Marshall University Challenges RIAA

NewYorkCountryLawyer writes "Marshall University, in Huntington, West Virginia, has become just the second US college or university to show the moxie to stand up for its students instead of instantly caving in to RIAA extortion. In February, Marshall, represented by the Attorney General of the State of West Virginia, made a motion to quash the RIAA's subpoena for student identities, pointing out in exquisite detail in its long-time IT guy's affidavit (PDF) the impossibility of identifying copyright 'infringers' based on the RIAA's meager evidence. Unfortunately, the Magistrate — under the mistaken impression that the RIAA isn't going to sue the identified students, but merely wants to talk to them — recommended that the subpoena be okayed by the District Judge (PDF). It is not yet known whether Marshall will be filing objections. The first US college or university known to have attacked the RIAA's subpoena was the University of Oregon, which — also represented by its state's Attorney General — made a motion to quash last November, and even questioned the legality of the RIAA's methods. The Oregon motion is still pending."

2nd university to show a movie?

[CrazyJim1]

I'd want to see a movie that was counter RIAA. Then I reread it as moxie :(

Re:2nd university to show a movie?

[Farmer+Tim]

I'd want to see a movie that was counter RIAA.

Soundtrack available through...oh, wait...

Re:2nd university to show a movie?

[Dekker3D]

agreed wholeheartedly. some kind of funny anti-riaa movie to offset the annoying anti-piracy ones. i don't know about you guys, but our local version of the riaa in the netherlands (stichting brein) has their own anti-piracy clip which is added to the start of about four out of five movies. veeeerry annoying.

Re:2nd university to show a movie?

[Zencyde]

Speaking of movies... modified quote:
Lower ranking RIAA lawyer: Oh no! The college students are revolting!
Higher ranking RIAA lawyer: We already know this.

Re:2nd university to show a movie?

[Ghubi]

Hmmm, I wonder if Jeff Skoll reads Slashdot.

Re:2nd university to show a movie?

[Seto89]

Soundtrack available through...

...Piratebay.org - the tracker that brought you titles such as "All your music" and "mkv - HD without Blu-ray"...
available NOW (764 seeds, 1132 leeches)

Re:2nd university to show a movie?

[CSMatt]

Search the Internet. Parodies abound. I can guarentee you that there is at least one person or group of people who both hate the RIAA and know how to make a good movie.

Re:2nd university to show a movie?

[sconeu]

We are... MARSHALL!!!!!

Re:2nd university to show a movie?

[Presto+Vivace]

'd want to see a movie that was counter RIAA Might have a problem getting a studio to fund it.

Re:2nd university to show a movie?

[adona1]

Check out this one from The IT Crowd. Unsure whether it's prophetic of things to come, or just funny ;)

Re:2nd university to show a movie?

[Thanus]

We are... MARSHALL!!!!! I second that, MU 2004!

Re:2nd university to show a movie?

[Shadow-isoHunt]

Watch "This Film Is Not Yet Rated" by Kirby Dick, you'd likely enjoy it.

Re:2nd university to show a movie?

[Farmer+Tim]

Roger Corman is still alive, and record executives are as close to brain eating zombies as you can get, so I think he'd be interested.

BTW: Recording Industry Association of America != Motion Picture Association of America. Paramount and New Line aren't RIAA members, and somehow I've got the impression that they wouldn't let principles stand in the way of profit.

Hunh?

[belmolis]

Unless I have missed something, the magistrate judge's opinion is not based on the idea that the RIAA "merely wants to talk to" the students. Where does it say that?

Curiously, the magistrate judge's opinion does not even address the central issue, of whether the RIAA's evidence is sufficient to support the subpoena. It is devoted entirely to the question of whether the subpoena imposes an excessive burden on the university. His ruling that the university's burden is not great because it is merely required to produced the names of the students associated with the IP addresses, not to determine who was using the machines at the times of the alleged infringement,appears to be correct.

Re:Hunh?

[gnick]

Actually, the RIAA does not want to sue the students - It would much prefer to just talk to them. And threaten to sue them to extort $$$.

Re:Hunh?

[corsec67]

Who says that an IP address can even be related to a specific computer, much less a person?

All the university would know is that something with a specific MAC address was using that IP at that specific time.

Since MAC addresses are spoofable, how can they be related to a specific person at all?

Re:Hunh?

[Sancho]

There's a chain of evidence which is used to get a person in many universities. It's the same way any ISP would track usage down to a specific user.

Users are typically registered. Usually in universities, this is accomplished through a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user. From there, it's trivial to tie the packets to the MAC--spoofing IP addresses is trivial on most networking equipment in use by universities (i.e. we're not talking crappy Linksys routers, here.) MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred. Even if it isn't explicitly blocked, it would be a special case that would need to be handled when trying to identify the student, but it is by no means a dealbreaker.

Of course, if the student is running a wireless access point, you run into problems. This is why some universities don't allow wireless access points to be connected to the network (they can't outright ban them due to FCC regulations) and the university agreements almost universally state that traffic originating from the student's port is considered to be the student's liability.

ISPs (including universities) have valid reasons for wanting to be able to track people down. It's unfortunate that the ability to track people down means that they can give up their information when the RIAA comes subpoenaing.

Re:Hunh?

[corsec67]

What about University provided wifi?

At the University I went to, CU, the wifi was unsecured, aside from the MAC address check. Yes, I did have to register the MAC to me, but then the MAC address was broadcast in the open, and could easily be spoofed, which I have used in the past.

Agreed that over wired ethernet, it is much easier to prevent MAC spoofing, but what about wifi?

Re:Hunh?

[cdrudge]

I didn't read all the articles linked to, but the affidavit linked to specifically states that computers are authenticated via a MUNET account. So it's not just a MAC address but it's also a username and password. It seems to me that MU position is a little shaky as while indeed anyone could have stolen another users account or it was a shared computer, ultimately it still is the responsibility of the owner. I think a valid comparison could be drawn to if a gun is used in a crime. If the bullet can be traced back to at least the gun, the gun owner is usually at least questioned, are they not?

Re:Hunh?

Any analogy between a criminal case and a civil case is clearly flawed.

Re:Hunh?

[Sancho]

Official wireless is probably a completely different beast. Lots of universities use WPA, for which spoofing will be irrelevant. If they're using an open network, I'd think that they'd be open to complaints and possible lawsuits if they gave up the names or otherwise tried to claim that a specific student was tied to a specific IP/MAC address. Then again, most students wouldn't know that spoofing was possible or likely.

It may be that high-end networking equipment can disable wireless connections originating from a duplicate MAC during a session--I just don't know enough about the capabilities of this equipment.

Nonetheless, universities tend to want to know who's sitting at the other end of the connection. It's disingenuous to suggest that they could take action themselves based upon spurious data, but that that same data isn't good enough to hand back when faced with a subpoena. If the university decides to abandon tracking of students, then more power to them. But I doubt that it's the case that most universities are willing to do this.

Re:Hunh?

[corsec67]

Not quite.
Unless every single connection from the computer was authenticated to the MUNET account, all you would know is that a MAC address is registered to a MUNET account, and that a specific IP was assigned to a given MAC address through DHCP.

What you don't know is if the owner of the MUNET account owned the device that was sending out that MAC address at that time, just that the owner of the MUNET's computer defaults to a specific MAC address.

Do any universities require an encrypted tunnel of some sort from a computer to the router based on authentication to the University account? Otherwise, you can't tie a MAC address to even a specific computer, much less a person.

Re:Hunh?

[Gm4n]

Who says that an IP address can even be related to a specific computer, much less a person? The universities. The standard at several universities I've visited is a MAC filtered wired (and wireless) network; you "register" your computer in connection to your school login/password, tying the MAC address (and therefore, the issued IP) directly to your account.

Since MAC addresses are spoofable, how can they be related to a specific person at all? Exactly the problem, but that might not be taken into consideration in a courtroom.

Re:Hunh?

Except that we don't actually keep records of who owns what guns.

The majority of the US, anyway.

Re:Hunh?

[penguinbrat]

From the linked PDF...

"A significant part of this burden, however, stems from a mistaken belief that the University was required to determine who was 'using a given computer a given time'. By requiring plaintiffs to serve an amended subpoena making it clear that they seek only identifying information with respect to the person associated with the IP address at the date and time of the alleged infringing use, the perceived burden should be reduced."

Jeeze... Considering that an IP address is in all practical terms is imaginary and only usable by a the originating computer/network system, it would be interesting (possibly a little to much) to see how this know-it-all idiot uses his.

Re:Hunh?

[shawn443]

I disagree. Of course the standards of proof differ. At its simplest though, each type is two opposing sides trying to convince someone that their version of the event is the correct one. It depends on who believes what. Sometimes, even only circumstantial evidence is convincing enough.

Re:Hunh?

[belmolis]

I don't disagree with you. I think that the RIAA's approach is ridiculous. My point is that that isn't what the decision addressed. All it talks about is the question of whether the subpoena imposes an excessive burden on the university.

Re:Hunh?

[CSMatt]

You were supposed to use a car analogy.

Re:Hunh?

[immcintosh]

I don't know about every university, but every one that I've used the network on is basically totally open. Can't recall ever having to authenticate or do anything other than simply plug in and go. That's how it was in the dorms I lived in (albeit 6 or so years ago), as well as the public access points (libraries) of my and other nearby universities.

I have no doubt there are universities that do more, but I sure wouldn't assume that to be the case by default. In fact, I've been to more than one university that had unsecured wireless access pretty easily available from common public locations, and the argument that such a situation is actually beneficial to the educational process seems an easy one to make.

Re:Hunh?

[Sancho]

Maybe I've been around mostly more technical universities? I can only think of one where student access was as easy as you're describing.

I do think that ease of communication is inherently necessary to the educational process, but I don't think that anonymous communication necessarily is.

Re:Hunh?

[vux984]

Bad analagy:

If a gun is used in a crime, and you have a body and a bullet, then yeah, you can go and talk to him. And if he doesn't want to talk? He doesn't have to. Unless you arrest him, in which case he gets a lawyer, and you have to release him if you dont' have at least some evidence he did something wrong that you can charge him with.

With these RIAA cases, we don't even have a *crime* here. Nevermind a bullet. Yet the ISP (university) is expected to hand over contact information without so much as blinking.

My neighbor can't wake up one morning, pick a random IP out of his ass, and tell an ISP to hand over the contact information for who ever was using it last night. *That* is very nearly what the RIAA does. Of course they have some vague claim of 'ip infringement' behind it, but provide no evidence of it, and what evidence they might be worthless or even obtained illegaly...

Re:Hunh?

[Paradise+Pete]

Any analogy between a criminal case and a civil case is clearly flawed.

So you're saying they're like apples and oranges?

Re:Hunh?

[Skapare]

There's a chain of evidence which is used to get a person in many universities. It's the same way any ISP would track usage down to a specific user.

But not all universities are alike in how they structure their networks and allocate their resources. They are not even alike in how much resources they get. Marshall University is definitely one where costs are kept as low as they can get them. West Virginia is not one of the rich states.

Users are typically registered. Usually in universities, this is accomplished through a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user.

That would be so at that moment in time, no accounting for the issues involved with students using wireless over their dorm connections.

From there, it's trivial to tie the packets to the MAC--spoofing IP addresses is trivial on most networking equipment in use by universities (i.e. we're not talking crappy Linksys routers, here.) MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred.

It's not necessarily easy to block it, as that results in problems moving computers around. And not all switches can block it. Low priced switches, much like a low resource university would have to buy, probably don't have the ability.

Even if it isn't explicitly blocked, it would be a special case that would need to be handled when trying to identify the student, but it is by no means a dealbreaker.

What it means is that after the student who logged in shuts their computer off, another computer that was pinging them to see when they shut off can immediately impersonate that MAC address. Even if most users properly signoff before shutting down or pulling the plug, it only takes a few that don't for someone wanting to run anonymously to do that every now and then.

Of course, if the student is running a wireless access point, you run into problems. This is why some universities don't allow wireless access points to be connected to the network (they can't outright ban them due to FCC regulations) and the university agreements almost universally state that traffic originating from the student's port is considered to be the student's liability.

Then there is the issue that you have multiple students working from the same port. At least 2 live in each room in most of the rooms. There are a few singles and triples there (I went to school at Marshall for 3 years and lived in the dorms for 2 of those years ... I know how at least the ones that were there then are organized). So you can at least have 2 students using one port at a time. And it is typical for students with laptops/notebooks to roam around or get together with others in different rooms to collaborate on various projects, school related or not. Student run access points make that so much simpler. Now I don't know if Marshall has every floor in every dorm covered with wireless, but they could see it as a cost savings by NOT doing so, knowing that the students themselves will provide localized access at no cost to the school.

ISPs (including universities) have valid reasons for wanting to be able to track people down. It's unfortunate that the ability to track people down means that they can give up their information when the RIAA comes subpoenaing.

That may be a good goal, but it's generally not practical in a resource limited situation. They may consider it more important to be sure outsiders are not using the network than it is to exactly know who sent each and every packet by its IP address. Knowing that 99% of traffic was carried out by some authorized person on campus may be sufficient. Being able to block that 1% of other traffic might not be worth the cost. Being able to track any instance of traffic to a specific person might not be worth the cost. And i

Re:Hunh?

[SanityInAnarchy]

MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred.

Wait, what? How does this happen?

I mean, yes, it'd be somewhat more difficult if we're not on the same network, but there's always other networks, and wifi, on any sufficiently large campus. Besides, my understanding is that a switch can't know which nic actually "owns" that mac address, thus whoever had it first "wins" and gets the IP also.

And then, there's always the possibility of simply registering a spoofed address on purpose, knowing I can then un-spoof it if I'm caught, and claim that it wasn't my laptop.

This is why some universities don't allow wireless access points to be connected to the network

And some universities provide their own wireless access points. Some of them even allocate real, Internet-visible ipv4 addresses to every laptop.

Re:Hunh?

[Sancho]

When I was in school, our university tied MACS to IPs, and usernames to MACS. Spoofing a mac on a different network would mean that the tuple didn't match, meaning there is no false accusation. Spoofing a MAC prior to registering doesn't help because you provided a username/password at the time of the registration.

Re:Hunh?

[penix1]

Marshall University requires logins to connect both in the dorms and in the computer labs (5 that I remember). The only place where you can IIRC is the new library. The computer labs in Corbly Hall are especially locked down since that was the home of the CS department.

According to the local paper, The Harald-Dispatch (Harald-Disgrace to us locals) the subpoena was issued because Marshall had already turned some names in then stopped when other universities started challenging. The argument made was then if they could turn some in why couldn't they turn others in? Also, there is the fact that they publically announced that they forwarded the "you are being sued! Have a nice day!" letters to the students involved.

DISCLAIMER: I am a Marshall Alumni.

Re:Hunh?

[SanityInAnarchy]

our university tied MACS to IPs, and usernames to MACS.

Makes sense...

Spoofing a mac on a different network would mean that the tuple didn't match

This I don't get. Are you not allowed to move between networks?

See, I could physically plug my laptop into anywhere on campus, and expect it to work. Or I could turn on the wireless -- different mac address, but bound to the same username and IP -- and expect it to work.

But I didn't have to login every time. Therefore, someone else could easily have spoofed my MAC on the same wireless network. I don't know, but I suspect, that they could also have spoofed it on a different physical network -- if I'm lucky, the school might ping me, but that's not exactly infallible, especially when most firewalls block ping.

\

Spoofing a MAC prior to registering doesn't help

Right, but if you don't register, you don't get an IP. All an attacker would really have to do is sniff wireless traffic, find a valid IP, look at the MAC behind it, and spoof that. On a physical network, it would be a bit harder, as there might be a router in the way -- but you could probably find IPs on your local network to spoof, then go to a different local network and spoof them (simulating that user moving across networks). That basically prevents there from being one switch to figure it out.

I haven't tested this, but I have no reason to believe it wouldn't work.

Re:Hunh?

[__aawavt7683]

Even if they trace macs, record users, verify with username and password, etc etc, the only way to secure it would be to run everything through a VPN that they sign on to when they connect to the wireless net.

At my University, they certainly have you use your university username and password to sign on to the wireless network. At that time, it associates your IP address with your user ID and password, and probably your mac, and lets the IP address access the internet.

As the IP address is nothing special (not changed upon login) but just associated with "Yes, they're allowed out," it would be entirely possible for someone to watch wireless connections in the area, remember IP's and associated macs, and "notice" when traffic stops going to/from them. This wouldn't be difficult with Kismet in a light/moderately used area. Still, I give them a B+ for effort -- there aren't all _that_ many knowledgeable people around.

Once an associated user disappears from the network, just "borrow" the rest of their session as that user by cloning the MAC, IP addresss and... you're already logged in, so you're allowed out. The university has everything: MAC address, IP address, and a fully authenticated username/password.

The only way around it is to have the user apply for a VPN login/password and encrypt the entire connection... Anything less, and you've got real issues verifying who is using what. (For the dorms of three universities I stayed at, simple hubs (10Mbit for 300 people.. ergh! arp spoofing works well against torrent users) or switches were used to direct wired data, and considering you can't then record which actual port a given packet comes from, you hit the same problem -- anyone in the dorm can be sending/receiving the data.)

-DrkShadow

Re:Hunh?

Jeeze... Considering that an IP address is in all practical terms is imaginary and only usable by a the originating computer/network system, it would be interesting (possibly a little to much) to see how this know-it-all idiot uses his.

After having written an incoherent sentence such as that you'd be well advised not to call others idiots.

Re:Hunh?

[Technician]

On some universities, the login is simply for the campus network.

Users are typically registered. Usually in universities, this is accomplished through a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user. From there, it's trivial to tie the packets to the MAC--spoofing IP addresses is trivial on most networking equipment in use by universities (i.e. we're not talking crappy Linksys routers, here.) MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred.

Many of them will permit a connection to the WWW proxy server without a login. (I know, I tried) Having an unregisered and un-logged in machine running BT may be the way to go. You have a clean machine with login and another machine on a router.

Re:Hunh?

[Sancho]

I believe that WPA has a similar concept to sessions, which won't be hijackable unless the sniffer has managed to crack the session key. I'd have to go back and read through some of the literature again to refresh my memory, though. It's entirely possible that I'm misremembering that.

Re:Hunh?

[Sancho]

Oh, sorry, I realize now that you were referring to the part of my post which had to do with open networks and network equipment blocking duplicate MACs.

Yes, it would be a problem which would require much more thought. Since 802.11(abgn) is a fairly chatty protocol, you could probably manage by having a fairly short timeout. With a minimal period of time during which a spoofer could act, you'd eliminate a lot of problems. Further, wireless networking cards can be profiled and identified, so you could add to the tuple the manufacturer, and in some cases, the driver version. Relative location would also be useful (if someone manages to hop from one end of the building to another instantaneously, there's something fishy going on.)

Re:Hunh?

[Sancho]

That's pretty surprising. What's the purpose of allowing access through that proxy server, but not full blown access?

Re:Hunh?

[Technician]

That's pretty surprising. What's the purpose of allowing access through that proxy server, but not full blown access?


Students need to log into school servers to use school resources. The www proxy is often not under that umbrella. Try it. An Ubuntu live CD works fine for a zero fingerprint session. Boot, set the browser to use autoproxy, and surf. No login ID or finerprints are left on the machine. BT and an external USB drive work fine.

Re:Hunh?

[Mille+Mots]

a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user.

Out of curiosity, how do you make the logical jump from recording the username and the MAC to tying the MAC to the user? At best, you can tie the MAC to the username because that is all you have recorded.

A username does not uniquely identify the actual user of a given system any more than an IP address would. I believe that your premise is false.

Re:Hunh?

[Sancho]

In the university rules, the anything done with the username is considered to be the liability of the user. I don't know if this is enforceable, but for the purposes of discussion, it's enough.

Go WVa

[esocid]

Being a graduate of Virginia Tech, which received a letter for 36 John Does earlier this year, which also refused to give names, I'm glad more universities are actually pushing back against this strong-arming. I don't think VT did anything in return to the RIAA, can't find anything else on it, but at least they didn't give in to their tactics.
Where's NewYorkCountyLawyer? FTFA

But, "Is he in for a surprise," says Recording Industry vs The People's Ray Beckerman.

Nice touch man.

Re:Go WVa

[LMacG]

That's "Country". And what do you mean, where is he? He's what we like to call "the submitter".

Re:Go WVa

[NewYorkCountryLawyer]

That's "Country". And what do you mean, where is he? He's what we like to call "the submitter". Thank you, LMacG.

What did you think of the IT guy's affidavit? I felt it was a model of clarity, explaining to the judge that the RIAA doesn't have a case against these kids. The IT guy at the University of Arizona did a good job on that same issue but the school, like idiots, just caved in and turned over the information, ignoring the motion to quash which one of the students had filed.

Re:Go WVa

[LMacG]

Aside from the one incident of apostrophe abuse in item 9, I think it was perfect. It established that Mr. Fox is knowledgable and experienced, and then laid out exactly why "sufficient accuracy" and "a high-degree of certainty" could not apply.

Americans should do something...

c'mon, you should stand up collectively and fight. Us canadians can't do everything for you - it is hard enough supplying you with 50% of the pirated movies that are out there (according to the RIAA... that is) and hosting all your non-european trackers.

Re:Americans should do something...

Canadians... fight? You guys barely have an army! Plus, a portion of it is French!

Re:Americans should do something...

[lusiphur69]

I'd take a quebecois over an anonymous coward, anyday. We'll skip the history lesson, clearly not worth the effort.

Besides, french-canadian women are hot and poutine is tasty. Maple syrup and french-canadian woman are both.
I like my Canada with Quebec in it.

411

[whisper_jeff]

"...under the mistaken impression that the RIAA isn't going to sue the identified students, but merely wants to talk to them..."

What an idiotic impression. Even if it was a correct impression (how anyone who's done a hint of research on the situation could have that impression is beyond me...), I'd like to think that legal officials would discourage people from using the legal system as their publicly funded 411 service. This whole situation (the RIAA lawsuits as a whole) blows my mind more and more every day and not just because of how moronic the RIAA are. Sadly, they aren't the only idiots running around...

This is a shake down

[DrLang21]

There is no way that the Magistrate actually believes that the RIAA does not intend to sue these students. No reasonable individual could possibly look at the recent history and believe that they had any intentions other than to demand a large settlement or to sue for even larger damage claims. If the Magistrate believes otherwise, their ability to perform their job should be brought into question.

Re:This is a shake down

[Sancho]

It gives the magistrate a political out, particularly if the RIAA lawyers were acting as officers of the court when they made that declaration.

Re:This is a shake down

[poot_rootbeer]

There is no way that the Magistrate actually believes that the RIAA does not intend to sue these students.

The RIAA damn well better intended to sue some students, or else why the hell are they wasting the courts' time with subpoenas?

I guess that means

[b4dc0d3r]

WE ARE
MARSHALL

Re:I guess that means

[Ossifer]

No, you're Spartacus!

Re:I guess that means

NO, I'M Spartacus!

Re:I guess that means

Uh, yeah, he's Spartacus.

Re:I guess that means

[sconeu]

Damn. You beat me to it. That was my first thought as well.

Re:And even after all the years of these articles.

[JJNess]

While what you say does hold some truth (former music pirate here, who's reverted back to purchasing music), the matter is more the extortion-like tactics the RIAA uses to make the US Justice System their own personal marionettes. It shouldn't be allowed, but I suspect politicians would rather enjoy the money that lobbyist groups give them than to stand up for what is right.
That's American Politics in a nutshell.

Re:And even after all the years of these articles.

[sm62704]

Thieves take without the owners' permission. Your "pirates" are uploading content they PAID for - exactly the opposiute of stealing. They're not breaking the law by taking, they're breaking the law by giving. In no way can copyright infringers be called "thieves".

A music thief is someone who steals CDs from Best Buy. A music thief is also someone who scams a recording artist he's signed a contract with out of all his royalties, like the music industry has done time and again.

Which label do you work for again, Mr. Cpward? Sony-BMG? If so, there's a special place in hell for you.

Re:And even after all the years of these articles.

[D+Ninja]

Which label do you work for again, Mr. Cpward? Sony-BMG? If so, there's a special place in hell for you. ...where "Hit Me Baby One More Time" is on an infinite loop...

Add one to the list of respectable u.s. colleges

[unity100]

this riaa charade is letting every potential student worldwide know what university in u.s. is quality, what is university is dipshit when it comes to tradition, heritage and morals.

I Don't Get It

[Nom+du+Keyboard]

I've read the magistrate judge's order twice, and can't see where he is under the apparent impression that the RIAA only wants to sit down and have a friendly Father/Son chat with these college students.

But then there's this:

absent the identifying information from the university, plaintiffs simply cannot proceed with their lawsuit, establishes to the Court's satisfaction that Marshall University's obligation under the subpoena is not unduly burdensome.

That seems to make no logical sense at all. The judge seems to be saying that if Plaintiffs cannot proceed with their case otherwise, then there is no such thing as a subpoena that's too burdensome on non-party Marshall University.

Is this judge out of his freaking mind!!!

Re:I Don't Get It

absent the identifying information from the university, plaintiffs simply cannot proceed with their lawsuit, establishes to the Court's satisfaction that Marshall University's obligation under the subpoena is not unduly burdensome. If that were sufficient justification, then this scenario would also end up with a justified subpoena:

The RIAA files a lawsuit against Does 1 through 238,364. They subpoena the Tier 1 ISPs (Global Crossing, AT&T, etc.) for identifying information concerning the users whose traffic passed over their networks. The judge, seeing that the lawsuit can't proceed without identifying information on those people, grants the subpoenas, forcing the Tier 1 ISPs to undertake a significantly expensive investigation on all 238,364 users of the Intarweb.

Now, maybe the judge can find other justification for granting the subpoenas. Who knows. But that sure as hell ain't it.

Re:I Don't Get It

I have a surprise for you, West Virginia doesn't require that a Magistrate know anything about the law. They are elected and the only requirement is that they are over a specific age and a resident of the county they want to practice in.

IANAL, but I was looking into the requirements and a previous DA gave them to me.

Re:I Don't Get It

[evanbd]

It sounds to me like he is saying that subpoena is mildly burdensome, and that it would not be granted if the information was simply useful and not mandatory for the lawsuit. The same amount of burden could very reasonably be seen as reasonable and unreasonable in two different contexts, depending on how much the parties to the suit actually needed the information.

Re:I Don't Get It

[esome]

That seems to make no logical sense at all. The judge seems to be saying that if Plaintiffs cannot proceed with their case otherwise, then there is no such thing as a subpoena that's too burdensome on non-party Marshall University.

Is this judge out of his freaking mind!!!

You're correct that the notion that the plaintiff's ability to proceed or not should have little bearing on the decision of whether or not the subpoena is overly burdensome. You've left out the first half of the argument though, that it's not burdensome because it only requires the names and IP addresses. The judge seems at best guilty of poor (maybe even deceptive) wording here. I see nothing wrong with the actual basis for his decision though. I mean, how burdensome is it to cough up the info?

Seriously, as I have no technical background in this area, I'll ask a dumb question: Why can't a system admin just copy the relevant logs to a disk, turn it over to the RIAA, and let them sort it out? Note that I'm asking why they can't, not why they wouldn't want to.

I don't like the RIAA poking around in the schools networks fishing for students to sue any more than the next slashdotter but the argument "Gosh, it's just too hard for us to give out the info on our computers." seems kind of weak.

Re:I Don't Get It

[NewYorkCountryLawyer]

1. The subpoena asked for the identity of the infringers.

2. The university argued it can't identify the infringers, and spelled out in the IT guy's affidavit why it's impossible, without conducting an elaborate investigation.

3. The magistrate ruled 'they're not asking you for the identities of the infringers', they just want to know who's associated with the IP address.

4. He is apparently unaware of the RIAA equation, "whoever is associated with the IP address" = "the defendant" = "the infringer". He is assuming the RIAA lawyers conduct themselves like real lawyers.

Re:I Don't Get It

That's just the thing.. They can only give the information on who owns the account or IP used. Not who actually USED that account or IP.. The accountholder is perhaps likely the one who used it at the given time but there's simply nothing to say that's actually true..

Re:I Don't Get It

[pfleming]

IANAL but that's kinda how I read it too. Yes, they are asking for their identities.

Re:I Don't Get It

[Nom+du+Keyboard]

I'll ask a dumb question: Why can't a system admin just copy the relevant logs to a disk, turn it over to the RIAA, and let them sort it out?

That wouldn't give the RIAA the information they're looking for. All the automatic logs attempt to do is match an IP address to a MAC (media access control) address on the remote device at the time in question. Who is the supposed owner of the equipment with that MAC address is in a second completely separate database, which contains most likely just student id numbers matched to the MAC addresses on file -- information the RIAA is most definitely NOT entitled to have for any non-involved student. And then you'd need to take the student id numbers to a third database that contains all their directory information -- again information the RIAA is NOT entitled to have for any non-involved student.

You can't just give the RIAA a dump of all the university's student and IT databases and let them paw through it looking for the specific information they seek. The privacy violations in that are immense!

Re:I Don't Get It

[PieceofLavalamp]

4. He is apparently unaware of the RIAA equation, "whoever is associated with the IP address" = "the defendant" = "the infringer". He is assuming the RIAA lawyers conduct themselves like real lawyers. I agree you probably right about that. But I'd like to know how after all the shady and off color things these lawsuits have been shown to use, how he's not aware that this needs more scrutiny than the average bear. If he really is ignorant that's kinda frightening

Re:And even after all the years of these articles.

[Sancho]

First of all, they may not have paid for the content. It's quite likely that they uploaded the content that they themselves downloaded.

Second, while I dislike the comparison of copyright infringement to thievery, it is nonetheless illegal. It is likely less immoral, but that's not a judgement call that the government should be making.

Re:And even after all the years of these articles.

The best way not to be concerned about this is to not be a frigging music thief.

While what you say does hold some truth

It's already been shown, the RIAA will even sue those who have not downloaded music illegally, just for the press coverage titles of "RIAA sues file sharer" in an overt process of "fearing" people into stopping. I believe that's a definition of terrorism. Where's GWB when you need him?

Re:And even after all the years of these arti SUX!

[Nom+du+Keyboard]

A music thief is someone who steals CDs from Best Buy.

And the punishment (fines) for stealing that physical CD from Best Buy is one to several hundred times less than the statutory damages asked for and allowed under law ($750 to $150,000 PER TRACK) for online copyright infringement. Tell me how that makes any sense!

And the recording industry is lobbying hard to RAISE those statutory damage limits EVEN HIGHER.

I'm sorry, but they have an overly exaggerated view of the true value of their product.

Re:And even after all the years of these articles.

[JJNess]

I spoke from an ethical standpoint, not anything else. Yes, grandma Johnson didn't download NWA and Eazy-E tracks, yet got sued anyways.

I'm just saying that were I to get sued by the RIAA a year ago, I'd have been guilty. Now I have cleaned up my act... Helps though that the majority of music I download comes from Europe so I have a small percentage of files from an RIAA label, nor did I ever upload music, nor do I purchase music from RIAA labels (unless the album is worth it). That way I can breathe a little bit easier in this case.

My brother at university got a letter from the university staff about downloading, apparently somebody tracked it to him, but he only had to clean it off his hard drive to be clear, so I don't think it was the RIAA's usual strong-arm henchmen Media Defender who sent the letter...

Anyways, GWB is a terrorist himself. 'Nuff said.

Movies?

[Nathrael]

Well, just watch this one. You don't need parodies if the original is already making you laugh hard.

Re:Movies?

[Nathrael]

Forgot the URL, sorry, here it is.

Re:Movies?

I was quite shocked after I had watched that movie ("Don't Copy That Floppy"). How come they could get a 10 minute SD (?) movie on a floppy!? I'm sure they would have been better off if they had sold this amazing compression technology to broadband, video, TV and satellite companies.

For a minute there I dreamed about having my whole DVD collection on a 100 MB Zip disk.

Re:Movies?

[Homer's+Donuts]

You mean Steal This Film

Marshall University Challenges RIAA

[SecondHand]

... and RIAA's lawyers howl "Meat! Meat!".

Tomato, tomahto?

[klx]

FTFA:

Marshall argues ... that compliance ... would impose an undue burden on its limited resources. A significant part of this burden, however, stems from a mistaken belief that the University was required to determine who was âoeusing a given computer at a given time.â By ... making it clear that they seek only identifying information with respect to the person associated with the IP address at the date and time of the alleged infringing use, the perceived burden should be considerably reduced.

Exactly how is finding "the person associated with [an] IP address at [a] date and time" different from determining who was "using a given computer at a given time"? Assuming a DHCP environment, I can see how it would be more difficult to start with a physical computer and trace back to a person, but I can't see how Marshall could have understood "computer" as anything but "IP".

Re:Tomato, tomahto?

[NewYorkCountryLawyer]

Exactly how is finding "the person associated with [an] IP address at [a] date and time" different from determining who was "using a given computer at a given time"? The person using the computer, if he were using it to commit copyright infringement, is an infringer, while the person whose internet access account would not be. If it were my internet access, but you plugged your laptop in at my dorm room, and used it to infringe someone's copyright, you would be the infringer, and I would be blameless. But I would be the one the RIAA sues. The Magistrate doesn't realize what morons he's dealing with. Marshall's IT guy is aware.

Re:Tomato, tomahto?

[klx]

Ah, stupid me, I was thinking about labs and work desktops, not resnets.

Diet counsel for Universities

[OpenSourced]

Eat lots of calcium! You might develop a backbone!

Car analogy

[Digestromath]

The RIAA is saying that they have a pedistrian who was potentially infringed upon by a car. They also supposedly know the make, colour, model and the license plate of the car that was at the scene.

The subpeona is to get the name the of the person owning the car. However it doesn't prove who was driving it.

Also to note, that having the make, model, colour and license plate of the car doesn't actually mean the car belonged to someone or was in fact real. In fact, it could have all been faked.

As well, at this point in time they can't in fact prove the pedestrian was actually hit, or if he suffered damages. Although that would be the point of a trial.

3 cheers for the WV AG

[Presto+Vivace]

you know the RIAA is in trouble when elected politicians want to take them on.

Re:3 cheers for the WV AG

[NewYorkCountryLawyer]

you know the RIAA is in trouble when elected politicians want to take them on. I knew they were in trouble before that.

And I'm not very bright.

What's the RIAA's ROI

[stussymo]

I thought iTunes already solved the RIAA's problem. Yet, they continue to throw away money on this crap. But then, I suppose they have to justify their obscene percentage margins taken from the 'artists.'

Round Robin DNS

[jasonmanley]

I remember reading an article about Round Robin DNS setup as a way of combatting DOS attacks. This seems to be a similar thing on a much bigger scale.

The point really is

[cdrguru]

The point really is that if IP != Individual, then Internet = Consequences Free Zone. Period.

If you can't connect a "person" with an "action" in any way, then "actions" have no consequences any longer. You can use all the hand-waving you want, but that is what it comes down to. Either someone is responsible, or nobody is.

Today, ISPs shielding customers means pretty much that nobody is ever responsible. Unless you brag or otherwise spill the beans, whatever you do online can never be traced to a person, just an IP address. There was somewhat of a tacit understanding that IP == Account == Person for a while but that seems to be over now. Now it is IP == Forgible MAC == ????

So where does that get us? Well, for many it means free music, movies and software. For others it means the ability to extort, threaten and destroy lives. Another group can exploit whatever technical or social gaps there may be to take over computers worldwide. All without consequences because there is no provable link between an IP address and a person. And utterly no responsibility for the use of services by an "account holder". I see this every day and there doesn't seem to be any legal, moral or other alternative here.

It does mean that DRM is king and "security" is whatever you can purchase - because the people with the time available cannot be stopped from attacking servers, people and services.

Re:The point really is

[Jaime2]

An IP is no more an identity than a phone number is. Though phone numbers aren't identities, people get arrested all the time for calling bomb threats to schools and airports. Sometimes the guilty are caught, sometimes they get away.

No one with a technical background ever claimed that an IP or MAC was traceable to a computer. I remember configuring NetWare IPX clients in 1994 and being able to configure an arbitrary MAC address. I've been working with NAT forever and NAT breaks the IP to client relationship.

An IP address was never designed to be a user identity. Heck, when IP addresses were conceived, the idea of one person having a whole computer to themselves was still on the horizon. Just because you want it to work that way doesn't mean everyone else should change their practices to make it so.

If you want to push for a global authentication scheme to make people on the Internet accountable, fine go do that. But don't pretend that IP addresses are that scheme. It would be far too easy to frame someone if IP addresses become admissible as identity in court.

Re:The point really is

[lusiphur69]

"An IP is no more an identity than a phone number is. Though phone numbers aren't identities, people get arrested all the time for calling bomb threats to schools and airports. Sometimes the guilty are caught, sometimes they get away."

If only I had not already replied in this thread..mod this reply up.

Advocating some kind of secure, global authentication scheme might be completely insane, wildly expensive, difficult to maintain and always capable of being circumvented, but if that is what you feel is best, go ahead and make a case for it. Your first post does not exactly lay a strong foundation. Internet criminals, intruders into private networks are still caught - particularly if the intrusion caused actual, you know, damages. Luckily, however, certain forms of petty crime, such as the IP infringement the RIAA feels the need to impose draconican measures to combat, are too expensive to investigate versus any possible gain.

Now - sit down and exhale, deeply.

My School Just Got Targeted by the RIAA

I attend the University of Massachusetts - Lowell as a grad student and got this in my e-mail about 4 hours ago. I'm not worried as I haven't lived on campus for 2 years, and didn't share any music because the network was prohibitively slow. However, it looks like Umass isn't going to grow a pair and fight it. Just rollover and give names.
E-mail is as follows:

Students,

Be advised that the University has recently received several copyright infringement notices from the RIAA and SafeNet DMCA.

Each individual RIAA notice states an account on the University network âoewas used to reproduce and/or distribute unauthorized copies of one or more copyrighted sound recordings.â The notice provides details of the infringement and warns âoethis network user may be liable for the infringing activity occurring on your network... This letter does not constitute a waiver of any right to recover damages incurred by virtue of any such unauthorized activities, and such rights as well as claims for other relief are expressly retained. Moreover, this letter does not constitute a waiver of our members' right to sue the user at issue for copyright infringement.â

The notice also encourages the user to visit the MUSIC Coalitionâ(TM)s website at www.musicunited.org.

The SafeNet DMCA notices are similar in nature.

Details provided within the notices will be used to identify students for further action.

All students should discontinue the sharing/copying/downloading of copyrighted material. Safe and legal access to digital music and movies is available through Ruckus.

Re:And even after all the years of these articles.

First of all, they may not have paid for the content. It's quite likely that they uploaded the content that they themselves downloaded. . Oh, well that's settled then. Since you say it's quite likely, that should be enough for everyone. Fine them to wazoo. No need to get courts involved and pesky things like "evidence".

For the Record...

[DaveKAO]

The IT Guy (Jan Fox) is a woman.

http://users.marshall.edu/~fox/

Hey, hey, RIAA...

I downloaded Madonna's new album today!
Got it a week before its official release, and for free! Bet that burns your toast, huh, RIAA?

We are Marshall...

...and that's all that Mathers!

Re:And even after all the years of these arti SUX!

[Atlantis-Rising]

Excellent, so you suggest that jailtime is appropriate for file-sharers? Or perhaps that shoplifting should be punishable by statutory damages of $150,000 per act?

The thing is, shoplifting and copyright infringement are very different- copyright infringement isn't a crime, to start with. The punishments should be different, and the punishments for copyright infringement can be only monetary and equitable relief.

Where to next?

[fireheadca]

Do current music artists get a corporate discount?

Would the RIAA sue it's own members?

The RIAA should sue itself for being this stupid.

---
My html sucks and I don't give a damn.

Re:And even after all the years of these articles.

[Sancho]

That's a pretty big stretch from what I said.

Re:And even after all the years of these articles.

[tinkerghost]

Which label do you work for again, Mr. Cpward? Sony-BMG? If so, there's a special place in hell for you.

...where "Hit Me Baby One More Time" is on an infinite loop...

I strenuously object, here in hell we have standards. I would never endanger my demons by exposing them to such crap.

Sincerely,
B.L. Zebub

Re:And even after all the years of these articles.

[sm62704]

First of all, they may not have paid for the content. It's quite likely that they uploaded the content that they themselves downloaded.

Somebody bought a copy and uploaded it. If they downloaded it and then uploaded it then it's already there.

Second, while I dislike the comparison of copyright infringement to thievery, it is nonetheless illegal.

So is rape, but I don't think you would say that copyright infringement is rape.

Re:And even after all the years of these arti SUX!

[sm62704]

The thing is, shoplifting and copyright infringement are very different

BINGO! Like I said (and like I believe the comment between yours and mine said), copyright infringement isn't stealing, and the penalties are way out of whack; a small fine or community service for shoplifting (although repeat offenders will see the inside of a jail) for the criminal act of stealing, vs tens of thousands in civil costs for copyright infringement.

Re:Cock sucking twofo

[sm62704]

Wow it is. And he has mod points too!

Now mod this one troll as well.

Re:And even after all the years of these arti SUX!

[Atlantis-Rising]

While you may have said essentially the same thing as I did, I think you misinterpreted my reason for saying it.

Civil copyright infringement, by necessity, can only provide for equitable and monetary relief; that is, the court can only order that the infringer stop or pay fines (or both).

However, that said, in many ways, civil copyright infringement can be far more damaging than mere theft. Theft of a CD is a fairly minimal occurrence which perhaps costs the store in direct costs ten dollars; copyright infringement of a massive scale (like the massive DVD pirating efforts and efforts to pirate Microsoft Windows in the third world) is a much larger operation with much higher associated costs. It is fairly reasonable, therefore, that there would be more significant punishments added onto it.

Essentially, copyright infringement covers a much, much wider spectrum of illegality and damages done than theft under $5000. That is the reason for the quantum of damages being set the way it is.