How The RIAA and MPAA Unknowingly Assist Child Pornographers

Or: How the Media Companies did more to spread cryptography, anonymity preserving technology and general knowledge about good online privacy hygiene than an army of activist cypherpunks ever could have


[Ed: I have to admit, I'm pretty proud of the fact that I've managed to tar two of the great Satans in the world, the RIAA and MPAA, with the kiddie porn brush. It's about time, since they've been doing the same to anonymity researchers for years]

A few years back, after waiting all night outside the US Supreme Court, I saw a semi-familiar face walking towards the front of the court-house. Without thinking, I ran up to him, and asked if I could have my photo taken with him. True, he is an extremely evil and corrupt man. Not quite as bad as Pol Pot, or even Cheney, but still evil enough. His name is Jack Valenti, and this blog-post describes how, strangely enough, he and his cohorts make the lives of child pornographers far better, and far safer.

-------

Music and software piracy existed long before Napster. It took place on Internet news groups (usenet), bulletin board systems (BBS), ftp, and good old fashioned person-to-person exchange via floppy disks. The real threat that Napster posed, was that it was really easy to use. So simple, that a non-technical user could quickly figure it out. What Napster did, essentially, was make an entire generation of non-technical users into 'pirates'.

We all know the story: Napster was shut down by the record labels, and shortly afterwards, improved systems like Gnutella and Kazaa took its place. While Napster had been a centralized system (with verbose logging, should law enforcement ever need it), the new systems were extremely difficult to take down, and presented a significant problem for anyone who wished to do forensic analysis after the fact - since there were no centralized records of who downloaded and uploaded what files.

Whereas before, the FBI could have sent Napster a supoena stating "Tell us every user sharing these 5000 kiddie porn files", the new networks were purpose built to not be able to have that ability. Not because the designers wanted to help those sharing kiddie porn, but because the record labels used the very same techniques that the FBI used to combat child porn.

Fast forward a few years.

The record companies have their agents (like BayTSP) regularly trawling P2P networks looking for copyrighted content. The FBI and other parts of the government are either already using similar technologies, or surely have to be developing them....

In response, users have deployed technologies like PeerGuardian - which block network addresses known to be used by the record companies and their clients. And since DOJ has decided to begin, albeit slowly, prosecuting major P2P offenders, they will soon find themselves added to these blacklists - if they haven't been added already.

Let us now consider the case of encryption:

Shortly after the crypto-wars, the only people using encryption on their machines were paranoid crypto-geeks, or cypherpunks, as they called themselves. Systems were far too difficult to use to be deployed by the common man.

Fast forward a few years. The makers of Kazaa learned many lessons from their interactions with the record labels. When they developed their next program, Skype, they made sure to design cryptographic protocols into the core level of the program. Every single Skype call is encrypted - and if the call never leaves the skype network, then no one but the two callers can listen in. To make things even more difficult, just as with Kazaa, Skype was developed in eastern Europe, and owned in another country. This multi-jurisdictional separation makes subpoenas quite tricky.

Skype is now the most widely deployed cryptographic application, ever. It's easy to use, it is used by millions of Internet users around the world, and the government has no real way to tap voice data as it crosses the network - CALEA, or not.

The point that I am trying to make is the following:

By going after people for sharing movies and music online, the major media companies have essentially created a huge market for anonymous (or close to anonymous) technologies. Technologies such as Tor, Freenet, Gnutella, and Skype arguably wouldn't exist as they do today if the Media companies didn't go after 'pirates' with such vigor. And with the influx of millions of new users, these programs have become better - either through more financial support/advertising, or through new developers/open source coders who are finding bugs and adding features.

P2P enforcement forced anonymity and evasion technologies to evolve far faster than they ever would have if the FBI had been the only 'threat' to privacy online.

However, these technologies do not just make the task of detecting copyrighted works more difficult - they make the FBI's job of finding child pornographers more difficult. Far more people use encryption now. Far more people erase data, and turn off logging.

The mass publicity of the NSA lawsuits has only cemented the idea in the public consciousness that email can be read, and so, I would argue, that less and less sensitive information is sent by email. More, not all, but more, people know that their email is not secure.

And now with all the press relating to data loss/breaches by companies, we are finding that many Fortune 500 companies are demanding full disk encryption from their Operating System suppliers. This will roll downhill. Someone who gets comfortable with the idea of an encrypted filesystem at work will be far more likely to turn that option on when they install Windows Vista at home. This will of course, hugely frustrate the FBI. This isn't to say that they can't break it, but it makes their lives far far more difficult.


What is the moral to this story? The record companies have made an entire generation of college students into criminals, and as such, those college kids have resorted to technical means of avoiding detection - which create a gigantic crowd of encrypted and obfuscated data in which 'real' criminals can hide. These evasion methods are the very same techniques which can frustrate legitimate and useful law enforcement, which as an unintended side-effect, suffer. The ability to catch genuine terrorists and child pornographers is significantly limited through the short sighted actions of the major media companies.

And the thing is - it's too late to fix it. The genie is out of the bottle.

Just as the drug war has made an entire generation fear and mistrust the police, the P2P wars have given the Internet generation a reason to protect their privacy, or at least frustrate forensic analysis of their online activity.

So the next time you see an article describing a new tactic that the record labels are taking to stamp out piracy - Stop for a moment, and please, think of the children.


Note: I started coming up with the idea for this blog post a week ago over lunch with a colleague. However, I decided to hurry up and finish it after reading a recent law review article by Eric Stieglitz (ANONYMITY ON THE INTERNET: HOW DOES IT WORK, WHO NEEDS IT, AND WHAT ARE ITS POLICY IMPLICATIONS? ). You can find it on westlaw or lexis if you're lucky enough to have an account.

RIAA Liars

The RIAA launched a new website recently: P2P Lawsuits. It's a one stop shop for anyone who has been sent a letter from the RIAA. They make it nice and easy to pay them their extortion... er, settlement money.

The most interesting part of the site, I think, is their FAQ.

In particular, I like this question the most:

Q: If I have Wi-Fi at home, how can you be sure it was me who did the downloading?

A: The fact that a wireless connection is involved does not mean that the individual engaging in copyright infringement cannot be identified. Cases are routinely pursued where a wireless connection is involved.


This is a total lie.

From the data that they have collected (essentially, logging onto a p2p network and downloading one or more files from you) - they have absolutely no way to know which computer in your house, or worse, which computer in your apartment building was using the Internet connection.

If you are dumb enough to accidentally share your home movies/homework folder too, and they download your World History final exam - then they may be able to claim that you are the evil-file sharer.. However, with just an IP address, they don't have anything.

Why are they lying? Because by stating this, they may get people to settle who would otherwise have a pretty reasonable defense.

Yes, there have been timing attack papers in the past few year (Kohno et all, in particular), and there are ways of fingerprinting a remote OS, even passively. However, none of these techniques will reveal which specific computer was using a wifi connection.

The RIAA are liars. Plain and simple.

Plausible Deniability via 2 wifi-routers?

I like the idea of having an open wifi access point in my house. It makes me feel warm and fuzzy to know that people can use my excess bandwidth - something I've paid for, but am not really using.

However, there are a few major problems with simply leaving your access point unlocked.

1. Security - Anyone sitting outside your house instantly has a way of bypassing your firewall and getting access to your local network. This makes it much easier for you to get hacked.

2. Privacy - Anyone sitting outside your house can sniff your wifi network, and see the packets flying back and forth between your laptop in the living room, and the access point. Given that not all internet traffic is encrypted, this is a bad bad thing (do you really want someone to know which google queries you're submitting)?

3. Network Speed - While you may be happy to let your excess bandwidth get used by the folks next door - do you really want those dirty hippy freeloaders to get priority on your network, or at the least, do you want to have to compete with their downloads?

Which is why I now have 2 wifi routers.

I have a Buffalo 54G router which runs dd-wrt, a neato linux based customizable router, which runs an encrypted wifi network - this is the network that my own laptop and various wireless devices connect to. This device runs as the main router for the house, does all traffic shaping, firewalling, etc.

I have another el-cheapo wifi router plugged into the buffalo. This no-name router is left open, unlocked, and advertises itself as "Anarchy Free Wireless".

The linux-wifi router allows me to set a virtual vlan, so that the el-cheapo router doesn't get to see my internal network. Traffic from the no-name router is sent directly to the Internet connection. Do not pass go, do not collect 200 dollars.

On top of all of this, I have Quality of Service set on the linux router, so that the freeloaders across the street get the dregs of my Internet connection. Whatever I have left over, they can use - but if I need it, I get priority. This is exactly how it should be.

There were a few reasons I wanted to set this up - at the least, I shouldn't have to reveal my wifi password to friends that come over for a cup of coffee. Just because you want to check your email from my living room, it doesn't mean you should be able to later port-scan my home network from the comfort of your car.

But best of all - I now have quasi plausible deniability. For sure, this hasn't been proven in court yet, but it at least puts me on better ground than if my network were locked. If the G-Men ever show up at my house again (assuming it's for something that I didn't actually attach my name to, unlike last time), I can quite reasonably claim that it wasn't me, and that it must have been one of the hippy art students across the street.

Plus, in theory, I might be able to qualify as a common carrier under the DMCA. Given that I don't keep any logs at all on my wifi routers, I have absolutely no way of knowing who is using my open network - and just like a Tor exit node, I may be able to ignore DMCA threats - or at least explain that it wasn't me, and that I don't know who it was.