Slashdot Mirror
Innocent File-Sharers Could Appear Guilty?
daveo0331 writes " New Scientist has an article about what could be a promising defense strategy for people targeted by the RIAA. Basically, anyone on the Gnutella network can frame other users by making it look like someone is hosting RIAA music, even though they're not. Therefore, the RIAA's "evidence" against file sharers is theoretically unreliable and wouldn't stand as good a chance of holding up in court. No mention of whether this has anything to do with the RIAA's eagerness to settle the lawsuits out of court. The article is based on a research paper (PDF link, HTML version) posted anonymously to a web hosting service in Australia."
Thanks to google, here's the HTML version of the PDF.
Sure, karma whoring, but who wants to load a PDF? At least I didn't post a MS Word version of it!
-ted
I think most people will either be scared into settling, or not have enough money to pay for litigation and court costs. Although it's nice that there is a way around the RIAA's mass suing, how often will this technique really be used...
Not really. The courts have decided there's legitimate uses for P2P and therefore they actually have to catch you in the act of violating the law to sue you. One concern here, though, is the Gnutella network doesn't, by itself, detect your IP. You can put whatever IP in you want and it'll appear that way to the rest of the network. Often, you'll see people with IPs in the 192.168/16 block on there. I could see how they could get your IP wrong this way and falsely accuse you because someone on the network claimed to have your IP. And this sort of thing scares me away from Gnutella.
Help me. I've been modbombed by a few people with entirely too much time on their hands.
You don't seem to understand the article. Infact, I would go out and call you a "big fat liar," but I'll try to be civil here.
You can't put whatever you want as your IP. That's stupid. In P2P networks, other peers connect to you. They know your real IP number.
Where you lie is when someone searches for a file (you search by asking your neighbors in Gnutella), you just put in a random (or not so random) IP number and claim that the machine returned a successful hit and send it back to the original peer.
Lo and Behold! That machine could be thought of a culprit by the RIAA if they don't verify by downloading.
now supporting:
cmdrTaco for president '04
michael for oval office intern summer '05
The issue is... what "evidence" is used to secure the subponea to get the case to court, or to obtain more evidence - i.e. the physical computer itself. I doubt this will be used as a defence in court, but as a technical attack on the legal process the plaintiff used to subponea the personal information of the defendant in the first place.
The subponea is issued simply at the "request" of the copyright holder. In basic terms, because they say in good faith, that infringement (impringlement) occured.
The ability to seriously compromise the very basis of the subponea is a very serious issue. It would be like getting a warrent to search your house based on faulty evidence. If the basis for the warrant is shoddy, then the evidence gathered by executing the warrant is generally inadmissible. This often simply taints the case so horribly, a judge will refuse to let the case go forward.
In essence, this new technical analysis adds serious doubt to the initial procedure proving infringement and the request to "reveal" the true identity of the user in the first place. Thus, it could have serious impact on the validity of the subponea, and thus toss the entire case on technicalities.
Again, I don't see this as an argument that infringement didn't take place in the trial phase of a case. It would be used to quash a subponea, or additional evidence produced after its issue.
(I'm not a lawyer, so perhaps my critiquie is wrong.)
Cheers,
Greg
hmmm, let's see. I've used P2P apps to:
*Remotely administer files on a computer
*Access files on my PC while at class
*Back up data
*Aquire legal distributions of applications
*Aquire legal distributions of media
*Aquire quick information about a song or artist
*Communicate and (legaly) share files between friends and co-workers
seems like legitimate uses to me.
T Money
World Domination with a plastic spoon since 1984
I know for a fact that the MPAA monitors eDonkey. I was caught by them a few months ago, and they told my college to yell at me. Since the RIAA seems to put even more resources than the MPAA into tracking file sharing, I'm positive they're also watching eDonkey.
The article points out how p2p query and response packets can be forged, owing to the routing used by p2p systems. But when a download starts, it's between one peer and another (hence "P2P" or peer-to-peer). Downloads are invariably over tcp for reliability. So if the music industry downloads a song from you--well, you gave it to them over a specific IP that is not masked by the p2p query routing. One might object that the people being sued by the RIAA are not actually sharing files, and they there are simply bogus query response packets being sent by mischiefful hackers. But surely the music industry actually actually downloads the shared file, and makes sure it's copyrighted material. (If they don't, then all we'd have to do is share /dev/random
as "madonna.mp3" or some such.) So,
if the music industry is downloading
a file from a known IP, how does a
spoofed search packet make for reasonable
doubt? There's been one recent account
of the wrong person being sued. This
appears to be clerical error when the RIAA
requested the identity of certain IP--
It's all but certain that after that little
snafu (much touted by anti-RIAA folks),
the RIAA corrected their mistake and went
after the right person, this time making sure
the secretary typed the right IP number on
the subpoena.
The only situation where the 'spoof share' defense raised in the paper might be plausible is if the person sharing the music had their machine hacked. That is, if their IP was being used as a reflector to bounce a TCP stream off of another person.
Usually only hackers (well, script kiddies too) use reflectors and tcp proxies to help mask their trail. But you'd think that if someone where good enough to use open proxies/reflectors (even if they're just script kiddies), they *at least* know enough to not use kazaa/gnutella, and instead use IRC, xdcc, bittorrent, and other technologies that the RIAA has not cracked into (yet?) To make an analogy: gnutella/kazaa are like Walmart. Everyone can come in an after some delay and trouble, finally find what they're looking for. But even script kiddies who know about IRC are like the mafia types who stop the delivery truck behind the Walmart, and make off with what they want. Look, if you're really into xdcc and/or IRC transfers, you can get whatever you want. You probably have a few ftp upload sites (perhaps some temporarily 'volunteered') by viruses and worms) to trade files. There's no need to rub shoulders with the masses in Kazaa and not find what you're looking for.
It's an interesting paper, but the contribution amounts to saying "Well, if you're accused of violating copyright by the RIAA, perhaps you can claim your computer was hacked by someone else. Yea... that's it 'I was hacked and didn't share those files myself.'".
That's an interesting defense. Perhaps it will work on a judge or two. BUT remember this: Usually when you make a defense, you have an affirmative burden to meet. You have to support your defense with evidence.... So if you claim you were hacked, you'll have to prove it.
So, your computer better have been hacked by someone, *for real*, or else you'll be in trouble with the court. Downloading mp3s and getting caught is one thing. Perpetrating a fraud on the court or manufacturing evidence is another.
First, as some have mentioned previously, all of the RIAA legal actions required that the ISP's map date + IP correctly to the right user. This has shown to be problematic, as a number of Mac users have been caught up in the lawsuits.
The RIAA cannot expect the ISP's to provide 100% infallable information. This alone is a bigger threat than the attacks mentioned.
On to the paper. You can find it via google.
For the duration of these items im going to assume that the networks in question are either FastTrack/KaZaa or Gnutella. These appear to be the networks currently targeted by the RIAA.
Scenario 1: Modifying Search Requests and Search Results in Transit
This is a non starter, as the RIAA have mentioned before regarding their tactics that they rely on MD5 check sums of files that are downloaded from the peer. Simply modifying search results or requests will not incriminate anyone given the method the RIAA is using.
Scenario 2: Spoofing the Originator of Search Results and Search Requests
This falls into the same problem as #1. This will not get someone targeted by the RIAA.
Scenario 3: Renaming a Contraband File to Match Incoming Search Requests
This is a bit more troubling, as the MD5 sums would match the contraband, however, the title may be something completely innocuous - "Slashot Comment Archive" for example.
I find it unlikely that the RIAA would target someone based on MD5's alone. Their tactics appear to use a search to identify potential infringing uploaders, and then a download to confirm contraband via MD5 sum.
If this is the case, then the search for contraband would likely miss this type of file, as it would be renamed to something else (also popular) but unrelated to contraband content.
This does remain a viable risk and potentially exploitable entrapment attack
Scenario 4: Impersonating Another GP2P User
This is another non starter in the same lines as #1 and #2. The RIAA is not using randomly selected user GUID's to identify infringers.
Scenario 5: Tricking an Innocent User Into Downloading Contraband from an Authority
This is a very implausible attack. The RIAA is using custom software to track the network, and does not appear to be uploading the files they are downloading for evidence, as would normally be the case with a standard kazaa/morpheous client.
The chances of downloading a contraband file from the RIAA crawlers seems nil, regardless of how spoofed search resulsts could direct them in this fashion.
In short, there is a potential for abuse, but the methods used by the RIAA prevent a number of these from working effectively. They search keywords and titles, and then confirm contraband with MD5 checksums of the uploaded content.
This is very hard to spoof without actually deploying the contraband on a peer with malicious intent. You are still liable if someone puts contraband on your client!
The biggest danger is still the ISP's inability to properly account for times and dates for each user associated to each IP address. This will continue to target innocent individuals, although the RIAA does appear to drop cases that are blatantly without merit.
In a criminal case, yes, it most certainly does raise reasonable doubt; and were the RIAA prosecuting criminally this would be suffcient cause for a finding of not guilty, or even dismisal.
However, for now, the RIAA is not prosecuting criminally (although this threat is always in the background of any negotiations to settle). They are prosecuting civilly.
In a civil case it is the preponderance of the evidence that is considered. In other words does the jury think it's more likely the defendant is "guilty" (liable actually) than not.
This is a much looser standard just ask O.J. ( Or Chaplin, who was found liable for the support of a child he had proven wasn't his).
KFG
Nice point and it inspired me to go check out the wording of the DMCA to see exactly what it does say about subpoenas.
In preface to the quote, I'll add my opinion that this paper on spoofed addresses is probably even more relevant to the pending appeals of the ISPs than to the cases against individuals.
As you can see for yourself, this paper would allow the ISP to simply deny that they have a reliable response to the subpoena and so cannot provide any data. Here's the quote from Title 17, Chapter 5, Section 512
If it's not feasible for the ISP to provide evidence "sufficient to identify the alleged infringer" then how can the ISP be compelled to compy? Note that the law does not say that the ISP must simply provide any records they have, it specifically states that they must provide records that identify the alleged infringer. If their records cannot reliably identify any individual, then why should they be compelled to provide information that they, themselves know to be quite likely false and misleading. How would such actions serve justice when the ISP is already aware that the records are misleading and cannot be considered identifying data.
If this report of spoofed identities on P2P is true, then providing such records would make the ISPs liable for misrepresenting their data as identifying alleged infringers when they can't actually verify that this is the information that the data provides.
About a year ago. There wasn't any punishment I'm aware of, but the network people didn't like the fact that they got quite a lot of those mails (big university, and obviously many people sharing).
THESE ARE NOT CRIMINAL CASES. There is NO JURY.
Of course there are juries in civil cases. What makes you think there aren't? It depends on the jurisdiction, but at least in the federal court system, in most civil cases you need only ask for a jury trial to get one, and only if both parties waive will you not get a jury (i.e., get a bench trial).
That'll help to provide reasonable doubt! No... no, wait... these are civil cases, not criminal. There's no burden of proof, no assumption of innocence, no "reasonable doubt" defence.
All that the RIAA has to do is to show that the balance of probability is that the person on the other side of the courtroom is who the RIAA say they are and did what the RIAA say they did. Now, really, how probable is it that Kazaa users (which is who they are targetting) are likely to be the target of a malicious prank that's only been claimed (anonymously, and not yet independently verified) to be theoretically possible on Gnutella?
Sorry for the nasty little wake up call, but civil cases aren't like Twelve Angry Men . If you're relying on this as a defence, I'd suggest changing your story to "a wizard did it", because that's a more probable explanation.
If you were blocking sigs, you wouldn't have to read this.
"Longer than it took to slashdot it, it seems. "
Actually it stayed up like 2 hours.
Interesting note: I tried to create a batch file that endlessly spun on the CPU, trying to make it self DoS. Unfortunately, I'm running Windows 2000. When I made a batch file that looped itself, after it spun a few times I got a message to the effect of "too many iterations, closing app". Now with all the talk about how stupid MS security is, it was an interesting suprise to find that it wouldn't let me put it in an endless loop.
"Derp de derp."
If you are using any version of windows NT, it is not always wise to open untrusted telnet links. By default windows will send the NTLM hash of the logged in user to the remote server, which could be auditted to recover the password in usually less than a day.
The point of it is to grant exclusive right to copy.
Here's what I'm getting at. If the RIAA search through P2P networks and find you have copyrighted files available for download, they must still prove that you knowingly duplicated them illegally. Right?
Wrong. By making them available for download, you are illegally distributing them.
On the other hand, if someone downloads a copyright file from your computer, then the crime is theirs, not yours.
Wrong. For example, maybe the downloader already owns the software or CD or whatever and are making a backup copy.
Would it be a reasonable defence that you weren't aware the material was copyright?
No. All material is "copyright". Unless there is a notice that grants you the right to redistribute, you don't have that right.
Could you build a defence on grounds that, without the copyright warning, you assumed the material was public domain
Not unless it had a copyright notice asserting that the material was indeed public domain.
pushing blame back to the last guy who did the copying and who failed to attach the copyright warning.
If someone strips licensing or copyright information, that is usually illegal. But you are still to blame unless they replace the notice with a notice that appears to grant you permission to redistribute.
Once again I sit at my desk in Canada and read about this RIAA fiasco. It seems like in America someone is always looking for a fight not a peacefull resolution. This only hurts society in the long run and creates division among the masses. Up here in the North we don't view our citizens as "the enemy". To view how Canada has managed to find a respectable solution to this issue click here. This is the official government decision.
:)
If anyone is interested we have lots of room up here. The winters are cold but the bandwidth is plentiful and cheap