Is RIAA's Linares Affidavit Technically Valid?

NewYorkCountryLawyer writes "In support of its ex parte, 'John Doe,' discovery applications against college students, the RIAA has been using a declaration by its 'Anti-Piracy' Vice President Carlos Linares (PDF) to show the judge that it has a good copyright infringement case against the 'John Does.' A Boston University student has challenged the validity of Mr. Linares's declaration, and the RIAA is fighting back. Would appreciate the Slashdot community's take on the validity of Mr. Linares's 'science.'"

The companies behind the RIAA...

[Barkmullz]

I do not feel particularly qualified to validate Mr. Linares's claims. However, over the years I have 'forgotten' that the RIAA is just a trade organization, comprised of many different companies. It was interesting to read through the list of plantiffs and put a face on who the RIAA really is. Here they are if you did not RTFA:

• Arista Records, LLC
• Warner Bros. Records, Inc.
• Atlantic Recording Corporation
• Virgin Records America, Inc.
• UMG Recordings, Inc.
• BMG Music
• Capitol Records, Inc.
• Sony BMG Music Entertainment
• Motown Record Company, L.P.
• Maverick Recording Company
• Elektra Entertainment Group, Inc.
• Laface Records, LLC.
• Interscope Records

This may not be a good thing, as my hatred will now be diluted

"Individual"??

[paxundae]

The term "individual" isn't valid, but legally it may be close enough. IANAL. An IP address where files are available is identified, not an individual. That IP address may represent a single traditional computer system, a series of computers behind a router, or even an open wireless access point. The fact that you can trace activity to an IP address does not mean you can trace activity to an actual real person. You can figure out who pays for access to the internet using that IP address, but that doesn't necessarily mean that much. However, legally, it may, if the duty to ensure that an IP address is not used for illegal activities rests with the person who pays the subscription fee instead of the person who uses the address. This may be reasonable...those who pay for access are probably the least cost avoiders (actually, the ISPs may be the least cost avoiders, but we don't want them shutting down every service they can detect).

It been done...

[HaeMaker]

This sounds vaguely familiar...

Hey, I'll reply anyway.

[khasim]

The biggest mistake is that they're trying to imply that an IP address is tied to a specific person at a specific point in time.

It is not.

It may be tied to a specific computer. Or a specific router / firewall. Or even a specific UNSECURED wireless access point.

But it is NOT tied to a specific person.

Their second biggest mistake is claiming (without any evidence) that each file being "pirated" represents a lost sale. So the courts need to work REALLY REALLY FAST to stop the money being lost.

Their third biggest mistake is that the machine with the IP address, that is associated with the "piracy" is 100% under the conscious, knowing control of the person who is being charged. As opposed to your neighbor using your unprotected wireless access point to download files without your knowledge.

Anyone have any others?

Re:Hey, I'll reply anyway.

[banuk]

As opposed to your neighbor using your unprotected wireless access point to download files without your knowledge.

Why does it have to be unsecured wireless? We all know how insecure WEP is and isn't it plausible that someone hacked your WEP? The key thing I'm trying to say is that you have to prove guilt. How can they prove it was my computer it could have been a hacked WEP and the only way they'd have access to my router is for them to hack ME.

Re:Hey, I'll reply anyway.

[Wavicle]

It may be tied to a specific computer. Or a specific router / firewall. Or even a specific UNSECURED wireless access point.

Agreed.

Furthermore Mr. Linares knows, or should have known this is true. It would have been completely negligent for him not to do so. Wireless routers for home users which allow a single IP address to service 20+ individual computers and ship unsecured by default can be purchased at any electronics dealer, including Walmart, for less than $70.

Furthermore Mr. Linares knows, or should have known, that IP redirector (or "bounce") programs have been a staple of internet anonymity for at least two decades. These packet bouncers were commonly used to anonymise IRC connections and were often illegally installed on other computers without the computer operators knowledge. Therefore these computers which have been identified could have been hijacked using an internet tool that is at least 20 years old. Mr. Linares could not reasonably be ignorant of them.

Mr. Linares must have known that his statements regarding the reliability of IP addresses were false and self-serving, and he intentionally misrepresented this to the court under penalty of perjury.

I'm just sayin' that I think there should be a law against intentional misrepresentation to the court, and maybe some penalties as well.

Re:Hey, I'll reply anyway.

[kennygraham]

The key thing I'm trying to say is that you have to prove guilt.

They don't have to prove guilt. It's not criminal court."

Re:Hey, I'll reply anyway.

[mrsteveman1]

What you suggest is unreasonable and probably illegal. WEP is broken to a few minutes, and you can't demand users trash WEP only equipment.

I'm all for authenticated wireless but it is nearly impossible to implement on a scale like this unless we use verisign certificates and a public auth server that is free. Most APs can't do it anyway at the moment, and neither can many consumer devices, most can't even do WPA. Linksys has a for-pay auth setup they provide but this is nowhere near being universally compatible.

I would argue it is not the consumers problem anyway and most consumers barely understand how Wi-Fi works, much less an integrated 802.1x wireless authentication system using public servers. Not only will it fail to accomplish its goals, going after individual users does not help the situation in any way.

Re:Hey, I'll reply anyway.

[iainl]

"Consumers don't understand how it works" is a perfectly valid defence if you're trying to sue me for what a joyrider got up to in my car after stealing it, and my excuse is that I thought a basic lock would be enough.

Re:Hey, I'll reply anyway.

[Calinous]

They don't have to prove guilt without the shadow of a doubt. They just need to prove the most probable guilt.

      But they do need to prove you guilty beyond circumstantial evidence

Inaccurate statements

[Sparr0]

In point 12, an IP network is compared to the phone network, and it is stated that only one computer can use each [implied: visible] IP at a time. Given the prevalence of NAT, this is not only technically untrue but also quite reliably false.

In point 12, it is stated that an ISP or college can identify the user of an IP address. This is untrue as the "user" could be no more than a MAC address, which can change. And even if true, the context seems to imply that this remains true in hindsight, which is false unless logs are kept.

Point 15 states that human review is involved in the case of EACH infringer, which is blatantly untrue given the history of automated (and wrong) cease and desist letters.

Re:Inaccurate statements

[MechaBlue]

The last sentence of point 7 is false. In the days before Napster, a variety of other means were used. One was to submit a list of files to a centralized search engine, which would allow users to find materials on the computers of others. Modern P2P programs provide substantial improvements around usability and performance; however, the functionality that they provide was available and in common use pre-P2P boom.

Item 8 states that the majority of the traffic on P2P is pirated material and also implies that the "vast majority" of content shared via P2P is pirated audio. Is there data to back this up? I suspect that video, photos, and programs (e.g., games) makes up a large amount of illegal P2P traffic. It feels like a rhetorical device used to paint the RIAA as a tragic victim.

Item 9 is incorrect. The ISP can not know who the infringers are. They can only know whose account is attached to that IP number. NAT routers are a possible workaround. Also, some services allow for multiple simultaneous IP addresses. For example, Telus requires that visible MAC addresses be registered.

By registering 2 MAC addresses, Telus will let users have two IPs at once. If Alan has a single NAT router connected, that leaves 1 free registration slot. If Bob, someone completely unknown to Alan, were to get the username and password for Alan's account, it would be possible for Bob to register his NAT router to Alan's account. If Alan only uses 1 device (i.e., 1 IP), there is a good chance that he'll never discover that Bob was piggybacking his account. If Alan needs the second IP, then he'll probably overwrite Bob's MAC without noticing there is a problem. Even if Alan notes that there is a problem, it's unlikely the MAC address could be traced to Bob because Bob could change the MAC address on his device and because of the difficulties of tracking the MAC address of a device from manufacturer to end user.

Item 9 also feels like a rhetorical device used to paint the RIAA as a tragic victim. The scope and value of piracy is hotly debated. http://arstechnica.com/news.ars/post/20070212-8813 .html

Item 11 implies that searching is sufficient to tell if a file is a copyrighted song. This is not always the case; unless the file is downloaded, its contents can not be known. I think that "examines" needs to be rigorously defined. (This ties in with the parent's comments on item 15.)

Item 12 assumes that computers are single user. This is not the case with most modern OSes. It would be possible for someone to log into an unsecured computer and use it for sharing files over P2P. The IP of the computer used to share via P2P may be known but the user can not be. It also assumes that the computer has not been compromised via malware.

Item 14 states that files are downloaded. However, it does not provide any methodology for determining if the files contain copyrighted audio. Metadata can be falsified. How are logs created and handled? Are they screenshots? (This ties in with the parent's comments on item 15 again.)

Item 16 states that "...the infringer's ISP quickly and easily can identify the computer from which the infringement occured...". It may be able to provide an IP address but that's not a sure thing (there have been past incidents where the wrong person was identified). They definitely can't prove that a MAC address belongs to a computer that is owned and controlled by the identified account holder. The MAC address is configurable. It's not possible for an IP address alone to be capable of identifying a computer, even if the IP is static.

Adam decides to open his own business selling socks online and decides to house the server in his home. He upgrades his account to a server account with 1 static IP and sets up his business on that IP. After 3 months with no sales, Adam packs it in and downgrades his account after downloading the complete discography of NKOTB

Re:Inaccurate statements

[arth1]

Also, further to point 11. The copyrights are for the particular performance. There may be many performances of one work, even by the same artist, and the copyrights held by different people. I have downloaded songs directly from an artist's site, where the song also exists on RIAA labels. A search matching the artist and title won't prove that it was a performance their clients hold copyrights to. They may not even know whether other copies exist, who holds the copyright to them, and what the distribution rights are. And if they do, they're showing willful neglect if they prosecute without establishing and documenting this first!

Re:misleading slashdot headline

[rtb61]

Not necessarily, it allows a walk away statement ie. he can walk away from any distortions. One example is the exaggeration that the P2P users, have no connection with each other, or knowledge of each other.

Of course P2P users can know each other really well and can know exactly with whom they are exchanging content they are fully legally entitled to, also in joining a specific P2P network, they are forming a new association, based upon shared expectations of what they mutually expect from this new relationship, an extension to that is the sharing of a part of their personal and private space i.e. a part of their hard disk drive storage space in their personal computer and their files that they have stored their, and upon a mutual understanding of not exploiting that trust and abusing that relationship by using it in a false, deceitful and fraudulent manner.

The second major lie is of course that 'users' can be identified by their IP address, and hugely misleading fabrication, the only way one user, human being, can be identified by an IP address, is if that IP address was embedded in a device inserted in their body, even then it would be impossible to say that the IP address response was not being generated by another electronic device that had no association with that user at all. An IP address provides a temporary, non fixed, transitory, addressing protocol, so that electronic devices can effectively exchange data across a shared interconnected network. Many devices can exactly the same IP address, they can even connect at the same time, but that will cause network problems for those devices and problems for any other devices attempting to communicate with them. However it terms of routing network traffic, many millions of devices a currently connected to the Internet with exactly the same IP address beyond the default IP address of routers. The lie is again carried over to where Media Sentry, identifies the 'individual' what a crock, this lie is even extended to the ISP, that somehow the ISP can identify who is using the electronic device at the time.

It would also seem that the RIAA claims copyright on file names, if heaven forbid, you have file names that in part, or whole, including misspellings, match with file names that the RIAA or Media Sentry might possibly association with works they are claiming protection for, you are somehow infringing copyright.

That closing bit is most telling, we have no idea who is committing the copyright infringement, finally the truth, but we want to prosecute somebody, anybody and everybody based upon a, we say so basis, and a temporary IP address issued by an ISP that is of sufficient security and legal documentation and verification of identity as is necessary to manage a $25 a month Internet account (seriously how much technical effort and expense do you put in to manage and record and track that cheap an account especially hundreds of thousands of them).

Re:Provable ID problem

[Technician]

The fact that you can trace activity to an IP address does not mean you can trace activity to an actual real person.

That is the blaring hole in the arguement in the PDF on Paragraph 12 where they compare IP addresses to telephone numbers. They claim that phones sharing one line are like a party line. Only one can make a call from one number at a time. They missed entirely using ports on a router so multiple users behind a router can make a call all at once from the same phone number. The number does not identify the individual any more than call from the political campaign center identifies the individual making the call. You may try to call them back and sue the individual for harrassment, but identifying the individual by the phone number is a problem.

His declaration under penalty of purgery under the laws of the United States that the foregoing are true and correct should have had peer review so they would indeed be true and correct. They are not and is easly proven so. The following is easly proven. Not all IP address have a direct connected single user computer just like not all phone numbers are to a single person renting an apartment. Enter routers and trunked/ISDN lines and his example falls apart. He should be careful what he signs as true and correct. It could cost him.

Ok, let's break it down.

[spotter]

IANAL or a law student, just a future CS phd (hopefully RSN).

1) First Linares acknowledges that a route can have an IP address, then he says "Two computers cannot effectivly function if they are connected to the Internet with the same IP address".

This is not true. i.e. routers and NAT. Multiple Computers can have the same effective IP address to the internet. While they can track it down to the NAT device, they cant go further.

2) They assume the network provider maintains a log of IP addresses. This is not a given. A Good guess perhaps, but not a fact.

3) While its good practice that they download files and humanly verify the contents, the list of files can't be verified to be all infringing content. Unless they actually downloaded said file themselves, its an assumption that the file is named/labeled correctly. He says this later when he says that it only "suggests" that there were many copyright files. (Not being a lawyer, don't know the implication).

4) They claim an ISP can identify the computer being used. This is inaccurate. They can identify the customer, but most customers are behind routers (aka NAT) so they have no ability to identify which computer.

5) They claim expedited discovery is "critical" to stopping piracy. I can't believe they believe that expiding discovery will have any dent on piracy.

6) They claim that infringment of non public works greatly harms it when released, I believe there's evidence to the contrary (i.e. widely distributed albums have debuted at number 1 or other times higher then anyone expected).

7) unsure why expidited discovery impacts if they can serve defendants. If it happens quickly or over a long period of time, what difference does it make?

8) They now claim ISPs destroy logs, but if discovery is going on, are they allowed to?

Re:Gee, what does this person expect to hear?

Seeing as we're not paying you, could you please not comment?

Spoofing?

[squarefish]

It is possible to spoof email, MAC, and IP addresses, but I don't know the likelihood of being able to spoof the IP while participating in file sharing with bit torrent or limewire.
It is also very possible to spoof caller id.
Are these good arguments?
I think there are enough holes in their statements to bring it into question, but this stuff is very technical and may be difficult to explain in court, although the MPAA is trying to do the same, albeit poorly.

Feedback

[wrook]

Free advice from a non-lawyer. Not only that, but I only have time to scan the document quickly, however here are some points that I think might be relevant:

1. The word "piracy" is repeatedly used. I don't believe this is a standard legal term (outside of naval encounters). The word is not defined in the document. I think the intent is to equate the term "piracy" with "copyright infringement", but to spin it imply other things. One could probably attack this term successfully.

2. Point 8 is a logical fallacy. Whether or not record companies authorize P2P distribution of music is completely unrelated to the conclusion that P2P networks are used primarily for copyright infringement. One would first have to show that the vast majority of content falls under the record companies' copyrights.

3. "Distribution" has a specific legal definition in copyright law (or it does in my country, anyway). P2P copying may or may not fall under that definition. This is extremely important. They are trying to imply that P2P copying is a more serious offense than copying in other ways.

4. Points 9 an 10 bother me slightly, but I can't put my finger on why. They are implying that the P2P users are anonymous and thus can escape lawsuits from copyright holders. This is probably an important point in their case. I suspect they are trying to show that P2P users are intentionally hiding because they are doing something they know is wrong. This is why it is OK to remove that anonymity. It is important to stress that whatever the motives of the defendant, it is the plaintif's job to show that an infringement occurred *and* that the defendant was involved before an injunction is granted. The anonymity of the defendant is immaterial to that point.

5. Point 11 states that Media Sentry can identify files being offered. It can not. It can only identify the *names* of the files being offered. The name of a file does not constitute anything more than circumstantial evidence that the file contains what they think it contains.

6. As has been stated numerous times before Point 12 is just false. An IP address identifies a machine, not a user. Any number of users may access that machine. Other machines may route through that machine and masquerade as it. The owner of the machine may not even be aware that someone else is using it for this purpose.

7. Point 13 doesn't make any sense at all. They indicate no mechanism for Media Sentry to identify copyrighted works. Or even if one assumes that all the works available through the P2P network are copyrighted, there is no mechanism for determining who the owner of that copyright is. The document seems to imply that all users of the P2P network can do this and since Media Sentry uses the same mechanisms, it can do it too. But users can not generally do this. They would have to provide some explanation for the mechanism they are using.

8. Point 16 states that the IP address can identify where the infringement occurred. This is incorrect. It merely shows one step of the way. In order to identify where the infringement occurred, they would also have to show that the packets were not then transferred to a third party. This information is not actually stored anywhere on the computer, so it might be impossible in practice to say for sure where the infringement occurred.

9. Point 17: How is Verizon's concession in any way relevant to a judges decision? Does Verizon get to make precedent?

10. In point 18, they use the terms "distribute" and "make available". Again, these have very specific legal meanings. They have not described how the alleged actions of the defendants are equivalent to these legal terms. Even if they have documented copying, this is different than the above terms (at least in my country).

11. Again point 18, they have stated that the Defendant made illegal copies available. They have no way of determining this. They merely suspect that the Defendant's computer was used to *relay* copies (or pa

Re:Don't feed the lawyers

[sconeu]

It wasn't Linares. It's Ray Beckerman, aka NewYorkCountryLawyer.

Sheesh, if you won't RTFA, at least click the submitter's name before you go all conspiracy.

Re:Provable ID problem

[The+Rizz]

Only one can make a call from one number at a time. They missed entirely using ports on a router so multiple users behind a router can make a call all at once from the same phone number. The number does not identify the individual any more than call from the political campaign center identifies the individual making the call. You may try to call them back and sue the individual for harrassment, but identifying the individual by the phone number is a problem. Actually, I would say IP = phone number is a perfect analogy, and fits precisely with your logic. How? Look at any company with a large phone system, such as corporate offices, call centers, or (most familiar to most people) hotels. There are dozens if not hundreds of calls coming and going simultaneously - all of which connect through the same phone number. If you receive a call from someone inside one of these systems, you (usually) get the same number on caller ID regardless of who called you, or from what internal location. You can trace it back to the building's switchboard, but from there it is impossible to trace further from outside the system. Likewise, when you call to one of these systems, you call a general number and any further routing is done by the system on the other end by giving either a name or extension number (analogous to a port number).

Re:Bittorrent "Calitolizes" on piracy?

[shark72]

"How exactly does Bittorrent "Capitolize" on anything? Its free software. No Ads, No fees, ect. Is the RIAA objection to pirates DONATING to open scource projects?"

This is the quote to which you refer:

Notwithstanding the court's decision enjoining Napster, similar online media distribution systems emerged and attempted to capitalize on the growing illegal market that Napster fostered. These include KaZaA, eDonkey, iMesh, Ares, BitTorrent, DirectConnect, and Gnutella, among others.

If you're confused, it may be because you're reading it too literally. When you see "BitTorrent" in the above, mentally replace it with "BitTorrent tracker sites" (ie: The Pirate Bay). Many of them are commercial endeavors making thousands upon thousands of dollars in profit each month (just because they provide a free service does not mean that they don't have a profit motive). Facilitating piracy is a big business, and business is good.

HTH.

Re:misleading slashdot headline

[TubeSteak]

Not necessarily, it allows a walk away statement ie. he can walk away from any distortions. Here's point 2 from his declaration:

As Vice President Anti-Piracy Affairs I am responsible for evaluating to online strategies for the RIAA, including oversight of the investigations into online infringement of copyrighted sound recordings. As such, this Declaration is based on my personal knowledge, and if called upon to do so, I would be prepared to testify as to its truth and accuracy. "I am responsible for evaluating to online strategies for the RIAA"

Is he an expert? In what? His credentials?

Before anyone can discuss the content of his Declaration, it seems to me that it would be prudent to evaluate whether or not it should carry any weight at all. After skimming the Declaration, he seems to be making a lot of assertions that I think a Judge would normally expect to come from an expert.

In other words:
What qualifies him to testify as to [the Declaration's] truth and accuracy"?

Read the final sentence in article 14.

[macraig]

"... and additional data that track the movement of the files through the Internet."

Note that, throughout his statements up to this point, Linares has repeatedly reasserted that MediaSentry doesn't use any techniques not enabled by the software and medium and not available to any other user of the system. It's obvious he wants to preserve for MediaSentry and, by extension the RIAA, that no "illegal" or unethical techniques were employed to gather data.

Right here, with this sentence, he contradicts himself. I think it's rather obvious that this sentence describes an activity that other P2P users cannot do, even if they chose to try. The very ambiguity of it, and his failure to clarify it, is noteworthy.

Dig deeper right there; "X" marks the spot, as Blackbeard might say.

Re:Gee, what does this person expect to hear?

[Kokuyo]

'This person' just happens to be one of those lawyers who's constantly trying to put the RIAA in its place and takes the time to keep us informed. He also takes the time to explain the relevant processes of law to us nerds.

Don't you think it's a hilariously good idea to come to us when he doesn't understand 100% how P2P networks work? Aren't we exactly the ones who know best why RIAA's claims are stupid? So let's think this through: A lawyer who happens to understand law (gee, what a coincidence...) asks techies whether the technical interpretation of the 'bad guy' holds true or not.

I don't see your problem. Would you rather he pull a Matlock on the judge and try to get the jury to shed a tear for the poor victim? That guy is doing a hell of a job.

Point 12 is false, without it the rest is moot

[Joce640k]

IP addresses don't identify a person, only a junction point in the network (router).

To use their telephone analogy: If you dial a "1-800" there isn't a single telephone and single person answering it, there's a whole network of telephones and many operators to answer them. The Internet works exactly the same way, if anything this "routing" of connections is even more common than in the telephone network.

IP addresses are actually in short supply (there's only a few hundred million of them...) so most people don't even have the option of having single IP address = single computer.

Then there's WiFi.... most home broadband connections are supplied with a wireless router and these routers are unsecured by default. Anybody within a half mile radius can connect and use the internet connection. These people will have the same IP address as the legitimate owner of the router. This practice of using other people's connections is very common in highly populated areas (I personally know two people who do it...)

Even if password access is enabled, the standard "WEP" encryption can be broken in a matter of minutes using freely downloadable software (type "wep cracker" into google and you'll get you a whole list of them).

So...premise 12 is wrong. Without it the rest of the document is moot.