Privacy versus Intellectual Property:
Detection Methods Used by Copyright Holders
Timothy M. Valdez
Department of Computer Science
University of Idaho
Moscow, ID 83844
Dr. Paul Oman, advisor
a. Intellectual Property versus privacy
b. Types: mp3’s, books; Napster, et al
c. Value of IP (loss of potential revenue) versus value of privacy
d. Methods of safeguarding IP
iii. Licensing (shrink-wrap, et al)
II. P2P and IM uses
a. Personal file sharing
b. Software and file backup
c. Community building
d. Freedom from electronic intrusions
e. Anonymous discussion and criticism
III. Detection and enforcement against infringing uses
a. RIAA hires outside firms for data mining
b. DMCA; Extravagant penalties
i. Attempted law to legalize hacking into P2P computers
ii. H.R.2752 Author, Consumer and Computer Owner Protection and Security (ACCOPS) Act of 2003: “To encourage the development and distribution of creative works by enhancing domestic and international enforcement of the copyright laws, and for other purposes.”
iii. S.2048 Consumer Broadband and Digital Television Promotion Act (CBDTPA): “A bill to regulate interstate commerce in certain devices by providing for private sector development of technological protection measures to be implemented and enforced by Federal regulations to protect digital content and promote broadband as well as the transition to digital television, and for other purposes.”
iv. H.R.2517 Piracy Deterrence and Education Act of 2003: “To enhance criminal enforcement of the copyright laws, educate the public about the application of copyright law to the Internet, and clarify the authority to seize unauthorized copyrighted works.”
v. H.R.2885 Protecting Children from Peer-to-Peer Pornography Act of 2003: “To prohibit the distribution of peer-to-peer file trading software in interstate commerce.”
vi. H.R.5211 To amend title 17, United States Code, to limit the liability of copyright owners for protecting their works on peer-to-peer networks: “Amends Federal copyright law to protect a copyright owner from liability in any criminal or civil action for impairing, with appropriate technology, the unauthorized distribution, display, performance, or reproduction of his or her copyrighted work on a publicly accessible peer-to-peer file trading network, if such impairment does not, without authorization, alter, delete, or otherwise impair the integrity of any computer file or data residing on the computer of a file trader.”
d. Offering monetary rewards for “information leading to...”
e. Denial of Service attacks on P2P networks
f. Napster-era file hashes
g. Flooding networks with fake files
h. Software written to sabotage P2P networks and computers downloading copyrighted music
IV. Problems with detection and enforcement methods
a. Loss of online privacy and anonymity
b. Possible trespass to chattels issue
c. Illegal subpoenas
d. Presumption of guilt
e. Loss of 5th amendment rights
V. Legislative activity regarding privacy and online freedom
a. Senator Norm Coleman (R-MN) letter to RIAA, follow-ups, congressional investigations
b. Pending legislation
i. H.R.107 Digital Media Consumers' Rights Act (DMCRA) of 2003: “To amend the Federal Trade Commission Act to provide that the advertising or sale of a mislabeled copy-protected music disc is an unfair method of competition and an unfair and deceptive act or practice, and for other purposes.”
ii. H.R.69 Online Privacy Protection Act of 2003: “To require the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected from and about individuals who are not covered by the Children's Online Privacy Protection Act of 1998 on the Internet, to provide greater individual control over the collection and use of that information, and for other purposes.”
iii. S.563 Computer Owners’ Bill of Rights. “To protect owners of computers, and for other purposes.”
iv. H.R.1066 BALANCE Act of 2003 (Benefit Authors without Limiting Advancement or Net Consumer Expectations) (formerly H.R.5522 Digital Choice and Freedom Act of 2002): “To amend title 17, United States Code, to safeguard the rights and expectations of consumers who lawfully obtain digital entertainment.”
v. S.692 Digital Consumer Right to Know Act of 2003. “To require the Federal Trade Commission to issue rules regarding the disclosure of technological measures that restrict consumer flexibility to use and manipulate digital information and entertainment content.”
vi. H.R.48 Global Internet Freedom Act: “Establishes in the International Broadcasting Bureau the Office of Global Internet Freedom to develop and implement a comprehensive global strategy to combat state-sponsored and state-directed Internet jamming and persecution of those who use the Internet.”
vii. H.R.3159 Government Network Security Act of 2003: “To require Federal agencies to develop and implement plans to protect the security and privacy of government computer systems from the risks posed by peer-to-peer file sharing.”
VI. Proactive methods and technologies to protect against network surveillance
a. Conversion of text file lists into graphic images to bypass automated detection
b. P2P file lists employing anti-bot images requiring user interaction
c. Randomize file and subdirectory names via script
d. Tarpits for bots
e. Use of Wi-Fi hotspots for anonymous connections
f. P2P file sharing software using encrypted communication protocols
g. P2P2P proxies
h. Changing MD5 hashes and/or CRC32 checksums of multimedia files
i. Use of darknets
Numerous methods are used by copyright holders in an effort to protect their Intellectual Property (IP) rights. In many cases those methods intrude on the real and perceived rights of Internet users to participate in private communications. This begs the question: at what point does privacy lose out against aggressive enforcement toward possible IP-infringing activities such as peer-to-peer file sharing? There is a monetary value attached to IP, and it is measured by the loss of potential revenue. There is also a value attached to an Internet user’s privacy, of which the loss is measured by the chilling effects imposed upon their online freedoms. There are many methods available for copyright holders to protect IP using Digital Rights Management that do not interfere with the privacy rights of individuals. While it has been shown that a few technologies such as peer-to-peer (P2P) and Instant Messaging facilitate IP-infringing activities, there are also many acceptable uses for these technologies. An example of a law that has privacy implications is the Digital Millennium Copyright Act (DMCA). This law has been the basis for many recent non-copyright-related lawsuits. Copyright holders are connecting to the largest P2P networks and filing subpoenas with Internet Service Providers to obtain personal information about potential IP infringers. This leads to a loss of the expectation of privacy that Internet users are accustomed to. If the copyright holders electronically enter the hard drives of P2P users they may be held liable for possible trespass to chattels or other legalities. These actions deprive the P2P user of their due process rights and the expectation of innocence. Recognizing that copyright holders such as the Recording Industry Association of America (RIAA) may be too zealous in their detection methods, Senator Norm Coleman (R-MN) has begun proceedings to investigate the privacy implications of their information-gathering procedures.
In addition, several bills have been introduced in an effort to curb the misuse of the DMCA. Before these new laws and amendments take effect, P2P users will need to take steps to protect their privacy from the detection methods employed by copyright holders such as the RIAA and its subsidiaries.
The passage into law of the Digital Millennium Copyright Act (DMCA) in October 1998 has affected the balance between consumers’ right to use of resources, and copyright holders’ desire to control their property. This was a direct result of the creation of file-sharing software Napster by
Section 107 of the Copyright Act of the United States defines a four-factor test for the fair use of IP, generally applied by the courts (when necessary) on a case-by-case basis:
Historically, consumers have been able to legally make a copy of a VHS movie, and even software, for archival backup purposes. With new DRM processes and shrink-wrap licenses that capability can be prevented by the copyright holder, thus preventing fair use of the content. Recent court cases have upheld the legality of shrink-wrap licenses preventing the reverse-engineering of software, which is a programming technique used to enable market competition and product interoperability. You may be held liable for numerous offenses by reverse-engineering the protection on any DRM in an attempt to bypass or remove the protection to allow saving the content in a new format or simply backing it up.
Each of these mediums (music files, movie files, and electronic books) presents unique challenges to DRM systems. Adobe introduced an encryption scheme based on their Portable Document Format (PDF) to protect books converted into an electronic version. This “e-Book” design used a weak password algorithm to encrypt the contents of the book. This same technique was used to embed software tokens in the data stream which selectively enabled or disabled the ability to print out or copy the file. A company in
IM and P2P
Both Instant Messaging (IM) and Peer-to-Peer file sharing have significant legal uses such as personal file sharing, archival software backup, commercial software support, and anonymous discussion, none of which infringe on any copyrights. IM technology provides the privacy necessary for the freedom of expression and debate of personal and sensitive issues within the Internet community. This anonymous method of communication is what has allowed the Internet to be widely regarded as having freedom from undesirable intrusions. The Supreme Court has consistently afforded first amendment protection to the anonymous posting of comments and “whistle blowing”: “Under our Constitution, anonymous pamphleteering is not a pernicious, fraudulent practice, but an honorable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority.” 
In Reno v. ACLU the Court further upheld anonymous free speech and updated their earlier decision to include the Internet:
“Through the use of chatrooms, any person with a phone line can become a town crier with a voice that resonates farther than it could from any soapbox. Through the use of webpages, mail exploders, and newsgroups, the same individual can become a pamphleteer.”  In the conclusion of this case, the Court added: “As a matter of constitutional tradition, in the absence of evidence to the contrary, we presume that governmental regulation of the content of speech is more likely to interfere with the free exchange of ideas than to encourage it. The interest in encouraging freedom of expression in a democratic society outweighs any theoretical but unproven benefit of censorship.” [ibid]
Morpheus (a popular P2P client application) was sued for failing to prevent the IP-infringing uses of its software by customers. They won a motion for summary judgment primarily based on the decision in Sony v. Universal Studios (the famous Betamax case) where the Supreme Court declared: “…the mere capability of substantial noninfringing uses is all that is required to protect a new technology from an attack grounded on allegations of contributory copyright infringement.”  (emphasis mine)
Separately, in MGM v. Grokster (a case hinging on the possible requirement of a software company to produce a product that prevents infringing uses) the Court followed up with a similar decision:
“The doctrine of vicarious infringement does not contemplate liability based upon the fact that a product could be made such that it is less susceptible to unlawful use, where no control over the user of the product exists.” [MGM v. Grokster, 259 F. Supp. 2d at 1045-46 (emphasis in original).] Additionally the Court said: “It is no surprise that – just as the studios initially resisted video tape rather than releasing prerecorded tapes – the established record and movie companies have resisted opportunities to exploit peer-to-peer technology. When one entirely dominates the existing means of distribution, one tends to resist change.” The Court further states: “In the case of the music and motion picture industries, permitting the incumbent leaders to suppress disruptive technologies will leave not just society, but copyright owners themselves poorer over the long run.”
These court cases have shown that the judicial branch of our government is more savvy than anticipated. It is important to note that the future use of a product must be contemplated while determining if an infringing activity is taking place. An analogous case involving a P2P product named Madster (formerly Aimster) was lost because the defendant (Madster) used examples with copyrighted music files in their program documentation tutorials and also failed to produce any evidence of significant non-infringing product usage.
In an activity related to freedom of speech, the Sarbanes-Oxley Act of 2002 (as passed by the Senate, titled: Public Company Accounting Reform and Investor Protection Act of 2002) which became law in the wake of the Enron debacle gives significant protection to whistleblowers. More recently a
In an attempt to subjugate the anti-P2P actions of the RIAA, MPAA, and similar agencies, Sharman Networks, the creators of the KaZaA file-sharing software, modified their End-user License Agreement (EULA) in October 2003 to provide for their indemnification from any illegal or improper use of their software and network by end users:
2.11 Monitor traffic or make search requests in order to accumulate information about individual users; […]
2.14 Collect or store personal data about other users 
They also added verbiage that attempts to prevent the use of their software and network for the purpose of discovering or tracking users’ identities. Historically the courts have upheld shrink-wrap licenses, and it will be interesting to see if this new tactic holds up when it is challenged in the current court case wherein Sharman is suing the record labels and movie studios.
I will concentrate on the current actions employed by the RIAA in their attempt to detect infringing uses of copyrighted materials. The RIAA has retained several companies such as MediaSentry, Cyveillance, BayTSP, and Vidius to broaden their detection and data mining capabilities. Possible detection steps employed by the RIAA and its hired tracking firms are as follows:
Recently, the RIAA suffered a setback in their subpoena campaign when a Federal district court overturned a lower court’s decision on the DMCA subpoena process, stating that the DMCA was passed by Congress before P2P technology existed thus that activity is exempted from the subpoena provision. Now they have the added expense of filing an actual “John Doe” lawsuit against the suspected offender, which then legally allows them to subpoena the ISP for any requested information on that IP address. Putting a twist on the outcome, RIAA president Cary Sherman stated this was an unfortunate event, since it now prevents them from sending letters to the people prior to filing a lawsuit against them.
This automated method is in addition to the brute-force approach of simply logging on to the P2P network with a compatible file-sharing program and searching for potentially-infringing material. In a white paper dated September 11, 2000, titled To Catch a Cyber Thief, Arlington, Virginia-based Cyveillance introduces a system of Intellectual Property Protection Solutions they call NetSapien™ Technology: “the most powerful business search and analysis tool available” which spiders the billions of web pages on the Internet for relevant content and assesses the meaning of that information for marketing intelligence, customer and brand loyalty. This technology makes searching for unauthorized copies of intellectual property much smarter than blindly doing a keyword lookup on a web search engine [ibid].
A similar approach is employed by Los Gatos, California-based BayTSP; however they go further by actually sending infringement notices to the user and their ISP as well as monitoring for compliance of takedown notices (international infringement notification complies with the Berne Convention). The automated system runs 24x7 and according to their website “monitors all major P2P networks … global surveillance of the Internet, including web sites, FTP sites, P2P networks, IRC sites, newsgroups, and auction/retail sites.” “BayTSP has patented technology that utilizes the extracted DNA of a specific digital file - still image, video, audio, etc.- which its spiders track on the Internet, FTP sites, peer-to-peer networks, IRC, Usenet, and auction/retail sites.” [ibid]
MediaSentry, a New York-based corporation, also scans the Internet looking for pirated copies of music and videos:
“Using a sophisticated network of Internet-based software and data mining techniques, MediaSentry patrols the Internet for possible copyright infringements. Full support is offered for peer-to-peer file trading communities, IRC networks, websites, FTP sites, and newsgroups. A continuously updated catalog of infringements is cross referenced against a database of client materials… The core MediaSentry engine uses advanced heuristics, self-adapting searches, neural search algorithms, and probability ranking formulas, permitting an unprecedented ability to accurately detect piracy and ensure compliance with copyright laws.” 
MediaSentry is one of the most hated anti-P2P companies because they actively inject spoofed decoy files on P2P nodes while simultaneously downloading every available infringing file to prevent their download by other file sharers.
In a 75-page, 2001 study titled “The Copyright Crusade” Viant Media and Entertainment CTO Frank Andrew explored the influence of P2P file sharing on the business models of copyright holders. His findings suggested that piracy and copyright infringement via the Internet are runaway activities that must be curtailed soon by copyright holders, and he offers some rudimentary statistics on several methods of Internet file trading such as common P2P clients and the use of Internet Relay Chat (IRC) channels. He concludes that using IRC is not easy for the majority of Internet customers, yet 22% of daily pirated movies pass through IRC servers [ibid]. So far, IRC has remained under the radar of the RIAA, MPAA, and their partners but that is certainly going to change soon.
The Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 amended §504(c) of the U.S. Copyright Act to allow for fines of $750 to $30,000 per infringing act and up to $150,000 per each willful infringement (up to $250,000 per work for repeat offenders). The DMCA contains a safe-harbor provision that protects ISPs from legal action if they willingly and promptly comply with subpoena requests. This has led to the ISP capitulating rather than risking criminal penalties, with a resultant loss of privacy and anonymity for their customers. Verizon Internet Services recently attempted to quash an RIAA subpoena seeking the identity of a subscriber who allegedly downloaded over 600 copyrighted music files via the KaZaA P2P network. Verizon cited privacy, First Amendment, and due process issues, as well as the fact that Congress never considered P2P technology when drafting the DMCA “because that technology did not exist in 1998”. The motion to quash was denied by the district court, but on appeal, and after another DMCA subpoena was served upon Verizon, the appeals court overturned those decisions and found for Verizon, calling portions of the RIAA’s argument “silly”:
“The issue is whether § 512(h) applies to an ISP acting only as a conduit for data transferred between two internet users, such as persons sending and receiving e-mail or, as in this case, sharing P2P files. Verizon contends § 512(h) does not authorize the issuance of a subpoena to an ISP that transmits infringing material but does not store any such material on its servers. The RIAA argues § 512(h) on its face authorizes the issuance of a subpoena to an “[internet] service provider” without regard to whether the ISP is acting as a conduit for user-directed communications. We conclude from both the terms of § 512(h) and the overall structure of § 512 that, as Verizon contends, a subpoena may be issued only to an ISP engaged in storing on its servers material that is infringing or the subject of infringing activity. […] Finally, the RIAA argues the definition of ‘[internet] service provider’ in § 512(k)(1)(B) makes § 512(h) applicable to an ISP regardless what function it performs with respect to infringing material – transmitting it per § 512(a), caching it per § 512(b), hosting it per § 512(c), or locating it per § 512(d). This argument borders upon the silly. […] In sum, we agree with Verizon that § 512(h) does not by its terms authorize the subpoenas issued here. A § 512(h) subpoena simply cannot meet the notice requirement of § 512(c)(3)(A)(iii). […] We are not unsympathetic either to the RIAA’s concern regarding the widespread infringement of its members’ copyrights, or to the need for legal tools to protect those rights. It is not the province of the courts, however, to rewrite the DMCA in order to make it fit a new and unforseen [sic] internet architecture, no matter how damaging that development has been to the music industry or threatens being to the motion picture and software industries.”  (emphasis mine)
Per the decision above it is no longer appropriate for the RIAA to send discovery subpoenas to ISP’s requesting file sharing customers’ contact information when the ISP’s are merely acting as a conduit for P2P network traffic [ibid]. This is perhaps unfortunate, since it implies that the DMCA will soon have a large sum of “special interest” money thrown at it in an effort by large corporations to have this particular shortcoming amended.
Several bills have been independently introduced by the House and Senate to further protect the interests of big business IP owners and copyright holders from piracy and infringing uses of their property:
Anti-P2P Actions and Detection
The RIAA and its hired tracking firms have several options at their disposal if they wish to lessen or prevent copyrighted content from being traded over P2P networks. It is known that some of the following techniques are currently being used or might be used soon, and at least one is being prepared for use:
If the RIAA or its agents access a P2P network with the intent to either flood the network with fake multimedia files or otherwise perform a denial of service action, they could be liable to a civil lawsuit under the “trespass to chattels” common law. This intentional tort (a wrongful act…that injures another and for which the law imposes civil liability)  is defined as: “…an intentional interference with a plaintiff's right of possession to personal property. This may occur if a defendant damages the property or deprives the plaintiff of possession of the property.” 
The use of software written specifically to disrupt network communications or personal computers engaged in same may also fall under the trespass to chattels tort. This angle has yet to be explored in court.
Constitutional issues might also arise. The Fifth Amendment to the Constitution of the
“No person shall … be deprived of life, liberty, or property, without due process of law; [The Fifth Amendment] can be asserted in any proceeding, civil or criminal, administrative or judicial, investigatory or adjudicatory; and it protects against any disclosures which the witness reasonably believes could be used in a criminal prosecution or could lead to other evidence that might be so used.” 
The “Due Process” clause affords many rights to the individual, yet the subpoena provision of the DMCA does not take those rights into account.
The methods employed by the RIAA for detecting materials being downloaded by web and P2P users, in conjunction with the associated presumption of guilt, intrude upon the privacy expectations of Internet patrons with the loss of online privacy and anonymity as a result. Some of these methods have been mentioned previously.
The issuance of subpoenas to a P2P-user’s ISP for possibly-infringing file trading activities, in the absence of solid evidence, could be construed as a privacy invasion. If it is later determined that no laws were in fact broken, the loss of anonymity, public integrity, and time spent dealing with the actions of the RIAA cannot be regained. There is also no guarantee that the ISP will be able to identify the actual person who is performing the action. All they can potentially do is confirm that the logged-in account’s computer was connected at the time specified in the subpoena.
The subpoena process specified in the DMCA runs contrary to the accepted procedure known in legal circles as “Rule 45” (of the Federal Rules of Civil Procedure) which states: “If separate from a subpoena commanding the attendance of a person, a subpoena for production or inspection shall issue from the court for the district in which the production or inspection is to be made.” (emphasis mine) This is how both Massachusetts Institute of Technology and Boston College successfully quashed the subpoenas from the RIAA attempting to obtain the identities of several students alleged to be conducting illegal file sharing. In response, the RIAA simply filed the subpoenas again in the state of Massachusetts. Now that the DMCA subpoena process has become unenforceable for P2P network traffic, the media companies are going to have to find a new method for detecting the owners of any IP addresses suspected of trading copyrighted materials across P2P networks.
Congress has recognized the problem of maintaining citizens’ online anonymity and privacy, and has been proposing legislation that appears to begin the process of balancing property holders’ and users’ rights. The most vocal proponent is Senator Norm Coleman (R-MN) who recently sent a letter to the RIAA asking for the specific methods they use to identify illegal file sharing and what safeguards are in place to protect P2P users’ privacy. The RIAA responded to the request quickly. This action was initiated due to the voluminous number of subpoenas the RIAA has filed in Washington D.C., currently holding at 382, which required extra court clerks to process the enormous tide of paperwork. Each piece of proposed legislation has pros and cons, but all are designed to more equitably balance copyright law and empower the consumer with knowledge and rights. Senator Coleman is also holding congressional hearings in an effort to lessen the bludgeoning of citizens by the RIAA.
The House of Representatives has the following items on the table:
“(1) include analog or digital transmissions of a copyrighted work within fair use protections; (2) provide that it is not a copyright infringement for a person who lawfully obtains or receives a transmission of a digital work to reproduce, store, adapt, or access it for archival purposes or to transfer it to a preferred digital media device in order to effect a non-public performance or display; (3) allow the owner of a particular copy of a digital work to sell or otherwise dispose of the work by means of a transmission to a single recipient, provided the owner does not retain his or her copy in a retrievable form and the work is sold or otherwise disposed of in its original format; and (4) permit circumvention of copyright encryption technology if it is necessary to enable a non-infringing use and the copyright owner fails to make publicly available the necessary means for circumvention without additional cost or burden to a person who has lawfully obtained a copy or phonorecord [sic] of a work, or lawfully received a transmission of it.” 
“Establishes in the International Broadcasting Bureau the Office of Global Internet Freedom to develop and implement a comprehensive global strategy to combat state-sponsored and state-directed Internet jamming and persecution of those who use the Internet. Requires an annual report from the Office to Congress on the status of state interference with Internet use and of
The Senate has not been sitting idle either; they have introduced these relevant bills:
“Requires the Federal Trade Commission (FTC) to: (1) establish standards for the provision of technical support for computers and computer-related products by computer hardware and software manufacturers, as well as consultants and resellers that provide technical support (entities); (2) issue guidelines to encourage each such entity to collect and submit to the FTC information on the nature and quality of such technical support; and (3) establish a public registry in which any person or entity that does not seek to receive unsolicited marketing e-mail to a computer may register the e-mail address(es) of such computer for that purpose. Prohibits unsolicited marketing e-mail to registered computers.” 
“Directs the Federal Trade Commission (FTC) to issue rules to implement requirements that a producer or distributor of copyrighted digital content disclose the nature of restrictions that limit the practical ability of the content purchaser to play, copy, transmit, or transfer such content on, to, or between devices commonly used with respect to that type of content. Requires such disclosure in the case of limitations on: (1) the recording for later viewing or listening of certain audio or video programming; (2) the reasonable and noncommercial use of legally acquired audio or video content; (3) making backup copies of legally acquired content subject to accidental damage, erasure, or destruction; (4) using limited excerpts of legally acquired content; and (5) engaging in the secondhand transfer or sale of legally acquired content. Provides disclosure exceptions. Requires the FTC to annually review the effectiveness of such rules. Expresses the sense of Congress that: (1) competition among distribution outlets and methods generally benefits consumers; and (2) copyright holders selling digital content in electronic form for distribution over the Internet should offer to license such content to multiple unaffiliated distributors.” 
Many of these bills are currently wending their way through the House and Senate, and hopefully most will be ratified. This would be a boon for American consumers and go a long way toward bringing balance back to the application of Copyright Law.
Preventing the Loss of Privacy and Anonymity
Several methods exist to reduce the privacy loss facilitated by automated methods of search and discovery. Each of the following techniques exhibits both strengths and weaknesses against certain types of surveillance and monitoring techniques:
1. Conversion of text file lists into graphic images to bypass automated filename detection: The automated scanning of P2P networks can be reduced or even eliminated by conversion of available file lists into graphic images instead of plain text. This simple action would greatly increase the amount of human interaction required to visually confirm downloads. This might mean that existing P2P software or even the underlying network protocols will need to have major reworking in order to maintain ease of use for customers. Instead of connecting to a potential download client and receiving a plain text list of files in their shared folders, the P2P software will need to display a graphic image of the user’s available files. Compiler libraries exist to facilitate the creation of .GIF images in real time (that image format is now royalty free
2. P2P file lists employing anti-bot images requiring manual user interaction to download: This technique is already in use today by web-based email providers like Hotmail and Yahoo! mail, which require a person to type in the value displayed by a random graphic image. This prevents any automated method of bulk account creation, which was frequently used by spammers. This would be a relatively easy function to implement in P2P client software, perhaps even being a server-side only component.
3. Randomize file and subdirectory names via script: For files sitting on a web or FTP server, web spiders for any search engine may access directories and their contents, adding them to a central database for public use. By randomizing the directory names as well as individual file names this risk is lessened but not entirely prevented. A simple Perl script can not only rename files and directories, but can also simultaneously update the web page or FTP links pointing to the files. If a search engine manages to spider one set of links, they will only remain valid until the next cycle of renaming occurs. Scheduling this renaming procedure at a high granularity will mitigate discovery.
4. Tarpits for bots: This technique is easily used against web-based bots and to a certain extent FTP-based bots. It could also be used against P2P-based bots on any of the current P2P networks; however, this particular case would require some custom programming to implement (this case is covered later). The basic idea behind a tarpit is to create a set of seemingly real file links, either on a web page or in an FTP directory. When the bot follows one of these links, it merely leads to another web page or directory with another set of seemingly real links. Each link can easily be randomly created by using a small database of common file names. This process continues ad nauseam. Intelligent bots would perform a breadth-first search, limiting their search depth to a small value such as five in order to prevent being "trapped" by this technique. However, this idea would still be valid; the file sharer would simply place the "real" files on the server at a level just below this artificial search limit, ensuring that the HTTP_REFERER environment variable points to the final fake directory that was generated in the current session. For a P2P network honeypot, the search results returned by the P2P client software would need to be modified to point to a fake set of filenames which in turn point to another set of fake filenames, etc. By forcing the P2P client user to enter a one-time password embedded in a graphic image at program startup, the network could determine if this was an automated bot or a real human and thus control the link types presented to the client. It is important to note that this honeypot technique is only valid against automated methods of file scanning; however, there are so many file sharing locations on the Internet that everyone becomes anonymous simply by sheer numbers.
5. Use of Wi-Fi hotspots for anonymous connections: By using free wireless network connections for P2P file sharing the user is completely anonymous and thus immune to potential liability for alleged illegal activities. Such so-called "hotspots" are located all over:
6. P2P file sharing software using encrypted communication protocols: Two different directions can be taken with this technique: using existing protocols, or rolling your own. The benefit of using your own protocol is having complete control over every aspect of the data packets. This generally results in a much faster and more secure transfer capability over existing protocols, yet requires extensive knowledge of low-level protocol programming. The benefit of using existing protocols such as SSL over HTTPS and SFTP is that these protocols usually bypass ISP and corporate firewalls. Palestine-based EarthStationV is one P2P program that uses existing secure protocols to not only connect to their secure P2P network anonymously, but also allow you to run a secure web server and private network from your own computer.
7. P2P2P proxies: This is similar in concept to anonymous email “remailer chaining” where all identifying header information is stripped from the message and forwarded to another remailer, until eventually being delivered to the recipient. In this case, the data stream for a downloaded file is split and sent to a random P2P client that forwards this portion of the download to another random P2P client, until eventually every packet reaches its destination. Each P2P client will not be downloading a complete file but only parts of it, and no one knows which client is requesting the file. This might affect certain legalities of copyright infringement because no single person ever downloads a complete file. AT&T built a free anonymous web browsing proxy in 1997 called “Crowds” based on this idea (now defunct), and the U.S. Navy built an anonymizing network service called “The Onion Routing Project” also based on this principle. It ran for many years before finally being shut
“The Onion Routing [OR] research project is building an Internet-based system that strongly resists traffic analysis, eavesdropping, and other attacks both by outsiders (e.g. Internet routers) and insiders (Onion Routers themselves). It prevents the transport medium from knowing who is communicating with whom -- the network knows only that communication is taking place. In addition, the content of the communication is hidden from eavesdroppers up to the point where the traffic leaves the OR network. […] Onion routing accomplishes this goal by separating identification from routing. Connections are always anonymous, although communication need not be. Communication may be made anonymous by removing identifying information from the data stream. Onion routing can be used by a variety of unmodified Internet applications by means of proxies (non-invasive procedure) or by modifying the network protocol stack on a machine to be connected to the network (moderate or highly-invasive procedure).” [ibid]
8. Changing MD5 hashes or CRC32 checksums of multimedia files: A person known only by the pseudonym nycfashiongirl, who decided to challenge her subpoena in a recent RIAA case, prompted an interesting discovery: the RIAA has been maintaining a large database of MP3 file hashes dating back to the days of the original Napster file sharing program. These file checksums are compared against the hashes of recently-downloaded music files to see if they are identical or not. If the checksums match, then this file is indistinguishable from one traded on the original Napster network. An obvious solution to defeating this type of “fingerprinting” is to simply change the file in a method that impacts the checksum but doesn’t affect the quality of the sound. The first thing to be done is either eliminate or rewrite the ID3v1 or ID3v2 info tag in the music file header, located in a fixed position in the MP3 file. There are mathematical methods to change certain bits throughout the MP3 file that affect the file hash yet have no audible effect during playback. A drawback to this solution is that some P2P networks may use the file checksum to identify a valid MP3 music file, instead of just by title. By changing this checksum these P2P networks will need to find another method for identifying known good files so users don’t waste their time downloading fake or corrupted files.
9. Using darknets: Creating and joining a hidden or “unplugged” network of P2P clients is probably the most private method of performing file sharing. Waste, MUTE, and FreeNet are some proposed methods for performing this activity. These disconnected networks of peers are not open to the general Internet, and clients cannot connect without knowledge of a secret key or password. Thus these “darknets” are highly resistant to privacy incursions by the RIAA or similar agents. MUTE is one of the newer file sharing clients to appear, and seems to be highly resistant to traffic tracing and logging. Each MUTE client generates a unique “virtual address” upon startup, and only that random ID is returned per client for all successful search requests. All MUTE traffic is also encrypted, thus rendering moot any packet sniffing attempts. And since each request packet (for searches) is routed through a network of peers only the next neighbor’s IP address could be discovered, which doesn’t matter because all file transfers are performed directly between peers.
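Item 8 turns on the fact that a whole-file checksum covers the tag metadata as well as the audio. The following is an added example, not code from the paper or from any fingerprinting vendor: it shows, from the matching side, why a whole-file MD5 stops matching after a tag edit while a hash taken over the audio bytes alone still matches. The sample bytes and all function names are constructed for illustration.

```python
import hashlib
import struct

def synchsafe(n):
    """4-byte ID3v2 size field: 7 significant bits per byte."""
    return bytes((n >> s) & 0x7F for s in (21, 14, 7, 0))

def build_sample(title, audio, with_v1=True):
    """Constructed MP3-like file: ID3v2.3 tag + audio bytes + optional ID3v1 trailer."""
    # One TIT2 text frame: id, 4-byte size, 2 flag bytes, encoding byte, text.
    frame = b"TIT2" + struct.pack(">I", len(title) + 1) + b"\x00\x00" + b"\x00" + title
    v2 = b"ID3\x03\x00\x00" + synchsafe(len(frame)) + frame
    v1 = (b"TAG" + title[:30]).ljust(128, b"\x00") if with_v1 else b""
    return v2 + audio + v1

def audio_payload(data):
    """Return the bytes between a leading ID3v2 tag and a trailing ID3v1 tag."""
    start, end = 0, len(data)
    if len(data) >= 10 and data[:3] == b"ID3" and all(b < 0x80 for b in data[6:10]):
        size = 0
        for b in data[6:10]:
            size = (size << 7) | b
        start = 10 + size
        if data[5] & 0x10:        # ID3v2.4 footer flag: 10 more bytes
            start += 10
        start = min(start, end)   # truncated file: no payload left
    if end - start >= 128 and data[end - 128:end - 125] == b"TAG":
        end -= 128
    return data[start:end]

def whole_file_md5(data):
    return hashlib.md5(data).hexdigest()

def payload_md5(data):
    return hashlib.md5(audio_payload(data)).hexdigest()

# Constructed stand-in for encoded audio (not a real recording).
AUDIO = b"\xff\xfb\x90\x00" + bytes(range(256)) * 8

def compare(a, b):
    """Report whether two files match by whole-file hash and by payload hash."""
    return {"whole_file_match": whole_file_md5(a) == whole_file_md5(b),
            "payload_match": payload_md5(a) == payload_md5(b)}

if __name__ == "__main__":
    original = build_sample(b"Track One", AUDIO)
    retagged = build_sample(b"Some other title", AUDIO, with_v1=False)
    print(compare(original, retagged))
```

A payload hash only survives metadata edits; any change to the audio bytes themselves changes it as well.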
The issues surrounding P2P file sharing freedoms and DRM are too complicated to offer a quick and simple solution. As technology becomes more complex and pervasive, it is obvious that copyright and intellectual property protection laws will always play catch-up. While copyright infringement runs rampant over the Internet, there exists a need for a secure DRM technique that also protects an individual’s privacy and allows for unfettered fair use of protected material. It is perhaps more important that a user’s fair-use rights be protected than that of a copyright holder’s control over their material. In this vein, the assumption of guilt for downloading copyrighted material must be changed to a presumption of innocence by the copyright holders such as the RIAA, MPAA, and their ilk. Until existing laws are amended to provide this much needed privacy protection, Internet users will need to protect themselves.
This protection would best be implemented as a series of concentric rings or levels around the user. Moving the privacy protection model from one that is network-based to one that is client-based might be a step in the right direction. IP-blocking tools like Peer Guardian and properly-tuned personal firewall software can prevent unwanted connections from any block of IP addresses desired. As new addresses to block are discovered they can easily be added to the blocking rules. Moving a level outward, the actual network traffic needs to be encrypted and proxies need to be employed so as to prevent sniffing tactics and name servers from returning useful trace data. Finally, by simply removing themselves directly off the Internet via the use of darknets, P2P users can ensure that the weakest link in their file trading hierarchy is themselves. By allowing only trusted partners into the darknet, they effectively prevent any outside privacy breaches from occurring. With a combination of new technology and new protective laws being ratified, the future of P2P file-sharing remains hopeful.
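The client-side IP blocking described above amounts to keeping a list of address ranges, merging new ranges into it, and testing each incoming address against it. The following is an added example, not code from Peer Guardian or from the paper; the `label:first-last` line format, the function names and the sample entries (taken from the RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample blocklist; addresses are RFC 5737 documentation ranges.
SAMPLE_BLOCKLIST = """\
# label:first-last
Example monitoring firm A:192.0.2.0-192.0.2.127
Example monitoring firm A (second block):192.0.2.128-192.0.2.255
Example scanner B:198.51.100.10-198.51.100.20
broken line without a range
"""

def parse_blocklist(text):
    """Parse 'label:first-last' lines into collapsed networks; return (nets, skipped)."""
    nets, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A label may itself contain ':', so split on the last one.
        _label, _sep, rng = line.rpartition(":")
        first, dash, last = rng.partition("-")
        try:
            if not dash:
                raise ValueError("no range")
            lo = ipaddress.IPv4Address(first.strip())
            hi = ipaddress.IPv4Address(last.strip())
            # Raises ValueError when lo > hi.
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        except ValueError:
            skipped.append(raw)   # keep malformed lines for review, do not guess
    # Adjacent and overlapping ranges merge into the smallest set of networks.
    return list(ipaddress.collapse_addresses(nets)), skipped

def add_range(nets, first, last):
    """Return a new collapsed list with the range first..last added."""
    new = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return list(ipaddress.collapse_addresses(list(nets) + list(new)))

def is_blocked(addr, nets):
    """True when addr falls inside any blocked network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

if __name__ == "__main__":
    rules, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    print([str(n) for n in rules], bad)
    for peer in ("192.0.2.200", "198.51.100.21"):
        print(peer, "blocked" if is_blocked(peer, rules) else "allowed")
```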
1. Supreme Court Decision: McIntyre v.
Available from HTTP://supct.law.cornell.edu/supct/html/93-986.ZO.html (accessed Sept., 2003)
2. Supreme Court Decision:
Available from HTTP://laws.findlaw.com/us/000/96-511.html (accessed Sept, 2003)
Available from HTTP://www4.law.cornell.edu/uscode/17/107.html (accessed Sept, 2003)
Available from HTTP://www.theregister.co.uk/content/54/25274.html (accessed Sept., 2003)
Marcus, Sandra. “Napster and Peer-to-Peer Music Exchange”.
Available from HTTP://web.utk.edu/~smarcus/History.html (accessed Sept., 2003)
7. Harbert, Eric F. “Signed, Sealed, Delivered: You're Mine”. UCLA Journal of Law & Technology Notes 12 (2003).
Available from HTTP://www.lawtechjournal.com/notes/2003/12_030730_Harbert.php (accessed Sept., 2003)
8. Unknown. PDF document: “Adobe and eBooks: Turning a new page in publishing”. September 1999.
Available from HTTP://www.adobe.com/products/acrobat/webbuy/pdfs/eBookWP12.pdf (accessed Sept., 2003)
9. Anonymous. “PDF 1.3 Encryption Explained”.
Available from HTTP://www-2.cs.cmu.edu/~dst/Adobe/Gallery/anon21jul01-pdf-encryption.txt (accessed Sept., 2003). See also Dave Touretzky’s webpage at HTTP://www-2.cs.cmu.edu/~dst/Adobe/Gallery/
Public Law 107-204. “Corporate and Criminal Fraud Accountability Act of 2002”.
Available from HTTP://thomas.loc.gov/cgi-bin/bdquery/z?d107:HR03763:|TOM:/bss/d107query.html (accessed Oct., 2003)
Grand, Rick. PDF document: “To Catch a Cyber Thief”.
Available from HTTP://www.cyveillance.com/web/downloads/To%20Catch%20a%20Thief.pdf (accessed Sept., 2003)
12. Beder, Sharon. “SLAPPs--Strategic Lawsuits Against Public Participation: Coming to a Controversy Near You”. Current Affairs Bulletin, vol.72, no. 3, Oct/Nov 1995, pp.22-29.
Available from HTTP://www.uow.edu.au/arts/sts/sbeder/SLAPPS.html (accessed Oct., 2003)
“Digital Theft Deterrence and Copyright Damages Improvement Act of 1999”. 106th Congress.
Available from HTTP://www.techlawjournal.com/cong106/copyright/s1257is.htm (accessed Oct., 2003)
14. Reply brief of Verizon, “Oral Argument Scheduled for
Available from HTTP://www.eff.org/Cases/RIAA_v_Verizon/20030717_verizon_reply_brief.pdf (accessed Oct., 2003)
15. Zolli, Andrew. “Monsters of Rock”. Wired, issue 11.09. Sept. 2003.
Available from HTTP://www.wired.com/wired/archive/11.09/start.html?pg=12 (accessed Oct., 2003)
Available from HTTP://www.law.cornell.edu/rules/frcp/Rule45.htm (accessed Oct., 2003)
17. Federal order granting MIT motion to quash subpoena.
Available from HTTP://merlin.raisethefist.com/riaa/order-080703.pdf (accessed Oct., 2003)
18. FindLaw Legal Dictionary. Search for definition of “tort”.
Available from HTTP://dictionary.lp.findlaw.com/scripts/results.pl?co=lawcrawler.findlaw.com&topic=71/71cf401e8052ec0c1c26e498c20fb9c3 (accessed Oct., 2003)
19. FindLaw for Business. Search for “trespass to chattels”.
Available from HTTP://sv.biz.findlaw.com/legal/tort3.html (accessed Oct., 2003)
20. Fifth Amendment to the Constitution of the United States of America. The 'Lectric Law Library's Legal Lexicon.
Available from HTTP://www.lectlaw.com/def/f083.htm (accessed Oct., 2003)
21. Katalov, Vladimir. “Press-release: Advanced Acrobat eBooks are NOT Really
Available from HTTP://www.planetpdf.com/mainpage.asp?webpageid=2393 (accessed Oct., 2003)
22. RIAA v. Verizon Case Archive.
Available from HTTP://www.eff.org/Cases/RIAA_v_Verizon (accessed Oct., 2003)
23. Associated Press. “RIAA Reveals Method to Madness”.
Available from HTTP://www.wired.com/news/digiwood/0,1412,60222,00.html (accessed Oct., 2003)
Available from HTTP://www.law.cornell.edu/treaties/berne/overview.html (accessed Nov., 2003)
25. BayTSP (Tracking-Security-Protection).
Available from HTTP://www.baytsp.com/solutions_copyright.html (accessed Nov., 2003)
Available from HTTP://www.mediasentry.com/about/technology.asp (accessed Nov., 2003)
27. Andrew, Beutler, Markham, et al. “The Copyright Crusade”. Winter/spring 2001.
Available from HTTP://www.ebcenter.org/download/Inf_Viant_CopyrightCrusade_feb02.pdf (accessed Nov., 2003)
28. Sperry Corporation Patent. “LZW Compression and GIF”.
Available from HTTP://www-cse.stanford.edu/classes/cs201/projects-99-00/software-patents/lzw.html (accessed Nov., 2003)
29. Union Square Wireless Map via www.nycwireless.net
Available from HTTP://www.nodedb.com/unitedstates/ny/newyork/view.php?nodeid=805 (accessed Dec., 2003)
30. Earth Station V P2P software.
Available from HTTP://www.earthstation5.com/benefits.html (accessed Dec., 2003)
31. The Onion Router Project web site, Department of Defense, U.S. Navy.
Available HTTP://www.onion-router.net/ (accessed Dec., 2003)
32. PDF document: “U.S. Court of Appeals decision reverses district court decision against Verizon,
Available from HTTP://pacer.cadc.uscourts.gov/docs/common/opinions/200312/03-7015a.pdf (accessed Dec., 2003)
33. “Author, Consumer, and Computer Owner Protection and Security Act of 2003”. 108th Congress.
Available from HTTP://thomas.loc.gov/cgi-bin/query/z?c108:H.R.2752: (accessed Jan., 2004)
Ryan. “Michael Jackson Slams ACCOPS Act”.
Available from HTTP://www.atnewyork.com/news/print.php/2238141 (accessed Jan., 2004)
35. “Consumer Broadband and Digital Television Promotion Act”. 107th
Available from HTTP://thomas.loc.gov/cgi-bin/query/z?c107:S.2048: (accessed Jan., 2004)
36. “Piracy Deterrence and Education Act of 2003”. 108th Congress.
Available from HTTP://thomas.loc.gov/cgi-bin/query/z?c108:H.R.2517: (accessed Jan., 2004)
37. PDF document: “Order Granting Defendants Grokster and StreamCast Networks Motions for Summary Judgement”. MGM Studios v. Grokster. Case numbers CV 01-08541-SVW & CV 01-09923-SVW.
Available from HTTP://www.eff.org/IP/P2P/MGM_v_Grokster/030425_order_on_motions.pdf (accessed Jan., 2004)
38. PDF document: “Defendant Grokster’s Memorandum in Support of Motion for Summary Judgement.” MGM Studios v. Grokster. Case number CV
Available from HTTP://www.eff.org/IP/P2P/MGM_v_Grokster/GROKSTER_MEMORANDUM.pdf (accessed Jan., 2004)
39. PDF document: “Appellee StreamCast Networks, Inc.’s Opening Brief”. Ninth Circuit Court of Appeals. Case numbers CV-01-08541-SVW & CV-01-09923-SVW.
Available from HTTP://www.eff.org/IP/P2P/MGM_v_Grokster/20030917_morpheus_appeal_brief.pdf (accessed Jan., 2004)
40. “Protecting Children from Peer-to-Peer Pornography Act of 2003”. 108th
Available from HTTP://www.theorator.com/bills108/hr2885.html (accessed Jan., 2004)
41. “To amend title 17, United States Code, to limit the liability of copyright owners for protecting their works on peer-to-peer networks”. 107th
Available from HTTP://thomas.loc.gov/cgi-bin/query/z?c107:H.R.5211: (accessed Jan., 2004)
42. PDF document: “Coleman to
Available from http://www.senate.gov/~govt-aff/_files/ColemanRIAALetter.pdf (accessed Jan., 2004)
43. PDF document: “RIAA to Coleman Response Letter”.
Available from HTTP://www.senate.gov/~govt-aff/_files/ACF5E9.pdf (accessed Jan., 2004)
44. “Digital Media Consumers' Rights Act of 2003”. 108th
Available from HTTP://www.theorator.com/bills108/hr107.html (accessed Jan., 2004)
45. “Online Privacy Protection Act of 2003”. 108th Congress.
Available from HTTP://thomas.loc.gov/cgi-bin/query/z?c108:H.R.69: (accessed Jan., 2004)
46. “Benefit Authors without Limiting Advancement or Net Consumer Expectations (BALANCE) Act of 2003”. 108th Congress.
Available from HTTP://thomas.loc.gov/cgi-bin/query/z?c108:H.R.1066: (accessed Jan., 2004)
Summary of the BALANCE Act of 2003.
Available from HTTP://thomas.loc.gov/cgi-bin/bdquery/z?d108:HR01066:@@@L&summ2=m& (accessed Jan., 2004)
48. “Global Internet Freedom Act”. 108th Congress.
Available from HTTP://thomas.loc.gov/cgi-bin/query/z?c108:H.R.48: (accessed Jan., 2004)
49. Summary of the Global Internet Freedom Act.
Available from HTTP://thomas.loc.gov/cgi-bin/bdquery/z?d108:HR00048:@@@D&summ2=m& (accessed Jan., 2004)
50. “Government Network Security Act of 2003”. 108th Congress.
Available from HTTP://thomas.loc.gov/cgi-bin/query/z?c108:H.R.3159: (accessed Jan., 2004)
51. “Computer Owners' Bill of Rights”. 108th Congress.
Available from HTTP://thomas.loc.gov/cgi-bin/query/z?c108:S.563: (accessed Jan., 2004)
52. Summary of the Computer Owners’ Bill of Rights.
Available from HTTP://thomas.loc.gov/cgi-bin/bdquery/z?d108:SN00563:@@@D&summ2=m& (accessed Jan., 2004)
53. “Digital Consumer Right to Know Act of 2003”. 108th
Available from HTTP://thomas.loc.gov/cgi-bin/query/z?c108:S.692: (accessed Jan., 2004)
54. Summary of the Digital Consumer Right to Know Act of 2003.
Available from HTTP://thomas.loc.gov/cgi-bin/bdquery/z?d108:SN00692:@@@D&summ2=m& (accessed Jan., 2004)
55. Dennis. “Kazaa changes its End User License Agreement to block RIAA”.
Available from HTTP://www.cdfreaks.com/news2.php?ID=8221 (accessed Feb., 2004)
56. raoulduke1. “Kazaa Owner Cleared to Sue Record Labels”.
Available from HTTP://www.boycott-riaa.com/article/10031 (accessed Feb., 2004)
63. Software. “Waste”.
HTTP://sourceforge.net/projects/waste (accessed Feb., 2004)
64. Software. “MUTE”.
HTTP://mute-net.sourceforge.net/ (accessed Feb., 2004)
65. Software. “FreeNet”.
HTTP://freenet.sourceforge.net/index.php (accessed Feb., 2004)
List (as of August 2003) of companies providing P2P identification services to the RIAA/MPAA: