Software [In]security: DMCA Rent-a-cops Accept Fake IDs
- Worst Case: Innocence Lost
- Enter the Scientists: Throwing the Book at a Laser Printer
A recent scientific study confirms that some methods used to enforce copyright law by identifying individual users on peer-to-peer networks are at best inconclusive and at worst implicate the innocent.
I am a musician and a writer, so I understand why copyright law is important and how enforcing copyright law supports the livelihoods of artists, writers, and musicians worldwide. However, if the Digital Millennium Copyright Act (DMCA) is improperly applied, innocent computer users can be caught in the crossfire. A technologically-sound balance must be sought between the legitimate rights of users and the protection of intellectual capital.
Worst Case: Innocence Lost
Heather Green of BusinessWeek writes in her April 24, 2008 story "Does She Look Like a Music Pirate?" about the legal shenanigans surrounding Tanya Andersen, a woman falsely accused of impugning copyright law by the Recording Industry Association of America (RIAA). Ms. Andersen is one of the 40,000 people the RIAA has targeted for legal action and one of fewer than 100 who have actively defended themselves.
Using strong arm tactics that border on bullying, the RIAA and its corporate agent the Settlement Support Center (since replaced by the Settlement Information Line Call Center) pushed for an expensive legal settlement to a case built on flimsy evidence — an apparently common tactic called out in a pending countersuit spearheaded by Ms. Andersen. Her Seattle-based lawyer labels the tactic an "extortion campaign."
You might argue that demanding settlement from copyright infringers is justified, especially since the products that the RIAA is defending really are stolen with regularity over the Internet. At the heart of the matter are the methods used to identify alleged infringers. Rent-a-cop copyright enforcement companies such as MediaSentry and MediaDefender regularly monitor peer-to-peer file-sharing services including BitTorrent and KaZaA. They attempt to determine a user's identity by collecting IP and username information and contacting the relevant ISP to tag the actual user. After that, the fun begins.
There are serious technical problems with the user-identification scheme used by some of the services. Here are two: NAT allows many users to share an IP number and simultaneously access services, say in a coffee shop; and DHCP is commonly used by commercial consumer-grade ISPs to assign regularly-recycled temporary IP numbers to users. It should be readily apparent that relying on an IP number alone to prove copyright infringement presents a steep burden of proof (especially given complex timing issues). But these problems only scratch the surface.