Gnutella Copyright Enforcement?

horos1 writes "Is copyright protection on gnutella enforceable after all? I thought that gnutella users were better off (ie: more anonymous) than napster users in this regard, but this story on zdnet implies otherwise." As I understand it, this app can report user names and IPs of people who download boobie trapped files that the software pretends to serve. Yes, you to can be Lars!

Sure.. why not?

[mindstrm]

Makes perfect sense to me.. I mean, when you do a file transfer, it happens peer-peer, so you do know who the other party is (or at least, their IP).
In fact.. as soon as search results are returned, those results contain the IP address of the host holding the data, no?

So... the only thing anonymous about gnutella is that searches are anonymous until you actually download something.

But really.. the whole point of gnutella wasn't that it was 'anonymous', but that it is decentralized. There is simply no easy way to 'stop' people from using gnutella. we can switch ports easily.. it really doeos need randomized ports....

Now.. personally, I would think that putting up material to be downloaded in order to finger people would ammount to entrapment, as you are basically going somewhere where you *KNOW* that people are tempted to download software, and put up software they might want...

Re:Sure.. why not?

[Tackhead]

> I would think that putting up material to be downloaded in order to finger people would ammount to entrapment,

Not really.

As I understand entrapment, it's only entrapment if you actively encourage the crim^H^H^H^Hvictim to commit the crime.

Gnutella users have plenty of opportunity, once they see that Metallica track on honeypot.riaa.com, to Just Say No.

If they walk away from the bait, they're not guilty -- even if they searched for "Metallica" to find the bait in the first place -- because there's no law against searching for infringing material.

Only when they elect (of their own free will) to download what they reasonably believe to be infringing material, have they committed a crime.

Unless there's a RIAA rep saying "hey man, download that Metallica song from my server, fuck the system man! Be an MP3 r3b3l d00d!" in some chatroom at the same time as the poor bugger finds his way to the honeypot, it's not entrapment.

From law.com:

entrapment, N.: in criminal law, the act of law enforcement officers or government agents inducing or encouraging a person to commit a crime when the potential criminal expresses a desire not to go ahead. The key to entrapment is whether the idea for the commission or encouragement of the criminal act originated with the police or government agents instead of with the "Criminal." Entrapment, if proved, is a defense to a criminal prosecution. The accused often claims entrapment in so-called "stings" in which undercover agents buy or sell narcotics, prostitutes' services or arrange to purchase believed to be stolen. The factual question is: "Would Johnny Begood have purchased the drugs if not pressed by the Narc."

While it's true that the potential criminal in the case of Gnutella has neither expressed nor not-expressed a desire not to go ahead with the crime, it's pretty clear that searching for "Metallica" and downloading "Metallica.mp3" on Gnutella are almost always things that originated with the soon-to-be-criminal, and not the cops, the RIAA, or NetPD.

I have no love for the RIAA and frankly think that this is a pretty disgusting tactic. But as repugnant as it is, it's probably not entrapment.

The moral of the story is that you need a distributed and chained network of anonymizing proxies, as well as strong crypto between each link, to make a truly bulletproof system. Any system where there's direct client-to-client contact renders you visible to the world.

Don't think that this is only a concern for cablemodem users and those with static IPs. If you're on dialup IP, remember that most of those dialup ports resolve to a geographical identifier. If there are 500 Metallica downloads and 400 Frank Sinata downloads from the class C block ipXYZ.yourcity.yourisp.com, odds are good that there are only two violators, and it's a simple process for your ISP, once subpoenaed, to prove it and nail them both.

Napster, GNUTella, et al all have this hole

[gavinhall]

Posted by 11223:

Any distributed file-sharing protocol that is non-encrypted is insecure in this fashion. The reason is simple: Your computer requests the serving computer for the file in question. The other computer obviously knows your IP, then, and a modified client can serve up that info. That's why the Freenet project is so essential.

Here's a simple precaution that can be taken when desiging such a protocol: One computer never directly requests to another. Instead, it gets a piece of information from the serving computer through the network (x, n, and x^y mod n for some x, y, n) and creates a key (x^y^z mod n for some z) and sends another piece of information indirectly (x^z mod n), so that the server can get this number (x^y^z mod n) itself. Then you can establish a two-way encrypted link securly while having your packets be passed through other clients (so that the server never knows your IP). (BTW the encryption is a diffie-hellman key exchange and is one of the neatest things in modern crypto).

Big deal? Who you gonna sue?

[Otto]

So they can get an IP address. That's all fine and happy. But who you gonna sue? They'd have to:

a) trace down everyone serving those copyrighted files, using nothing but their IP.
b) sue each and every one of them.

Good luck, and more power to them. You can't sue Gnutella like you sue Napster, since there is no such entity as Gnutella. Decentralization is the key. Gnutella is essentially nothing more than bunches and bunches of people acting independently to share files.


---