Sunday, April 17, 2005

RIAA claims they sued 405 students -- but how do they know?

The recording industry's latest lawsuit advertising campaign targeted Internet2 file sharing. The Detroit News quoted me on this development.

People think the RIAA sues people. Wrong. They sue IP addresses. When the RIAA launches one of its batches of suits against alleged file sharers, they give each relevant ISP a list of IP addresses that allegedly shared files, and, under the DMCA, the ISP must cough up any log links to personal identities.

But the press dutifully reports what the RIAA says in the press release. Many media outlets claimed that 405 students were sued. But that's not necessarily the case. But Heather Newman in the Detroit Free Press quoted the RIAA carefully:

The RIAA said it targeted 20 Michigan State University students, who were not identified by name in the legal papers filed Wednesday. The lawsuits cite the Internet Protocol addresses used by the students while they were downloading -- combinations of numbers that uniquely identify every connection to the Web. Once the lawsuits are filed, the RIAA can subpoena the names of the students using those addresses at the time the downloads were made, RIAA spokeswoman Jenni Engebretsen said.


Here's my question: how does the RIAA know that the IP addresses they claimed that engaged in file sharing belonged to students? If all you have is an IP address, how can an external entity know if an address belongs to a student?

IP addresses do not equate to individuals. An IP address might be static, assigned to one person or purpose -- but most often these days, an IP address is dynamic, reassigned frequently. If the address is dynamic, you have to examine logs to see if you can connect the IP address to an individual. Sometimes, you can't; logs can be voluminous, and must be rotated.

A university would hope that faculty and staff, above all, would not engage in illegal file sharing, but it's possible. A guest might engage in file sharing. Or an intruder might engage in file sharing -- someone breaks into a computer on campus, knowing it has enormous bandwidth, and sets up Grokster or equivalent.

The RIAA claimed they sued 405 students at 18 institutions. The truth is they identified 405 computers by IP address. In theory, one person -- not necessarily a student -- at each institution could've generated all the traffic the RIAA assumed was file sharing. FYI, the RIAA says they found i2hub activity at an additional 140 universities.

For the RIAA to assert that the offenders are students, when they do not yet know the identity of the alleged offenders, is reckless. It might be true, but it's not known. For the media to take RIAA claims at face value, without questioning, is sloppy. Heck, the New York Post assumed that the offenders were not only students, but specifically female students.

At least Heather Newman got it right: the RIAA named computers, not individuals, and although it's likely the alleged offenders were students, it's not known until investigation.

No comments: