Is RIAA's Linares Affidavit Technically Valid?

NewYorkCountryLawyer writes "In support of its ex parte, 'John Doe,' discovery applications against college students, the RIAA has been using a declaration by its 'Anti-Piracy' Vice President Carlos Linares (PDF) to show the judge that it has a good copyright infringement case against the 'John Does.' A Boston University student has challenged the validity of Mr. Linares's declaration, and the RIAA is fighting back. Would appreciate the Slashdot community's take on the validity of Mr. Linares's 'science.'"

Re:misleading slashdot headline

[rtb61]

Not necessarily, it allows a walk away statement ie. he can walk away from any distortions. One example is the exaggeration that the P2P users, have no connection with each other, or knowledge of each other.

Of course P2P users can know each other really well and can know exactly with whom they are exchanging content they are fully legally entitled to, also in joining a specific P2P network, they are forming a new association, based upon shared expectations of what they mutually expect from this new relationship, an extension to that is the sharing of a part of their personal and private space i.e. a part of their hard disk drive storage space in their personal computer and their files that they have stored their, and upon a mutual understanding of not exploiting that trust and abusing that relationship by using it in a false, deceitful and fraudulent manner.

The second major lie is of course that 'users' can be identified by their IP address, and hugely misleading fabrication, the only way one user, human being, can be identified by an IP address, is if that IP address was embedded in a device inserted in their body, even then it would be impossible to say that the IP address response was not being generated by another electronic device that had no association with that user at all. An IP address provides a temporary, non fixed, transitory, addressing protocol, so that electronic devices can effectively exchange data across a shared interconnected network. Many devices can exactly the same IP address, they can even connect at the same time, but that will cause network problems for those devices and problems for any other devices attempting to communicate with them. However it terms of routing network traffic, many millions of devices a currently connected to the Internet with exactly the same IP address beyond the default IP address of routers. The lie is again carried over to where Media Sentry, identifies the 'individual' what a crock, this lie is even extended to the ISP, that somehow the ISP can identify who is using the electronic device at the time.

It would also seem that the RIAA claims copyright on file names, if heaven forbid, you have file names that in part, or whole, including misspellings, match with file names that the RIAA or Media Sentry might possibly association with works they are claiming protection for, you are somehow infringing copyright.

That closing bit is most telling, we have no idea who is committing the copyright infringement, finally the truth, but we want to prosecute somebody, anybody and everybody based upon a, we say so basis, and a temporary IP address issued by an ISP that is of sufficient security and legal documentation and verification of identity as is necessary to manage a $25 a month Internet account (seriously how much technical effort and expense do you put in to manage and record and track that cheap an account especially hundreds of thousands of them).

Spoofing?

[squarefish]

It is possible to spoof email, MAC, and IP addresses, but I don't know the likelihood of being able to spoof the IP while participating in file sharing with bit torrent or limewire.
It is also very possible to spoof caller id.
Are these good arguments?
I think there are enough holes in their statements to bring it into question, but this stuff is very technical and may be difficult to explain in court, although the MPAA is trying to do the same, albeit poorly.

Re:Hey, I'll reply anyway.

[PavementPizza]

The standard of proof is a lot lower in civil cases, such as those the RIAA is filing.

Re:Hey, I'll reply anyway.

[Spazmania]

It may be tied to a specific computer. Or a specific router / firewall. Or even a specific UNSECURED wireless access point. But it is NOT tied to a specific person.

This is a valid point. If they have not demonstrated that a particular IP address was assigned to a particular student then the subpoena should be quashed in favor of a subpoena asking the university to identify the character of the system associated with the IP address (student, shared server, etc.) Once the university specifies that a particular address was assigned to a single individual, they may proceed with the original subpoena.

Their second biggest mistake is claiming (without any evidence) that each file being "pirated" represents a lost sale.

That is irrelevant to the motion to quash the subpoena. That will be proven or not in the course of the case. For now its sufficient that they claim damage has occured. They don't have to try the case during the discovery phase; trying the case happens later after all the facts have been discovered.

Their third biggest mistake is that the machine with the IP address, that is associated with the "piracy" is 100% under the conscious, knowing control of the person who is being charged.

This is also irrelevant. For a subpoena its sufficient that it be assigned to a particular individual. There will be time later to argue whether or not the assigned user was in control of the equipment using that IP address, though this is certainly a worthwhile avenue to explore for the defense.

Re:Inaccurate statements

[arth1]

Also, further to point 11. The copyrights are for the particular performance. There may be many performances of one work, even by the same artist, and the copyrights held by different people. I have downloaded songs directly from an artist's site, where the song also exists on RIAA labels. A search matching the artist and title won't prove that it was a performance their clients hold copyrights to. They may not even know whether other copies exist, who holds the copyright to them, and what the distribution rights are. And if they do, they're showing willful neglect if they prosecute without establishing and documenting this first!

RIAA is also breaking the copyright law!

[xenobyte]

They download files suspected of violating their clients rights, but they have no idea whether the file really is what it claims to be, nor whether the copyright owner actually has licensed the work to be shared by P2P networks but only to be used for personal enjoyment, not for law enforcement purposes and similar. Remember, the copyright owner can make such limitations, which actually are tame compared to some of the limitations RIAA routinely puts on their 'property'.

In my opinion just one file illegally downloaded by RIAA invalidates their entire legal process. In civilian law there are no loopholes that allow for breaking some laws in order to enforce others - and that's a very good thing.

Okie

[Sycraft-fu]

Here are the things I'd point out as grossly wrong in the document.

#6 claims that "similar online media distribution systems emerged and attempted to capitalize on the growing illegal market Napster fostered," followed by examples. This statement is provably incorrect in two ways. The first is that most, probably all, of these networks are not designed for media sharing, they are designed for file sharing. I only personally have knowledge of Bittorrent, eDonkey and DirectConnect but in all those cases the software is designed to share any and all files a user wishes, with no special exclusivity for media. Some, like the eDonkey variant eMule can restrict searches to various types of files (such as just video or music) but it does so only via the extension of the file. Others, like Bittorrent, have no such capability at all since search isn't an included part of the protocol. Bittorrent is just a distributed HTTP mechanism, searching is added through other means.

The second is that they are designed and/or primarily utilized for illegal purposes. Bittorrent, being highly popular, is the best example. It was designed simply to allow peer-to-peer downloading of files from websites to take the load off of a single server. It is currently extremely widely used for legitimate purposes. One of the largest would be the patch mechanism for Blizzard Entertainment's (a subsidiary of Vivendi Games) MMORPG World of Warcraft. The official patch mechanism form Blizzard uses Bittorrent so as to lessen the load on Blizzard's own servers. Another high profile use would be Linux distribution, nearly every Linux distro's preferred method of distribution is Bittorrent.

#9 claims that the RIAA members lose massive amounts of revenue to P2P copying. However there is no proof of this offered, and indeed I am aware of no proof out there. The only empirically valid, peer reviewed study I am aware of at this point is a 2005 study conducted by UNC Chapel Hill and Harvard (found here) which found: "Using detailed records of transfers of digital music files, we find that file sharing has no statistically significant effect on purchases of the average album in our sample. In specifications that identify the effect of file sharing on sales relatively precisely, we reject the hypothesis that file sharing is responsible for the majority of lost sales." To the extent the RIAA has offered any figures at all it is based off of the assumption that every copy made is money lost, at full retail value. This is of course false because it fails to take in to account several factors:

1) The music producers do not receive the full retail price for each album.
2) Some people who made a copy of the music, never would have purchased it had it not been available for free. They simply were unwilling or unable to spend the money, and as such nothing has been lost.
3) Some people may have bought some of the music they had downloaded, had they been unable to get it for free, but not all of it. For example a university student with a disposable income of less than $100 per month would clearly not purchase 100 albums costing in excess of $10 each, even if they downloaded that many. Thus while some sales may have been lost, not all of them have.
4) Some people may have bought more as a result of their downloading. They download songs as a sort of "virtual window shopping" and when they find ones they like, they purchase the CD. Thus sales are actually gained.

The RIAA's model for calculation could be mathematically stated as L = D * R where L is the amount of loss in dollars, D is the number of downloads presumed to have taken place and R is the average retail price. This is clearly overly simplistic and thus incorrect. A real formula would look more like L = D * P1 * W - D * P2 * W where L is the amount of loss in dollars, D is the number of downloads presumed to have taken place, P1 is the percentage of the time people did NOT bu

Re:misleading slashdot headline

[TigerNation]

NYCounty Lawyer: I'm a recovering lawyer who wants you to create an email address subject to attorney/client confidentiality, one that assures those techies who respond that their confidentiality can be firewalled from the inevitable subpoena to be served upon slashdot--I can hear the RIAA vipers salivating at this very moment! Get with the program, please!

Re:The companies behind the RIAA...

[weinrich]

I find it disturbing that these companies, most of which are huge all by themselves, haven't been forced by the courts to fight their own battles by using their own individual resources to track down the infringers of their own copyrights.

Therefore, as it stands, this basically represents a reverse-class-action suit, with many individual plaintiffs collectively suing a single defendent.

Re:Hey, I'll reply anyway.

Bullshit. The persons whose name shows up on the internet bill is the start of finding out who they can sue.
For the RIAA mass sweeping program to be cost effective or efficient, it has to make some assumptions. These same assumptions are what people are up in arms about and what most people that actually fight them are raising issues with. Of course the RIAA does not want to actually test these assumptions in a court because it blows apart the whole scam.
The assumptions are:
1) A screen shot of IP addresses and file names is 100% proof that you were distributing actual copyrighted material owned by them.
2) The IP address they see in a P2P list is 100% traceable through the ISP and your ISP is 100% accurate when it supplies a name of that account holder that had that address at the time.
3) The owner of ISP account of that IP identified in step 2 was the same person that was actually sitting at the computer that had that IP address at that time and was the person actively involved in the alleged copyright violation.

Now these are not criminal cases so the there has to be a reasonable amount of evidence to show you are the person and you were distributing copyrighted content without permission.

Here are the problems with those assumptions. Files name are not the copyrighted content they are claiming you distributed. A file name could represent anything and there have been stories about the RIAA promoting or at least knowing about people and companies posting bogus and mislabeled files to P2P networks. A file name is just a name, there is nothing technical that makes the name a representation of the actual content. The ability to present any file with any name to a P2P network is possible by any one in the world. IMO, the RIAA should have to actually download the file from you and you only in a traceable and auditable manner before it can be presented as evidence of an infringement and then the file inspected to ensure it is something they own the copyright on. This would show two things, that your IP address actually distributed a work that they own the copyright to that work. Someone may claim that there are hashes and cross checks built into some P2P clients but are these cross checks built into the client that these sweeping companies hired by the RIAA to look for these things? Is a hash good enough to assume you are actually distributing the file? What if you have a hacked client on your end and are just providing dead links? What if your computer shows the file but when the company attempts to get the file, they get no actual data from your IP address? None of this appears to play a role in the evidence that the RIAA presents.

I have no real argument for the accuracy of the IP address, I assume timestamps may play a role but who knows.

Again, the RIAA wants this process to go quick and smooth. If their practices or evidence is put through a test in court, the efficiency of the mass lawsuits drops significantly and the program will be even more of a waste of time for them. They will fight or drop suits that challenge these practices and I think we all know why. Of course the RIAA knows this is on shaky ground as well and my guess is they are milking it out as long as possible until laws can be tailored to make they sweeping more efficient or the government can take over the lawsuits by making these criminal cases. Look Mr Representative, we can not keep up, here is some campaign money, modify the rules for us. I don't know if criminal cases would be better or not, one I think as the laws are now, it would require a lot more solid evidence but those laws could change or an opinion of what "solid" is pertaining to P2P could be redefined.

Re:Hey, I'll reply anyway.

[Calinous]

They don't have to prove guilt without the shadow of a doubt. They just need to prove the most probable guilt.

      But they do need to prove you guilty beyond circumstantial evidence

Comments on the affidavit

[bbernard]

In my opinion as a network and network security professional, the affidavit takes some liberties with the truth of IP networking. Most blatantly it ignores the technologies of NAT and PAT, and assumes that the IP address presented to the Internet belongs to a single computer, and that this computer is owned and operated by the person who the IP address was assigned to. To me, this is the crux of the whole argument: You simply can NOT determine the identity of a USER by the IP address shown to the Internet. You can only identify the owner/subscriber of the connection to the Internet. You MUST do further evidence gathering to complete the discovery process and identify a person.

Here are my thoughts paragraph by paragraph. I hope they're helpful. If not, I hope they're at least not dry. FULL DISCLOSURE: I've never actually used any P2P network software, but then again when I was in college "gopher" was a cool utility.

6. "At any given moment, millions of people illegally use online media distribution systems to upload or download copyrighted material." By who's count? Where did this number come from? How many millions of people are on the Internet? Is he saying that such a huge percentage of the users of the Internet are "at any given time" ALL illegally sharing files?

8. "Thus, the vast majority of the content that is copied and distributed on P2P networks is unauthorized by the copyright owner" This statement is far too broad. Again, what evidence does he have? Is he further stating that the vast majority of the files on P2P networks are music files? Again, by what evidence?

12. "Users of P2P networks...can be identified by using Internet Protocol ("IP") addresses because the unique IP address of the computer offering the files for distribution can be captured..." This is factually incorrect. While the IP address being presented to the Internet can be determined, this IP address may represent any number of distinct computers due to technologies such as Network Address Translation (NAT) and Port Address Translation (PAT). If the "unique IP address" of the actual computer can still be identified by the P2P client (which I can not speak to having never actually used P2P software) that addresses is not necessarily permanent either. The technology of Dynamic Host Control Protocol (DHCP) allows for the temporary assignment of IP addresses to computers. This means that the IP address of the computer in question may have changed between the time of the alleged distribution of copyrighted materials and the time of the investigation of that. Further still, and IP address is assigned to a computer, not to a person. This argument does not, in any way, indicate any correlation between IP address and person. It is more akin to identifying a driver based on a photograph of the license plate of the car. Yes, you may know who owns the car, but you don't know who was driving. For that matter, you don't know if somebody lifted the license plate and put it on a different car.

12. "Two computes cannot effectively function if they are connected to the Internet with the same IP address at the same time." This does not account for methods of hijacking an IP address, nor does it account for the NAT or PAT technologies discussed earlier.

12. "This is analogous to the telephone system where each location has a unique number." In so far as you can identify the "owner" of the telephone number, but you still haven't identified who placed the call.

16. "Once provided with the IP address, plus the date and time of the infringing activity...can identify the computer from which the infringement occurred (and the name and address of the subscriber that controls that computer)." There is an assumption here that there is no NAT or PAT occurring on the network. More correctly, what can be identified is the subscriber to whom the IP has been assigned. That IP may represent a single computer or a network of computers. That network may include publicly accessible connections, and unless the RIAA has done the due-diligence to determine that the subscriber who had the IP address at that time has a secure and locked-down network, they still have not even identified an actual computer yet.

Re:Gee, what does this person expect to hear?

[dlim]

I was under the impression that the point of modding a post is to show that you appreciated the content of the post and to make it more visible to others who may not read every post in the discussion (or TFA), thus contributing to the community. Does it really matter if you can increase someone's karma?

Can RIAA detect file is illegal by listening?

[Ms.+Doe]

No one has yet addressed the question of how RIAA can tell whether files on my computer are licensed or unlicensed by listening. Lineres' said *** The RIAA also listens to the downloaded music files from these users in order to confirm that they are, indeed, illegal copies of sound recordings whose copyrights are owned RIAA members.*** (para. 15) and ***The RIAA downloaded and listened to a representative sample of the music files being offered for download by each Defendant and was able to confirm that the files each Defendant was offering for distribution were illegal copies of sound recordings whose copyrights are owned by RIAA members. *** (para. 18) Is there anyone with technical credentials who can say that Lineres was lying since it is impossible to distinguish between licensed sound files and unlicensed ("illegal") copies by listening?