Wednesday, February 28, 2007

RIAA Liars

The RIAA launched a new website recently: P2P Lawsuits. It's a one stop shop for anyone who has been sent a letter from the RIAA. They make it nice and easy to pay them their extortion... er, settlement money.

The most interesting part of the site, I think, is their FAQ.

In particular, I like this question the most:

Q: If I have Wi-Fi at home, how can you be sure it was me who did the downloading?

A: The fact that a wireless connection is involved does not mean that the individual engaging in copyright infringement cannot be identified. Cases are routinely pursued where a wireless connection is involved.

This is a total lie.

From the data that they have collected (essentially, logging onto a p2p network and downloading one or more files from you) - they have absolutely no way to know which computer in your house, or worse, which computer in your apartment building was using the Internet connection.

If you are dumb enough to accidentally share your home movies/homework folder too, and they download your World History final exam - then they may be able to claim that you are the evil-file sharer.. However, with just an IP address, they don't have anything.

Why are they lying? Because by stating this, they may get people to settle who would otherwise have a pretty reasonable defense.

Yes, there have been timing attack papers in the past few year (Kohno et all, in particular), and there are ways of fingerprinting a remote OS, even passively. However, none of these techniques will reveal which specific computer was using a wifi connection.

The RIAA are liars. Plain and simple.


Sid Stamm said...

I disagree. I think you are mis-reading their response to the question: they are not claiming they can identify all Wi-Fi users, they simply say it is not impossible for them to identify some.

I haven't used a P2P network in a long time, so things may have changed, but take a look at this hypothetical exmaple:

Alice signs up for a p2p account, using a university email account ( If this email address is somehow available (i.e., watching unencrypted login traffic, obtaining P2P network registration records, etc) an identity,, can be bound to whomever logs into the P2P network with Alice's ID. After downloading a file from Alice's account on the P2P network, they can reasonably assume Alice is responsible for serving that file -- so long as they can pair Alice with that email.

Now, this is not 100% solid proof, but the probability that Alice is responsible is probably good enough evidence to hold up in court... though I'm no lawyer, I do know the RIAA has won in the past without completely solid scientific (or forensic) proof. Given the first rule of security, a good portion of P2P users are probably like Alice.

You're right, however, that it is very unlikely they could identify the actual computer serving the questionable content... and surely it's not true that they can always identify people, especially with the great number of massively insecure home Wi-Fi networks that are out there.

A P2P user who is reasonably privacy-conscious (e.g., signed up with a disposable email address and thus anonymous on the P2P network) can only be fingerprinted by the index of files served by their account on the P2P network. If this user joins a P2P network from some place that requires identification to connect (like at IU, you essentially need to provide your credentials to get an IP) there's additional risk: administrators of that network who cooperate with the RIAA ... but that's a whole different discussion.

Arvind said...

this article should give you some insight and help clarify stuff.

Anonymous said...

You're right that they have no technical way to determine which client of an unprotected wireless network is at fault. However, you may have some problems if you are the owner of the AP/ISP account and you are in fact at fault.

Any legal proceedings would surely lead to an examination of all the computers which you use to connect to the AP. While there has been contention as to whether the RIAA's consultants can image an entire hard drive, including personal documents, in the process of such a search, there is no question that the defendant has an obligation to produce all files and logs that are relevant to the case -- which would certainly include P2P applications, folders and registry settings, plus media folders indicated in the settings of those applications.

This kind of search could definitely provide a strong link between a user and an infringing share.