Tuesday, May 13, 2008

Interesting article: (1) Jacobson's software is purchased by MediaSentry and (2) RIAA admits it can only identify 'offering', not downloading

One of our readers has brought to our attention an interesting article in the Chronicle of Higher Education, which contains a number of interesting points:

1. MediaSentry is a customer of Audible Magic software, the software in which Dr. Jacobson has an indirect financial interest, and uses Audible Magic software as part of its investigation. So when Dr. Jacobson testifies about how reliable MediaSentry is, he's talking about his customer, and when he testified that he doesn't know what their procedures are, he was lying.

2. The software process used by MediaSentry differs markedly from the way Richard Gabriel has sought to describe it in his representations to various courts.

3. Cara Duckworth, the RIAA's spokesperson, admits that

the RIAA can tell only when a song is being offered for users to illegally download; investigators have no way of knowing when someone else is actually downloading the song.





Commentary & discussion:

p2pnet.net
Digg
C/Net



Keywords: digital copyright law online internet law legal download upload peer to peer p2p file sharing filesharing music movies indie independent label freeculture creative commons pop/rock artists riaa independent mp3 cd favorite songs intellectual property

8 comments:

Anonymous said...

Based upon the description in the article, MediaSentry does not actually download the files. It seems that the RIAA assumes that files are "made available" simply because the program says that they exist.

I wonder what would happen if someone designed a program compatible with file sharing networks that advertised a set of known, copyrighted files with known hashes, but that upon a download initiation, sent a completely different uncopyrighted file. Or if it simply wouldn't transmit any file.

What if no files existed at all, and the only thing the program did was display a list of songs to other P2P users that can never be downloaded. Would such a program "make available" infringing files, even though such files don't even exist?

This would be an interesting hypothetical to pose to the RIAA. It would be even more interesting to see how they would respond to a motion for summary judgment on these facts.

Anonymous said...

Cara Duckworth has just admitted that:

They cannot detect any actual violations (infringements) of the Copyright Act.

That the "evidence necessary to prove your guilt" has not only not been secured, but never existed in the first place.

That the RIAA truly has no case when they have filed suit against you.

-DM

Anonymous said...

First Anonymous, the article I saw says that they check Limewire hashes for matches against files they already have on file. If the hash matches they assume that the files are identical and they don't need to actually download it to know what it is.

This is only true if a strong method of hashing is in place, and that the program providing the hashes is providing them accurately. Limewire is an open-source application meaning that you can modify it to report whatever you want it to report.

While normal operation of a P2P system requires accurate hashes for efficient operation (this shows which users have the same file, regardless of the file name, for multi-sourced downloading to work), all that happens if you report a different hash is that your file is listed as different from an otherwise identical file from someone else.

Of course, just because a program says that a file exists doesn't mean it actually does. Ghost files do exist. You only prove that the files exists once you've copied it. And then how do you prove that it didn't come from multiple sources? Have they modified Limewire to only download from one person?

And one last interesting point. People sharing files limit how many people can upload from them at any one time to keep from swamping their upload channel and not providing a full file to anyone. People with rare or popular songs may have dozens up to a hundred or more pending requests waiting in the upload queue. The chances of the RIAA being able to successfully download a file from a popular user are far less than from someone sharing files less in demand, meaning that the most popular people are also the hardest ones to collect actual downloads from. I wonder how that affects their strategy?

-DM

mhoyes62 said...

I see several problems with their methodology. One, you are assuming that the list for a particular IP address is accurate. Unlike what the article states, an IP address is just leased, it is not a unique identifier. There are not enough IP addresses available to give to every internet user. Second, if they don't download the music in question, they can not state that it was really available, and not just listed. If they do download it though, unless they keep a packet log for the entire download session, they can not prove that it was downloaded from a particular IP address. The idea behind P2P networks is that the load is shared. From their example of the Madonna song, if it is available on 100s of computers, you can receive pieces of it from all of those computers. In that instance, you would only be infringing on a percentage of the song, and not the complete song.

It also makes it sound like they can get an IP address and find out the name the same say. This has to go through the legal system, which moves at a different speed. To date, I have yet to see any way that there is any attempt to confirm times listed between the Media Sentry computers, and the ISP log files.

The description basically makes it sound like, "We the RIAA think someone is sharing our songs, and the ISP gave us your name, so you own us money!" Never mind that it is all built on a house of cards, they have the money, so they can afford to run their customers into the ground.

meh

Anonymous said...

Regarding (1): Was Mr. Jacobson required to disclose that his testimony was designed, in part, to vindicate his own software as used by his clients? At least, shouldn't this point have come up when Mr. Beckerman deposed him?

Regarding (2): I have raised this before, but it is becoming relevant again: even if the RIAA downloaded the files, they never submitted the downloaded files as evidence. In other words, they never submitted evidence to the effect (beyond the mere filenames) that the listed files are, in fact, copyrighted. The defendants generally concede that the plaintiffs own the copyrights, but they shouldn't concede that the files at issue actually contain copyrighted music unless the RIAA has some evidence. In particular, the RIAA has a campaign of seeding these network with fake files pretending to be copyrighted music. How can they tell that the files the users have don't come from the RIAA in the first place?

Other comments here mention hash values in this regard. This would be fine if the RIAA actually recorded the hash values and submitted them to the court -- but have they ever done that? Certainly not in any filing I saw here.

The hash functions used by file-sharing software are usually quite good: I would trust the RIAA on this point if they had the hash values. To DM: to provide fake output, there's no need to modify the software. It's simpler to doctor the output than the program that generates it.

Anonymous said...

This is anonymous #1 (2:16:00) again, with another thought. What method does Media Sentry use to "engage in a so-called TCP connection" with a computer? Does this mean that they send ping packets to a computer? Do they run an nmap scan or other port scanning program to determine whether the computer has open connections? Do they use some custom-built software to fake the file sharing transaction? The article uses technical jargon that doesn't really say much at all.

For instance, most computers on the Internet will respond to a ping request, but that simply would tell Media Sentry that the computer is online. A ping request would not tell Media Sentry whether that computer was running a P2P program. On the other hand, nmap or nessus or other intrusion detection programs will list what P2P services are running, but will also provide much more information about the computer. While I am not a lawyer, my understanding is that the use of such software to "probe" other computers may violate criminal computer trespass laws.

Both of the programs I listed provide detailed information about what services are running on a computer, and are highly valuable for system administrators, but are also the first step for breaking into a computer system. It's a sort of electronic equivalent to jiggling the door handle to see if it's open, or scoping out open or broken windows.

Macros said...

So the RIAA lays either a DMCA complaint, or requests a subpoena for the users details, but Uni admins have no record of a download at the time indicated.

Wouldn't that mean that the RIAA *DOESN'T* have the evidence they are claiming? That would make them in contempt of either the DMCA or a Court, I am guessing.

I can't see how a handshake is evidence of a person infringing the copyright - there's no evidence that the file in question is the file they claim it is in their listings.

Looks to me like Media Sentry & the RIAA just cooked their goose.

Anonymous said...

To I Said:

The hash functions used by file-sharing software are usually quite good:

Actually they're not always that good. Example, KaZaA, perhaps for performance reasons since hashing GB sized movie files is long even on fast machines, only hashed part of each file shared. As a result, by knowing which part of the file was not hashed it became easy to pollute both individual files, and multi-sourced downloads by putting junk in the unhashed portion of the file. Other P2P clients may also have used weak, or incomplete, hashing.

-DM