sources.

Most consumer Internet connections have a large pipe for downloads and a significantly smaller pipe for upload. For example, I've got 6 Mbit DSL download, but only 768 Kbit upload. P2P software in general accounts for this by downloading parts from multiple sources simultaneously and rebuilding the file locally. Since this is a basic and built in feature to virtually all P2P software, how can the RIAA say with any certainty that 100% or even 10% of the file they say they downloaded from a suspected infringers computer actually came from that source?

Since the methods have never been exposed to the light of day (i.e. they are secret), nobody except the RIAA and MediaSentry can say for sure. This puts the Defendant at a significant disadvantage since they do not have the ability to question the methods. In essence, it gives the Plaintiffs experts a free pass allowing them to say whatever they want and have it accepted as fact. In my very limited understanding of the legal process, that does not qualify as due process.

Virtualchoirboy said...

To further comment on Heywood's points, he does make an excellent summary, but I think our overall objections are along these lines:

1) Finding the computer is easy. Associating it with a specific IP address is more difficult. The method of this identification has never been shown and is suspect.

2) File downloads were started, but again, there has been no information regarding the method other than "same as every other user". Going on that premise, please refer to my earlier post about basic P2P software functionality. We cannot guarantee that the full file downloaded actually came from the computer supposedly identified.

2a) Identification of the files as copyright protected works is only part of the issue. While the files can easily be identified as such, the RIAA chose to use terms such as "illegal copies" and it's that terminology that is being disputed.

3) The point of "no distribution agreement in place" is not in dispute, but the identification of "owner" IS in dispute. They have made the assumption that the account holder associated with the IP address at the time is ALSO the owner of the computer they accessed AND assumes the owner of the computer accessed is the actual user running the P2P software at the time of suspected infringement. Here is one possible scenario which points out how wrong they can be: User A connects to the University network in his dorm room and sets up a WiFi router. User B has a wireless network card and connected his laptop to the router to use User A's connection. User C borrows User B's laptop, installs P2P software and starts downloading and sharing files. In this setup, the RIAA still goes after User A.

4) See #3 above... :-)

I hope this helps you understand the position put forth by alter_fritz.

Alter_Fritz said...

heywood and mike, you are both right in part in interpreting what I have written, what reasoning I might actually wanted to explain with that and what might be my overall position I tried to set forth with this little piece. (If I had done it in german It would have been clearer I guess, maybe not for you non-natives though) ;-)

Heywood, your 4 points summary of the RIAA argument is well on point, but it is in 3. where the problem lays. And that's what I wanted to address when I "corrected" chris' sentence.

Just because a copyrightowner can get ("download" ) copyrighted works from an so called unauthorised source (here the student which is the responsible guy for the content of the HDD) does not make that act on behalf of the Student that gave the copyrighted works to them a violation of copyrightlaws since owners can not infringe their own works and they don't count at what your copyrightlaw defines as "distributing [...] to the general public"
Since plaintiffs know that and because they have no proof of actual distributing to anyone else then their agents themself they come up with this "making available aka. having files in a specific place is itself a violation of the exclusice distribution right"- argument.
So far Ray has not reported that a sane judge/jury gave their OK to this argument in a full blown real trial.
Taking this part of plaintiffs argument out of the cyberspace and into a real live student dorm easily shows how stuipd their argument is.
Student A keeps his CDs on the top of his desk. (the physical desktop that is).
Student C from one floor below him comes up when A is at a party at B's room, C copies all the CDs that are accessable for him in the unlocked room. Is A liable for violation of the copyrightsowners exclusive distribution right? I think not, and I hope that no sane judge would think different, Otherwise you poor americans would need to treat your CD's like dangerous weapons or something like that and could only keep them in a safe so no one else can access them.

Plaintiffs other part of their claim is that student A is in violation of copyrightlaw because he is in posession of a certain soundfile (aka he would be student C in my above example).
They claim they know and can proof that part of their complaint (the downloading part) because they listen to a song and that's how they know that it is an "illegal copy".
That is the point that was attacked here by the expert declaration; from listening to a file and looking at its metadata you can not determine if their target Student A (which is now due to the boilerplate complaint wording of "and/or" Student C in one person) got those files from his own legally bought CDs on his desk or not.

So if you guys will was chris' argument only partly on topic in so far that he is wrong if it matters if copies are legally or illegally obtained because that is one of the core arguments in the plaintiffs complaint before the "and/or" part of the allegations. And the part behind the semicolon (the thing which I "corrected") Is only relevant when it comes to distribution to the general public in ways of sale rent or lease. Not every kind of distribution aka. sharing is unlawful even if you don't have an agreement with the copyright holders to distribute.

If you guys will, what we have seen so far in this case RIAA vs Students isn't all the beauty of counterarguing their boilerplate complaint, but it is just an easy ( but important and postworthy one that those other universities should take as inspiring example) exercise by Prof. Bestavros to show that the RIAA guy Linares is (just as "Expert" Jacobson or MediaSentry guy Millin) an incompetent hearsay guy at best and a liar at worst whose declaration(s) have no value what so ever to determine if an ex parte discovery order is warranted.

Unknown said...


Thanks for the thoughtful comments. A couple of quick responses while my brain is still working (numbered corresponding to yours):

1) Not sure I understand this. Any bidirectional TCP connection between two machines requires each machine to know how to address packets to the other, regardless of the routing in between. If you're saying that the possibility of masquerading (e.g. using Tor, or NAT behind a router) makes it impossible to know the true IP address of the other machine reliably, then fair enough. But I've seen far too many people make this argument in a vague and imprecise way, by simply waving their hands and saying "... but an IP address isn't a reliable indicator!" The reality is that unless one takes specific steps to mask that IP, it can be a reliable indicator in some cases (e.g. when combined with DHCP lease logs, etc.).

2) A properly designed P2P protocol generally has robust file integrity built into it. If it didn't, the whole process would be useless, since you have to at least allow for the possibility of some members of a swarm having corrupted file data. This, in turn, means that even though some particular P2P node (say, the accused seeder) may not have actually transferred an entire file to some other node (say, the accused leecher) in a given transaction, it does have to have the intact file available (as verified by an MD5/SHA-1 hash, etc.) to work correctly. If a given copy of the file is made available for sharing via P2P but is corrupted or hashes incorrectly for some other reason, then any properly functioning tracker for that file will exclude the given copy.

2a) This seems to me to be a distinction without a difference, and a semantic one at that. The point isn't that it is illegal to have a file ripped on one's computer or other device (since thankfully RIAA v. Diamond Multimedia was decided correctly), but rather that willfully making such a file publicly available (again, either through an open FTP server, via P2P, etc.) amounts to copyright infringement.

3/4) Both good points, and I see that I needlessly blurred the two issues here. The first is whether or not "making available" amounts to "distributing" (and further, whether passively putting something in an accessible place, like a shared directory, is equivalent to actively advertising the availability of a file via a P2P tracker, indexing service, etc.). The second is whether or not the identified IP can be reliably matched to an individual, which is a much trickier problem as your example with the WiFi router illustrates.

In your example, I suspect the RIAA might argue that User A was responsible for his access point and failed to secure it appropriately, or violated the university's AUP by hooking up the router that way. (Of course, the latter argument could be shot down by observing that one could walk into any coffee shop with free WiFi, jump on their access point, and do the same thing.)

The more correct thing to do, I suppose, would be to subpoena the router's DHCP logs and try to identify User B's machine by MAC address, and so on. But then User A would claim that the logs are wiped on a daily basis; User B would claim that MAC addresses could be spoofed (technically correct, but somewhat unlikely unless this were happening at Caltech or something); and so on.

Come to think of it, the logical conclusion of all this is that if the RIAA gets their way (heaven forbid), then every computer user will be required by law to preserve IP logs for some minimum length of time, failing to do so is prima facie evidence of malicious intent, and so on... at which point we can kiss what little privacy we have left goodbye.

In any case, my take is that there are sufficient substantive holes in most of the cases the RIAA has brought to date that mounting a robust defense is certainly possible. What concerns me is when people put forth highly disingenuous (and technically flawed) and/or hyper-legalistic defense arguments (and I respectfully put the proprietors of this site into that category at times), because that makes the subsequent efforts (i.e. convincing judges and, to an extent, public opinion) much more of an uphill climb.

Virtualchoirboy said...

Sorry for the delay in responding, but I has some family stuff to deal with. I appreciate the thoughtful response and see your position. I do have some responses as well:

1) TCP connections: I guess I could have explained this a bit better, sorry about that. The heart of the problem I have is how a specific machine is identified? Without ever being able to see the methodology used, we cannot examine the reliability of the method. Additionally, what sort of "proof" is captured and what safeguards are there that once the "proof" has been collected, it cannot be tampered with? Did they capture packet logs so that they could prove that even one packet of data came from the suspected IP address. How are the timestamps determined? Do they synchronize with a public time server before determining the time of infringement? If not (or even if so), how do they verify their time against the time the ISP may have had in their IP/Billing logs? So far, all we have is "this is the IP, this is the time, just trust us on this one...".

As for TCP connection, the machines do NOT need to know the EXACT endpoint. They just need to know the last NAT router endpoint. For example, the PC I'm typing this on is behind a NAT router (Network Address Translation). It's IP address is not known (and will not be known) by when I hit the submit button on this post. And yet the post will still be made. To make this possible, the NAT router keeps track of what this machine sends out and matches up responses to the transmissions. Once it finds a match, it sends it along to the appropriate machine. To use this example, the RIAA could possibly identify my account from the IP address assigned to my NAT router, but how could they know if it was me, or one of my two neighbors that are close enough to connect to my router?

2) Good point and I think we tend to ignore that, but you're assuming "proper" when that may not be the case. That is one technical angle that has not been argued and not being a P2P expert myself, will not comment until I know more. That being said, what if 0% of the file actually came from the identified IP address? User A has files available and his P2P softawre alerts the local node as to the list. RIAA comes along and sees this list and selects a file for download. Due to technical issues with User A's computer, not even one packet of data is sent, but instead 100% of the file comes from other users. Is User A still guilty of infringement since his PC can't send the files requested by other users?

2a) You've brought this back to one of the central arguments that has yet to be decided. It appears that you agree with the RIAA in the thinking that having the files available, willfully or not, is infringement.
First, I use "willfully or not" because as has been proven time and time again, most of the P2P software packages out there will automatically share ALL media files on the users PC as a default setting. Unless the user took the time to specifically exclude files, they would be shared without their knowledge. Before you reply with "they should have learned about the application first", can you honestly tell me that you know the advanced features of all the applications you use? I, for one, do not. I'm a developer and can create dynamic Excel workbooks that might amaze you, but don't have a clue what the Auditing functions are for (Tools menu if you're curious). For the average computer user, "advanced functions" are exclusively for their geek friends to play with - the user just wants the program to work.
Second, I believe there is already case law on this point, but not being a lawyer, cannot provide a handy link. If memory serves, existing case law states that for distribution infringement to occur, actual dissemination must occur. Just having the files available is insufficient.

3/4) You seem to have the beginnings of an understanding as to why so many of us in the IT world have a problem with these lawsuits. They are generally filed against the "easy" target instead of the "correct" target. As far as DHCP logs, the problem there is that only gets you who was connected, not what they were actually doing at the time. Additionally, the "log" may not give you what you are thinking. The DHCP "log" on my wireless router just gives IP, MAC address and Machine Name... no timestamps. It's got connection information in there from co-workers who stopped by to work on a project, some as long as 6 months ago.

Finally, while the RIAA might relish a world where IP traffic is logged, the only people who would truly benefit are the identity thieves and the drive manufacturers. The latter for the obvious storage needs that would explode exponentially. Watch 10 seconds of video on YouTube, store a Megabyte of IP traffic information for the video alone, not counting comments and thumbnails of "related" videos. Stream an online radio station for a couple hours... hope you have a couple Gigabytes free. As for the identity thieves, all they would have to do is write a virus that reads the IP logs looking for connections to specific sites... say... a bank? Have the virus send that info along and off they go to shop at the poor users expense.

There are no easy solutions here. I understand where they are coming from in wanting to protect their assets, but I think they could do a much better job of how they go about it. Instead of clogging the courts with thousands upon thousands of lawsuits and alienating their customers, take the time to analyze the problem and find a real solution. It's obvious that someone at the top is letting the lawyers run the business, and that's a bad thing. Nothing against you Ray, but lawyers generally go to law school to practice law, not to business school so they can run a business.

raybeckerman said...

chris, we do know that the RIAA failed to present evidence of distribution.

russell, plaintiff has burden of proof.

mike, your understanding of the legal process is not so limited. It is absolutely true that they cannot use their secret proprietary mumbo jumbo as evidence in a federal court.

mike, your taking time off from this compelling discussion to take care of important family matters is unacceptable... next time you have to ask alter_fritz for permission.... where are your priorities?

mike, heywood, chris, alter_fritz.... thanks for some good cerebral stuff there....