Slashdot Mirror


What Questions Would You Ask An RIAA 'Expert'?

NewYorkCountryLawyer asks: "In UMG v. Lindor, the RIAA has submitted an 'expert' report (pdf) and 26-page curriculum vitae (pdf), prepared by Dr. Doug Jacobson of Iowa State University who is the RIAA's expert witness in all of its cases against consumers, relating to alleged copyright infringement by means of a shared files folder on Kazaa, and supposed analysis of the hard drive of a computer in Ms. Lindor's apartment. The RIAA's 'experts' have been shut down in the Netherlands and Canada, having been shown by Prof. Sips and Dr. Pouwelse of Delft University's Parallel and Distributed Systems research group (pdf) to have failed to do their homework, but are still operating in the USA. The materials were submitted in connection with a motion to compel Ms. Lindor's son, who lives 4 miles away from her, to turn over his computer and music listening devices to the RIAA. Both Ms. Lindor's attorney (pdf) and Ms. Lindor's son's attorney (pdf) have objected to the introduction of these materials, but Dr. Jacobson's document production and deposition are scheduled for January and February, and we would love to get the tech community's ideas for questions to ask, and in general your reactions, thoughts, opinions, information, and any other input you can share with us. (In case you haven't guessed, we are the attorneys for Ms. Lindor.)"

20 of 616 comments

  1. I'd ask: by Vengeance · · Score: 5, Funny

    How old are you?

    You see, I'm doing a research paper on how long a human can live without a brain.

    --
    It was a joke! When you give me that look it was a joke.
  2. Conflict of interest by MECC · · Score: 5, Insightful


    What steps would you take to prove that a screenshot is 'authentic'? If I doctored a screenshot to include a list of songs, how would you discover the doctoring? How would you establish that the song names contained the correct songs and not something else? Are all screenshots unalterable?

    Describe the process of 'proving' that someone's home computer used a given IP address at a given time. Anywhere.

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
    1. Re:Conflict of interest by DCFC · · Score: 5, Interesting

      I agree it is a good question, but I'd spin it slightly. I'd ask him *how* to doctor a screen, and how trivial it would be to fiddle records that showed the defendant had a given IP address.
      It would take very little time for a competent person to do this, indeed to ridicule the RIAA position, I could take a couple of days with an average 10 year old and leave them able to do this; a smart 8 year old could do it in a morning.
      Ask him if he's conducted a review of ISP logging s/w, as in read the source code, not as in sent an email asking if it was "OK". Would bet good money he hasn't. Actually the ISPs aren't likely to say their s/w is 100%.
      a) Because it's a lie which no one will believe
      b) they don't know if it works, and don't care enough to check.
      Ask him why the records sent by ISPs say in big letters words to the effect "we've no bloody idea if this record is accurate, hell we can't even get change of billing address right, or get the accounts to add up, you think we trust these records ? Dream on. We sent them because we don't want to go to jail, not because they are correct."
      One question I'd ask him as an educator is
      If you had a student that could not change this data to support the RIAA case, would he award them a good grade?
      Maybe follow up by asking him how many people have such training (my guess is that there are more people capable of this in the USA than firing a gun competently). Would you convict on the grounds that the prosecutor said "almost no one can shoot a target as small as a person at 25 metres"? I would follow this pattern for any of the evidence produced by the RIAA.
      Get him to explain as their expert how it could be faked. When he claims something cannot, come to Slashdot, and I am very confident that not only can we find an "expert" who can fix it, but possibly more usefully a 13 year old with no formal CompSci education to demo how trivial it is.
      There is no computer record used by ISPs or almost anyone else that cannot be faked if you have the password.
      My background includes records stored by banks and a major government, and they use tapes and disks of the same brand and configuration as everyone else. Tedious, but not hard.
      Even the access logs that record such changes are themselves very fragile, and are simply entries in a different easily malleable list, typically on the same system, and it's far from unknown for the access level required for the audit list to be reachable with the standard system admin password. This is the default for nearly all database systems. If his track record is accurate, then he will have the options of either admitting the evidence could be fake, or lying. Next question is to ask him the typical failure rate of IT systems. Ask him the difference between mission critical computing like you see on aircraft and medical systems and the famously buggy and bizarre scareware the utilities blunder with. Ask him if he'd convict a friend of a serious crime based upon ISP records.
      No one with any integrity would do this. Then ask him what level of crime/penalty he'd accept. Good odds he'll pick music piracy. In particular it is important that you get him to acknowledge that the records say that this IP address matched an account, not a computer. This is very much not the same as saying "this computer did this". If you're lucky and this twerp doesn't read slashdot, he will say the MAC address uniquely identifies a computer. One typically assumes this in many applications, but it is a standard documented function of many devices such as routers to take whatever MAC address you tell them.

      --
      Dominic Connor, Quant Headhunter
  3. Have you _ever_ made a mix tape? by waterford0069 · · Score: 5, Insightful

    To take one for Steven Jay Page of the Barenaked Ladies

    Have you _ever_ (and I mean EVER) made a "mix" tape? Did you give it to your SO/love interest?

    Steven's argument being that effectively EVERY person in the music industry has done this at one time or another, and to be punishing their customers for doing effectively the same thing is hypocritical.

  4. Freedom by crabpeople · · Score: 5, Funny

    Why do you hate freedom?

    --
    I'll just use my special getting high powers one more time...
  5. A bit about Mr. Jacobson by linefeed0 · · Score: 5, Insightful
    I always hate it when academics use their position to further crap like this rather than fight the bullshit. My alma mater had plenty of these jerks too, particularly the people running the career programs in "e-commerce" and computer security. One telltale sign is that they've testified before Congress. Apparently Mr. Jacobson doesn't like p2p because there's porn on it. The money shot is this bit:

    There are several issues that make pornography on peer-to-peer networks more problematic than web or FTP-hosted pornography. You don't have to look for pornography on peer-to-peer networks; it will find you.

    On SOVIET LIMEWIRE, PORN FINDS YOU!

  6. Come on! by zepo1a · · Score: 5, Insightful

    Come /.! NewYorkCountryLawyer is trying to do something good here.

    Can we get serious for a minute? Please?

  7. questions by superwiz · · Score: 5, Insightful

    1. What measures will be taken to safeguard the integrity of the data and the data storage devices. You don't want your property destroyed in the process of investigation.

    2. Ask for extensive access to all the equipment that will be used during the investigation to verify that the said equipment may not accidentally harm your devices and data.

    3. Ask for a comprehensive review of all the privacy-safeguarding mechanisms that the plaintiffs have in place for the retrieved data. Further, ask for an audit of the feasibility of the privacy safeguards as well as their effectiveness in actually protecting the privacy of the data.

    --
    Any guest worker system is indistinguishable from indentured servitude.
    1. Re:questions by crmanriq · · Score: 5, Insightful

      1. Please provide a detailed outline of what tests you wish to perform, and the tools that you will use to perform them. Are these industry recognized tools, or are they proprietary? If they are not industry recognized, please provide source code so that their results may be analyzed in context by recognized experts.
      2. Please state your reasons why these tests cannot be performed by an independent laboratory by skilled professionals.
      3. Please state what industry standards these tests meet that will confirm their validity. (Do they meet an IEEE or ASTM testing standard?) If no industry standard exists, then provide documented research that lays out why these tests meet a standard of proof that can and should be allowed in a court of law.
      4. What specialized equipment will be used in testing? Has this equipment been certified for this use, or is this a new use of the equipment? If it is a new use, then please provide supporting documentation to certify that any results achieved will be meaningful.
      5. What measures will be taken to preserve the integrity of the data so that your results may be independently verified?
      6. What measures will be taken to keep the equipment free from harm?
      7. What measures will be taken to preserve the chain of evidence?
      8. What measures will be taken to ensure that no data is added to, removed from or changed on the by your personnel or your agents? How can this be independently verified?
      9. Which of your described tests include subjective criteria, and which are purely objective? How are the subjective criteria to be evaluated, and how could an independent testing body repeat this portion of testing?
      10. How long will the testing take, and will you provide a functionally equal replacement during the testing duration so as not to deprive the owners of the use of their property?

      --
      If it's worth doing, it's worth doing for money.
    2. Re:questions by DamnStupidElf · · Score: 5, Insightful

      4. Ask them if they have the necessary licenses from Microsoft and any other companies to make copies of the data on the hard disk, including any legally purchased music they might encounter. Almost every forensic software package creates a complete duplicate of the hard disk as its first step to preserve the chain of evidence. Additionally, ask them if they will violate copyright law if they duplicate the hard disk and there are illegally copied media files on the disk that they don't own the copyright to. In criminal investigations, law enforcement is generally exempt from copyright law for the purposes of evidence gathering. I don't think individuals and companies have the same leeway during discovery, so basically the entire premise they are basing their case on will prevent them from performing an accurate forensic examination. Even if they don't make a duplicate copy of the drive, they will still be unlicensed to view certain files simply because the defendant doesn't have the right to relicense them. I imagine this has come up in courts before where companies try to hide things like trade secrets and copyrighted documents from discovery, but in those cases they are generally the sole owner of those documents and can be compelled to release them. A person owns almost none of the rights to software and other media on their own computer.

      I think it's only fair that the plaintiffs should have to play by their own rules, e.g. that any use or copies of copyrighted material without explicit permission is absolutely forbidden.

  8. Attack his expertise by Anonymous Coward · · Score: 5, Insightful

    I saw at least one false statement in one of the filings. It's not a lie so much as a total lack of understanding of how IP networks really work and how far they can be pushed. Combine that with the fact he's been discredited in Canada and it should make the court ask questions.

    In particular the statement that he was able to determine there was no wireless router in use at the time cannot be substantiated. It is possible to have a wireless router that NATs you right back to your public IP. In fact, I've done it (without the wireless part) at least twice for different reasons.

    If I were you, I would set up a demo that shows this and rub his nose in it.

  9. Very good questions by NetDanzr · · Score: 5, Interesting
    Those are very good questions. I'd add the following:

    * How do you prove that the contents of the "shared" folder were actually shared with third parties? (I have a "shared" folder with music on my PC, to stream to my other PCs and my stereo)
    * How do you prove the "shared" folder was not created automatically by the P2P software?
    * How do you prove that the user was computer savvy enough to prevent the software from creating the folder?

  10. ask groklaw by SABME · · Score: 5, Insightful
    Have you considered asking this question on http://groklaw.net/?

    You might get a better response there (i.e., less noise than /.), especially since Groklaw is about legal issues surrounding tech.

  11. What bugs does MediaSentry have? by Chris Snook · · Score: 5, Insightful

    My father is an attorney, and he once told me that you never ask a question you don't already know the answer to, unless the answer cannot possibly hurt you. There are a few possible answers here:

    1) I don't know.

    If he doesn't know, he's not an expert on MediaSentry.

    2) None.

    At this point you enter into evidence a copy of The Mythical Man-Month or some similar tome, and quote figures on bugs per lines of code. You have now discredited him.

    3) Lots, for example...

    This will go over *great* with a jury.

    This guy claims that the hard drive provided must be the wrong hard drive because it doesn't show any evidence of file sharing whatsoever, and MediaSentry claims there was file sharing. Maybe it's a bug in MediaSentry.

    --
    There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
  12. Whatever. by arkanes · · Score: 5, Insightful

    Did none of you read the PDF? The expert report says that the hard drive provided to him was *not* the one used to share the files. He doesn't discuss his methodology in any detail, but it's reasonable enough. He states that, based on his analysis of the hard drive, that the machine was directly connected to the internet (not via a router), which is easy enough to tell from the IP address assigned, and that it does not and did not have Kazaa (apparently the p2p program used) on it. From the other links, it sounds like they're claiming that this isn't the hard drive they wanted, from the machine they wanted, and that they're trying to get access to the son's hard drive based on that.

    Assuming that the expert isn't totally incompetent and/or lying, he's right. If this hard drive is from the machine that had the IP addresses in the subpoena from Verizon (he says he has access to the Verizon information, but not whether or not the IPs match up), then you have a pretty airtight dismissal - no evidence of sharing, let's go home. If they're trying to claim that the son probably brought his machine over, you're going to have to rely on legal arguments rather than technical ones. It's certainly possible that he did, but I don't know enough about the law to say whether that matters in a case like this. The case is against her, not her son, so can't you argue for dismissal on that alone?

    If they're claiming that you gave them some totally unrelated drive, you're going to need to document where that drive came from. I assume you have all your ducks in a row with regards to the chain of documents and evidence for that drive. If you don't, then someone screwed up along the way and someone is going to pay for it - probably your client and her family. That's not something interrogation of this witness will help you with - his analysis of the drive is probably correct.

    What he's saying is that he didn't find the evidence the RIAA wants on the drive, so prove that's the drive they asked for and go home.
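
To make the address-based inference discussed in the comment above concrete, here is an added example (not part of the thread, and not the expert's method) that classifies the address recovered from a host and compares it with the ISP-assigned one. The function names, outcome labels and sample addresses (RFC 5737 documentation addresses standing in for public ones) are constructed for illustration; note that within 172.* only 172.16.0.0/12 is private.

```python
import ipaddress

# Special-purpose IPv4 ranges: a host holding one of these was not itself
# holding a publicly routable address.
SPECIAL_RANGES = [
    ("rfc1918-private", ipaddress.IPv4Network("10.0.0.0/8")),
    ("rfc1918-private", ipaddress.IPv4Network("172.16.0.0/12")),  # 172.16 - 172.31 only
    ("rfc1918-private", ipaddress.IPv4Network("192.168.0.0/16")),
    ("cgnat-shared", ipaddress.IPv4Network("100.64.0.0/10")),     # RFC 6598
    ("link-local", ipaddress.IPv4Network("169.254.0.0/16")),      # RFC 3927
    ("loopback", ipaddress.IPv4Network("127.0.0.0/8")),
]

# Hypothetical outcome labels with the limit of what each one supports.
FINDINGS = {
    "translated": "host held a non-public address, so address translation "
                  "happened between the host and the public internet",
    "match": "host held the ISP-assigned address; consistent with a direct "
             "connection, but a layer-2 bridge or access point in between "
             "would leave the same trace",
    "mismatch": "host held a routable address different from the ISP record; "
                "the two records do not describe the same assignment",
    "inconclusive": "host address is self-assigned or loopback and says "
                    "nothing about the upstream path",
}


def classify(addr: str) -> str:
    """Return the range label for an IPv4 address string."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
    for label, network in SPECIAL_RANGES:
        if ip in network:
            return label
    return "routable"


def assess(host_addr: str, isp_addr: str) -> tuple:
    """Compare the address recorded on the host with the ISP-assigned one.

    Returns (outcome, explanation). The outcome describes what the two
    addresses are consistent with, not who was using the machine.
    """
    kind = classify(host_addr)
    isp_ip = ipaddress.IPv4Address(isp_addr)
    if kind in ("rfc1918-private", "cgnat-shared"):
        outcome = "translated"
    elif kind in ("link-local", "loopback"):
        outcome = "inconclusive"
    elif ipaddress.IPv4Address(host_addr) == isp_ip:
        outcome = "match"
    else:
        outcome = "mismatch"
    return outcome, FINDINGS[outcome]


# Constructed sample pairs: (address found on host, address in ISP record).
SAMPLES = [
    ("192.168.1.10", "203.0.113.7"),
    ("172.32.0.1", "172.32.0.1"),     # outside 172.16.0.0/12, so routable
    ("203.0.113.7", "203.0.113.7"),
    ("198.51.100.9", "203.0.113.7"),
    ("169.254.10.1", "203.0.113.7"),
]


def run_samples():
    """Assess every constructed sample and return the outcome labels."""
    return [assess(host, isp)[0] for host, isp in SAMPLES]


if __name__ == "__main__":
    for (host, isp) in SAMPLES:
        outcome, why = assess(host, isp)
        print(f"{host:>15} vs {isp:<15} {classify(host):<16} {outcome}: {why}")
```
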

  13. Real questions by realmolo · · Score: 5, Interesting

    I read the PDF report from the RIAA's expert.

    Seems that he's saying that the hard drive he examined contained NO TRACE of Kazaa ever being installed, and no trace of any "shared files". He goes on to say that the hard drive appeared to be hardly used, since there were very few user-created files. The implication is that the hard drive he examined is not the hard drive that was used to share music, or that it had been completely erased at some point.

    I would ask him about the possibility that the hard drive was reformatted in the process of re-installing Windows, via a normal Windows CD or especially a "restore CD". And I would also ask him if it is possible that Ms. Lindor re-installed Windows because she was having other problems with the computer, and a re-install was the simplest way to fix those problems. I would also ask him if formatting the drive and re-installing Windows is a common way to repair computers that have become unusable due to viruses and spyware. I would also ask him how common spyware and viruses are, and how a user such as Ms. Lindor would be able to fix a machine infected with spyware and/or viruses without resorting to formatting her hard drive and re-installing Windows.

    Basically, reformatting the drive is a perfectly legitimate thing to do when Windows, or any operating system, becomes "unusable" due to corruption of system files by malicious software. Just because her drive is "empty" doesn't mean she is trying to hide evidence. She may have done it simply to get her computer working again.

  14. Could the defendant's computer have been hacked? by Iphtashu Fitz · · Score: 5, Interesting

    Here's one for you:

    Is it possible that the defendant's computer was compromised in some way by a third party without their knowledge, and that the third party was the one who put the music on the computer and set it up to be shared?

    I was at my brother's house over the xmas weekend and he was complaining about odd behavior on his Windows PC. The mouse simply stopped functioning properly in a number of applications, etc. He's on a DSL line but behind a router/firewall, with a software-based firewall and virus scanner installed. I decided to do a thorough check myself, however, and discovered that there was a directory containing over 2 gigabytes of porn that he knew nothing about. It was quite obvious that some sort of malicious software had made it onto his PC and turned it into some sort of porn file server, probably for some P2P network. Now my brother is no Windows expert but he's fairly savvy technically (college grad with a computer science major, MBA from a well respected business school). If he couldn't detect this going on with his own computer then how could a computer-illiterate person be expected to?

  15. IANAL. by mmell · · Score: 5, Informative
    But TLP'er is, so here goes...

    On initial analysis, the gentleman does appear to be qualified to render "expert testimony". I assume that his bona fides are in order. The fact that jurisdictions outside the US don't acknowledge his expertise is irrelevant - this gentleman's qualifications appear (unfortunately) to be impeccable.

    Many of my associates here on /. to the contrary, the plaintiff will probably have little to no difficulty establishing whether or not the suspect computer in this case was using the IP address from which the plaintiff alleges the copyright infringement took place. Likewise, based on the ISP records, the plaintiff will probably have little difficulty proving that their record of the shared content as identified from the plaintiff's computer is an accurate and correct representation of that IP address' activity. Attacking the accuracy of their data (showing a computer at the defendant's IP address was sharing files via P2P technology) will probably likewise prove unproductive; and as I'm sure you're aware, making allegations of misconduct without evidence on your part to support your allegations could be very bad for your professional situation. To my /. fellows, remember that this is a civil case - the standard is not "proof beyond a reasonable doubt" but rather "a preponderance of evidence". With that end in view, rather than attacking the assertion that illegal file sharing took place from that IP address you should try to establish whether or not Ms. Lindor's computer contains evidence of this illicit activity.

    While Ms. Lindor has been named as the defendant, I would suspect that the plaintiff's case hinges not on alleging that Ms. Lindor actually performed the acts in question, but rather that by providing internet connectivity and/or computer equipment which was used to ostensibly perform this act, Ms. Lindor is liable for damages caused by this act. However, the plaintiff's entire case rests on proving that the physical connection used to perform this act terminates with Ms. Lindor's residence and computing equipment (areas under her control). You should have little difficulty finding your own expert in the IT field, one who can demonstrate ideas such as MAC and IP address spoofing to gain illicit access to a network. Your expert should also be able to establish that (barring an extremely involved investigation which did not take place at the time) these items, while intended to be unique to a single computer connected at a single point to the network, are in fact easily forged. It should then prove trivial to explain why these items can not be used to positively and uniquely identify Ms. Lindor's computer and network connection.

    Finally, you might consider analyzing the state of Ms. Lindor's equipment. If she was using any version of wireless networking, that would imply an even greater likelihood that the acts in question were performed with neither the knowledge nor consent of Ms. Lindor. Insecurity in wireless networks has been a problem practically since their inception; and while Ms. Lindor may still have some liability (much like the registered owner of an automobile may be liable for damages caused by a thief who stole that automobile), this may be a factor in mitigation or extenuation of the alleged infringement.

    Incidentally, you should ensure that UMG is fully aware of what the news will make of all this after a verdict is rendered. "Single mother loses home, life savings to music industry" would make a great headline, and I'm sure you could find more than a few sympathetic journalists to write an appropriately scathing article to go with it. As you're well aware, the courts aren't the only courts in this country; the court of public opinion can be a monstrous thing to those unwary enough to stand in its path!

  16. Discredit him thoroughly by Xenographic · · Score: 5, Insightful

    Obviously, we know several things:

    * Screenshots are unreliable. They're easy to fake. I suggest you have a few fakes on hand.
    * Thus, the chain of evidence *IS* the evidence and the only evidence. Make sure you know EVERY detail about it.
    * You can't really prove which person was at the computer without something else to corroborate it, only the owner of the computer.

    These are the biggest apparent gaps. You need to know everything about them and to dump as much as you can into the public record for us. You also need to document all the "I don't know" answers, because those will be the ones where you might hurt them the most.

    Therefore, you should question him in detail on at least the following points:

    * How are the screenshots taken. Who has access to them? What's the chain of evidence? How and where are all of these things stored? Are they stored in a secure manner? How would you know if they were altered?
    - Make doctored screenshots. Have him "authenticate" the fakes. Bonus points if you do this in front of the jury. Double bonus if the infringing IP is that of riaa.com, sony.com or similar. WARNING: This is a public site. He may VERY well be reading this.

    * Describe, in detail, the exact process by which you find those allegedly infringing upon your copyrights. Be methodical. You want to know the exact version of the OS they're running (not just "win XP" or "various"). You want to know EVERY program they use, even if it's MS Paint. You want them to produce the source code of any custom programs for analysis by outside experts. You want to know about any known flaws. You want to see any and all release or design notes, ESPECIALLY any bugs, source/versioning control, changelogs, etc. You want to know which exact version of their custom program found the infringement for this case. That does NOT let them off the hook on letting you examine prior versions or newer versions--old bugs DO stick around even when they've been "fixed" and you need to see both newer and older versions. I.E. if the bug has been fixed twice, you know it was there in the interim. Yes, they may put out protective orders and whatnot, but the more information about this you can get into the public record, the more they'll squirm and the more we'll reveal the sloppiness they're hiding. And I know they have things to hide, unless they're so clueless as not to know their own weaknesses. You can work both alternatives to your advantage.

    * Describe how the ISP identifies the person associated with the IP. You may actually have to subpoena the ISP on this point, I suspect they'll just produce the letter and say that that's sufficient. It's not. We both know that even if the IP belonged to a computer using their internet service, they don't have any idea who's at the screen at any given time, only which account is active. And even this may be unreliable. You NEED to get every last detail about how they log the IPs leased out, how they associate them with their customers, where the data is stored, how long it is stored for, who has access to it, on what computers it's stored, how reliable those computers are (e.g. any records of maintenance, program changes or downtime), etc. You're the lawyer here. You know better than I how important being methodical in discovery is, and every detail may be significant. I suspect they'll have trouble producing everything. Records may not exist for some things, but this is also important--every gap is a gap in their chain of evidence. It takes only one broken link to destroy a chain... Get EVERY detail you can from this into the record and make sure it gets sealed or redacted as little as possible. All these details about software, hardware, and the human processes that work with them are of vital importance to us for technical analysis, just like case law, venue and precedents are to your case. Even the programs they don't use directly, like antivirus or firewall software may be important, not to mention the topology of thei

  17. here's my strategy by greenrom · · Score: 5, Insightful

    First I'd use their own witness to establish a possible defense for the alleged infringement. Then I'd point out how weak the argument for claiming the hard drive he examined is not the correct one. Finally, I'd establish that there is no evidence that the hard drive they're trying to subpoena contains any evidence of infringement and portray the whole thing as a big fishing expedition. Let me walk through these 3 in a little more detail.

    1. The witness claims the computer was not connected to a router because of the IP addresses he observed in the registry. The addresses you'd typically use for a home router are non-routable ip addresses like 192.168.*, 172.*, or 10.*. These are special address ranges that don't appear on the public internet. Routers use them because you can guarantee that the IP addresses assigned to computers by the router will not conflict with any other address. While it is possible to configure most routers to use a different routable address, the assumption the defendant makes is probably reasonable. However, if no router is being used as the witness claims, then the attached computer did not have the protection a router's NAT provides from outside attacks. I would grill him on this. The theory I would push is that since the computer was insecure, someone else did the infringement but used the defendant's vulnerable computer to run proxy software to hide their illegal activities. This sort of thing actually happens quite frequently. If you search, you can find lots of software for doing this. Further, proxy software isn't that difficult to write. Anyone with a good programming background could easily write one, and anyone with a good understanding of networking who wanted to do something online without it being traceable back to them would likely use this exact technique. Virus scanners already detect many of these programs, but there are many, many more that the virus scanners don't know about yet. I would get him to admit this. There are many, many ways to hide software like this, so even if you look for it and don't find it, you can never be completely sure it isn't there. That's why many experts will tell you that if a system has been compromised, the only sure way to restore it to a secure state is to wipe it and reinstall everything. There's just too many ways to hide malicious software to be sure you found everything the attacker did.
    2. I'd point out the many other conclusions one could draw other than, "this must be the wrong hard drive." One possibility is the proxy explanation I gave in #1 - kazaa wouldn't be on the computer in this case. Another explanation for the lack of files on the computer is that the defendant just didn't use the computer very much. Another explanation would be that the computer recently had the hard drive formatted and the software reinstalled - I believe this is undisputed. An explanation for the lack of kazaa files is that kazaa was never there in the first place. Essentially he's saying, "I was told the person using this hard drive was using P2P software to share files. I don't find any evidence of that on this hard drive, so this must be the wrong hard drive." Another explanation is that it's the right hard drive, but that kazaa was not being used and the defendant didn't even use the computer that much. If you try to say a format and reinstall would wipe away all evidence of kazaa, he might try to claim that the forensic software he used could still detect it as not all the data gets overwritten. This is true, but to counter this, ask "Is it possible the data you were looking for could have been overwritten when the operating system was reinstalled?" His answer will be yes. "Could your forensics software detect that data after it has been overwritten by other files or when the operating system was reinstalled?" His answer will be no.
    3. Finally, portray the whole thing as a fishing expedition. Ask him about how widespread the problem of illegally sharing files with kazaa is. Ask him if you randomly just