Wednesday, December 26, 2007

Has RIAA expert Doug Jacobson contradicted himself in UMG v. Lindor?

A year and five months after examining the defendant's hard drive in UMG v. Lindor, the RIAA's "expert" witness, Dr. Doug Jacobson, has issued a "supplemental report" which appears to contradict his earlier "reports" alluding to the hard drive inspection.

In view of the superb job the Slashdot community and the Groklaw community did in helping first to prepare for, and then to vet, Jacobson's deposition, I have submitted to both communities, and herewith humbly submit to my readers with technical background, for your learned review, the now three (3) versions of the "expert's" opinions based on the hard drive, for your analysis.

As with almost all federal litigation documents nowadays, they are, unfortunately, in *pdf format:

(a) December 19, 2006, declaration;

(b) unsigned October 25, 2006, report, awaiting approval from RIAA lawyers; and

(c) December 15, 2007, version.

The initial observations of commentators here on "Recording Industry vs. The People" are located here.

Followup: Dec. 28, 2007, 11:10 A.M.: In an incredible response, the Groklaw community have responded with over 500 comments, and counting, with extremely insightful analysis into the "junk science" of the RIAA. For some really good reading, go to this link. To PJ and to all those who gave of their valuable time to read Dr. Jacobson's multiple "reports", and to point out their many flaws, on behalf of Marie Lindor and all of the other victims of the RIAA extortion campaign, THANK YOU FROM THE BOTTOM OF MY HEART.

Groklaw Discussion

Commentary & discussion:
Groklaw (12/27)


To contribute to Marie Lindor's legal defense, see below.

The above donation button links to a PayPal account established by Marie Lindor's family for people who may wish to make financial contributions to Ms. Lindor's legal defense in UMG v. Lindor. Contributions are not tax deductible.


Anonymous said...

you have asked if Doug Jacobson has contradicted himself, well I guess you can't ask it that way.
This guy has no clue at all, does not state how he comes now to the new conclusions and admitted that he kept no records of his findings while he had done his "first" (?) inspection back then.
In this new report, all we have is just one new sentence and beside that much unnecessary filler with explaining glossary so that the "news" make more than just one sentence that could have been sent with a short text message from Rich's BlackBerry to chambers which would have the same substance and validity.

I mean come on, a guy that has a "Pappkamerad"* (don't know the English word for it right now) of himself, how can anyone take such a guy even the slightest bit serious and assume that what he states is substantial and structured enough to make it even able for him to contradict himself?


P.S. the first round of comments about his contradictions while he was deposed was here:

Anonymous said...

First he gives us forensics 101. But this ONLY applies to ONE item, the examination of the defendant's computer. ALL those other things, including the "MediSentry Trace" have no such authentication because he did not forensically examine the hard drives of ANY MediaSentry computers. Don't let him hornswaggle people into thinking that the standard forensic practices somehow apply to MediaSentry's investigation unless he actually examines the computers used to produce the evidence in items 14 (a)-(h) when he only used that methodology on item 14 (i).

All this "I will testify" stuff is ridiculous. Why didn't he do that in depositions if he was so knowledgeable? How can he testify to the chain of evidence of which he has alleged no personal knowledge? How can he authenticate data when he has no personal knowledge of the source and no chain of evidence to rely upon?

How does a lack of evidence of copyright infringement on the hard drive favor the hypothesis that the defendants were guilty rather than innocent?

Item (21) brings a new claim, that there was a 100 GB USB drive plugged in at some point. How do you know that this drive is owned by the defendants? Is it because of item 24, assuming yayahq = yayagq?

What relevance does the fact that these people used email have? Most people use email.

I also note that he'll review additional materials "as they become available." What reason did he have for waiting until now to supplement his claims given that he's been able to examine this drive for the entire litigation?

P.S. Thank you for allowing those of us without accounts to comment, Ray.

Anonymous said...

There are at least two major problems with Mr. Jacobson's proposed testimony, and more minor issues.

1. Conclusion #16

He might as well testify that "the computer had a public IP address and was not connected to the Internet via a flying teapot".

So, what was the public IP address?

2. Conclusions #18, #19, #22, #23, #24, #25

It would appear that in order to make these conclusions, the hard drive image examined must have been the system drive for the computer (ie, the drive that Windows was installed on).

So, what version of Windows was installed?

3. Conclusion #20

Oh boy. If the hard drive examined is the system drive of the computer, and it had no trace of KaZaA ever being installed on it, then this may be a direct contradiction of Conclusion #15.

4. Conclusion #21, #22

Whether or not there was another hard drive (external or otherwise) is moot. There seems to be the implication that KaZaA was somehow installed and run from another hard drive. However, any installation or running of KaZaA from any other drive would still leave traces in the form of registry entries, which are always located on the system drive.

So, if the "other" hard drive were somehow to have been accessed by KaZaA, then one of the following must be true:

a. The "other" hard drive was accessed by KaZaA from another computer system.

b. The "other" hard drive was accessed by KaZaA from this computer system, but a computer expert subsequently uninstalled KaZaA and manually removed all traces of it from the system drive.

c. The "other" hard drive was accessed by KaZaA from this computer system, but Windows was subsequently re-installed on a new or reformatted system drive.

5. Conclusion #22, #24

The file path given may be inconsistent with the user names provided in Conclusion #24, unless there is a typo in "yayagq" or a typo in "yayahq".

Or, if these are not typos, what is the link?

Furthermore, evidence of the use of Windows Media Player is hardly evidence of the use of KaZaA.

What link is there between the directory path provided, and the paths that KaZaA uses or can be configured to use?

6. Conclusion #23

If the version of Windows installed is XP Home or earlier, then it is likely that all users were adminsters [sic] of the computer.

Not sure how this is relevant to anything else.

Sure would have been nice if he had testified to the version of Windows installed.



Anonymous said...

Responses to Conclusions from the last two reports in your list:

13) Have you actually even met with the MediaSentry investigators to review their procedures? Name every MediaSentry person you've met, and each of their jobs as described to you.

14) What proves to you that it is impossible for a wireless router to have been used? Also that this is the only possible computer that could have been connected at the time and place in question?

15) What makes usernames to be "of interest"?

16) Why is it a crime to not use your computer very much? Isn't this an opinion on your part?

17) If this is not the correct hard drive, see #20 below.

18) See #26 below.

19) Given your later "additional" conclusions, what additional discovery materials did you review between your October 25, 2006, and your December 15, 2007 reports that led you to make the additional statements you did? Are you learning on the job? Are you simply incompetent and missed all this stuff the first, or is this the second, time around? Why did you go back and investigate further after your last initial declaration?

- - - - - -

15) While you may identify an ISP account from a TCP/IP address if not spoofed, please specify how you can identify a specific computer from a TCP/IP address. Even if you were to find the exact same files being shared out of the exact same directory, how can you say with certainty that this was the computer actually connected and actually performing the file sharing at the time in question? Specify what logs, registry entries, or other data exists to allow this conclusion.

16) Specify how you can testify with certainty that the TCP/IP address on the computer when examined is the same TCP/IP address that was detected during the alleged file sharing, and the only TCP/IP address that this computer has ever used. Also how it is absolutely impossible for this computer to have ever been connected to a wireless router. Explain for the court and jury what the "DMZ" of a wireless router is, how it's used, and what TCP/IP addresses a computer can use when placed in the "DMZ". Also list every IP address that this computer has EVER used, and not just the latest one. Answer the question that if a wireless router was connected at some previous time, wouldn't that router have shown the same IP address to the Internet at large?

17) Were there other usernames as well? What makes some usernames of "interest" and others not?

18) And this is proof positive because? And if you're looking for known shared music files in known shared directories, why are you looking at personal e-mails? How many of them did you read?

19) Why is accessing the Internet a crime, and how is it relevant to the issue of file sharing at hand? Isn't this just an attempt to tar the people with those names? And while you're at it, how do you prove that those usernames were actually used by the real life people with the same or similar names for the entirely legal process of accessing the Internet?

20) If this is not the hard drive used to share the alleged files using the KaZaA program, then how can ANY of the contents on it have ANY relevance to this trial at all, and why are we listening to you drone on about what you found on THIS hard drive? If this is not the hard drive that did the sharing, none of its contents are relevant here.

21) How does the ISP account holder Defendant have any more idea over what hard drives may have ever been plugged into this computer, than any ISP account holder sued by these Plaintiffs has about how their Internet account was used in their absence? Also, with absolutely NO traces of the KaZaA program found on the drive supplied, including the registry where installed programs leave traces, how does the plugging in of any external drive once facilitate file sharing? How can you run the KaZaA program from an external drive in a way that leaves no traces on the main drive installed? And since you insist that this mysterious external drive, which may not even have been owned by any of the Defendants, was plugged in to the computer in question BEFORE 7/8/2004, how does this square with your previous testimony that this is NOT the drive used in any file sharing, although it appears to have been in the computer from before any file sharing was detected by the Plaintiff's illegal investigation? And VERY IMPORTANTLY, isn't the date recorded that this external hard drive was first plugged into the system completely dependent on the computer's system clock being set accurately to record this timestamp? How do you know that prior to 7/8/2004 that this computer's internal clock was set correctly?

22) What does the fact that an unknown individual, using the account Woody, played some music from an external drive, using Windows MediaPlayer, from files under another user's name, have to do with file sharing on the Internet itself?

23) Are you saying that user Woody is now the administer[sic] of the computer, or was the administer[sic] of the computer when the alleged crime of file sharing was being committed? How quickly can someone become, or cease being, the administer[sic] of a computer? Can you document when this might have been changed? And how does being the administer[sic] of a computer connect to file sharing being performed in the absence of the KaZaA program at all?

24) What do e-mail addresses have to do with file sharing?

25) What does accessing a yahoo[sic] account of username "jeanlindor" have to do with file sharing?

26) Why are you reading personal, private document files on a computer that clearly have no connection to file sharing? Why have you not limited your investigations to items specifically identified by MediaSentry's illegal unlicensed investigation, most specifically the presence (or not) of the KaZaA filesharing program, and any music files located on the hard drive supplied?

27) Does this mean that you will continue to bring forth new "discoveries" that the Defense has no time to investigate or locate counter-experts for right up to the point of your testimony? Do you have any "surprise" findings that you haven't sprung on us yet? What other discovery documents do you actually expect to review in the course of your employment in this case? And why are you so incompetent in your investigations that you have to keep revising your findings?

>Anon #1

Anonymous said...

I'm not sure that Dr. Jacobson is contradicting himself so much as equivocating to avoid the inevitable. Dr. Jacobson concedes in paragraph 20 of his conclusions that Kazaa was not installed on Ms. Lindor's computer. Yet, in paragraph 15, he still argues that this specific computer he examined was used to share music. It seems that they are angling to draw in Ms. Lindor's son, but if Dr. Jacobson is willing to argue, under oath, that Ms. Lindor's computer shared files, could he be precluded from making that same argument against her son in any future litigation? After all, if he insists here that both the forensic and investigation evidence suggests that THIS computer was used to distribute music, one could conclude that the MediaSentry evidence cannot reliably identify who shared what.

Assuming for the sake of argument that there is and has only been one computer used by the Defendant, the ISP and MediaSentry logs might be decent evidence if the MAC address belonging to that computer was contained within the logs. But if this is the case, why doesn't Dr. Jacobson's report flat out say it? The best case for the record company would be that he sandbags this claim in a deposition or at trial.

Dr. Jacobson's new report seems to set up three possible arguments: that either a) the hard drive was replaced on this system to hide evidence of file trading, b) that all of the file trading occurred on this external drive, or c) that another person downloaded the files, then placed them on an external hard drive and connected that to Ms. Lindor's system. The first scenario is implausible without any evidence that the hard drive was replaced. The second scenario is implausible because if Kazaa was installed and run on Ms. Lindor's computer via the external drive, there would be some evidence in the Windows registry and elsewhere that Kazaa was installed (see paragraph 20). The third scenario vindicates Ms. Lindor, because it indicates that she did not download music onto her computer, but rather, someone else downloaded the music on another computer.

To restate all of this, it may not be that Dr. Jacobson is contradicting himself, so much as that the best evidence vindicates Ms. Lindor. Even if the ISP logs and MediaSentry logs are competent evidence, the actual computer is the best evidence, because it indicates that Ms. Lindor never installed Kazaa, which means she never "made available" any songs. It also indicates that the system was rarely used, which decreases the likelihood that this computer was used to download and/or share music. The RIAA may try to go for a backdoor route and argue that if the external hard drive had illegal files, that she may have listened to them so she should be liable, but this seems like a weak argument. If person A downloaded a CD from the Internet, burned it onto a disc, and then played that CD at a friend B's house, why should B be punished when she did not download or share the music?

Anonymous said...

From the supplemental:

15) I will testify to the procedures used and results obtained by MediaSentry coupled with the information supplied by Defendant's ISP, to demonstrate the Defendant's Internet account and computer were used to download and upload copyrighted music from the Internet using the KaZaA peer-to-peer network.

From his deposition:

Q. Do you know what processes and procedures MediaSentry employed?
A. I do not know the inner works of MediaSentry processes and procedures.
Q. Do you know what software they used?
A. No.
Q. Do you know if it was well known off-the-shelf software or if it was proprietary software?
A. Again, I do not know the inner workings of MediaSentry's operations.

How is he going to testify to MEDIASENTRY's procedures used and results obtained?


Art said...

(Referring to latest report unless otherwise noted.)

Item 13: he is now trying to show that he is using "methods and procedures" from the "International Association of Computer Investigative Specialists". Is this his new credential? Why didn't he mention it in the deposition or the original filings?

Item 15: note that Dr. Doug proved (see item 20) that defendant's computer did not have KAZAA installed. He has no proof of defendant owning any other computer. So he can't testify that defendant's computer was used for any illegal activity.

Item 16: this conclusion is based on the MediaSentry logs that allegedly shows the actual IP address of the computer used for the illegal activity (transcript page 65 (not the PDF page #), lines 5-9). He has no forensic proof that the Lindor computer was using this IP address at the time, or that any illegal activity happened on the Lindor computer, or that any other computer under Lindor's control even exists.

Items 17 and 19: which one of these user IDs belonged to Marie Lindor?

Item 20: Dr. Doug does not prove the existence of any other computer under Marie Lindor's control. So the only reasonable explanation is that Marie Lindor is not the infringer.

Items 21 and 22: OK this is the only new "information" offered by Dr. Doug but it proves nothing. It is impossible for KAZAA to be used with a USB hard drive without it having registry entries on the C: drive (or else Dr. Doug would have found evidence of it). There is no evidence that "Woody" is Marie Lindor. There's no evidence the USB drive was under Marie Lindor's control. It could have been plugged into her computer by PC techs when she had the computer serviced somewhere. There's no evidence the USB drive had any copyrighted works. In 2004, a 100GB external USB drive was relatively expensive. (Here is a 250GB that was $400 in 2004 and here is a 80GB that was $150 in 2004.) How could Marie Lindor afford such a device? How could Gustave make enough working at Long John Silver's to afford such a device? A computer and broadband is expensive enough for these folks. What will the RIAA come up with next, that this poor lady had all of the illegal songs on her Beowulf-cluster-based-NAS?

Item 23: proves nothing. Everyone is Administrator on XP/Me/95.

Items 24-26: How is this relevant to Marie Lindor? If the infringer is not Marie Lindor, drop the case against her and go after the real infringer. There's definitely no evidence to support a case of secondary infringement against her.

Ray, Marie is obviously not involved, and the RIAA can't prove she was the "KAZAA infringer". So why wouldn't a motion for summary judgement based on failure to state a claim against Marie Lindor be granted at this point? The RIAA is still making motions so it doesn't appear a motion for summary judgment would be untimely...


Anonymous said...

He states the drive was "Western Digital 100 GB USB external hard drive". He talks about a specific song that was played by Windows Media Player. Since he admits he does not have the external drive, he does not have a copy of the file played, therefore he can NOT make any statement that this song matched ANY song in exhibit A or B.

I agree with others, his weak point is that he has NOT proven the "KaZaA" program was ever installed or used. Without that, how can he allege your client or their computer was used for any form of filesharing. Other than the file on the removable drive, I did not hear him mention that he found ANY of the listed songs on the drive or computer at all. Sounds to me that this witness is almost speaking in favor of the defense position...

BTW, since KaZaA, like most Windows programs, installs DLL libraries and registry entries on the system (c:) drive, it is highly unlikely that KaZaA could be installed on that portable drive, don't let them imply that....

I think I have stated this before to you, but in #14, he can state that the computer had a public IP address. However, this does NOT prove there was not a router, wireless or otherwise. Almost all routers made can be programmed to allow 1 computer to be assigned the public IP, this being called in most routers the DMZ mode. Sometimes also called gaming mode because many online games require the computer to have the public IP. This mode allows connection sharing, while allowing one workstation to operate using the outside address. The router still has a set of internal addresses available for other computers to use (192.168), even though the DMZ computer has the public IP assigned. In effect, the router keeps track of all the connections that have been originated by the internal network, and when packets are returned to those connections (port numbers), they are re-routed to the internal network. All other packets are sent to the DMZ computer unchanged. The router can keep track of this because the WAN side (DSL/Cable) connection is on a different interface than the internal (LAN) side which is connected to all the computers which connect to the router, either wired or wireless, and can keep track of all the computers or other devices connected to the network.

The witness claims a computer running the program KaZaA was detected at a certain date/time, on an IP that the ISP claims was assigned to your client. The witness also states that your client's computer has no traces of ever having the KaZaA program installed.

If all that is true, one of the only ways that this set of facts could have happened is if another computer, which was not your client's, WAS connected to the connection (maybe via a wireless router) and that non-client computer was running the KaZaA program and had the listed songs in its share folder.

Verizon is normally thought of as a DSL provider, which leads to these other possibilities:

DSL is often transmitted by PPPoE or PPPoA and a username and password is used by the broadband gateway to authorize use. In other areas I am aware of (Bellsouth), it is possible to sign onto the network with a username/password not belonging to the connection, as long as that UN/PW is valid. Thus, it is possible on many PPPoE/PPPoA networks for another customer to sign on with your client's UN/PW and thus put all the blame on your client. When they look thru the RADIUS logs, they might be identifying your client SOLELY by the username used, and not the actual connection node (Specific DSL connection/phone number). If this is the case, your client might get the blame for someone else. This is why you need to have Verizon appear and testify. The Username around here is generally the same as the email name, and the password is usually based on the phone number, both of which could be easily guessed by others. Many RADIUS servers only log by username, so it might not be possible for the Verizon witness to say if another connection used your client's UN/PW. If your client did not have a router, based on the other evidence, I wonder if Verizon or MediaSentry is off by a digit on the IP, and the actions were that of another customer.

If the connection is Cable Modem, the system acts as one big Wide Area Network, and another user can spoof your client's MAC address whenever they are turned off, and in some cases might be able to take over the connection even if it is left on. In this case, since all the logging is done by MAC, the ISP cannot say if this happened or not, their logs will not show it.

#16 is meaningless, today the majority application on computers is the internet. Most consumer email is done in a browser, NOT on a program like Outlook or Eudora. So what about local file use, the browser I use erases its cache and history every 9 days by default (Firefox). If only browsing is done, the fact that there is little activity is NORMAL....

#17 says KaZaA not installed, which supports your client. #18 supports that the computer has evidence of use during the timeframe the filesharing was detected, which blunts any attempt to suggest the OS was reloaded or any such to hide KaZaA. Also seems to be a bit strange of a statement since Gustave Lindor, Jr is not a defendant, and any actions of this person are NOT the responsibility of your client.

In #13, the most he can say is the Connection assigned to your client was used to operate KaZaA. Of course, this is not direct knowledge, but based upon the Verizon letter. His own testimony about KaZaA excludes your client's computer as the one that was used, since the computer did NOT have KaZaA installed.

In short, the Plaintiffs' case is very weak. I hope you find a good expert to testify and nail this guy's untruths.

Albert the Network Admin.
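
The DMZ-mode behaviour described in the comment above, modelled as an added example (it is not part of the original comment or of any report in the case): a toy router hands the public address to one machine and translates traffic for a second machine on 192.168.x, and the log kept by an outside peer is compared with the true origin of each flow. The addresses, ports and host labels (`dmz-pc`, `laptop`) are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PUBLIC_IP = "203.0.113.7"     # constructed WAN address (documentation range)
REMOTE_PEER = "198.51.100.9"  # constructed address of an outside observer


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class DmzRouter:
    """Toy router: one DMZ host holds the public IP, the rest sit behind NAT."""
    public_ip: str
    hosts: Dict[str, str]                     # configured IP -> host label
    nat: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    next_wan_port: int = 40000                # next WAN-side port to hand out

    @property
    def dmz_host(self) -> str:
        # The DMZ machine is the one whose own configuration shows the public IP.
        return self.hosts[self.public_ip]

    def outbound(self, pkt: Packet) -> Packet:
        """Return the packet as it appears on the WAN side."""
        if pkt.src_ip == self.public_ip:
            return pkt                        # DMZ host: forwarded unchanged
        if pkt.src_ip not in self.hosts:
            raise ValueError(f"unknown LAN host {pkt.src_ip}")
        wan_port = self.next_wan_port         # remember which LAN host owns it
        self.next_wan_port += 1
        self.nat[wan_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Tuple[str, Packet]:
        """Return (receiving host label, packet as delivered on the LAN)."""
        if pkt.dst_port in self.nat:          # reply to a tracked connection
            ip, port = self.nat[pkt.dst_port]
            return self.hosts[ip], Packet(pkt.src_ip, pkt.src_port, ip, port)
        return self.dmz_host, pkt             # everything else: DMZ host


def build_router() -> DmzRouter:
    # Constructed network: one DMZ machine, one NATed machine.
    return DmzRouter(PUBLIC_IP, {PUBLIC_IP: "dmz-pc", "192.168.1.50": "laptop"})


def remote_peer_log(router: DmzRouter) -> List[Tuple[str, str]]:
    """(true origin, source IP the remote peer records), one flow per host."""
    log = []
    for ip, label in router.hosts.items():
        seen = router.outbound(Packet(ip, 5000, REMOTE_PEER, 80))
        log.append((label, seen.src_ip))
    return log


if __name__ == "__main__":
    r = build_router()
    for origin, logged_ip in remote_peer_log(r):
        print(f"origin={origin:7s} logged source IP={logged_ip}")
```

Both flows are logged under the same source address, so an IP-based log taken from outside does not distinguish the machine configured with the public IP from another machine sharing the connection.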

raybeckerman said...

Art, are you under the impression we haven't made such an application? We did so not once, but twice.

Anonymous said...

I don't know what you can ask exactly. Certainly everything I am about to suggest you get, you can get from your own experts examining the disk image.

Presumably the expert claims that the USB drive was connected during the alleged filesharing and was used for the filesharing.

He states that the USB drive was attached on a certain day. I'm not an expert on removable storage, but this seems to me that he should be able to produce the times that the USB hard drive was connected to the

Ask for a list of the times that the USB drive was connected to the computer.

Art said...

I looked back and saw the second request for a pre-motion conference for a summary judgement. It appears the judge has accepted the RIAA's catch-22 that discovery remains open until "the infringing hard drive is found", and so he refuses to hear the summary judgement motion until discovery is over. Unfortunately Marie Lindor has to fund the RIAA's search for this likely non-existent drive.

Back to Dr. Doug. The media sentry material is the basis for much of his conclusions (absent the "infringing hard drive") and will be the core of the RIAA case. Notice that in exhibit 6 ("DownloadData" file), there is metadata that they will use to "prove" which files were being offered by KAZAA. Now KAZAA uses the FastTrack network, which in turn uses the UUHASH algorithm to uniquely identify files. UUHASH is easily corrupted, and has been used by anti-p2p organizations to distribute polluted files (see here). As reported on this very blog, emails within media defender (an RIAA agent hired to pollute p2p networks) have shown that media sentry can't tell the difference between the polluted and actual files. (Can the media defender emails somehow be made exhibits in the Lindor case?)

I think it would be very enlightening for the jury to see a polluted file that has the exact same metadata and UUHASH hash value as one from exhibit 6 get transferred over KAZAA. When they see the metadata is the same, but hear an obviously polluted file, they should understand how flimsy the RIAA's "evidence" really is.


Jadeic said...

Is it possible to exploit Dr Doug's latest 'findings' as a refutation of the RIAA's simplistic concept of the P2P 'shared folder' as he now seems to be saying (without any substantiated evidence) that the files in question were located on this mysterious USB drive and not the computer system drive? If we can demonstrate that the shared folder is an abstract concept then it weakens the RIAA's already arrogant assertion that merely placing files in such a folder is a copyright infringement.


Anonymous said...

I'm late to this discussion, and I see all my major issues with the documents in question have already been covered in the previous comments (other than boy, the author sure didn't bother to proofread his document very carefully, did he? In one spot he refers to "hard drive" merely as "hard," which provides an amusing sexual allusion. If I submitted such a poorly written document in my line of work, I'd have my butt kicked. This is an embarrassment. But, anyway).

It's hard to refute much of this document because it provides so few details on his forensic methodology. Every time he asserts that he will testify to this or that fact, I want to ask "how exactly do you know this to be the case?" I can think of five or ten different ways he might "prove" that he has found fact a, b, or c to be so; but he does not provide any great detail about the technique he used so it is very difficult to (1) figure out the truth-value of his claim and (2) thus prepare a counter-argument against it, or to know even if such is warranted. That is, the evidence he provides in this particular document is not true evidence at all, only assertions, as others have already noted.

I don't know if this sort of legal document is supposed to rise to this level of evidentiary (sp?) detail or not. I am trying to imagine myself validating this guy's claims and it could only be done through a great deal of clarification. I guess this clarification will have to be elicited by the defense at the time of testimony. It puts the defense in a weaker position because it takes some true and rather deep technical knowledge for the interrogator to be adroit enough to cross-examine knowledgeably about such minutiae of technical possibilities on the fly, on the spur of the moment in open conversation, say when said expert witness is on the stand and in front of a possibly unsympathetic judge.

In other, simpler words, there are a hundred different questions that arise in my mind when reading this report, none of which are answered by the report, but all of which contribute in my mind to the question of whether music was illegally distributed from this machine. I'd like to have a chance to grill the witness about the details, and pointing out different interpretations of the data, before coming to a conclusion. But I am not sure the judicial process will allow this.

That all said, I will once again point to a major argument that has been brought up time and time again, but is still very critical: so the guy "proves" that a certain account was logged into the machine at a certain time. This in no way "proves" or even suggests that a particular individual was at the keyboard at the time of supposed infraction. In my house, for example, everyone uses everyone else's account and none of them are password protected. My sister could come over some day when I'm not at home, log in on my account and download all sorts of nefarious materials. It's not like a handgun on which you find fingerprints, and a suspect on which you find flashburns/gunpowder on the trigger finger. It ain't DNA evidence.

Unknown said...

OK, here is what I see:

1. In July 2007, Plaintiffs subpoenaed Verizon for additional documentation. I have not seen anything disclosing the results of this subpoena to the Defendant. This could be relevant because it is mentioned in Dr. Doug's Declaration paragraph 14-h.

2. Previously Dr. Doug's role in this case was that of an "Expert Witness" who analyzed documentation provided by MediaSentry. In paragraph 12, he admits that he is an "Investigator". He has still not claimed to possess a Private Investigator's License as part of his qualifications.

3. In paragraph 13 Dr. Doug appears to admit that he made an additional Copy(s ?) of the hard drive he was examining. This was not authorized by Judge Levy's order of 8/3/2006 or the stipulation signed by both parties on which the order was based. He should have been examining the Plaintiff's Mirror Image hard drive created for this purpose.

4. Much ado has been made about no Wireless Router being used. My interpretation of the evidence is that they are actually claiming that no Router (wireless or otherwise) was used. He in no way shows that a Wireless Bridge was not being used. (A Router requires at least 2 IP addresses on 2 different networks. A Bridge does not require IP addresses at all, and will typically forward all IP information unaltered. Devices with bridge capability are readily available in the SOHO/Home market and have been for some time.)

Everything else seems to be an attempt to implicate non-parties. I am not a lawyer, but it would seem to me that such allegations should be made against those being accused rather than in an unrelated case. The evidence as presented clearly shows that Ms. Lindor could not possibly have infringed the Plaintiffs' Copyrights.

Anonymous said...

Well, while others may speak to the technical finer points I've always been shocked that the RIAA and Dr. Doug expect to get away with a medieval witch trial standard of proof. Dr. Doug's assertion that the lack of evidence on the hard drive is proof of guilt is similar to the idea that you can test if someone is a witch by attempting to drown them. If they sink and drown then, alas, they were innocent but if they float then they are a witch and must burn. Except the RIAA takes this one step further, if they sink they are guilty and if they float they are guilty. The RIAA can't have it both ways, though they are trying.

Anonymous said...

Have they ever copied down the MAC address of the computer in question while imaging its hard drive? Is that information stored anywhere on the computer's hard drive to be found? Are they able in any way to tie this computer's MAC address to the IP packets received by MediaSentry? (Hint: MAC addresses don't travel beyond the next switching/routing point in the IP network.) If they can't identify the MAC address of the computer sending the IP packets then THEY HAVE NOTHING! Or more specifically, they have no possibility of identifying any specific computer by any of the information supplied by MediaSentry. This is why their court cases depend on grabbing the ISP subscriber's computers and looking for true incriminating evidence. If they can be stopped before this point because they have no real proof to start with, the case ends.

Note: wireless home routers were intended to be inserted "invisibly" into existing Internet connections, and some broadband ISPs tried to tie a customer's account to a single MAC address to prevent multiple users from only having to pay for a single broadband connection (yes, major ISPs like Comcast once prohibited routers to home users, though even they couldn't verify that an actual router was in use nearly all of the time). To get around this absurd restriction on how people used their paid-for broadband connections, common inexpensive routers have easily changeable MAC addresses. You connect to your router through your web-browser, and can type in any MAC address you desire. This is the MAC address then presented to your cable or DSL modem as the "computer" connected, which matches the MAC address of the expected computer. In short, you don't know from the other end if you're talking to a single computer, or a router with multiple computers behind it - including wireless ones.

So does the Defendant own a router?

>Anon #1

Anonymous said...

Here are a few questions I would ask, but first a few comments. The one and only link that has been shown between the defendant and the alleged file sharing is the IP address submitted by MediaSentry. This IP address was submitted to the Defendant's ISP along with the time frame during which the IP was captured. The ISP looked through its logs and determined that the defendant was assigned that IP during the time listed. There is a lot of room in that for mistakes to have been made. Even a single digit error in either the time and date the IP was recorded or in the IP itself could mean that an entirely different person was responsible for the file sharing. There seems to be no real chain of evidence followed in the collection of this data either by MediaSentry, or by the ISP. This is where I would focus a line of questioning. Something like this.

Q: You have testified that you have no intimate knowledge of the internal workings of how MediaSentry gathers its information on individual file sharers. How they make their determination of which IP the sharing is occurring from, and what time. Is that correct?

A: gotta be yes that's what he said before

Q: Do you have any direct knowledge of how the defendant's ISP collects and maintains its data on who holds what IP and when?

A: probably no as well

Q: You then have to take at face value the information provided by MediaSentry and the defendant's ISP. Information that states that not only is the IP in question the one used to connect to Kazaa, but also whether or not this IP actually belonged to the defendant at the time that it was allegedly collected by MediaSentry. Is that correct?

A: probably yes

Q: If MediaSentry gathered the incorrect IP address, then that could lead to an incorrect identification of who shared the files?

A: yes (not much he can argue about)

Q: If the ISP incorrectly recorded who owned the IP gathered by MediaSentry, then that could lead to an incorrect identification of who shared the files?

A: yes (again not much he can argue about)

Q: If somehow either MediaSentry or the defendant's ISP got the time that the IP address was owned incorrect, then that could lead to an incorrect identification of who shared the files as well, could it not?

A: (maybe some argument here) (you might have to ask further questions about how the ISP determines who owns a non-static IP at what time)

Q: Do you have any direct knowledge as to the chain of custody of this information, the reliability, or the accuracy of this information?

A: Probably no (but if it's anything else, refer to his above response)

Q: I would like at this time to examine the possibilities raised by this. Hypothetically, let's say, just for the sake of argument, that a mistake were to be made in the identification of the IP of a file sharer. Due to this mistake let's say that a person who had not shared files was mistakenly identified as a person who had. Do you follow me so far?

A: yes (just a pause to let him absorb what you said)

Q: How would that mistakenly identified person go about proving their innocence? Would submitting their hard drive for forensic examination, be a step in the right direction to proving that they were not in fact the ones who shared the files in question?

A: (obviously yes that would be ONE way) (don't let him ramble too much here, just let him answer the question)

Q: So this falsely accused person submits their hard drive for forensic evaluation, and it comes back showing no signs of the program that they are accused of using. Other than that, there are very few other options for a falsely accused person to defend themselves. Wouldn't you agree?

A: (he will likely argue that point, but he has to be careful. If he says too much he could open the possibility that another computer was on the network, or possibly other options that would help)

Q: Now back to the case at hand. Given what you have just testified to. The facts that you do not know either the collection procedures followed by MediaSentry or the procedures followed by the ISP, nor do you know the handling of this evidence once collected, and given the fact that you yourself, using strict forensic evidence handling procedures, were unable to find any evidence that either the program allegedly used or the files allegedly traded existed on the hard drive, can you say with 100% certainty that despite all of that, the defendant did indeed upload the files she is accused of uploading?

A: it will likely be the same answer as in his first deposition
(The computer whose IP address has been identified as being registered to Ms. Lindor has been shown to have made songs available, copyrighted material available to the internet community through peer-to-peer software.)

Q: Did you or did you not just testify that you have no intimate knowledge as to how either MediaSentry or the ISP maintain their records or collects their data?

A: Yes

Q: And this data that was collected by MediaSentry and by the defendant's ISP represents the only link between the defendant and the alleged act of uploading or making available copyrighted material on the internet. Is that correct?

A: can only be yes

Q: Then how can you testify directly as to whether or not the link is conclusive?

A: he can't, though he may argue

Q: In fact the only thing you can testify to directly is the forensic investigation you performed on the defendant's hard drive, which showed that not only were the files allegedly shared non-existent, but that the program that was allegedly used to share the files was never installed. Is that correct?

A: can only be yes

There's way more you can do with this, but really this guy can only testify with 100% certainty about what he knows, and that is that no evidence of the file sharing was found on the hard drive. He can offer up his opinion, but you can show that that was based on possibly flawed information, and limit his testimonial effectiveness to only something that will help your case.
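The attribution step this comment questions, as an added example that is not part of the original comment or of any party's actual tooling: it maps a reported (IP, time) pair to a subscriber through a lease log and shows how a time zone misreading or a small clock error changes the answer. The lease records, account labels and addresses are constructed sample data, and all function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample lease log (not real ISP data): ip, account, lease start, lease end (UTC).
LEASES = [
    ("198.51.100.7", "account-A", datetime(2004, 8, 7, 1, 0, tzinfo=UTC),
     datetime(2004, 8, 7, 9, 30, tzinfo=UTC)),
    ("198.51.100.7", "account-B", datetime(2004, 8, 7, 9, 45, tzinfo=UTC),
     datetime(2004, 8, 7, 20, 0, tzinfo=UTC)),
    ("198.51.100.8", "account-C", datetime(2004, 8, 6, 0, 0, tzinfo=UTC),
     datetime(2004, 8, 9, 0, 0, tzinfo=UTC)),
]


def parse_report(text, utc_offset_hours):
    """Turn a 'YYYY-MM-DD HH:MM:SS' capture time into UTC, given the zone it was logged in."""
    local = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=zone).astimezone(UTC)


def holder_at(ip, when, leases=LEASES):
    """Return the account holding `ip` at `when`, or None if no lease covers it."""
    if when.tzinfo is None:
        raise ValueError("naive timestamp: the time zone must be known before matching")
    for lease_ip, account, start, end in leases:
        if lease_ip == ip and start <= when < end:
            return account
    return None


def holders_within(ip, when, tolerance, step=timedelta(minutes=1), leases=LEASES):
    """Every answer the lookup can give if the reported time is off by up to `tolerance`."""
    found = set()
    offset = -tolerance
    while offset <= tolerance:
        found.add(holder_at(ip, when + offset, leases))
        offset += step
    return found


def attribution_is_unambiguous(ip, when, tolerance, leases=LEASES):
    """True only if one account, and nothing else, matches across the whole window."""
    found = holders_within(ip, when, tolerance, leases=leases)
    return len(found) == 1 and None not in found


if __name__ == "__main__":
    stamp = "2004-08-07 05:50:00"
    as_utc = parse_report(stamp, 0)    # capture clock assumed to be UTC
    as_edt = parse_report(stamp, -4)   # same digits, but logged in UTC-4
    print(holder_at("198.51.100.7", as_utc), holder_at("198.51.100.7", as_edt))
    print(holders_within("198.51.100.7", as_edt, timedelta(minutes=10)))
```

The same digits resolve to two different accounts depending on the assumed zone, and a ten-minute clock tolerance around a lease boundary yields more than one possible answer.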

CodeWarrior said...

Ray: I wasn't aware that the RIAA had a habit of citing our poor postings to judges. Had I had affirmative knowledge of that, I would have included more terms like "pray for relief", "affirmative defense", and the always popular "including but not limited to". How honored am I that the RIAA holds us in such high regard :).

I haven't read Doug's Terrible Three yet, but if I find time this evening, will probably have something to add on the topic.
~CodeWarriors Thoughts

James said...

"How does a lack of evidence of copyright infringement on the hard drive favor the hypothesis that the defendants were guilty rather than innocent?" -friendly slashdotter

It's pretty simple, if you're looking at it the way the RIAA is looking at it. The case was based on speculation from the get-go, and this is just more of it. The only way to reconcile this with rationality is that Dr. Doug is under the assumption that a different hard drive was used, which with a lack of evidence to that effect is not very rational at all. Dr. Doug has conceded they have no case against Ms. Lindor and is presenting that concession as evidence for the RIAA's case against Ms. Lindor. I suppose only an "expert" could arrive at such a conclusion.

If Dr. Doug was an "expert" meteorologist, he might say that Switzerland's lack of a coastline makes it likely to be struck by a hurricane, or that the Blizzard of '78 was evidence of global warming.

Ryan said...

So it's been mentioned, but we have (as I see it) 2 options here. Either the HD the Lindors gave to the RIAA was the one that she has been using as claimed by the defense. In that case there is no evidence of Kazaa on the computer, case closed. The additional HD being rather irrelevant because Kazaa still leaves a trace in the registry and main system drive even if "installed" to another drive.

Second, we take the original RIAA claim that the Lindors did an evil switch on the drives and gave him some random bogus drive. In that case it would not matter if he had found a letter saying "we did it, and we stole your cookies too" because it would be the wrong drive. Making his statement that an external HD was connected to the wrong computer rather irrelevant.

So all in all my question would be at what point do you get to ask for sanctions? (Yes, I know Ray can't / shouldn't answer that one but I'm curious :P) This seriously reeks of eating my cake and having it too. Well at least having YOUR cake :D

Anonymous said...

Ray: Thank you for taking on RIAA. I think you have enough comments on how poor the expert testimony is.
Anonymous comments are critical to a free society. However, even anon bloggers get sued, etc. No privacy on internet, unless you run the show.
Google for a blog, grr, well I understand you're busy and at least getting things done, however TOP quality IT is needed for good facility of ideas and integration with busy experts, who don't have time to jump through the hoops or websites for documents.
I am thankful for the website RIAA vs The People, and your blog, but better information systems would go a long way for getting things done.
best of luck putting up with the ugly informational issues in IT.

Note: this blog is hard to use under lynx, about the only secure [with modifications perhaps] acceptable browser out there. Firefox for legal work on the internet is NOT acceptable, along with many operating systems, they should be laughed out of the court room. But then again, most lawyers are still stuck on .pdf, go figure who should be laughed out first.
Happy holidays, and best of luck.

12345678910 = all that fits on line in lynx with this blog system.

raybeckerman said...

It's not that lawyers like *pdf. It's that the court system adopted *pdf as the uniform standard. So we're stuck with it.

Anonymous said...

Seeing the mention of the USB drive having been attached to the PC does bring up another possibility.

On the assumption that the PC was running Win XP (as older versions required a user to enter their log-on details, most PCs just logged on automatically to a default log-on rather than one log-on account per user), every time a user logs on or off the PC (or Win XP starts/shuts down), a record should have been written to the event log. This being the case, it may be worth asking the RIAA expert for evidence that the PC was switched on and with a user "logged on" at the time of any and all alleged file sharing activities. After all, if the PC wasn't on, how could they have done it?

This is something I would have expected to have been done at a very early time by the expert, probably after:
1) checking for files supposedly shared.
2) checking for presence of KaZaa software.

Failure to provide any evidence of having checked this (or to provide evidence that the PC was running with a specific user logged on) would, I assume, have to have some detrimental effect on the RIAA's case, as they have not made all possible efforts to ascertain that they do in fact have the correct defendant in this case. In addition, overlooking such a simple item would tend to lower the credibility of their expert's "expert" status.
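The check this comment asks for, as an added example that is not part of the original comment and not the expert's method: it rebuilds power-on sessions from event-log records and classifies an alleged time as on, off, indeterminate or outside the log. It uses the Windows System-log Event Log service start (6005) and stop (6006) records rather than per-user logon records; the sample records and function names are constructed for illustration.

```python
from datetime import datetime

EVENTLOG_STARTED, EVENTLOG_STOPPED = 6005, 6006  # System log, source "EventLog"

# Constructed sample records (timestamp, event id), not taken from the drive in the case.
RECORDS = [
    (datetime(2004, 8, 6, 18, 2), 6005),
    (datetime(2004, 8, 6, 23, 40), 6006),
    (datetime(2004, 8, 7, 8, 15), 6005),   # no 6006 follows: power loss or crash
    (datetime(2004, 8, 8, 19, 30), 6005),
    (datetime(2004, 8, 8, 22, 5), 6006),
]


def build_sessions(records):
    """Return [(start, end)] power-on sessions; end is None when no clean stop was logged."""
    sessions, start = [], None
    for when, event_id in sorted(records):
        if event_id == EVENTLOG_STARTED:
            if start is not None:          # previous boot never logged a stop
                sessions.append((start, None))
            start = when
        elif event_id == EVENTLOG_STOPPED and start is not None:
            sessions.append((start, when))
            start = None
    if start is not None:
        sessions.append((start, None))
    return sessions


def machine_state(when, records):
    """Classify `when` as 'on', 'off', 'indeterminate' or 'outside-log'."""
    ordered = sorted(records)
    if not ordered or when < ordered[0][0] or when > ordered[-1][0]:
        return "outside-log"               # log may have wrapped or been cleared
    sessions = build_sessions(ordered)
    for index, (start, end) in enumerate(sessions):
        if end is not None and start <= when <= end:
            return "on"
        if end is None:
            next_start = sessions[index + 1][0] if index + 1 < len(sessions) else None
            if start <= when and (next_start is None or when < next_start):
                return "indeterminate"     # booted, but shutdown time unknown
    return "off"


if __name__ == "__main__":
    for alleged in (datetime(2004, 8, 7, 3, 0), datetime(2004, 8, 7, 12, 0)):
        print(alleged, machine_state(alleged, RECORDS))
```

Only the "off" result contradicts an allegation outright; "indeterminate" and "outside-log" mean the records cannot answer the question either way.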

Anonymous said...

Question about the USB drive. Suppose a friend plugged in their external drive with a legal ripped copy of the song on it? The friend took the external drive away and is now gone.

The other question is how would Dr. Doug know that Media Player used a song in 2004, I'm not sure but I don't think Media Player keeps any kind of MSE that long.