Tufts Tells Judge, We Can't Tie IP To MAC Addresses

NewYorkCountryLawyer writes "Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."

That's one smug grin i would love to see.

[Deus.1.01]

I'm sure the ICT department were real sorry they couldnt facilitate RIAA's demands.

Re:That's one smug grin i would love to see.

DHCP is not required keep a mapping between MAC and IP address. At least not at the protocol level. A very minimalistic implementation of a DHCP daemon would only need to keep the IP addresses that it has doled out and for how long - after expirey time, mark that address as unused. The client, according to the RFC, is supposed to ask for a new IP address and work properly if it gets a new address. That would qualify as conforming under the RFC that spells out DHCP. If you do that and don't store the IP address, you can't reverse the mapping using DHCP - only ARP can.

Last I checked, universities were not required to keep log files, and if you kept log files from the above program (that printed "Issued IP xx.xx.xx.xx at 12:00:00UTC for 4h"), it wouldn't help you in the slightest.

Re:hehe

[drspliff]

How long until it makes law?

We were recently required to explicitly keep something like 6 months worth of call data records (although we keep many years worth already due to customer requirements) so that wasn't such an issue.

However, if ISPs (and universities or other large organisations) were suddenly required to keep track of all IP allocations for 6 months or more it'd cost a bucket load to implement.

Remember, kids...

Remember kids: Just because an IP address doesn't necessarily identify a person doesn't mean that copyright infringement is OK.

Re:What, me change MAC address? I wouldn't do that

[huge]

People should understand that MAC address is no more permanent than IP address is.

Unfortunately they don't.

More like "notice that you're being watched"

[lysse]

Nice move on Tufts' part. If they ever do receive such a "notice to preserve", they can relay it straight back to their students and staff and say "look, the RIAA is watching us with a view to screwing you, so behave yourselves" for the duration of such a notice; and if they don't, they have effectively insulated their charges from all further RIAA action. And all whilst looking extermely co-operative for the benefit of the courts...

Re:And the judge understood it?

[meringuoid]

I suppose in the US you have judges with clue. In the UK it's fuddy duddy old men in wigs who go "What is this 'internet'?"

You mean judges who know meaningless jargon when they hear it, and want all terms of reference used in their courtroom to be clearly defined.

What, exactly, legally speaking, is a 'website'? Where does one 'website' end and another begin? How does a 'site' differ from a 'page', if at all? Is a 'forum' part of a 'website', or only attached to it? Is there, as the media often says, a 'file sharing website' called 'BitTorrent' on which pirates trade music? What exactly is this 'Web' thing anyway, and how is it distinct from the 'Internet', if at all?

A lot of terms bandied about in common parlance regarding Internet services are very vague, and I'm glad to hear of judges demanding that they be defined clearly and unambiguously when in court.

Please don't even GIVE them this idea.

[Lunarsight]

For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."

I honestly wish Tufts hadn't even suggested this to the RIAA, since we all know this will be the next thing they'll try and have legislated through Congress. One of the congressmen on the RIAA payroll will attempt to slip it into a bill undetected.

They won't limit it to colleges either - they'll probably make it a requirement of ISPs in general.

Why?

[Armakuni]

For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit.

Why? The RIAA is not a court of law or even a government agency. Surely the university would have no obligation to comply with its requests? Talking about the RIAA in these terms ("notices", "forensic") lends it unwarranted legitimacy and authority.

Re:hehe

[szo]

Right, aim high!

Re:hehe

[NewYorkCountryLawyer]

Next hot network thing: RIAA approved DHCP ;)

Scary, isn't it?

Re:What, me change MAC address? I wouldn't do that

[Stellian]

Yes but the proof RIAA would bring to the court is not just the IP/MAC address combination. That's just a pretext to grab a random student who's IP happens to match, seize his computer and find thousands of MP3 files in the shared folders of a P2P application. That would then constitute the actual evidence they need.

Re:You don't have a loghost?

[sgbett]

And, of course, nobody has *ever* spoofed a MAC Address ....

Re:Be honest

[tooyoung]

How many kids have any clue whatsoever on how to do this? I'd wager most CIS and IS students don't even know how to do it

True, but I bet that most CIS and IS students know that you CAN do it. Then it becomes a simple matter of googling. The key here is that anyone who has taken a bAIX networking course has enough knowledge to dispute evidence crucial to the RIAA's case. The fact the RIAA is able to continually present this evidence in a court room tells me that
1. Judges and juries do not know enough about the technology that they are ruling on.
2. The RIAA's experts are deliberately misleading the judges and juries. This is not ethical and should have consequence.

Re:Be honest

[AusIV]

Why would MAC spoofing have to be common knowledge to use that as a defense for their students?

It's not like every student would have to be going around spoofing MAC addresses. You could have ten kids going around sniffing MAC addresses, then spoofing a different MAC every day to do their file sharing. You could certainly be vulnerable to this without knowing how it works.

Re:You don't have a loghost?

[MoeDrippins]

Spot on. The lack of clue within the RIAA is mindnumbing.

I suspect the RIAA knows EXACTLY what the technical facts are. But if they can still sue w/o having those get in their way, so much the better! (For them)

Remember this is law, not logic.