Thursday, January 31, 2008

MediaSentry document response received in UMG v. Lindor

In UMG v. Lindor, MediaSentry has served its initial response to Ms. Lindor's subpoena duces tecum.

The initial response consists exclusively of MediaSentry affidavits which have previously been publicly filed by the RIAA's attorneys.

MediaSentry's attorney has indicated that he is not seeking confidentiality as to any part of the initial response. Accordingly, we are able to make them available here, at this time, to practitioners.

MediaSentry Subpoena Response Part I*
MediaSentry Subpoena Response Part II*

* Document published online at Internet Law & Regulation



Scott said...

On the one hand, Tom Mizzone states that "... MediaSentry does not do anything that a user of a peer-to-peer network cannot do and does not obtain any information that is not available to anyone who logs onto a peer-to-peer network." But that contradicts his company's claim that their methods are proprietary. If anyone can do it, then it can't be proprietary. It seems like they want it both ways.

Igor said...


I think the second document is huge here even with the limited answers it provides.
A) So there were multiple IP addresses that the defendant had over a period of 6 days. This would imply several things but most importantly that the Inet company switched IP addresses pretty frequently for each user. This would necessitate massive logging on their part to keep track of who has what IP address at what time. Perhaps through discovery the log for all IP address leases can be discovered for the 6 days in that time window--to see if it even exists and if they could even identify a person from that log. As a point of comparison, in the two places where I help manage home routers, Comcast has not changed the IP address in over a year.

B) The other interesting thing is that it would seem that this inet company is very liberal in their IP address assignments. That is, most of the time when my inet provider gives me a new IP address (which as I've stated is not frequently at all) they usually only change the last 3 numbers. So for example for an IP address only xxx would normally change and more rarely yyy would change. It's very odd that a computer in the same physical location would have zzz change within a 6 day period as it requires updating a lot of routing tables (though this does appear to be a DSL IP address so they may work a little differently--but I don't think that much differently).

C) They confirm that they got it for free and that they were an agent of the copyright holder.

D) More interesting technical note is that they say they downloaded the file. If this is the same case as the packet logs you got earlier they definitely did not record this download (or rather the packets with the actual parts of songs were not disclosed). Also they say they gave the files to the RIAA. How did they do this? Where are the files they gave?

E) "They recorded screen shots showing the computer distributing hundreds..." That is an egregiously false statement. In fact IANAL that is perjury. Their screen shots showed a list of files that they received over their internet connection. They did not show "distribution" as that would require an actual screenshot from the alleged infringer's computer and even still would require to tap their actual internet connection to actually show that it's distributing and not just a graphic on a computer showing a progress bar. All their screen shot shows is a list they got from an alleged infringer, not "distribution". So IMO while RIAA can claim distribution in their lawsuit, Media Sentry cannot with their screen shot as it is blatantly false (evident to even a first year computer science student).

F) In point 6. Notice they said copied and not downloaded. I think that's an interesting thing to keep in mind.

G) Media Sentry never actually listened to the MP3 files to check if they were files nor did they perform any checksum on them (according to this very incomplete affidavit). Which means they can't actually verify that these were in fact music files or just files that had a name similar to the music files.

H) What is downloading a "number" of files on each of the 3 occasions. How many? How many did they give to the plaintiff? Were they all different files? Which files were downloaded when? Which did not belong to the plaintiff or were fakes thanks to MediaDefender?

*Note this is only my analysis of the first (or first 2 if you count the duplicate) declaration.
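The verification that point G says is missing from the affidavit, sketched as an added example (not part of the original comment and not MediaSentry's tooling): hash each downloaded file and check that its bytes actually parse as MPEG-1 Layer III audio instead of trusting the filename. The sample bytes, filenames and reference hash table are constructed for illustration, and the parser assumes a simplified layout (optional ID3v2 tag followed directly by audio frames).

```python
import hashlib
import struct

# MPEG-1 Layer III lookup tables, indexed by the header's bit fields.
BITRATES_KBPS = [None, 32, 40, 48, 56, 64, 80, 96, 112, 128,
                 160, 192, 224, 256, 320, None]
SAMPLE_RATES_HZ = [44100, 48000, 32000, None]


def skip_id3v2(data):
    """Return the offset just past a leading ID3v2 tag (0 if there is none)."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    size = 0
    for byte in data[6:10]:          # 28-bit "syncsafe" size, 7 bits per byte
        if byte & 0x80:
            return 0                 # malformed tag: treat as no tag
        size = (size << 7) | byte
    footer = 10 if data[5] & 0x10 else 0
    return 10 + size + footer


def frame_length(data, off):
    """Length of the MPEG-1 Layer III frame at off, or None if the header is invalid."""
    if off + 4 > len(data):
        return None
    (hdr,) = struct.unpack(">I", data[off:off + 4])
    if hdr >> 21 != 0x7FF:                              # 11-bit frame sync
        return None
    if (hdr >> 19) & 3 != 3 or (hdr >> 17) & 3 != 1:    # MPEG-1, Layer III only
        return None
    kbps = BITRATES_KBPS[(hdr >> 12) & 0xF]
    rate = SAMPLE_RATES_HZ[(hdr >> 10) & 3]
    if kbps is None or rate is None:
        return None
    padding = (hdr >> 9) & 1
    return 144 * kbps * 1000 // rate + padding


def looks_like_mp3(data, min_frames=3):
    """True if min_frames consecutive valid frame headers follow any ID3v2 tag."""
    off = skip_id3v2(data)
    for _ in range(min_frames):
        length = frame_length(data, off)
        if length is None:
            return False
        off += length                # the next header must sit exactly here
    return True


def examine(name, data, known_hashes):
    """Record what the bytes are, independent of what the filename claims."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "name": name,
        "sha256": digest,
        "is_mp3_audio": looks_like_mp3(data),
        "matches_reference": known_hashes.get(digest),
    }


def _frames(fill, count=3):
    # Constructed data: 128 kbit/s, 44.1 kHz frame headers with a dummy payload.
    return (bytes.fromhex("fffb9000") + bytes([fill]) * 413) * count


# Constructed samples: three files with near-identical names, different content.
ID3_TAG = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + bytes(10)
REFERENCE = ID3_TAG + _frames(0x00)
SAMPLES = {
    "Artist - Track A.mp3": REFERENCE,
    "Artist - Track A (copy).mp3": _frames(0x55),
    "Artist - Track A (decoy).mp3": b"plain text, not audio\n" * 40,
}
# Hypothetical reference table mapping known-good hashes to titles.
KNOWN_HASHES = {hashlib.sha256(REFERENCE).hexdigest(): "Track A reference (constructed)"}


def build_report():
    return [examine(name, data, KNOWN_HASHES) for name, data in SAMPLES.items()]


if __name__ == "__main__":
    for row in build_report():
        print(row["name"], row["sha256"][:16], row["is_mp3_audio"], row["matches_reference"])
```

Only the first sample both parses as audio and matches the reference hash; the second is valid audio with different content, and the third is not audio at all despite its name.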

Igor said...

I'll have more later when I have a chance to read the files fully but three more things struck me skimming the other documents:

a) Kazaa and "i2hub" were based on two distinct protocols and work completely differently yet MediaSentry cuts and pastes the text describing both.

b) I2Hub was limited to a research network and not available over regular internet. So how did Media Sentry get access to i2hub? If they refuse to say then there should be a motion to dismiss claiming they made their access to i2hub as it's using Internet 2 mostly used by research universities.

c) I2hub was not a program. The program was called Direct Connect (plus)...DC+.

d) If Media Sentry does nothing a normal user cannot do with the functionality of the sharing is their data proprietary? Everything they do is easily done with COTS software (wireshark, paint, etc). One of the few things that they could possibly have that is proprietary is their script they wrote to do this automatically (which is a big question). If it is the case, what oversight is there by humans to all of this and what is automatic?

raybeckerman said...

Thanks igor. You are a gem.

Anonymous said...

There is no justification in placing this substantial burden and expense on SafeNet, a non-party in this proceeding.

According to SafeNet, you're simply not allowed to investigate the investigators, and their illegal, inaccurate, secret methods.

SafeNet objects to the definition of "Digital Data" as vague and ambiguous.

And I object to the term: Media Distribution System each and every time I see it. Get over yourself! We all know what Digital Data is. It's anything on your hard drive, backup tapes, CDs, DVDs, or other computer memory devices.

In gathering evidence of infringement, MediaSentry does not do anything that any user of a peer-to-peer network cannot do...

Wiggle-Worded Crock! Here is where you really need to see what SafeNet actually does in their investigations. Sure they can say that they have an Internet connection and computer like everyone else so that makes them like any other user of a P2P network. But they're probably not running any programs that a normal user uses, and as a result get different results than any normal user might. In short, SafeNet may well find files no other user could ever download because of their different methods of searching for them. For example, a normal P2P user never sees the IP addresses of those uploading or downloading from them. SafeNet does. Ergo, they're not doing things like a normal P2P user, even if they're using the same hardware and connection.

"MediaSentry detected hundreds of digital audio files being distributed for free from a computer connected to the Internet using a specific Internet Protocol ("IP") address on the following occasions..."

At least they're honest enough to say that they detected a "computer" and not an "individual". The RIAA seems to have that part lost in translation. Of course, they're dishonest in saying that every file was an audio file containing copyrighted content, since they only sampled a few of them.

MediaSentry's methods for detecting copyright infringement over the internet are a trade secret and constitute confidential commercial information. MediaSentry has invested tens of thousands of man-hours developing its investigative software, tools, and methods of applying its software of the five years of its existence.

And here all along I thought they just went out onto the internet like any other P2P user to find and download files. In fact, didn't they just say something like that above?

Of course Elizabeth Hardwick then says: "In gathering evidence of infringement, MediaSentry does not do anything that any user of a peer-to-peer network cannot do..."

I guess she means any user after they've spent tens of thousands of man hours over five years developing software and tools not available otherwise. Sure, that kind of user.

Tens of thousands of man hours at 2000 man hours per year over 5 years sure doesn't sound like any other peer-to-peer user I've ever heard of. SafeNet must be brimming full of secret software they use, all of which needs to be reviewed and audited (think of radar gun defendants in traffic court) for proper and accurate results, since we're talking about ruining people's lives here otherwise.

MediaSentry's process for identifying potential infringers and gathering evidence of infringement has multiple fail-safes to ensure that the information gathered is accurate.

Trust us! We just told you we never make mistakes about this!

…screen shots captured by MediaSentry on August 10, 2004 showing the list of files that the computer connected to KaZaA with the IP address of was distributing 816 audio files…

Oh really? Actually distributing? All 816 at once? Or might this be more accurately and truthfully called, "potentially making available for distribution"? Did any of your fancy software actually catch this computer in the act of actually distributing anything to anyone but you? This is the reason you can't be allowed to hide behind declarations. You need to be called out on these inaccuracies to your face.


Anonymous said...

If I was practicing in this case, I would make an immediate motion for perjury against Mr. Tom Mizzone.

There are three principal reasons:

1) He never conducted the test himself.

2) No chain of custody or how electronic records were/are protected from alteration.

3) False statements: (eg, "traceroute log files are not automatically produced, on any system. Thus, a human being (operator) had to type a specific command-line in order to produce the results.)

4) In order to collect evidence, you need to be a licensed investigator in every state you operate. I've checked with ten states and neither Tom Mizzone nor MediaSentry has such licenses. Thus he is now an admitted criminal and should be prosecuted.

I hope Mr. Tom Mizzone has a good personal attorney, he is in need of one.

Virtualchoirboy said...

I may have figured something out as I'm reading through the first document, but since we all know the "opposition" visits here, I will send it directly to you Ray. That being said, I'll give everyone a hint - it all comes down to semantics.

Art said...

These documents show that MediaSentry investigated without a license, trespassed on other people's computers, and took private property off of those computers' hard drives.

Also, they disclose that they have no evidence of continuing infringement, nor that the files they stole (RIAA says copying is stealing) were ever listened to by anyone to verify they were not polluted files.

Under penalty of perjury they falsely declare that "distribution" has occurred, when at best the facts only support "making available".

RIAA only uses MediaSentry (as far as we know based on court filings) and RIAA is a virtual monopoly. Who exactly are MediaSentry's competitors? Can they name one? Who would their competitors work for if they're not working for the RIAA?

They also show in their response to item 25 that they can't understand plain English:

25. All documents identifying, evidencing, referring to, or otherwise concerning the date, time and location that downloaded files with respect to The Account were listened to.

SafeNet objects to this Request on the grounds that it is unintelligible as written.

This submission from MediaSentry would all be laughable if it wasn't the evidential basis for the RIAA's "campaign of terror".


Anonymous said...

This excerpt is cross-posted here upon request to make an important point about SafeNet's contradictory declarations. The case referred to is Warner v. Lewis, which is posted just above this blog entry.

This case seems like an excellent one for an amicus curiae to ensure that the judge is fully aware of all the issues relevant to the incomplete, illegal, illogical, and plain outright faulty "evidence" that the RIAA routinely presents. Starting with the very first line of the RIAA motion that states in Background: Users of peer-to-peer networks who distribute files over a computer network can be identified by using Internet Protocol ("IP") addresses because of the unique IP address of the computer distributing the files… Of course, actual "users" can never be identified in this manner.

In Warner v. Lewis the RIAA contends: When available, MediaSentry invokes this feature of a peer-to-peer program, just as any other user could do…

Yet here, SafeNet has already declared that the programs and methods they use are a result of tens of thousands of man-hours over five years of effort to develop. Doesn't the RIAA even read the declarations of their investigators?


Anonymous said...

I'd have to disagree with your point B about the frequency of changes for zzz assignments in addresses. For the providers I've worked with in the area I live this is pretty common for both dial-up and DSL. In fact, I can't say I've ever seen a DHCP assignment change that involved only xxx on anything other than private networks. zzz changes are highly common with even occasional aaa changes. For our DSL here at home we usually get but once in a while .

I do agree, though, that for these changes to happen a number of times within a 6-day period is highly unusual for an 'always-on' connection, at least in my experience.

Anonymous said...

I'm not sure how helpful this is, but here's a link showing each state and whether there is a license required to be a private investigator.

TwoCents (or maybe just one)

Virtualchoirboy said...

At Ray's request, I am posting my direct comments to help further the discussion here:
While reading the response from MediaSentry, aside from the rampant "pay no attention to the man behind the curtain" and "just trust us" type replies, I believe I've hit upon the truth of what they are saying. It started in the "Declaration of Tom Mizzone" at item 4 (pg 13 of the first PDF)

4. In gathering evidence of infringement, MediaSentry does not do anything that any user of a peer-to-peer network cannot do and does not obtain any information that is not available to anyone who logs onto a peer-to-peer network. Thus....
... it is using functionalities that are built into the peer-to-peer protocols that each user has chosen...

The critical terms that I've tried to highlight above are "network" and "protocols". In this point, they have taken care to be very specific and yet specifically vague about what they are doing. The way I now read this is that yes, they do have proprietary software, but that software purports to follow the defined protocols for accessing the P2P network and requesting information. The first thing to understand is that they are using the "protocols", not the software. The protocol defines how software that connects to that specific type of network is supposed to behave. What commands it is supposed to accept and what replies it needs to give to said commands.

I think the best way to help understand this is with Windows Explorer and any file in a directory of your choosing. As long as the directory contains a single file, you will be able to follow along.

If you open Windows Explorer and navigate to that directory, you'll see a list of files. You'll definitely see the filenames. If you change the view to the "Details" view (View menu, Details), you'll also get to see the "Type" of file, its Size and the date the file was last Modified or changed. This would be analogous to what the average KaZaA user sees when searching for files. They see the filename and some additional limited information - type, size and for select media files, run length/time.

However, there is a lot more information available. If you pick any file and right-click on it, a "context menu" will appear. On this list of options will be "Properties" (usually at the bottom). On the screen that appears, you should now be able to see the date the file was created, when it was last accessed, attributes such as Read Only or Hidden, and two different sizes - the raw file size and how much space it actually takes up on your hard drive.

This would be analogous to the software that MediaSentry has created for their use in "searching" peer-to-peer networks. Since the user being "investigated" is running software that uses the standard protocol, MediaSentry's software gives them (MS) a way of using the defined commands within the protocol to do the equivalent of the right-click in Windows Explorer. Their software automatically captures the IP address, files being shared, and so on. While this is bad news to the quality of data they have captured, it should open them up to certification/quality questions that they likely cannot answer.

The question I would ask relating to their "any user of peer-to-peer" is:
- Can MediaSentry identify any software, either free or commercial, that is generally available to consumers that could collect the exact same information they collected in their investigation without modification? In other words, is there any "off the shelf" program out there that can do the same thing?

I would expect them to object to this on the grounds that it's too vague or burdensome, but the reply is that since they have repeatedly stated in many cases that ANY USER can do it, we're looking for examples of similar investigation capabilities. My idea here would be to try to get them to admit that they are using specialized/custom software that the general public has no access to. The next step would be to make the analogy to a licensed private investigator and tools they are allowed to possess due to the nature of their license that the general public cannot. The first thought is "bugs", "wiretaps" or, more properly, "concealed listening devices".

Some additional questions that come to mind regarding the "investigation" process are:
- How many people participated in the investigation at the search data collection stage? In other words, before the information was handed off to the RIAA, how many people had a part in finding and collecting the information on this specific case?
- What technical training did the investigator(s) receive and when did they receive it? Was there an associated certification and if so, was it still in force at the time of the investigation?
- What logs does the software make? What security measures does their software implement to safeguard against modification of said logs?
- What sort of information or data does the software store in order to be able to recreate the information capture? For example, packet logs, screen shots, files downloaded, etc. What security measures are used to safeguard this information from modification?
- Using the logs, information and/or data saved, can the software re-create the reports attached as Plaintiffs exhibits?
- Are the reports attached as exhibits created by the software or by a person? If created by a person, what safeguards are used to prevent errors?
- What sort of testing/quality assurance has the software been subjected to? If automated, what testing suite was used?

And finally, some questions on this particular case:
- Were the sample files downloaded one at a time (sequentially) or all at once (parallel)?
- Approximately how long did the overall download process take, to the nearest second?
- If files were downloaded sequentially, how long did it take to download each song, to the nearest second?

If you get them, the download times should be compared to the overall size of the files downloaded divided by the "upload" speed of the Internet connection. A significant discrepancy (e.g. 30 second download vs 150 second calculated download) could show that the files were NOT downloaded from a single source.

I know that's a lot, but wait... there's more...

7. Metadata may include a wide range of information about a file
- And just where does this Metadata come from? How is this information associated with the file? What guarantees are there that the information is accurate?

8. Once MediaSentry has found a user disseminating files that appear to be copyrighted works...
- What specific facts are used to determine whether or not a file is a copyrighted work? If the facts are arbitrary and determined at the time of investigation, what training is given to the investigator to reduce or eliminate errors whether due to personal prejudice or ineptitude?

9. ...the individual was distributing for download...
- (I know they're not, but...) Are they implying they have evidence of actual distribution between the user being investigated and other users on the network OTHER than MediaSentry?

11.+ approximately 6:15 A.M. EDT
- Don't they have logs that can show them EXACTLY what time? If they do not have exact times, how can they be certain they are requesting the correct information from the ISP?

11.+ ...file captured by MediaSentry
- Define captured. Do they mean created automatically by the proprietary software as a log? Do they mean downloaded from the remote computer?

What I also found interesting was the edited version starting on page 22 of the PDF. Was the time 6:12 A.M. or 6:15 A.M. ? There seems to have been some confusion.

And now, on to the declaration of Thomas Carpenter...

6. Much of the unauthorized copying and dissemination....
- It's a minor point, but define "much". This is especially important in light of the recent admission by the MPAA that their numbers regarding piracy on college campuses were significantly flawed:

9. Peer-to-peer software allows users to choose what files they wish to distribute to others.
- Wasn't it during Congressional hearings that the RIAA participated in that they admitted the software typically searches and selects the files on behalf of the user without their knowledge and automatically shares them? Based on those statements, wouldn't a more accurate description be "The peer-to-peer software typically searches the user's hard drive and marks most audio and video files for immediate sharing. It would then require action from the user to disable this sharing, assuming they were informed by the software that it had been set."

10. {missing}
- The part that's missing is that in addition to receiving the file in pieces, the software will also try to connect to additional computers that have the same file and download pieces from them as well. This is done because most consumer Internet connections can receive files faster than the computers they are connected to can transmit. By connecting to multiple computers to download pieces, the download can proceed at a much faster pace. While this does make the piracy sound worse, it can be an important point to make when questioning the downloading from a defendant as I pointed out above.

Most of the remaining comments I have are exactly the same replies/questions I have to the Tom Mizzone declaration because the text is virtually identical. I do have one additional comment though:

- In relation to what factual criteria are used to determine whether or not the file is a copyrighted recording, if it's just filename, the follow-up question would be "So any user that decides to trick people by naming their files the same as a copyrighted song could potentially be targeted by your investigation?"

Of course, the most striking thing I could say about the Thomas Carpenter declarations (both PDFs) is "what the heck does this have to do with the Lindor case?" As near as I can tell, all of the declarations from him are for different cases. While the statements about the process are interesting, they represent statements and facts in other non-related cases.

The same can be said for all of the declarations of Elizabeth Hardwick. In fact, the only "proof" all those declarations provide is that the Plaintiff attorneys know how to use the cut-and-paste features to copy the generic "boilerplate" text at the beginning of each declaration and supply miscellaneous additional details at the end.

(I guess I had a lot to say, huh?)

Anonymous said...


Also, they disclose that they have no evidence of continuing infringement, nor that the files they stole (RIAA says copying is stealing) were ever listened to by anyone to verify they were not polluted files.

Excellent catch! I missed that one on the reading through until you pointed it out.

That means that the RIAA is inventing the continuous infringement argument (possibly as a dodge against statute of limitations, and possibly to make their case sound more urgent -- we're being damaged still further even as we speak, Your Honor -- in their demand for expedited discovery) with no evidence from their only investigator. They really need to be punished for that lie -- and these punishments can't be held in abeyance until the trial, since these first cases never go to trial.


Scott said...

Are there any cases where a court has ruled on the admissibility of evidence gathered by secret, proprietary methodologies?

Reluctant Raconteur said...

What are the protocols for challenging third party investigators?

I am certain there is a large body of precedence regarding the use of third parties (ie PI) to gather evidence. That evidence must have been challenged. They cannot hide behind the fiction that they just provide a service and therefore are immune from examination.

I fail to see how this inquiry is burdensome. If it is to meet evidential standards, they should be able to hand over a binder/folder with all the paperwork. This is not rocket science, this is SOP.

Anonymous said...

Reading these declarations brings up the obvious point, the RIAA must have provided an initial set of music files to MediaSentry to search for. MS wasn't just poking around at random about whatever interested them, or searching for every file in existence. Then, when they had hits on files on the list, they dumped the rest of the directory to make their case larger, and the potential infringer (remember no actual infringing activity was ever witnessed) appear even more guilty.

So what was this original list of files? And what have been the revisions to it since?

Additionally, MS has claimed in the past if the public knew exactly how they performed their investigations, they could be easily evaded by the average user. How would this evasion be done? (Goes to the heart of how effective, accurate, and legal, the MS methods are.)

And you still want to find out what IP addresses MS used. Did they use "illegal", "borrowed", or otherwise non-registered to them IP addresses? Did they engage in IP spoofing to bypass protections against them? If they can fake their own IP addresses, how can they maintain that they have gathered accurate evidence of IP addresses from other computers?

Beyond that, what other search parameters were in use? Were only recognizable KaZaA usernames pursued for further investigation? Were only files in directories marked \Share considered as obvious evidence of the user's intent? What else defined and refined the MS search methods and results? Did MS turn over evidence of every user discovered to the RIAA for them to sift through, or were only selected results against a set and agreed criterion provided to avoid burying the RIAA in too much data? What was that criterion?

Lastly, can MS evidence support the RIAA claim of "continuous and ongoing infringement"?


Anonymous said...

From the NY law
§71. Definitions
1. “Private investigator” shall mean and include the business of private investigator and shall also mean and include, separately or collectively, the making for hire, reward or for any consideration whatsoever, of any investigation, or investigations for the purpose of obtaining information with reference to any of the following matters, notwithstanding the fact that other functions and services may also be performed for fee, hire or reward; crime or wrongs done or threatened against the government of the United States of America or any state or territory of the United States of America; the identity, habits, conduct, movements, whereabouts, affiliations, associations, transactions, reputation or character of any person, group of persons, association, organization, society, other groups of persons, firm or corporation; the credibility of witnesses or other persons; the whereabouts of missing persons; the location or recovery of lost or stolen property; the causes and origin of, or responsibility for fires, or libels, or losses, or accidents, or damage or injuries to real or personal property; or the affiliation, connection or relation of any person, firm or corporation with any union, organization, society or association, or with any official, member or representative thereof; or with reference to any person or persons seeking employment in the place of any person or persons who have quit work by reason of any strike; or with reference to the conduct, honesty, efficiency, loyalty or activities of employees, agents, contractors, and sub-contractors; or the securing of evidence to be used before any authorized investigating committee, board of award, board of arbitration, or in the trial of civil or criminal cases. 
The foregoing shall not be deemed to include the business of persons licensed by the industrial commissioner under the provisions of §24-a or subdivision 3-b of §50 of the Workers’ Compensation Law or representing employers or groups of employers insured under the Workers’ Compensation Law in the State Insurance Fund, nor persons engaged in the business of adjusters for insurance companies nor public adjusters licensed by the Superintendent of Insurance under the Insurance Law of this State.

One overlooked detail is that it doesn't matter HOW they're investigating someone. Anyone can take pictures, or dig through trash, but when you're doing it to find out information about one party for a court action, and you're paid by another party, then you're doing private investigation. It doesn't matter if they're using sophisticated software, New York law seems pretty clear.

If they can't produce a license then their evidence is not admissible. Of course, the lack of admissible evidence in (request 1), suggests there is no license.


Art said...

Mike makes the excellent point that MediaSentry is working at the protocol level and not the P2P client application level. I'd add that this creates some doubt as to the accuracy of their method. E.g., the information they extract from a packet via the protocol may be unused, unreliable, or may represent data leftover from a previous packet processed by the P2P server. E.g., say the P2P server had a bug where a race condition caused the IP address within the packet to be the value taken from a previous packet transferred. Then the IP address could implicate the wrong source. Do they get a guarantee from the P2P vendor that all of the data they are collecting at the API level is reliable and accurate?

Another issue is whether they are breaking a law or license by reverse engineering the P2P protocol. E.g., DMCA anti-circumvention provisions, or the P2P software vendor's license terms. There was a case recently in North Dakota where requesting a DNS zone transfer was ruled a criminal offense (see article here). If using a public internet API is criminal, wouldn't "hacking" a P2P vendor's proprietary P2P protocol be more so (or at least a civil liability)?

Here are some gems from the Kazaa license:
[You cannot:]

2.3 Impersonate any person or entity or falsely state or otherwise misrepresent your affiliation with a person or entity;

2.5 Transmit, access or communicate any data that you do not have a right to transmit under any law or under contractual or fiduciary relationships (such as inside information, proprietary and confidential information learned or disclosed as part of employment relationships or under non-disclosure agreements);

2.11 Collect any information or communication about the users of the Software by monitoring, interdicting or intercepting any process of or communication initiated by the Software or by developing or using any software or any other process or method that engages or assists in engaging in any of the foregoing;

2.12 "Stalk" or otherwise harass another;

2.14 Collect or store personal data or other information about other users;

[You agree:]
3.2 Except as expressly permitted in this license, you agree not to reverse engineer, de-compile, disassemble, alter, duplicate, modify, rent, lease, loan, sublicense, make copies, create derivative works from, distribute or provide others with the Software in whole or part, or otherwise transmit the Software over a network. You also agree that you will not attempt to decompile, reverse engineer or hack any communication initiated by the Software or to defeat or overcome any encryption and/or other technical protection methods implemented by Sharman or its third party partners with respect to the Software and/or any data or file transmitted, processed or stored on or through the Software.

3.4 You may not use, test or otherwise utilize the Software in any manner for purposes of developing or implementing any method or application that is intended to monitor or interfere with the functioning of the Software.

3.6 You may not use unlicensed or unauthorized copies of the Software for any purpose, including, without limitation, to obtain information about other users of the Software.

Another of Mike's excellent points is about the possibility that the files they downloaded came from multiple sources. There appears to be no methodology used by MediaSentry, and no evidence collected by them, to determine whether or not the files downloaded by them came from multiple sources.


Anonymous said...

I'd like to point out that just because a P2P program allows for the dissemination of material, it does not necessarily follow that browsing someone else's computer directory is allowed. I point out the recent case where executing a "zone transfer" was considered hacking. Link:

In this light, perhaps the investigators are crackers. After all, they claim to have spent tens of thousands of hours developing their tools. If so then the information they are gleaning from other people's computers is "not public" and amounts to the crime of "hacking."

I might agree with a more reasonable approach to publicly available information, but that's not the precedent set.

raybeckerman said...

People who log in anonymously, please give us something to call you so we'll know who you are in terms of the ongoing dialogue.
Best regards

raybeckerman said...

Since I have to use comment moderation there's a built-in delay on comments going live. I apologize for that, and will do my best to pay special attention to this thread and to keeping the delays as short as I can.

Anonymous said...

Just a follow up to the comments Mike made about the "metadata." IMO the metadata can become an important issue. Possibly because many people have seen it, in some form or other, and so feel more familiar with it. Unfortunately, this may translate to a sense that the information has some accuracy to it, which isn't necessarily true.

I have been in a courtroom where a witness spoke about certain information contained in file metadata. Unfortunately, everything they said was false. Thankfully, it didn't end up making any difference.

The judge had no idea, but perhaps felt that the assertions were reasonable, given the information in the metadata. The judge just didn't have the actual knowledge to know better, and neither did opposing counsel. It is also trivially easy to change file metadata, so questions about how such data has been preserved are definitely worthwhile.

Also, does anyone know if P2P programs actually create a text file of metadata in the shared directory?

TwoCents (or maybe just one)

Anonymous said...

> Are there any cases where a court has ruled on the admissibility of evidence gathered by secret, proprietary methodologies?

Yes, actually. The "source code defense" has become very popular among people who want to test their DUI convictions because the breathalyzer makers are VERY reluctant to give out any information on how their products work, even under a court order protecting them.

I think that's shady, personally. They ought to be able to prove their reliability if these devices can ruin someone's life and if they're not willing to, that means they're automatically suspect to me. I hate DUIs, mind you, and I can count every time I've ever had alcohol on one hand, but I *really* hate the notion of convicting someone with secret evidence produced by people with no accountability for inaccuracy.

Hmmm, I wonder if there are any useful precedents over there that could be used against SafeNet? Of course, that's all criminal and these are all civil.

Anonymous said...

Two points I want to make.

1) The RIAA attorneys and Media Sentry personnel are using improper terminology for the purpose of deceit. There is no other explanation. Now let me explain. Statement of fact: An IP address identifies at best a computer process and at worst an application layer relay (again a computer process), and nothing else, nothing more! It does not and can not identify a computer. It can not identify a user (human being). It can not identify a network device. There is not and can not be any basis to say anything else.

Note: with bots, netbots, rootkits, ssh, and other hacker tricks, it is possible the computer process is neither the originator nor the terminator of any internet traffic, but merely a relay, there is nothing that can be used to determine otherwise from only a single internet connection point. And any person who says otherwise is lying. It is really that simple. Unfortunately, judges are not network engineers, protocol experts, electrical engineers, digital investigators, so don't have the required background to make informed decisions. It is a sad but true statement about American justice!

Thus when either RIAA or Media Sentry substitute the word (user) or (computer) in any claim that an IP address identifies they are being knowingly deceitful.

Analogy: Several people live at a house, only one of them is doing something illegal, which one is it? They are using guilt by association to obtain discovery to which they are not legally entitled.

If IP addresses are such a reliable means of identifying a person, why does the FBI have so much trouble with spammers or terrorists?

2) The requirements for Digital Records to be used as evidence require a complete list of things missing in the "so-called" evidence the RIAA and its attorneys present. What is most telling is how both the RIAA and Media Sentry fail to address these issues. Notice there is no information on the personnel involved, training, certification, licensing, or collection and preservation methods used by either Media Sentry or RIAA attorneys. The rules of evidence for Digital Records just are not being ignored. Where is the chain of custody documentation? Why judges don't have a better grasp of these issues I still can't explain. The most critical issue is prevention and preservation methods and techniques to prevent alterations including both additions and omissions of digital records. On this basis alone, all Media Sentry evidence should be excluded. If that evidence is excluded, lacks proper foundation, then the discovery is improper and should be excluded, ergo the RIAA does not and can not show proper grounds for bringing any legal action. Again, why judges haven't put a stop to this is beyond me!

Anonymous said...

I believe that the New Jersey Supreme Court just recently forced a breathalyzer maker to give up its source code. Good thing the attorneys fought for it, because apparently the source code was riddled with significant problems. A great example of why you shouldn't trust that technology is "always right". Make them prove it.

TwoCents (or maybe just one)

Virtualchoirboy said...

Art, unfortunately, they likely did NOT reverse engineer KaZaA or any similar application. While we do commonly chide them for an immense lack of common sense, even they are not that foolish. You have to remember that KaZaA and other similar P2P applications use the FastTrack protocol. That is actually an Open Source protocol available for free and anyone can develop applications with it. You can find the original developers with a quick Google search.

And before anyone starts claiming "open source means they have to release the source code", that's not entirely true either. They are only required to release the source if they distribute it beyond their company AND if so, only the recipient needs to receive source code to remain compliant.

I still believe the repeatability and security methods can be a huge angle. As an example of a company that does it right, take a look at the makers of MobilEdit (software package to connect computers to cellular phones). They have a "Forensic" package used by law enforcement around the world. It's very enlightening to see right on their website where they describe IN GENERAL some of the security measures used to ensure the reliability of the data. For more info, check the bottom of this page:

- Mike

Anonymous said...

"And you still want to find out what IP addresses MS used. Did they use "illegal", "borrowed", or otherwise non-registered to them IP addresses? Did they engage in IP spoofing to bypass protections against them? If they can fake their own IP addresses, how can they maintain that they have gathered accurate evidence of IP addresses from other computers?"

I think that is a very interesting point. All of the RIAA cases rely on the idea that IP addresses can be reliably traced back to a liable party. The extent to which MS hides or spoofs IP addresses to conceal its identity contradicts this contention.

Plus, MS' assertions of the burdensomeness of the requests is a remarkable bit of hubris. They are (unlicensed) investigators who apparently think that they may selectively provide only inculpatory evidence and exclude all exculpatory evidence from scrutiny, and hide the method and means by which they create their alleged evidence.

Reluctant Raconteur said...

A slightly different tack.

Been a long time since I used kazaa but I believe that there was the ability to limit the number of uploads at any one time. If you set it to zero, you were an anti social leech, but nobody could upload anything from your computer no matter what you had in your shared folder.

I don't know if a computer configured in that way would show up on their searches but does the proprietary software respect that configuration setting or bypass it?

Hard to be in continual infringement if you have the application set to share with none.

Reluctant Raconteur said...

I have to agree with the point about the need to examine the source code and processes. The examples that I can think of are evoting machines and the mentioned breathalyzers. In both cases the software was found to be less than advertised.

Anonymous said...

Conversation I'd like to eavesdrop on:

Settlement Support Center: The evidence of your guilt has already been secured. Now send us the money.

Extorted Citizen: I'm with the [fill in state] Consumer Protection Agency. Please give me the license name and number of the investigator who has provided you with this evidence.

Settlement Support Center: Uh…


Unknown said...

Another point, how can Dr. Doug testify about what someone else is doing unless he has direct (read first hand) knowledge and without it being hearsay?

Lior said...

Regarding the "any user"/following protocol and the "DNS case" discussion:

I think the decision in that case is wrong, and that, as a matter of policy, interacting with a computer connected to the internet according to the protocols should never be considered cracking or be illegal (as "computer misuse" -- I say nothing about conducting investigations without a license). If the user chose to install software on their computer that communicates with the rest of the world according to certain protocols, then that should be in principle an invitation for the world to interact back with the user's computer according to the protocols.

The way to attack MS's behaviour here is via: 1. investigating without a license 2. violating Kazaa's terms of use, to the extent that they are applicable to someone who doesn't use Kazaa software. The fact that they had to connect to Kazaa servers to get referred to individual uploaders may be the hook that would subject them to the TOS.

Lior said...

also posted to slashdot: suggesting to the jury that files with titles matching copyrighted music may not have been in fact copyright music would be the way to go in a criminal trial ("reasonable doubt" standard) but would only alienate the jury in a "preponderance of evidence" trial (they will react to this as a conspiracy theory unless you have pretty solid statistics that many titles on Kazaa are misleading). I think Jammy Thompson's lawyers tried to create doubts of this type and this backfired against their client.

On the other hand, what should resonate with the jury is: "You say you didn't bother to check if the files you downloaded were valid MP3 files, let alone whether they actually contained the music their titles seemed to imply they contained. Would a careful investigator in your position have also failed to take these steps? Are there other places where you expect us to draw conclusions from the evidence you gathered, but where you could have easily checked the real situation? You say you followed industry-standard procedures in your investigation. Is this kind of sloppy work the industry standard?"

Lior said...

Regarding the "Intoxylizer" cases, read the excellent analysis by Ed Felten. Extract:

So this issue is not about open source, but about ensuring fairness for the accused. If they’re going to be accused based on what some machine says, then they ought to be allowed to challenge the accuracy of the machine. And they can’t do that unless they’re allowed to know how the machine works.

You might argue that the machine’s technical manuals convey enough information. Having read many manuals and examined the innards of many software systems, I’m skeptical of such claims. Often, knowing how the maker says a machine works is a poor substitute for knowing how it actually works. If a machine is flawed, it’s likely the maker will either (a) not know about the flaw or (b) be unwilling to admit it exists.

As Felten points out, the solution to the claim that the software (or methods) are proprietary is a protective order, not relief from the subpoena. It doesn't matter if the software is a trade secret, if it contains components that they only got under an NDA or if they need to hide their methods from other potential targets to investigate. Your particular client deserves to know what they did and how they did it.

Also, the real goal should be kept in mind here. You are trying to show their methods are unreliable, but they are the ones under obligation to show their methods are reliable. Giving you the source code is one way for them to support their assertion of reliability, but it isn't the only possible way, and actually it is a pretty bad way.

The point is that you, your hired experts, or even all of us checking the source code looking for bugs [if there's no protective order] would be an extremely inefficient and unreliable way to demonstrate effectiveness, and it would put the burden on the wrong party. Not that it shouldn't be done, but it's important to realize that just because you can't find bugs in their code doesn't show that it does what it's supposed to do.

Things are really supposed to work the other way around: they are the ones who should be busy proving their methods work. And proving that by source code review is really hard. A much better way is by experiment and experience: "here is a double-blind experiment where we used the software and got the right result 99.5% of the time" would convince me much more than: "here's our source code which is supposed to do X. Since you couldn't find bugs in it it must do X".

A final thought: their evidence-gathering methods seem sloppy enough that there must be errors in the software too, and this makes getting the source code worthwhile. But don't paint yourself into a corner where they can say "defendant couldn't impeach our source code so our methods must be reliable".

Anonymous said...

"also posted to slashdot: suggesting to the jury that files with titles matching copyrighted music may not have been in fact copyright music would be the way to go in a criminal trial ("reasonable doubt" standard) but would only alienate the jury in a "preponderance of evidence" trial"

I dunno. If neither MS nor the RIAA will cough up the allegedly downloaded files, I'd ask them at trial, "You said you downloaded music. Where is it? Where is this key piece of incriminating evidence you swear repeatedly you downloaded? If you downloaded music then you'll have a music file. Play it for us so we can hear it."

Of course, the temptation to provide a music file would be very high and they could easily "produce" one, claiming it was the one downloaded from the defendant by copying a file and saying it is the one. So, they need an air tight chain of custody to prove the continuity. We already know with reasonable inference from their omissions that they didn't spend any of those thousands of man hours programming in authenticatable chain of custody logs and that all of their logs are likely editable without leaving a trace. That is especially important since no defendant has been able to make a forensic image of the accusing computers whereas the RIAA has made many forensic images of defendants' hard drives--regardless of how much private, proprietary, copyrighted, patented, privileged and trade secret information defendants may have on their hard drives, thus defendants are inherently at an inequitable state of affairs re: forensic discovery. Goose, yes, Gander, no.

I'd also like to know if MS has a checklist of zip-codes and names of people not to go after. I assume Washington DC, LA and the hometown of their chief litigation firm would be on such a list to avoid embarrassing suits that might cause even more of a backlash.
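The comments above ask for collection logs that cannot be edited, added to or trimmed without leaving a trace. The following is an added illustration, not part of any comment and not MediaSentry's method: a hash-chained evidence log in Python, where the record fields and sample values are constructed and the "anchored head" is assumed to be a final hash handed to an independent party at collection time.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed "previous hash" for the first entry


def _digest(prev, record):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps({"prev": prev, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(log, record):
    """Append a record, binding it to the hash of the entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "record": record, "hash": _digest(prev, record)}
    log.append(entry)
    return entry["hash"]


def rebuild(records):
    """Build a fresh log from a list of records (copies each record)."""
    log = []
    for r in records:
        append_entry(log, dict(r))
    return log


def verify(log, anchored_head=None):
    """Return ("ok", None), ("broken", index) or ("head-mismatch", length).

    Without anchored_head this only proves internal consistency: whoever
    holds the log can alter a record and recompute every later hash.
    Comparing against a head hash that was deposited with an independent
    party at collection time is what exposes a rewritten or truncated log.
    """
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != _digest(e["prev"], e["record"]):
            return ("broken", i)
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return ("head-mismatch", len(log))
    return ("ok", None)


# Constructed sample records; file contents and names are placeholders.
SAMPLE_RECORDS = [
    {"step": "screenshot", "utc": "2008-01-15T06:00:02Z",
     "sha256": hashlib.sha256(b"constructed screenshot bytes").hexdigest()},
    {"step": "download", "utc": "2008-01-15T06:00:41Z",
     "sha256": hashlib.sha256(b"constructed audio bytes").hexdigest()},
    {"step": "export-text-log", "utc": "2008-01-15T06:01:10Z",
     "sha256": hashlib.sha256(b"constructed text log bytes").hexdigest()},
]

if __name__ == "__main__":
    log = rebuild(SAMPLE_RECORDS)
    head = log[-1]["hash"]
    print("intact:", verify(log, head))
    log[1]["record"]["sha256"] = "0" * 64  # swap the downloaded file's hash
    print("edited in place:", verify(log, head))
```

An in-place edit or a dropped entry breaks the chain at that index; a log rewritten from scratch passes the internal check and is caught only by the anchored head.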

Igor said...

arizwebfoot from my understanding of the rules of evidence otherwise inadmissible hearsay may be admitted as underlying facts or data of an expert opinion. So if you buy the premise that Jacobson is an expert he can testify to the underlying things he's used to base his conclusion on (as foundation).

That being said I do not see Media Sentry as a lab he sends information in the normal course of business to get analysis/results and also their methods and them are not normally relied upon by experts in the computer science field.

Igor said...

Lior makes a good point. One that's been made before...without packet logs of them actually downloading there's no proof the file the RIAA played in court in that case was the actual one they downloaded other than the testimony of the witness they played it under.

Anonymous said...

Wow, all those declarations and always the time listed for the "detection" of a user is specifically called approximate--and any data on how or if they calibrate their clocks is privileged!

Also, in all the declarations there is only mention of screen shots and text files alleged to be made available. The declarations by Hardwick never mention which of those songs MS supposedly downloaded, nor are any downloaded songs referenced in the documents. They claim to download the songs as a test. What do they do with them? Do they erase them? Are they destroying evidence? (Not that a digital song file has much evidentiary value to begin with antiques, provenance is everything...and MS isn't much on verifiable provenance.)

If they don't have any of the song files they allege to be infringing then they don't have the actual evidence that should be required to show actual infringement. If the police claimed to have seized a warehouse full of pirated CDs but refused to produce any at trial the case would be dismissed. No one could overlook such a basic lack of evidence, even if they claimed to have a screen shot of unverifiable origins made using unverifiable secret software and methods.

One thing MS may be avoiding is that the RIAA can't authorize their agent to download songs for which they do not own complete rights to. Since the lyrics, composition and sound recording are all separate copyrights it is quite probable that the RIAA does not have the legal right to download many of the songs which they may be authorized to market. Just because they can show that they have registered copyright on the sound recording doesn't mean that they own all the copyrights to the work.

Additionally, it is highly probable that Media Sentry has downloaded songs during their thousands of man hours of development that they were not specifically authorized to do so, even if by accident. They don't know for sure what they are downloading from a peer computer regardless of what the file name may be, as they full well know. They also know that such downloaded files could bite them in the arse. The files could be completely innocent, they could be Media Defender decoys (does MS get a realtime list of MD decoy IPs?) or they could be songs copyrighted by parties other than the RIAA. For instance, if a song were mis-labeled and MS downloaded it thinking it was on their authorized hit list but, in fact, it was not an RIAA hit list song then they would have just, under their reasoning, committed infringement. It is possible that this, and similar scenarios, are why MS deliberately does not save or listen to the songs they claim to download as tests--that is, they know they may hoist themselves on their own petard if they do so and have to testify to that effect under oath and so deliberately seek to retain a willful ignorance of one of the most important claims they make, that the files they claim to have been available were in fact the song files they claim. This and other strategies may be among the documents they seek to hide under the guise of privilege.

So, does MS download the songs and match them to a "signature" file to confirm the infringing nature, though we know that such signatures can be spoofed? If they do use some sort of matching scheme, what do they do with the files that don't match? And are, therefore, probably copyrighted by somebody else? And that they weren't authorized to download--even to check against a signature file. While I might argue that such a use is de minimis, their absolutist position estops them from making a similar claim, especially since the volume of their work must mean that they download thousands and thousands of songs, guaranteeing that they'll download many songs they are not authorized to. How much in fines do they owe per instance? $750? $150,000? Who should be suing MS for infringement?

Scott said...

Thanks for the insights. The difference between the Breathalyzer cases and the issues surrounding Media Sentry's methods are pretty substantial.

In the Breathalyzer cases, the issue was probably whether or not the software contributed to inaccuracy of detecting blood alcohol content. The device was a "black box" and its makers wanted to keep it that way.

With MediaSentry, however, it doesn't seem that the function of their software is an issue at the code level. It's already been established that their methods lead to false results. Instead, it might be more productive to step back one level of granularity. Stipulate that it is not necessary to know what the software does at the code level. Instead, the functions that the software automates -- the functions that Tom Mizzone says anyone can do -- need to be flowcharted, and the business processes surrounding them need to be analyzed.

It seems that MediaSentry is taking a (perhaps) small defensible claim -- that their software is proprietary -- and expanding it to a blanket immunity from discovery of damn well anything they do. This beggars belief.

So stipulate that you don't care to examine the code. They can keep their black boxes shut. All Tom needs to do is show us the stuff he says anyone can do, and detail step-by-step how he does it.

Art said...

The "approximate" time thing got me thinking. The RIAA subpoenas the ISP to get user account information related to a particular IP at a specific time. Do they also get the time window for which that IP address was allocated to the user? If RIAA's time is different than the ISP's logs (e.g., even if by only one minute), and the IP address was reallocated during that time, then the wrong person would be identified. RIAA has no evidence to prove the times are in synch.
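The timing problem raised in the comment above can be made concrete. This is an added Python example, not part of the comment and not any party's actual procedure: it looks up which subscriber accounts held an IP address anywhere inside the window allowed by an unverified clock offset, using constructed lease records, a documentation-range IP and hypothetical account names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Lease:
    ip: str
    account: str
    start: datetime  # inclusive
    end: datetime    # exclusive


def _require_aware(ts):
    # A timestamp without a stated zone cannot be compared with ISP logs.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("timestamp has no time zone; cannot correlate")


def candidates(leases, ip, observed, max_skew):
    """Accounts that held `ip` at any instant in observed +/- max_skew."""
    _require_aware(observed)
    lo, hi = observed - max_skew, observed + max_skew
    return sorted({l.account for l in leases
                   if l.ip == ip and l.start <= hi and l.end > lo})


def attribute(leases, ip, observed, max_skew):
    """Classify the lookup as unique, ambiguous or no-match."""
    accts = candidates(leases, ip, observed, max_skew)
    if not accts:
        return ("no-match", accts)
    return ("unique" if len(accts) == 1 else "ambiguous", accts)


def margin_to_reassignment(leases, ip, observed):
    """Smallest clock error that would bring a different account into play.

    Returns None when no single account holds the IP at `observed` or the
    IP was never leased to anyone else in the records supplied.
    """
    holder = candidates(leases, ip, observed, timedelta(0))
    if len(holder) != 1:
        return None
    gaps = []
    for l in leases:
        if l.ip != ip or l.account == holder[0]:
            continue
        if l.end <= observed:
            gaps.append(observed - l.end)
        elif l.start > observed:
            gaps.append(l.start - observed)
    return min(gaps) if gaps else None


def _utc(h, m, s=0):
    return datetime(2008, 1, 15, h, m, s, tzinfo=timezone.utc)


# Constructed lease log: the address changes hands 30 s before the sighting.
IP = "203.0.113.7"
LEASES = [
    Lease(IP, "acct-A", _utc(0, 0), _utc(5, 59, 30)),
    Lease(IP, "acct-B", _utc(5, 59, 30), _utc(12, 0)),
    Lease("203.0.113.8", "acct-C", _utc(0, 0), _utc(12, 0)),
]
OBSERVED = _utc(6, 0)  # the investigator's "approximate" detection time

if __name__ == "__main__":
    for skew in (0, 10, 60):
        print(skew, "s:", attribute(LEASES, IP, OBSERVED, timedelta(seconds=skew)))
    print("margin:", margin_to_reassignment(LEASES, IP, OBSERVED))
```

With these records a one-minute clock disagreement is enough to make the lookup ambiguous between two accounts, and a timestamp with no time zone is rejected rather than guessed at.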


Art said...

The failure to produce the allegedly downloaded songs, the lack of a responsible chain of custody, and unlicensed investigators means that there is no possible way to determine if the allegedly downloaded songs were not polluted.

Here is a paper that claims that on Kazaa as many as 50,000 versions exist for many popular songs, and that over 50% of such songs are polluted. That is, there is a large number of files out there that are not playable, or are not "identical copies" of copyrighted works.

Even if one accepts the claim that the defendants in such cases are sharing files over P2P, the RIAA has shown no reliable evidence that the files are their copyrighted property. If the files are not RIAA's, then they are someone else's property, and RIAA is infringing that party's copyright by downloading.

To illustrate, say I create a file named "Michael Jackson - Beat It.mp3" that contains my own voice saying "This is my copyrighted material. All rights reserved. The RIAA should beat it." I could even manipulate the file so it has a specific size and date, or even match some specific checksum. I could even pretend to be working for MediaDefender. This would obviously be a polluted song for which I own the copyright. If this file became available on a P2P network, and the RIAA downloads it, then they have infringed on my copyright.

"Your honor, I move for immediate dismissal of this case based on the fact that the plaintiff is unable to produce the mp3 files they allegedly downloaded, and if they could produce such files, there is no reliable chain of custody and no licensed investigators to certify that such files are not polluted or have not been manipulated or replaced by the plaintiffs. Plaintiffs cannot meet the burden of proof that they own the copyright to anything downloaded from defendant's computer."


Anonymous said...

Guys, step a bit away from the "provide files" track.

IIRC, Ray was provided with files from RIAA, and while there is everything wrong with the "evidence" since there is no reliable chain of custody and this stuff, I think it's reasonable from what we have seen so far from Mr. T. and L. that these files are good enough for them for a conviction.

Who "caught" the alleged infringer Mrs Lindor at 6 am? Mr. Mizzone, a student that works for him like those young guys that work for the German equivalent of MS or just some automated process which on one hand took so many manhours to secretly create while everybody allegedly can do what they do?

And please someone call them out for their blatant lie about the txt files that are allegedly existent on the harddrives of the infringers and are not created by them as they claim!!
(Yeah, assuming for this argument for a moment that Mrs. Lindor is an infringer; she surely has a .txt file on her harddrive with her name on it that MS downloaded from her instead of having it created by MS!)
This lie is so blatant even the stupidest judge must see this, mustn't he?!

Anonymous said...

All these declarations by SN/MS, and all these posts here, make one thing abundantly clear. BEFORE expedited discovery, or any discovery, should ever be permitted, SN/MS and the RIAA should be required to hand over ALL evidence gathered to date to show its sufficiency. And if something "new" shows up at trial, they should be booted with sanctions immediately. Only then, once and for all, will it be shown if they're for real, or just a cardboard scarecrow!

And regarding using both other people's IP addresses, and even unallocated (i.e. nobody yet has the right to use them) IP addresses, the leaked Media Defender (not to be confused with Media Sentry) e-mails showed that MD did this a lot in attempts to avoid PeerGuardian and Blocklists. Why should MS have been any different?


Anonymous said...

"IIRC, Ray was provided with files from RIAA, and while there is everything wrong with the "evidence" since there is no reliable chain of custody and this stuff, I think its reasonable from what we have seen so far from Mr. T. and L. that these files are good enough for them for a conviction."

I've been careful to qualify my statements. There is no single magic bullet in these cases because of the way judges and juries can vary. The Lindor case should have been tossed on any number of occasions, including the fact that MS is not a legitimate "fact" witness but an expert witness who gets a free pass because of the disingenuous claim that they are only doing what "any user" can do. By that standard all expert witnesses are "fact witnesses" because they are only doing what any person could do--if they were an expert witness with specialized knowledge, methods and equipment!

The "produced the files" take is only one aspect of the types of evidence the RIAA needs to produce to prove their case. However, one has to be careful about asking a question where you don't know the answer in advance since such things can bite you in the arse. Thus, while I would consider a failure to produce the alleged files as a positive lack of evidence, I wouldn't consider producing the files to be reliable evidence due to the lack of custody.

The Thomas case just goes to show how little "evidence" is required for a hostile jury to find culpability. The RIAA showed not one single instance of unauthorized downloading or distribution. Thomas atty should never have allowed the making available instruction to go insufficiently challenged and the judge was hell bent on a quick trial.

But, back to files. Where do all the files go that don't match??? Surely MS has downloaded many files without authorization. I'd like to ask them how many.

FAIsyl. said...

Another important point is completeness of the transfer. For example, if I was sharing a file and MS figured I had made it available for sharing, would a chunk (say a few kbytes) of the media transferred constitute an infringement? I mean if I was allowed to photocopy a page of a book, would I be infringing the copyright?

So, for MS to conclude that I was actually causing infringement, wouldn't they have to at least prove one instance where a substantial amount of the file was made available for copying and was actually copied?

Ah well - just a question.