Slashdot Mirror

← Back to Stories (view on slashdot.org)

Marshall University Challenges RIAA

Posted by kdawson on from the mixed-results dept.

NewYorkCountryLawyer writes "Marshall University, in Huntington, West Virginia, has become just the second US college or university to show the moxie to stand up for its students instead of instantly caving in to RIAA extortion. In February, Marshall, represented by the Attorney General of the State of West Virginia, made a motion to quash the RIAA's subpoena for student identities, pointing out in exquisite detail in its long-time IT guy's affidavit (PDF) the impossibility of identifying copyright 'infringers' based on the RIAA's meager evidence. Unfortunately, the Magistrate — under the mistaken impression that the RIAA isn't going to sue the identified students, but merely wants to talk to them — recommended that the subpoena be okayed by the District Judge (PDF). It is not yet known whether Marshall will be filing objections. The first US college or university known to have attacked the RIAA's subpoena was the University of Oregon, which — also represented by its state's Attorney General — made a motion to quash last November, and even questioned the legality of the RIAA's methods. The Oregon motion is still pending."

28 of 117 comments (clear)

  1. Re:2nd university to show a movie? by Farmer+Tim · · Score: 5, Funny

    I'd want to see a movie that was counter RIAA.

    Soundtrack available through...oh, wait...

    --
    Blank until /. makes another boneheaded UI decision.
  2. Hunh? by belmolis · · Score: 3, Insightful

    Unless I have missed something, the magistrate judge's opinion is not based on the idea that the RIAA "merely wants to talk to" the students. Where does it say that?

    Curiously, the magistrate judge's opinion does not even address the central issue, of whether the RIAA's evidence is sufficient to support the subpoena. It is devoted entirely to the question of whether the subpoena imposes an excessive burden on the university. His ruling that the university's burden is not great because it is merely required to produced the names of the students associated with the IP addresses, not to determine who was using the machines at the times of the alleged infringement,appears to be correct.

    1. Re:Hunh? by gnick · · Score: 2, Insightful

      Actually, the RIAA does not want to sue the students - It would much prefer to just talk to them. And threaten to sue them to extort $$$.

      --
      He's getting rather old, but he's a good mouse.
    2. Re:Hunh? by corsec67 · · Score: 4, Insightful

      Who says that an IP address can even be related to a specific computer, much less a person?

      All the university would know is that something with a specific MAC address was using that IP at that specific time.

      Since MAC addresses are spoofable, how can they be related to a specific person at all?

      --
      If I have nothing to hide, don't search me
    3. Re:Hunh? by Sancho · · Score: 3, Insightful

      There's a chain of evidence which is used to get a person in many universities. It's the same way any ISP would track usage down to a specific user.

      Users are typically registered. Usually in universities, this is accomplished through a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user. From there, it's trivial to tie the packets to the MAC--spoofing IP addresses is trivial on most networking equipment in use by universities (i.e. we're not talking crappy Linksys routers, here.) MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred. Even if it isn't explicitly blocked, it would be a special case that would need to be handled when trying to identify the student, but it is by no means a dealbreaker.

      Of course, if the student is running a wireless access point, you run into problems. This is why some universities don't allow wireless access points to be connected to the network (they can't outright ban them due to FCC regulations) and the university agreements almost universally state that traffic originating from the student's port is considered to be the student's liability.

      ISPs (including universities) have valid reasons for wanting to be able to track people down. It's unfortunate that the ability to track people down means that they can give up their information when the RIAA comes subpoenaing.

    4. Re:Hunh? by corsec67 · · Score: 3, Informative

      What about University provided wifi?

      At the University I went to, CU, the wifi was unsecured, aside from the MAC address check. Yes, I did have to register the MAC to me, but then the MAC address was broadcast in the open, and could easily be spoofed, which I have used in the past.

      Agreed that over wired ethernet, it is much easier to prevent MAC spoofing, but what about wifi?

      --
      If I have nothing to hide, don't search me
    5. Re:Hunh? by cdrudge · · Score: 2, Interesting

      I didn't read all the articles linked to, but the affidavit linked to specifically states that computers are authenticated via a MUNET account. So it's not just a MAC address but it's also a username and password. It seems to me that MU position is a little shaky as while indeed anyone could have stolen another users account or it was a shared computer, ultimately it still is the responsibility of the owner. I think a valid comparison could be drawn to if a gun is used in a crime. If the bullet can be traced back to at least the gun, the gun owner is usually at least questioned, are they not?

    6. Re:Hunh? by Sancho · · Score: 2, Interesting

      Official wireless is probably a completely different beast. Lots of universities use WPA, for which spoofing will be irrelevant. If they're using an open network, I'd think that they'd be open to complaints and possible lawsuits if they gave up the names or otherwise tried to claim that a specific student was tied to a specific IP/MAC address. Then again, most students wouldn't know that spoofing was possible or likely.

      It may be that high-end networking equipment can disable wireless connections originating from a duplicate MAC during a session--I just don't know enough about the capabilities of this equipment.

      Nonetheless, universities tend to want to know who's sitting at the other end of the connection. It's disingenuous to suggest that they could take action themselves based upon spurious data, but that that same data isn't good enough to hand back when faced with a subpoena. If the university decides to abandon tracking of students, then more power to them. But I doubt that it's the case that most universities are willing to do this.

    7. Re:Hunh? by immcintosh · · Score: 2, Insightful

      I don't know about every university, but every one that I've used the network on is basically totally open. Can't recall ever having to authenticate or do anything other than simply plug in and go. That's how it was in the dorms I lived in (albeit 6 or so years ago), as well as the public access points (libraries) of my and other nearby universities.

      I have no doubt there are universities that do more, but I sure wouldn't assume that to be the case by default. In fact, I've been to more than one university that had unsecured wireless access pretty easily available from common public locations, and the argument that such a situation is actually beneficial to the educational process seems an easy one to make.

    8. Re:Hunh? by vux984 · · Score: 2, Interesting

      Bad analagy:

      If a gun is used in a crime, and you have a body and a bullet, then yeah, you can go and talk to him. And if he doesn't want to talk? He doesn't have to. Unless you arrest him, in which case he gets a lawyer, and you have to release him if you dont' have at least some evidence he did something wrong that you can charge him with.

      With these RIAA cases, we don't even have a *crime* here. Nevermind a bullet. Yet the ISP (university) is expected to hand over contact information without so much as blinking.

      My neighbor can't wake up one morning, pick a random IP out of his ass, and tell an ISP to hand over the contact information for who ever was using it last night. *That* is very nearly what the RIAA does. Of course they have some vague claim of 'ip infringement' behind it, but provide no evidence of it, and what evidence they might be worthless or even obtained illegaly...

    9. Re:Hunh? by Skapare · · Score: 2, Insightful

      There's a chain of evidence which is used to get a person in many universities. It's the same way any ISP would track usage down to a specific user.

      But not all universities are alike in how they structure their networks and allocate their resources. They are not even alike in how much resources they get. Marshall University is definitely one where costs are kept as low as they can get them. West Virginia is not one of the rich states.

      Users are typically registered. Usually in universities, this is accomplished through a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user.

      That would be so at that moment in time, no accounting for the issues involved with students using wireless over their dorm connections.

      From there, it's trivial to tie the packets to the MAC--spoofing IP addresses is trivial on most networking equipment in use by universities (i.e. we're not talking crappy Linksys routers, here.) MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred.

      It's not necessarily easy to block it, as that results in problems moving computers around. And not all switches can block it. Low priced switches, much like a low resource university would have to buy, probably don't have the ability.

      Even if it isn't explicitly blocked, it would be a special case that would need to be handled when trying to identify the student, but it is by no means a dealbreaker.

      What it means is that after the student who logged in shuts their computer off, another computer that was pinging them to see when they shut off can immediately impersonate that MAC address. Even if most users properly signoff before shutting down or pulling the plug, it only takes a few that don't for someone wanting to run anonymously to do that every now and then.

      Of course, if the student is running a wireless access point, you run into problems. This is why some universities don't allow wireless access points to be connected to the network (they can't outright ban them due to FCC regulations) and the university agreements almost universally state that traffic originating from the student's port is considered to be the student's liability.

      Then there is the issue that you have multiple students working from the same port. At least 2 live in each room in most of the rooms. There are a few singles and triples there (I went to school at Marshall for 3 years and lived in the dorms for 2 of those years ... I know how at least the ones that were there then are organized). So you can at least have 2 students using one port at a time. And it is typical for students with laptops/notebooks to roam around or get together with others in different rooms to collaborate on various projects, school related or not. Student run access points make that so much simpler. Now I don't know if Marshall has every floor in every dorm covered with wireless, but they could see it as a cost savings by NOT doing so, knowing that the students themselves will provide localized access at no cost to the school.

      ISPs (including universities) have valid reasons for wanting to be able to track people down. It's unfortunate that the ability to track people down means that they can give up their information when the RIAA comes subpoenaing.

      That may be a good goal, but it's generally not practical in a resource limited situation. They may consider it more important to be sure outsiders are not using the network than it is to exactly know who sent each and every packet by its IP address. Knowing that 99% of traffic was carried out by some authorized person on campus may be sufficient. Being able to block that 1% of other traffic might not be worth the cost. Being able to track any instance of traffic to a specific person might not be worth the cost. And i

      --
      now we need to go OSS in diesel cars
    10. Re:Hunh? by SanityInAnarchy · · Score: 2, Insightful

      MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred.

      Wait, what? How does this happen?

      I mean, yes, it'd be somewhat more difficult if we're not on the same network, but there's always other networks, and wifi, on any sufficiently large campus. Besides, my understanding is that a switch can't know which nic actually "owns" that mac address, thus whoever had it first "wins" and gets the IP also.

      And then, there's always the possibility of simply registering a spoofed address on purpose, knowing I can then un-spoof it if I'm caught, and claim that it wasn't my laptop.

      This is why some universities don't allow wireless access points to be connected to the network

      And some universities provide their own wireless access points. Some of them even allocate real, Internet-visible ipv4 addresses to every laptop.

      --
      Don't thank God, thank a doctor!
    11. Re:Hunh? by Technician · · Score: 2, Informative

      That's pretty surprising. What's the purpose of allowing access through that proxy server, but not full blown access?


      Students need to log into school servers to use school resources. The www proxy is often not under that umbrella. Try it. An Ubuntu live CD works fine for a zero fingerprint session. Boot, set the browser to use autoproxy, and surf. No login ID or finerprints are left on the machine. BT and an external USB drive work fine.

      --
      The truth shall set you free!
  3. Re:2nd university to show a movie? by Zencyde · · Score: 4, Funny

    Speaking of movies... modified quote:
    Lower ranking RIAA lawyer: Oh no! The college students are revolting!
    Higher ranking RIAA lawyer: We already know this.

    --
    What day is it? Could you please tell me?
  4. 411 by whisper_jeff · · Score: 2, Insightful

    "...under the mistaken impression that the RIAA isn't going to sue the identified students, but merely wants to talk to them..."

    What an idiotic impression. Even if it was a correct impression (how anyone who's done a hint of research on the situation could have that impression is beyond me...), I'd like to think that legal officials would discourage people from using the legal system as their publicly funded 411 service. This whole situation (the RIAA lawsuits as a whole) blows my mind more and more every day and not just because of how moronic the RIAA are. Sadly, they aren't the only idiots running around...

  5. This is a shake down by DrLang21 · · Score: 4, Insightful

    There is no way that the Magistrate actually believes that the RIAA does not intend to sue these students. No reasonable individual could possibly look at the recent history and believe that they had any intentions other than to demand a large settlement or to sue for even larger damage claims. If the Magistrate believes otherwise, their ability to perform their job should be brought into question.

    --
    I see the glass as full with a FoS of 2.
  6. Re:And even after all the years of these articles. by sm62704 · · Score: 4, Interesting

    Thieves take without the owners' permission. Your "pirates" are uploading content they PAID for - exactly the opposiute of stealing. They're not breaking the law by taking, they're breaking the law by giving. In no way can copyright infringers be called "thieves".

    A music thief is someone who steals CDs from Best Buy. A music thief is also someone who scams a recording artist he's signed a contract with out of all his royalties, like the music industry has done time and again.

    Which label do you work for again, Mr. Cpward? Sony-BMG? If so, there's a special place in hell for you.

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  7. Re:And even after all the years of these articles. by D+Ninja · · Score: 4, Funny

    Which label do you work for again, Mr. Cpward? Sony-BMG? If so, there's a special place in hell for you. ...where "Hit Me Baby One More Time" is on an infinite loop...
  8. Re:2nd university to show a movie? by Seto89 · · Score: 3, Funny

    Soundtrack available through...

    ...Piratebay.org - the tracker that brought you titles such as "All your music" and "mkv - HD without Blu-ray"...
    available NOW (764 seeds, 1132 leeches)

    --
    There are two kinds of people - those who are radioactive and those who have already decayed..
  9. I Don't Get It by Nom+du+Keyboard · · Score: 2, Interesting
    I've read the magistrate judge's order twice, and can't see where he is under the apparent impression that the RIAA only wants to sit down and have a friendly Father/Son chat with these college students.

    But then there's this:

    absent the identifying information from the university, plaintiffs simply cannot proceed with their lawsuit, establishes to the Court's satisfaction that Marshall University's obligation under the subpoena is not unduly burdensome.

    That seems to make no logical sense at all. The judge seems to be saying that if Plaintiffs cannot proceed with their case otherwise, then there is no such thing as a subpoena that's too burdensome on non-party Marshall University.

    Is this judge out of his freaking mind!!!

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:I Don't Get It by esome · · Score: 2, Informative

      That seems to make no logical sense at all. The judge seems to be saying that if Plaintiffs cannot proceed with their case otherwise, then there is no such thing as a subpoena that's too burdensome on non-party Marshall University.


      Is this judge out of his freaking mind!!!

      You're correct that the notion that the plaintiff's ability to proceed or not should have little bearing on the decision of whether or not the subpoena is overly burdensome. You've left out the first half of the argument though, that it's not burdensome because it only requires the names and IP addresses. The judge seems at best guilty of poor (maybe even deceptive) wording here. I see nothing wrong with the actual basis for his decision though. I mean, how burdensome is it to cough up the info?

      Seriously, as I have no technical background in this area, I'll ask a dumb question: Why can't a system admin just copy the relevant logs to a disk, turn it over to the RIAA, and let them sort it out? Note that I'm asking why they can't, not why they wouldn't want to.

      I don't like the RIAA poking around in the schools networks fishing for students to sue any more than the next slashdotter but the argument "Gosh, it's just too hard for us to give out the info on our computers." seems kind of weak.
    2. Re:I Don't Get It by NewYorkCountryLawyer · · Score: 5, Informative

      1. The subpoena asked for the identity of the infringers.

      2. The university argued it can't identify the infringers, and spelled out in the IT guy's affidavit why it's impossible, without conducting an elaborate investigation.

      3. The magistrate ruled 'they're not asking you for the identities of the infringers', they just want to know who's associated with the IP address.

      4. He is apparently unaware of the RIAA equation, "whoever is associated with the IP address" = "the defendant" = "the infringer". He is assuming the RIAA lawyers conduct themselves like real lawyers.

      --
      Ray Beckerman +5 Insightful
  10. Re:And even after all the years of these arti SUX! by Nom+du+Keyboard · · Score: 2, Interesting

    A music thief is someone who steals CDs from Best Buy.

    And the punishment (fines) for stealing that physical CD from Best Buy is one to several hundred times less than the statutory damages asked for and allowed under law ($750 to $150,000 PER TRACK) for online copyright infringement. Tell me how that makes any sense!

    And the recording industry is lobbying hard to RAISE those statutory damage limits EVEN HIGHER.

    I'm sorry, but they have an overly exaggerated view of the true value of their product.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  11. Re:Go WVa by NewYorkCountryLawyer · · Score: 3, Informative

    That's "Country". And what do you mean, where is he? He's what we like to call "the submitter". Thank you, LMacG.

    What did you think of the IT guy's affidavit? I felt it was a model of clarity, explaining to the judge that the RIAA doesn't have a case against these kids. The IT guy at the University of Arizona did a good job on that same issue but the school, like idiots, just caved in and turned over the information, ignoring the motion to quash which one of the students had filed.
    --
    Ray Beckerman +5 Insightful
  12. Tomato, tomahto? by klx · · Score: 2, Interesting

    FTFA:

    Marshall argues ... that compliance ... would impose an undue burden on its limited resources. A significant part of this burden, however, stems from a mistaken belief that the University was required to determine who was âoeusing a given computer at a given time.â By ... making it clear that they seek only identifying information with respect to the person associated with the IP address at the date and time of the alleged infringing use, the perceived burden should be considerably reduced.

    Exactly how is finding "the person associated with [an] IP address at [a] date and time" different from determining who was "using a given computer at a given time"? Assuming a DHCP environment, I can see how it would be more difficult to start with a physical computer and trace back to a person, but I can't see how Marshall could have understood "computer" as anything but "IP".

  13. Re:3 cheers for the WV AG by NewYorkCountryLawyer · · Score: 2, Insightful

    you know the RIAA is in trouble when elected politicians want to take them on. I knew they were in trouble before that.

    And I'm not very bright.
    --
    Ray Beckerman +5 Insightful
  14. My School Just Got Targeted by the RIAA by Anonymous Coward · · Score: 2, Interesting

    I attend the University of Massachusetts - Lowell as a grad student and got this in my e-mail about 4 hours ago. I'm not worried as I haven't lived on campus for 2 years, and didn't share any music because the network was prohibitively slow. However, it looks like Umass isn't going to grow a pair and fight it. Just rollover and give names.
    E-mail is as follows:

    Students,

    Be advised that the University has recently received several copyright infringement notices from the RIAA and SafeNet DMCA.

    Each individual RIAA notice states an account on the University network âoewas used to reproduce and/or distribute unauthorized copies of one or more copyrighted sound recordings.â The notice provides details of the infringement and warns âoethis network user may be liable for the infringing activity occurring on your network... This letter does not constitute a waiver of any right to recover damages incurred by virtue of any such unauthorized activities, and such rights as well as claims for other relief are expressly retained. Moreover, this letter does not constitute a waiver of our members' right to sue the user at issue for copyright infringement.â

    The notice also encourages the user to visit the MUSIC Coalitionâ(TM)s website at www.musicunited.org.

    The SafeNet DMCA notices are similar in nature.

    Details provided within the notices will be used to identify students for further action.

    All students should discontinue the sharing/copying/downloading of copyrighted material. Safe and legal access to digital music and movies is available through Ruckus.

  15. Re:2nd university to show a movie? by adona1 · · Score: 2, Interesting

    Check out this one from The IT Crowd. Unsure whether it's prophetic of things to come, or just funny ;)

    --
    Between the falling angel and the rising ape