What Questions Would You Ask An RIAA 'Expert'?

NewYorkCountryLawyer asks: "In UMG v. Lindor, the RIAA has submitted an 'expert' report (pdf) and 26-page curriculum vitae (pdf), prepared by Dr. Doug Jacobson of Iowa State University who is the RIAA's expert witness in all of its cases against consumers, relating to alleged copyright infringement by means of a shared files folder on Kazaa, and supposed analysis of the hard drive of a computer in Ms. Lindor's apartment. The RIAA's 'experts' have been shut down in the Netherlands and Canada, having been shown by Prof. Sips and Dr. Pouwelse of Delft University's Parallel and Distributed Systems research group (pdf) to have failed to do their homework, but are still operating in the USA. The materials were submitted in connection with a motion to compel Ms. Lindor's son, who lives 4 miles away from her, to turn over his computer and music listening devices to the RIAA. Both Ms. Lindor's attorney (pdf) and Ms. Lindor's son's attorney (pdf) have objected to the introduction of these materials, but Dr. Jacobson's document production and deposition are scheduled for January and February, and we would love to get the tech community's ideas for questions to ask, and in general your reactions, thoughts, opinions, information, and any other input you can share with us. (In case you haven't guessed, we are the attorneys for Ms. Lindor.)"

IANAL.

[mmell]

But TLP'er is, so here goes...

On initial analysis, the gentleman does appear to be qualified to render "expert testimony". I assume that his bona fides are in order. The fact that jurisdictions outside the US don't acknowledge his expertise is irrelevant - this gentleman's qualifications appear (unfortunately) to be impeccable.

Many of my associates here on /. to the contrary, the plaintiff will probably have little to no difficulty establishing whether or not the suspect computer in this case was using the IP address from which the plaintiff alleges the copyright infringement took place. Likewise, based on the ISP records, the plaintiff will probably have little difficulty proving that their record of the shared content as identified from the plaintiff's computer is an accurate and correct representation of that IP address' activity. Attacking the accuracy of their data (showing a computer at the defendant's IP address was sharing files via P2P technology) will probably likewise prove unproductive; and as I'm sure you're aware, making allegations of misconduct without evidence on your part to support your allegations could be very bad for your professional situation. To my /. fellows, remember that this is a civil case - the standard is not "proof beyond a reasonable doubt" but rather "a preponderance of evidence". With that end in view, rather than attacking the assertion that illegal file sharing took place from that IP address you should try to establish whether or not Ms. Lindor's computer contains evidence of this illicit activity.

While Ms. Lindor has been named as the defendant, I would suspect that the plaintiff's case hinges not on alleging that Ms. Lindor actually performed the acts in question, but rather that by providing internet connectivity and/or computer equipment which was used to ostensibly perform this act, Ms. Lindor is liable for damages caused by this act. However, the plaintiff's entire case rests on proving that the physical connection used to perform this act terminates with Ms. Lindor's residence and computing equipment (areas under her control). You should have little difficulty finding your own expert in the IT field, one who can demonstrate ideas such as MAC and IP address spoofing to gain illicit access to a network. Your expert should also be able to establish that (barring an extremely involved investigation which did not take place at the time) these items, while intended to be unique to a single computer connected at a single point to the network, are in fact easily forged. It should then prove trivial to explain why these items can not be used to positively and uniquely identify Ms. Lindor's computer and network connection.

Finally, you might consider analyzing the state of Ms. Lindor's equipment. If she was using any version of wireless networking, that would imply an even greater likelihood that the acts in question were performed with neither the knowledge or consent of Ms. Lindor. Insecurity in wireless networks has been a problem practically since their inception; and while Ms. Lindor may still have some liability (much like the registered owner of an automobile may be liable for damages caused by a thief who stole that automobile), this may be a factor in mitigation or extenuation of the alleged infringement.

Incidentally, you should ensure that UMG is fully aware of what the news will make of all this after a verdict is rendered. "Single mother loses home, life savings to music industry" would make a great headline, and I'm sure you could find more than a few sympathetic journalists to write an appropriately scathing article to go with it. As you're well aware, the courts aren't the only courts in this country; the court of public opinion can be a monstrous thing to those unwary enough to stand in its path!

Re:ask groklaw

[werewolf1031]

That would be great if he wanted legal advice and information, but he doesn't. He wants computer-related technical advice and info, which he likely won't find on a legal website. Hence, he posted to a 'nerd' website to find those technical answers. Funny, I thought he made that pretty clear?

For example, he might ask:

• Can these "experts" guarantee the authenticity of screenshots showing IP addresses, ensuring they haven't been altered? (Most likely answer: No Frickin' Way.)
• What methods were used to determine that defendant was using the IP addresses in question at the time of the infringement? Can these methods be duplicated independently by outside IT personnel? What kind of authenticity measures were applied to the networking logs indicating that the defendant was indeed using those IP addresses at the time? Are they plain text files? How can anyone be sure they haven't been altered?
• Did they verify the contents of the allegedly infringing files to ensure that they do, indeed, contain material copyrighted by the plaintiff? And yes, checksums can be faked, with some effort, so they would have to actually listen to the files. Are these files still intact on the defendant's hard drive, and if so, how were they verified to have not been placed there after seizure?

I could go on all day, but you get the point. The lawyer doesn't want legal advice, he wants technical advice. Pay attention, dude.

Re:ask groklaw

[tinkerghost]

Additionally

• What measures were taken to verify that the IP address was neither spoofed nor usurped during the period in question?

Having worked for a cable ISP, it's not uncommon for 2 cable modems on the same UBR to have the same IP address - usually a result of one of the modems failing to honor the lease time from the DHCP grant - though potentially it could be deliberately done. Add to that the joy of promiscious mode settings and you can potentially be broadcasting from your neighbors IP address with his spoofed MAC address and still get your responses back.

• Were any of the routers between the system which captured the screenshot and the defendants modem compromised at the time the screenshot was taken?

I don't recall the exact number, but IIRC one of the internal memo's indicated about 5-10% of my former companies UBR's had been compromised at some point in the last year.

• What investigations have you taken into determining if the defendants computer was not compromised at the time of the screenshot.
• If the US Government is repeatedly the victim of criminal computer access, what is the level of due dilligence required of the average citizen to prevent a compromised system from being used to illicitly trade files?

If I understand it correctly, it is their responsibility to prove that the system was not compromised at the time of the screenshot. Given the average 1st security update to a virgin XP box is 20-30 minutes and the average time to ownership is 15 minutes, I think there is a reasonable case to be made that the box may have been compromised at some point - proving it wasn't at the specified time may be difficult - especially if there are a few virus fragments laying around indicating it being 'p0wn3d' in the past.

Re:Conflict of interest

[cpt+kangarooski]

Actually, that's only the standard in criminal cases. In civil cases, the standard is the far, far lower 'balance of probabilities' standard. Simply put, it's 'whatever probably happened actually did happen' even if that probability is a mere 51%. Even if there's 49% of doubt, that's still not good enough in such a case for the defendant to win.

So honestly, if someone was accused of file sharing on the basis of them being assigned an IP at a particular time from which files were downloaded which contain copyrighted material, even if we only have RIAA's word for it, and the defendant had an open WAP, and a computer forensicist finds corresponding files on the defendant's hard drive, while we all may accept that there is a real possibility that the defendant didn't do it, does anyone think that he probably didn't do it? Because if he probably did it, despite even a very strong (but necessarily lesser) chance that he didn't, then you have to find him liable.

I find it difficult to believe that /. users would think that the defendant probably didn't do it, barring something else of particular significance.

Re:Conflict of interest

[NewYorkCountryLawyer]

My impression is that they
-make money on the settlements
-lose money on the default judgments and
-lose a lot of money on every contested case.