RIAA's 'Expert' Witness Testimony Now Online

NewYorkCountryLawyer writes "The online community now has an opportunity to see the fruits of its labor. Back in December, the Slashdot ('What Questions Would You Ask an RIAA Expert?') and Groklaw ('Another Lawyer Would Like to Pick Your Brain, Please') communities were asked for their input on possible questions to pose to the RIAA's 'expert'. Dr. Doug Jacobson of Iowa State University, was scheduled to be deposed in February in UMG v. Lindor, for the first time in any RIAA case. Ms. Lindor's lawyers were flooded with about 1400 responses. The deposition of Dr. Jacobson went forward on February 23, 2007, and the transcript is now available online (pdf) (ascii). Ray Beckerman, one of Ms. Lindor's attorneys, had this comment: 'We are deeply grateful to the community for reviewing our request, for giving us thoughts and ideas, and for reviewing other readers' responses. Now I ask the tech community to review this all-important transcript, and bear witness to the shoddy investigation and junk science upon which the RIAA has based its litigation war against the people. The computer scientists among you will be astounded that the RIAA has been permitted to burden our court system with cases based upon such arrant and careless nonsense.'"

One quick thought about licensure

[Raul654]

I saw something in the transcript that I wanted to point out before anyone else here criticizes Jacobson on it:

Q. By what body are you certified as an engineer?
A. By no professional society.
Q. No professional society? Is there any organization that has certified you as an engineer?
A. No.
Q. Are you part of any peer regulatory body?
A. I don't quite understand what you mean by --
Q. Are you part of any body the members of which are peer-regulated?
A. Can you give me an example of what you are --
Q. A lawyer, an architect, an accountant. I thought an engineer had to be certified by a peer-regulated body.
A. To be called a professional engineer they do.
Q. So are you not a professional engineer?
A. I do not have a PE license.

Based on his Jacobson's research page. It looks like Jacob's, a professor "on the faculty of Electrical and Computer Engineering", is a computer engineer. Given that, the above statement is totally understandable As a computer engineer myself, I can say that it is *EXTREMELY* rare for a computer engineer to be a licensed PE. (Not a single computer engineering professor in my University is). PE's are common in engineering professions where somebody needs to sign off on the final product - civil engineering especially, and mechanical engineering to a lesser extent.

Some "expert"!

[Coopjust]

This guy comes to the conclusion that it was the defendant's computer, even though there is no evidence from hard drive forensics, and he says there is no wireless router since the IP was registered to the house.

Also, he kept no records of the forensic analysis, and he is always trying to pin the idea that an IP address is a computer, even though it's obvious he's avoiding or twisting questions, even to someone who isn't so technically inclined.

Re:Some "expert"!

[tftp]

To me it's crystal clear that they observed someone's Kazaa traffic, but when they snatched the HDD it was some other computer. The reason for that is not some outlandish NAT or Kazaa hack, but simply an IP address confusion (either a true collision, or a wrong DHCP log at Verizon - not that they care.)

Re:Some "expert"!

[geoskd]

Also, he kept no records of the forensic analysis, and he is always trying to pin the idea that an IP address is a computer, even though it's obvious he's avoiding or twisting questions, even to someone who isn't so technically inclined.

I feel bad for the guy. Yes, he sold his soul to the mafiaa, but internetworking is difficult enough to explain to someone with some background in IT. This deposition is exactly the same kind of thing you would get if a lawyer had to explain tax law to a computer engineer, with the added benefit that the Q/A process is an exceptuionally difficult way to go about educating someone on how this crap actualy works. The long and the short is that The guy can demonstrate that the machine that was running KaZaa thought that its IP address and the IP address of the network connection were identical. This shows that either KaZaa was running on a machine that was *not* behind a NAT, or someone went to great lengths to convince KaZaa that it wasn't behind a NAT and have it work correctly. The net result is that it is reasonable to say that the computer that had that IP address was the *only* device connected through that particular Cable Modem / DSL line at that particular time. If it was behind a NAT, KaZaa would have showed a primary IP of 141.155.57.198, and the host IP of something like 192.168.1.100, or somesuch. Thus when he says that an IP address uniquely identifies a computer, in this case it does. He tried very hard not to say that it is always true because it isn't. That is why the lawyer (who clearly doesn't understand internetworking, but had a list of "gothchas") couldn't pin him down to anything. Otherwise, the only real glaring omission that should have been added is that some routers have *multiple* MAC address' one for each port. (modern routers only have one cause each connection can safely assume that it won't be rerouted back to the same router, but some early routers had a unique MAC for each port, before someone discovered that it was a waste of good MAC's)

-=Geoskd

Re:Some "expert"!

[Ungrounded+Lightning]

An expert who ignores that there is a subnet mask that gives you a full 4th octet under a single IP either hasn't ever worked with networking, or is not aware of the knowledge they are shelling out to first year students in technical institutes;

The record doesn't show anything like that.

One of the few things he did right was determine that the IP address was assigned to the computer, that NAT wasn't in use. The tool he used does this by extracting and displaying both the "from" IP address on the packet and a copy of the interface's IP address that KaZaA helpfully records in the data part of at least one of the packets of the exchange. This eliminates NAT on routers and wireless access points.

Since the connection was a dialup with a DHCP-assigned dynamic IP address, it would have a single IP address - which eliminates multi-address subnets. The combination of that with "no NAT" eliminates wireless access points and multi-computer home networks. (The computer that dialed up COULD be NATting and forwarding for others, but it WAS the one that ran the KaZaA client.)

But it doesn't eliminate the possibility that the IP was actually assigned to the defendant. There are a lot of ways that could happen. For instance: Maybe the clocks were off between the ISP's logger and the tool that captured the IP address of the "pirate publisher". Maybe the ISP's logs weren't high enough resolution and there was a logon-logoff event. Maybe somebody typoed the IP address somewhere. And a bunch of other possibilities. The MAC address wasn't recorded (or recordable remotely) so they don't have a unique identifier of the computer's wireless card, and even if they did it's possible to hack 'em.

Given that there's no sign of a KaZaA client or music files on the captured hard drive, it seems likely that th identification of the defendant's computer from the ISP's logs and the IP capturing tool output was somehow in error, and they got the wrong victim.

IPV6

[Nom+du+Keyboard]

There's a spot down in there where the RIAA expert refers to IPV6, and this refers to 2004. That alone should get him laughed out of the tech community.

Not to mention that he maintains he can trace the IP address back to a specific ISP account and computer (emphasis mine). Unless he's a Peeping Tom with a web-cam in the defendant's house, the RIAA should be demanding their money back from him.

Oh, and then there's the place where he maintains that at the time the computer was imaged many months afterwards, that there was no wireless router in use at that time Media Sentry "discovered" this "infringer". Is there a log that keeps records of every IP address you've ever connected with?

And I have to laugh at how he refers to "registered" computers. I thought he was talking about gun registration, or some such thing. I've never heard of my own computer being "registered" to anything. Is this another invented RIAA term, like "Media Distribution System"? Has anyone else ever referred to KaZaA, or any other P2P program, as an MDS? Ray, you can't be letting the RIAA frame the terms of the debate to ignorant Judges.

And don't miss the parts where he says he didn't actually document any of his findings because there was nothing to find, however, you should go through your own copy of the disc to verify my Registry findings that no wireless router was in place. He's supposed to be the expert, and he wants the defense to replicate his findings in the Registry??? Are there any registry experts here? Probably a few, but not many. But he assures us it's there.

Biggest thing is that he says that no KaZaA was present, nor any infringing music files. The only way the RIAA can respond is you sent us the wrong hard drive. No question that the person in question might have actually been innocent. RIAA -- You Bastards!

Glad to know that we helped, Ray! Keep fighting the good fight!

Re:Damn

[NewYorkCountryLawyer]

I think many of his students will be appalled at the actual contents of his testimony.

For example, he teaches a course in "Information Warfare", the entire thrust of which is that the internet is dangerous and insecure in the extreme. He teaches students all about the infinite numbers of vulnerabilities.

Then he testifies that he forms an opinion in 45 minutes based upon some printouts from an investigator who pulled down some screenshots from the internet.... with no verification whatsoever.

And that he's give about 200 such opinions. And so far, 200 out of 200 concluded, without reservation, that there was indeed copyright infringement.

What kind of grade would he issue to a student who handed in work like that?

This testimony fails a basic test for evidence

[grandpa-geek]

IANAL, but I understand that there are standards for admissibility of scientific evidence, and the questions quoted below (and several that follow) cover them. The most recent ruling is called "Daubert."

Whatever this witness has to say based on his methods is useless because the methods have not been generally accepted and/or there are no peer reviews or tests of the methods' accuracy/reliability and no known level of accuracy/reliability.

Q. Has your method of determining from
the MediaSentry materials whether a particular
computer has been used for uploading or downloading
copyrighted works been tested by any testing body?

A. Not that I have submitted.
Q. Do you know anyone else that is using
your method, other than you?
A. Not that I'm aware of.
Q. Has your method of determining
through the MediaSentry materials whether a
particular computer has been used for uploading or
downloading copyrighted works been subjected to any
form of peer review?
A. Not that I'm aware of.
Q. Has your method of determining from
the MediaSentry materials whether a computer has
been used for uploading or downloading copyrighted
works been published?
A. No.
Q. Is there a known rate of error for
your method?
A. No.
Q. Is there a potential rate of error?
MR. GABRIEL: Object to the form.
A. I guess there is always a potential
of an error.
Q. Do you know of a rate of error?
A. To my process, no.

Q. Are there any standards and controls
over what you have done?
A. No.
Q. Have your methods been generally
accepted in the scientific community?
A. The process has not been vetted
through the scientific community.

Standards for Evidence?

[Proudrooster]

Wow! I just finished reading the ASCII transcript and would be embarassed to bring this case. Just looking at the following facts:

• The "expert" did about 45 minutes worth of work and produced no evidence to support the allegations and produced almost no documentation.
• The "expert" does not fully understand how the software that gathered the evidence functions
• The "expert" does not know if the information he received from the ISP (Verizon/3rd Party) is accurate.
• The "expert" does not know if the clocks were synchronized between the evidence gatherers and the ISP.
• The "expert" can not identify which computer is involved in the allegations.
• The "expert" can not identity what physical person is involved in the allegations.
• The "expert" understands the Internet is insecure and computers can be taken over and remote controlled.
• The "expert" understands there are several methods which could have mistakenly identified the accused, e.g. "ip spoofing".
• The "expert" either lied under oath or is not really an expert when he said he could not make certain determinations about a computer based soley on the harddrive. He stated he could not tell if the computer had a "wireless network card" by looking soley at the registry without the computer that the registry came from. Huh???? Hint to the "expert", look for "WLAN" in the Registry, double hint, WLAN='Wireless LAN'.
• The "expert" could not demonstrate that the files uploaded/downloaded were copyrighted material and simply had a screen shot of some filenames and ip addresses from a 3rd party.
• The "expert" acknowledged that screenshots could be faked.
• The "expert" acknowledged that public IP addresses can change often and could be spoofed

This entire case hinges on screenshots, mystery analysis software "encase", a questionable expert, and an IP address obtained from an ISP. The evidence in this case doesn't even make it to the standard of "hearsay" not to mention the fact that the plaintiff lawyer appears to be highly inexperienced with Turets syndrome and keeps blurting "Objection to form."

I suspect that if one were to dig deeper into the so-called evidence, one would learn that information obtained from Verizon is prone to error, and that the procedures for generating the screenshots from KaZaa are based on assumptions which are prone to error and probably performed by monkeys. I want to read the deposition from the "dude/monkey" who took the screenshots, please post that one next.

If I were the lawyer for the defendant, I would already be filing my motion for dismissal "with prejudice" with the award of reasonable lawyer fees for having brought a case without any evidence.

Are there any standards for evidence? Is a printout obtained via supoena really a standard for evidence? If so, I can prove anything you like and as a bonus, I even have a professional certification. :)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:so sad

[mamer-retrogamer]

Perhaps you should go back to stealing. It'll cost you less (jail) time and money if you get caught shoplifting a physical CD than if you are accused of making an unauthorized copy of it.

Re:Damn

[violet16]

I'm not especially techy, but it seems that the general opinion here is much harsher on Jacobson than is really warranted. Obviously most of us here think he's on the wrong side of an important fight, but we need to actually address what he says, not dismiss him because we think he sucks.

The on-topic +5 posts here seem very biased to me. They are insulting towards Jacobsen but fail to identify anything like an actual error in anything he says. The general opinion as to why he's wrong seems to be (a) the RIAA could have faked their screenshots, (b) the application could have been custom-hacked to lie about its private IP address, (c) Jacobson doesn't know exactly how the sniffer technology works. Which is all true. But it's quite unlikely that the RIAA is faking up screenshots so they can accuse completely random people of illegal file sharing, or that the accused custom-hacked their Kazaa client, or that the sniffer tech is totally bogus.

If you're accused of illegal file sharing and you're innocent, I'd imagine plausible reasons why are:
(a) They identified the infringer's IP address correctly but are mistaken in thinking it was assigned to you during the relevant time window; or
(b) The infringement did take place on your IP address but you have an unsecured network (ideally a wireless router) and god knows who did it; or
(c) The infringement did take place on your computer but several people use that and who knows which of them did it.

Unless Verizon screwed up, (a) seems out. And despite what Ray seems hell-bent on establishing, so does (b), given the public IP/private IP match. That strongly suggests it was indeed a single computer with a direct connection to the internet. Now, I know it's not 100% proof. But it seems to be quite likely, and I'd think it certainly sounds plausible to a judge.

Now please correct me if and where I'm wrong! Can we actually find something Jacobson said that's plainly wrong, and not just possibly wrong under unlikely circumstances?