net.wars: Strangers on the Net

by Wendy M Grossman | posted on 03 October 2003

New Scientist had a nice little coup this week when it ran a story I haven't seen elsewhere about an anonymously posted paper on an Australian Web site that points out flaws in the RIAA's evidence in the P2P cases. Europeans have so far been blissfully left out of the madness - though that won't last if the European Parliament votes the wrong way in the next couple of months - but as you all probably know, wherever you live, a scourge of subpoenas has been sent out to Americans from grandmothers to twelve-year-olds demanding huge sums of money in return for downloading or sharing copyrighted music.

Most people panic and settle. What would you do if you were faced with a demand for $150 million or thereabouts because your kid had been hanging out on KaZaA while you weren't even sure where the capitals went?

The RIAA's strategy is based on the fact that in order to transfer files from one remote computer to another, you have to directly connect the two, and therefore the IP address each is at must be known to the other machine. I haven't used KaZaA, but the file-sharing services I am familiar with vary greatly in how easy it is to identify the actual source of a file. BitTorrent, as far as I can tell, gives no information at all; eDonkey shows you weird identifying names and numbers. The average user searching for and pulling down files probably has no idea where they actually come from. IRC is used by a relatively small community these days, and most of them aren't journalists, so it gets little publicity. Plus, it's not the most user-friendly of environments, mIRC notwithstanding.

For these reasons, people serving up files on IRC seem to feel relatively safe doing it, even though their actual location is easily retrievable. Of course, the educated user who sets up something like TCPView will have no trouble seeing at once where the data is coming from on any system.

"P2P Entrapment - Incriminating Peer To Peer Network Users", written by "have2Banonymous" and dated September 27, 2003, appears to be a reasonable piece of work, though, as a poster points out on Slashdot, most of the attacks mooted seem implausible. The more important point, however, is that neither P2P networks nor the Internet protocols nor the ISPs' own systems were designed to provide rigorous identification of the people using them. That's why we have spoofing and a load of other problems.

Probably no one has ever audited ISPs' logs to establish the level of accuracy with which they note the times and dates a user has been assigned a particular IP address. It's not an issue for ISPs these days, because that's not how they bill; they bill a flat rate every month. (The old-style online information services, which charged by the hour, did of course have to keep accurate billing records, but those used the login and logout times; you didn't have an IP number.) Fixed-IP folks, like me with my ADSL service, obviously are easily matched to IP numbers. But that by itself isn't enough. Was I the person at home? Do I have the facilities to use these programs? We do know of at least one case of mistaken subpoena already.

If you want to protest these suits, by the way, the EFF has this handy petition you can sign before they send it off to Congress.

That said, I kind of agree with the guy who pointed out that if we really believe file-sharing shouldn't be illegal we should have the balls to stand up and be sued. I don't know how many people went to jail rather than serve in the Vietnam war, but I'm sure we've got more file-sharers than marched on Washington in 1968. Where would they put fifty million people who wanted to turn themselves in and serve their time? "What did you do in the net.wars, Daddy?" "I quit sharing Frank Sinatra songs as soon as I found out it was dangerous and argued that they couldn't prove it was me." Not much to tell the grandchildren, is it?

Meanwhile, in another part of the forest, the idea of "Trusted Computing" is beginning to take an ominous shape. This week also saw the publication of the EFF's analysis of the core principles upon which the two major initiatives in this area are converging.

Key to the EFF's objections to the way these ideas are going is the element of "remote attestation", which would essentially prevent software from being surreptitiously changed. So far, that's not a bad idea. But the EFF points out that potentially remote attestation could limit the control users have over their computers, treating them as a threat equal to an outside attacker. (Doesn't the owner as adversary sound like the kind of thing the technical support staff would think up?) In the EFF's examples, remote attestation could be abused to force computer owners to run specific software (like those sites today that just won't work in anything but Internet Explorer), limit interoperability, force upgrades, and enforce digital rights management. The RIAA (and MPAA) may soon not be the only people who presume we are all guilty unless proven innocent; our computers may do so, too.

Note to British readers: the rules on access to and retention of telecommunications data are due to be discussed on October 22 in a public meeting held at the LSE and hosted by Privacy International and the Foundation for Information Policy Research. Please read the announcement and RSVP as instructed there if you can make it.


Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).