Posted by surfside6 in on January 26, 2004 at 9:26 PM
http://www.businessweek.com/technology/content/jan2004/tc20040127_2819_tc047.htm
NOTHING BUT NET
By Alex Salkever
Big Music's Worst Move Yet
The RIAA's newest legal assault on file swappers is pushing them to encrypted networks, where the damage could become catastrophic
The music file-swapping masses got a fresh jolt of fear on Jan. 21 when the Recording Industry Association of America filed 532 lawsuits against alleged copyright infringers for downloading or sharing pirated tunes on the Internet. The suits made good on the RIAA's promise in December not to skip a beat in its legal war against music piracy.
That promise came after a U.S. appeals court in Washington, D.C., in December found that a federal law the RIAA used to force Internet service providers to cough up the identities of alleged file swappers is unconstitutional. The court ruled, essentially, that the provision violated due process.
In response, the RIAA shifted its attack to a more cumbersome form of lawsuits. In these so-called John Doe suits, RIAA lawyers file against an Internet protocol address (an ID that every computer connected to the Net has) that they believe is attached to a computer engaged in illegal file trading. Should the court deem the suit worthy of consideration, then the ISP used by that computer to access the Net could be forced to reveal the subscriber's identity.
LOST WAR. This is more time-consuming and costly than the procedure the Appeals Court shut down, which allowed any copyright holder to demand the identity of an ISP's customers without any proof of wrongdoing or any sort of due process. Even in the John Doe suits, it's not clear how much support the RIAA will get from ISPs already furious with it for earlier tactics that spooked subscribers and resulted in suits against clearly innocent parties.
One has to admit: The RIAA sure is tenacious in pursuing its strategy. What it doesn't seem to realize, though, is that it has already lost the war (see BW Online, 1/16/04, "Did Big Music Really Sink the Pirates?"). The recording industry's hardball tactics have fueled a technological shift that'll make it nearly impossible to pursue file swappers in the future.
How so? The culture of fear and loathing that the RIAA has created is starting to put encryption on the must-have list of every Joe and Jane Internet user. The results will be wide-ranging and will pose a threat to the movie industry, the software industry, and just about any other industry involved with the creation and sale of intellectual property.
TREADING LIGHTLY. The often-made argument that RIAA pressure would push file swappers to adopt more and more drastic means of evasion has been borne out over time. First came Napster, a system of centralized servers envisioned by Shawn Fanning. U.S. courts easily identified it as an enabler of copyright infringement due to the manner in which Napster's servers willingly facilitated illegal music file trading.
The next generation of file-swapping setups eliminated central servers and built peer-to-peer networks that directly connected file sharers to each other. These networks have proven far more impervious to lawsuits. The companies that make the software used to build these networks have had some success in arguing that they only build the tools and play no direct role in copyright violations that occur on these networks -- which could just as easily be used for legitimate purposes such as sharing personal photos, computer files, and other forms of noncopyrighted content.
Reluctant to toss the baby out with the bathwater, courts have tread lightly since file swapping is a new technology that could provide a useful service to society in the future as a venue for sharing and even selling information.
OBVIOUS FINGERPRINTS. That forced the RIAA and other copyright holders to go after the weak link in the chain: individual users. It did so with great gusto in the spring of 2003, unleashing a torrent of lawsuits and a fearsome public relations campaign.
This offensive against file swappers, however, hinged on a simple fact. The current generation of decentralized file-swapping networks makes little or no effort to mask the digital fingerprints of individual users. Researchers working for the RIAA can easily log onto the networks, download pirated songs, and note the IP addresses of particularly egregious file sharers. The RIAA defines those as anyone offering 800 or so songs for download.
By ripping off the thin veil of anonymity and hitting hundreds of users for thousands of dollars per case in settlement costs, the RIAA has inspired the most tangible fear yet seen among Web users -- something neither credit-card thieves, nor hackers, nor even the U.S. government has managed to inspire.
"DIAPHANOUS AT BEST." No one wants to open their mailbox and see a letter from the RIAA. Parents of school-age children live in terror of just such a letter and the potential costs to their family. In truth, however, the likelihood of the average user getting nailed remains very small, largely because the RIAA can't individually sue the millions of less prolific file swappers.
But media coverage of the suits has unleashed a frightening specter of the corporate Big Brother reaching out and swatting ordinary Net users. "The RIAA's successful extraction of user identity from Internet service providers makes it vividly clear that the veil of privacy enjoyed by the average Internet user is diaphanous at best, and that the obstacles to piercing that veil are much much lower than for, say, allowing the police to search your home or read your (physical) mail," writes cyber pundit Clay Shirky in an article entitled "The RIAA Succeeds Where the Cypherpunks Failed."
This atmosphere has now led to a new reality where encryption becomes expected and pervasive. While encrypted P2P file-sharing networks remain less polished and less popular than the unencrypted variety, the masses will inevitably switch to those protected networks if the RIAA continues to sue.
CODE CRACKERS. Then it'll have a lot of trouble because lawyers won't be enough. The industry group will need cryptographers and security experts to break the protocols used for cloaking the traffic in order to merely determine whether a song traveling on the Blubster, FreeNet, BitTorrent, or Earth Station 5 P2P network is pirated or an amateur recording with no copyright restrictions.
The RIAA will have to become a lot more like the code-cracking National Security Agency in an escalating cat-and-mouse game with programmers who write encrypted file-sharing network software. Establishing a viable code-cracking operation to tackle a wide variety of alleged offenders would require huge cash outlays and serious talent. The only successful nongovernment efforts to do this type of work to date have relied on giant networks of PCs linked together or clever researchers who find specific but relatively-easy-to-patch holes in encryption software. Building such a capability would cost the record labels many millions.
Beyond music, the RIAA's aggressive tactics have already contributed to a changed security landscape, where encryption is becoming more accessible to everyone. Apple Computer (AAPL) has built a drag-and-drop system where anything stored in the home folder can be easily guarded by potent 128-bit encryption.
STRONGER CURTAIN. Of course, this isn't a direct reaction to RIAA tactics. But Apple famously brags that it adds features its users ask for. And one can only imagine that at least some of the Apple users who asked for this capability had the RIAA in mind. And Skype, the free P2P Internet telephony network built by the former founders of KaZaA, has provisions for strong encryption. Perhaps most ominous to creators of copyrighted content, the shift to encrypted P2P networks will allow not only continued trading of pirated music but also of pirated software and movies.
Should Microsoft (MSFT), Intel (INTC), and others succeed in building a generation of computers with copyright controls built into the core operating system or onto the chips, then encryption will hardly help a pirate when an MP3 won't launch without a valid digital certificate. That scenario, however, remains highly unlikely, as the complications of accurately categorizing and reading each individual's copyrighted content, from old CDs to iTunes purchased online, are daunting at the least.
In the end, large chunks of computing and the Internet will go behind a much stronger curtain of anonymity, and the pirates will remain untouchable underground -- thanks to the RIAA's misguided legal missiles.
|
|
User Comments
compmore
|
Date: January 27, 2004 @ 12:53 AM
encryption, there are quite a few. it won't take long before one leads the pack. my guess would either be Morpheus or Sharezza
|
crawdd
|
Date: January 27, 2004 @ 1:00 AM
Doesn't this violate the DMCA? Or does that only apply when it helps them?
|
undeath
|
Date: January 27, 2004 @ 1:19 AM
The RIAA has been scanning a site I frequent with all legal music. They've been wasting everyone's bandwidth getting legal stuff via bittorrent trying to find something illegal. sharingthegroove.org is all legal, just like etree.org. There has been someone with Disney connecting to EVERY torrent and getting things. I don't think it's someone at the Disney corporation taking advantage of the T1 connection.
These are legal bootlegs traded and seeded within the community and trading circles. It's not illegal to own bootlegs. I dare them to try to shut the site down and sue the users. They'd fail miserably. They'd also run into a brick wall of artists who allow for their shows to be traded and downloaded. They're not official releases, yet the RIAA continues to scan the site. They've also been trying to get into my computer. Problem: they run into 2 firewalls. I don't want them in here planting files. I have nothing of interest to them.
Anyone else having a problem with these bastards?
|
gdZiemann
|
Date: January 27, 2004 @ 1:27 AM
"The music file-swapping masses got a fresh jolt of fear..."
Funny, there were several adjectives I would use to describe my response to the new suits from the RIAA. Indignation, disgust, anger, revulsion, all followed by amusement when I reminded myself that the RIAA has not yet successfully sued one consumer.
But fear... nah. Wasn't in there anywhere.
|
fjones987
|
Date: January 27, 2004 @ 1:38 AM
Fear? Nope, none here. Why should I be afraid? It's only a matter of time before one of these lawsuits goes to court, and even a half-witted lawyer could win the case for the filesharer with a multitude of defenses to choose from.
But by the time that happens, everything will be encrypted anyways, and breaking encryptions to invade privacy and seek personal information about a user is FAR more illegal than any copyright infringement. I continue to download mp3s and listen to them. Unfortunately since the RIAA is persisting in its criminal activities, I'm utilizing my constitutional rights as well as free choice to boycott the bastards. Sorry, not getting any money from me. Although if you stopped suing people, I *might* be inclined to buy a CD or two now and then, but it appears they don't want me to
|
undeath
|
Date: January 27, 2004 @ 1:45 AM
Exactly. I respect their wishes when it comes to this. If they don't want you to get the music, then don't. Simple as that.
|
captdunsel
|
Date: January 27, 2004 @ 2:55 AM
haven't bought any of their crap since about january of 2002. might be a long time before I do again.
|
independentm...
|
Date: January 27, 2004 @ 4:13 AM
I'm shakin in me boots
(actually, I got a song called "Shakin" that you can download and LISTEN TO and copy and distribute for free. Get it at garageband.com or iuma.com just search for Electric Gypsy at those sites. COMING TO D-MUSIC SOON! Yep, we of Electric Gypsy are gonna build a D-Music Site too! Happens SOON!)
Shmoo
|
furrball316
|
Date: January 27, 2004 @ 5:21 AM
This is interesting...I can't visit garageband.com if I have PeerGuardian running...I get a "page not found" error on IE and get this on PG:
Connection Rejected: 216.218.207.10 - Garageband NS1.BAYTSP.NET
If I remember correctly, aren't BayTSP a group of RIAA lackeys who were scanning Kazaa, Morpheus, etc for them?
|
undeath
|
Date: January 27, 2004 @ 7:20 AM
Yeah, I got that too. Anything like that I'm staying away from no matter what it is. So far the only addresses blocked are from BayTSP and Disney (they wasted the bandwidth of many a user).
|
ekted
|
Date: January 27, 2004 @ 9:17 AM
I don't see how encryption helps. If I d/l a song from you over an encrypted network, I still need to decrypt it when it's downloaded. Any RIAA lackey can login and do the same. How does encryption keep the RIAA out but allow every other Joe User in?
|
Svensta
|
Date: January 27, 2004 @ 9:59 AM
No Ekted, they aren't encrypting the file, but encrypting the transfer process. This way it's much more difficult for you to track down where precisely the file arrived FROM. Once it's on your system, it's your own problem.
I think the quick underground reply will be the founding of several large friendNets, wherein people must be invited in by the group, and there is no anonymous access. Still imperfect, but with all the open p2p systems up and running, the Association will be hardpressed to even have the ability to attack these.
Further... this entire process will doom them and I think they realize it. They are in the music industry. Changing gears like this and mastering new copyright protections and methods of attacking p2p software is NOT in line with their core corporate competencies and will not improve their bottom line, all the while draining their coffers. It's truly a bad move.
I would love to see what they will spend in developing cryptography divisions to combat this.
|
DeadMan2003
|
Date: January 27, 2004 @ 10:03 AM
It's a combination of encryption and other techniques on top of that that mask the originating IP address. 1. They try to find out your true IP. Nope. 2. They try to see what the data is going across IP ranges. Nope. MUTE is already up and running and works. Not many users on it yet but you can download files with relative ease and not too bad speed. Only trouble is its scalability. It might not be too good if it gets too big.
http://mute-net.sourceforge.net/
The one I am looking forward to is Tor. It uses similar ideas to MUTE but has some extra protection and works at the protocol level so a lot of non-secure apps can actually use it without or very little special upgrading. It's a variation on the onion ring protocol but is much much more secure and useable.
http://www.freehaven.net/tor
Waste is also anonymous but limited to only 50 users so is not really of use to most people.
Blubster has already promised and is working on anonymizing its users.
There will be others. It cannot be prevented now. The RIAA etc have stirred up a hornet's nest and when governments are looking back at why suddenly there are all these uncrackable networks around that the feds are having trouble monitoring they will have only those idiots and themselves to blame.
Long live freedom of information.
|
ekted
|
Date: January 27, 2004 @ 10:05 AM
Svensta, can you explain what you mean by "encrypting the transfer process"? I have a lot of experience programming network applications. I'd like to understand this. If you are receiving packets from another computer, you can ALWAYS get the IP address, because that is how packets are addressed. Otherwise, they have no way to reach you.
|
gdZiemann
|
Date: January 27, 2004 @ 10:08 AM
"How does encryption keep the RIAA out but allow every other Joe User in?"
It doesn't necessarily have to keep the RIAA out to be legal. By using any kind of encryption, you have suddenly added an access control, aka copy protection.
This means that if the RIAA bypasses your encryption, they have violated the DMCA.
|
ekted
|
Date: January 27, 2004 @ 10:13 AM
I went and read the spec for one of those links. It appears anonymity is achieved only by proxy (A->B->C). So when C receives a file, he has no idea it was A who sent it. However, C still knows B's IP address. It would seem to me from a legal point of view that B is complicit.
|
FewerInhibit...
|
Date: January 27, 2004 @ 10:55 AM
But don't you have to then determine what the file is for "B" to complicit. If you can't determine what type of file it was, then you can't determine the "b" was complicit. You know how time it would ake to determine what every encrypted file contained? Even the riaA doesn't have thattype of wealth.
|
FewerInhibit...
|
Date: January 27, 2004 @ 10:56 AM
Or that type of spell checking either. Sorry, was my first typing of the day. Haven't had my coffee yet.
|
BrandonH
|
Date: January 27, 2004 @ 11:03 AM
According to the article, "researcher" working for the RIAA would be the word to describe BayTSP. Of all the words in the English language, I find it odd that "researcher" is the best word they could use to describe companies such as BayTSP.
|
scayf
|
Date: January 27, 2004 @ 11:09 AM
DeadMan:
Yeah, I submitted the story about MUTE several days ago, but for some reason, it didn't get posted. I tried MUTE, but kept getting "Not Found" or "Failed" error messages when I tried to DL. You say it's working for you? I might try it again...
|
ekted
|
Date: January 27, 2004 @ 11:31 AM
I am RIAA lackey #7. I run Encrypted-p2p-app-of-the-day and download metallica.mp3. It turns out to be real. And I know I got the data for this file through IP address a.b.c.d. I don't know if that IP was sharing the original file or not, but I do know that it was complicit in the transfer.
|
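The relay chain debated in the comments above (A->B->C, what C can observe, and whether B can tell what it carried), as an added illustration that is not part of any commenter's post and is not MUTE's or Tor's actual protocol. It assumes generic layered relaying, a toy cipher standing in for a real one, keys agreed in advance, and constructed addresses and payload.

```python
import hashlib
from dataclasses import dataclass, field

def toy_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher; a stand-in for a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

@dataclass
class Node:
    name: str
    ip: str     # constructed address from a documentation range
    key: bytes  # key shared with the sender (assumed agreed in advance)
    seen_from: list = field(default_factory=list)   # source IPs this node observed
    seen_bytes: list = field(default_factory=list)  # data left after peeling its layer

def wrap(payload: bytes, path: list) -> bytes:
    """Build layers inside-out: innermost for the recipient, one per relay."""
    blob = toy_xor(path[-1].key, b"DELIVER|" + payload)
    for relay, nxt in zip(reversed(path[:-1]), reversed(path[1:])):
        blob = toy_xor(relay.key, nxt.ip.encode() + b"|" + blob)
    return blob

def send(sender_ip: str, blob: bytes, path: list) -> bytes:
    """Deliver hop by hop; each node logs the only source address it can see."""
    nodes = {n.ip: n for n in path}
    src, dst = sender_ip, path[0].ip
    while True:
        node = nodes[dst]
        node.seen_from.append(src)        # the packet's source is the previous hop
        plain = toy_xor(node.key, blob)   # peel this node's layer
        node.seen_bytes.append(plain)
        if plain.startswith(b"DELIVER|"):
            return plain[len(b"DELIVER|"):]
        next_ip, blob = plain.split(b"|", 1)  # a relay learns only the next hop
        src, dst = node.ip, next_ip.decode()

def run(relay_count: int):
    """Send one constructed payload from A to C through relay_count relays."""
    a_ip = "192.0.2.10"  # A, the original sharer
    relays = [Node(f"B{i}", f"198.51.100.{20 + i}", f"key-B{i}".encode())
              for i in range(relay_count)]
    c = Node("C", "203.0.113.30", b"key-C")  # the downloader or observer
    song = b"constructed sample payload, not a real file"
    got = send(a_ip, wrap(song, relays + [c]), relays + [c])
    return a_ip, relays, c, song, got

if __name__ == "__main__":
    a_ip, relays, c, song, got = run(2)
    for n in relays + [c]:
        print(n.name, "saw packets from", n.seen_from)
```

With one relay, B sees both A's and C's addresses but not the payload; with two or more, no single relay in this model sees both ends.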
RobuteGuilliman
|
Date: January 27, 2004 @ 11:45 AM
"Of all the words in the English language, I find it odd that "researcher" is the best word they could use to describe companies such as BayTSP."
You have to remember, most fair names for them would be too impolite to print.
|
PhantomGhost
|
Date: January 27, 2004 @ 12:50 PM
Interesting, a good perspective. I liked reading it.
:-:~ Phantom
|
Jierdan
|
Date: January 27, 2004 @ 2:10 PM
Try the URLs again but take off the at the end. Good article. I can't wait till the RIAA dies.
|
Jierdan
|
Date: January 27, 2004 @ 2:12 PM
take off the br at the end
|
seraphielx
|
Date: January 27, 2004 @ 3:44 PM
Connection Rejected: 216.218.207.10 - Garageband NS1.BAYTSP.NET
sorry about that but i found that a few months ago if you check this out...
Pinging NS1.BAYTSP.NET [216.218.207.18] with 32 bytes of data
Garageband HURRICANE-CE0712-261 (NET-216-218-207-0-1)
216.218.207.0 - 216.218.207.63
any more questions?
|
Svensta
|
Date: January 27, 2004 @ 4:34 PM
Ekted, I was giving you the layman's explanations, because I thought you were a relative technical newbie. I myself am in networking applications and I have asked myself your questions many times. I do not see a feasible way to protect the anonymity of file transfers, save the p2p2p model, and as you point out, there will be SOME complicity therein, leaving someone holding the bag.
The bottom line is that there is no root privacy, unless you can actually mask your ip and mac through your own proxy. It can be done, but then, on the casual end-user level, this is an impossibility in reality.
I am very curious to see what the next generation of anonymizers is capable of.
|
DarkhorseX
|
Date: January 27, 2004 @ 5:23 PM
The thing is. They could proxy it through one of their computers, with MUTE installed, but as far as downloading goes, they leave it blank. That would leave RIAA holding the bag.
Similar tactics could be used by other p2p's.
|
Critto
|
Date: January 27, 2004 @ 5:38 PM
"In the end, large chunks of computing and the Internet will go behind a much stronger curtain of anonymity, and the pirates will remain untouchable underground -- thanks to the RIAA's misguided legal missiles. "
YEE-HAH!! As Nietzsche said, "what doesn't kill us, empowers us". The RIAA's tactics will bring about the new generation of filesharers, whose activities will be invulnerable, untraceable and invisible. Viva Encryption!
Cheerz,
Critto, non-sharer
|
TheTap
|
Date: January 27, 2004 @ 7:10 PM
Svensta wrote:
"I think the quick underground reply will be the founding of several large friendNets, wherein people must be invited in by the group, and there is no anonymous access."
I already see this at my son's college where private BadBlue HTTP networks have cropped up and entrance is by invitation only. There are also private FTP networks running WarFTP that also require a name and password. This has two endearing effects. First, it bypasses the entry level University security that tries to stop traffic to WinMX or Kazaa by denying access to those networks. Second, the invitation only networks running on random ports would be nearly impossible to detect, and very hard to identify, save an inside job.
|
autodidact
|
Date: January 27, 2004 @ 10:03 PM
Private networks -- here is a tool that some might want to use to set up a private messaging and file-sharing net.
www.foopchat.com Freeware.
It is not p2p, because files must be temporarily stored on the central server, then retrieved by others, however, since this is a private network, if you don't invite the RIAA, they won't be at your party.
A friend of a friend of mine wrote this program, and I helped a little in the beta testing stage. It seems to do what is advertised. The price is right.
Messaging is encrypted with CES (I think). That isn't a high-level encryption, but better than nothing at all.
|