Innocent File-Sharers Could Appear Guilty?

daveo0331 writes " New Scientist has an article about what could be a promising defense strategy for people targeted by the RIAA. Basically, anyone on the Gnutella network can frame other users by making it look like someone is hosting RIAA music, even though they're not. Therefore, the RIAA's "evidence" against file sharers is theoretically unreliable and wouldn't stand as good a chance of holding up in court. No mention of whether this has anything to do with the RIAA's eagerness to settle the lawsuits out of court. The article is based on a research paper (PDF link, HTML version) posted anonymously to a web hosting service in Australia."

html link

[tedtimmons]

Thanks to google, here's the HTML version of the PDF.

Sure, karma whoring, but who wants to load a PDF? At least I didn't post a MS Word version of it!

-ted

Re:Does it realy make a difference?

[SoIosoft]

Not really. The courts have decided there's legitimate uses for P2P and therefore they actually have to catch you in the act of violating the law to sue you. One concern here, though, is the Gnutella network doesn't, by itself, detect your IP. You can put whatever IP in you want and it'll appear that way to the rest of the network. Often, you'll see people with IPs in the 192.168/16 block on there. I could see how they could get your IP wrong this way and falsely accuse you because someone on the network claimed to have your IP. And this sort of thing scares me away from Gnutella.

Re:Does it realy make a difference?

[jpu8086]

You don't seem to understand the article. Infact, I would go out and call you a "big fat liar," but I'll try to be civil here.

You can't put whatever you want as your IP. That's stupid. In P2P networks, other peers connect to you. They know your real IP number.

Where you lie is when someone searches for a file (you search by asking your neighbors in Gnutella), you just put in a random (or not so random) IP number and claim that the machine returned a successful hit and send it back to the original peer.

Lo and Behold! That machine could be thought of a culprit by the RIAA if they don't verify by downloading.

Re:A Question

[Kilbasar]

I know for a fact that the MPAA monitors eDonkey. I was caught by them a few months ago, and they told my college to yell at me. Since the RIAA seems to put even more resources than the MPAA into tracking file sharing, I'm positive they're also watching eDonkey.

Flaws in the paper

[PureFiction]

First, as some have mentioned previously, all of the RIAA legal actions required that the ISP's map date + IP correctly to the right user. This has shown to be problematic, as a number of Mac users have been caught up in the lawsuits.

The RIAA cannot expect the ISP's to provide 100% infallable information. This alone is a bigger threat than the attacks mentioned.

On to the paper. You can find it via google.

For the duration of these items im going to assume that the networks in question are either FastTrack/KaZaa or Gnutella. These appear to be the networks currently targeted by the RIAA.

Scenario 1: Modifying Search Requests and Search Results in Transit

This is a non starter, as the RIAA have mentioned before regarding their tactics that they rely on MD5 check sums of files that are downloaded from the peer. Simply modifying search results or requests will not incriminate anyone given the method the RIAA is using.

Scenario 2: Spoofing the Originator of Search Results and Search Requests

This falls into the same problem as #1. This will not get someone targeted by the RIAA.

Scenario 3: Renaming a Contraband File to Match Incoming Search Requests

This is a bit more troubling, as the MD5 sums would match the contraband, however, the title may be something completely innocuous - "Slashot Comment Archive" for example.

I find it unlikely that the RIAA would target someone based on MD5's alone. Their tactics appear to use a search to identify potential infringing uploaders, and then a download to confirm contraband via MD5 sum.

If this is the case, then the search for contraband would likely miss this type of file, as it would be renamed to something else (also popular) but unrelated to contraband content.

This does remain a viable risk and potentially exploitable entrapment attack

Scenario 4: Impersonating Another GP2P User

This is another non starter in the same lines as #1 and #2. The RIAA is not using randomly selected user GUID's to identify infringers.

Scenario 5: Tricking an Innocent User Into Downloading Contraband from an Authority

This is a very implausible attack. The RIAA is using custom software to track the network, and does not appear to be uploading the files they are downloading for evidence, as would normally be the case with a standard kazaa/morpheous client.

The chances of downloading a contraband file from the RIAA crawlers seems nil, regardless of how spoofed search resulsts could direct them in this fashion.

In short, there is a potential for abuse, but the methods used by the RIAA prevent a number of these from working effectively. They search keywords and titles, and then confirm contraband with MD5 checksums of the uploaded content.

This is very hard to spoof without actually deploying the contraband on a peer with malicious intent. You are still liable if someone puts contraband on your client!

The biggest danger is still the ISP's inability to properly account for times and dates for each user associated to each IP address. This will continue to target innocent individuals, although the RIAA does appear to drop cases that are blatantly without merit.

Re:There are no juries, these are CIVIL cases

[odin53]

THESE ARE NOT CRIMINAL CASES. There is NO JURY.

Of course there are juries in civil cases. What makes you think there aren't? It depends on the jurisdiction, but at least in the federal court system, in most civil cases you need only ask for a jury trial to get one, and only if both parties waive will you not get a jury (i.e., get a bench trial).

Possibly beware of the link...

[Zone-MR]

If you are using any version of windows NT, it is not always wise to open untrusted telnet links. By default windows will send the NTLM hash of the logged in user to the remote server, which could be auditted to recover the password in usually less than a day.

So many misconceptions . . .

[werdna]

In reviewing the threads in response here, I noted so many misconceptions as to how our legal system works, I thought it might be useful to compile them into a single e-mail rather than answer piecemeal.

1. Jury Trial. Somebody suggested that because this is a civil action, there is no jury trial. This is not the case. The Seventh Amendment assures that a plaintiff or defendant is entitled to a jury trial for an action traditionally at law, which includes actions for Copyright Infringement.
   
2. Preponderance of the Evidence.Because these are civil actions, the plaintiff only needs to prove the elements of his cause of action by a preponderance of the evidence. That is, to produce evidence tending to show that it is more likely than not that the allegation occurred. The theoretical possibilty that it might have happened otherwise doesn't suffice to get you off the hook (as it might in a criminal trial) unless you show not only that it is theoretically possible you aren't guilty, but that it is LIKELY that you aren't guilty.
   
3. Reliability. Most evidence is unreliable -- there are two sides to every tale, and you almost never have a forensic "gotcha" slam-dunk that will actually goes to trial. The standards of authentication are virtually trivial in many cases, and the weight of the evidence is weighed by ordinary people. I guarantee this -- at the end of the day, the jury is not going to listen to forensic experts on both sides contradicting one another as to whether there might have been fuzzy spoofing to frame the defendant -- the jury is going to consider the facts and evidence overall, the credibility of the witnesses and most significantly, the circumstances overall under which they occurred. Case in point: A produces contract supposedly signed by B. B denies signature. Signature experts on both sides quibble about authenticity of signature. This case will be decided not on the scientific evidence, almost never. It will be decided on the circumstances of the case: "Did you speak with A then? yes. Did you discuss the terms of this agreement? yes, but those weren't the terms. Did you get the shipment of widgets shortly thereafter? yes. did you install them? yes. did you see the invoice? i don't remember. did you ever complain about the price on the invoice? i don't remember. how about that first check you sent, how come you used the price set in the agreement then? well, that was a clerical error." The answers won't matter so much, as HOW they are answered. And you will be amazed at how well a jury can smell a liar.
   
4. Not everybody lies. When you are caught, at some point you will be asked the ultimate questions under oath, and then you have a choice: (i) tell the truth, in which case you may be credible enough to prevail; or (ii) lie, in which case you may be credible enough to prevail. The thing about lying, however, is this: you are lying. For many of us, when push comes to shove, personal honor tends to matter more than a few bucks. For others, well, that's how it goes -- they are the lying liars that make this place a sadder one in which to live.
   
5. RIAA has a case. Look, here it is. If the facts are true, if you have copies of unauthorized works on your computer, and they catch you -- you are busted. You did the deed, and it is actionable. You might not like it, but you are responsible under the law for your conduct.