Marshall University Challenges RIAA

NewYorkCountryLawyer writes "Marshall University, in Huntington, West Virginia, has become just the second US college or university to show the moxie to stand up for its students instead of instantly caving in to RIAA extortion. In February, Marshall, represented by the Attorney General of the State of West Virginia, made a motion to quash the RIAA's subpoena for student identities, pointing out in exquisite detail in its long-time IT guy's affidavit (PDF) the impossibility of identifying copyright 'infringers' based on the RIAA's meager evidence. Unfortunately, the Magistrate — under the mistaken impression that the RIAA isn't going to sue the identified students, but merely wants to talk to them — recommended that the subpoena be okayed by the District Judge (PDF). It is not yet known whether Marshall will be filing objections. The first US college or university known to have attacked the RIAA's subpoena was the University of Oregon, which — also represented by its state's Attorney General — made a motion to quash last November, and even questioned the legality of the RIAA's methods. The Oregon motion is still pending."

2nd university to show a movie?

[CrazyJim1 (809850)]

I'd want to see a movie that was counter RIAA. Then I reread it as moxie :(

Re:2nd university to show a movie?

[Farmer Tim (530755)]

I'd want to see a movie that was counter RIAA.

Soundtrack available through...oh, wait...

Re:

[Seto89 (986727)]

Soundtrack available through...

...Piratebay.org [thepiratebay.org] - the tracker that brought you titles such as "All your music" and "mkv - HD without Blu-ray"...
available NOW (764 seeds, 1132 leeches)

Re:

[Presto Vivace (882157)]

'd want to see a movie that was counter RIAA Might have a problem getting a studio to fund it.

Re:2nd university to show a movie?

[Zencyde (850968)]

Speaking of movies... modified quote:
Lower ranking RIAA lawyer: Oh no! The college students are revolting!
Higher ranking RIAA lawyer: We already know this.

Re:

[sconeu (64226)]

We are... MARSHALL!!!!!

Re:

[CSMatt (1175471)]

Search the Internet. Parodies abound. I can guarentee you that there is at least one person or group of people who both hate the RIAA and know how to make a good movie.

Re:

[adona1 (1078711)]

Check out this one [youtube.com] from The IT Crowd. Unsure whether it's prophetic of things to come, or just funny ;)

Hunh?

[belmolis (702863)]

Unless I have missed something, the magistrate judge's opinion is not based on the idea that the RIAA "merely wants to talk to" the students. Where does it say that?

Curiously, the magistrate judge's opinion does not even address the central issue, of whether the RIAA's evidence is sufficient to support the subpoena. It is devoted entirely to the question of whether the subpoena imposes an excessive burden on the university. His ruling that the university's burden is not great because it is merely required to produced the names of the students associated with the IP addresses, not to determine who was using the machines at the times of the alleged infringement,appears to be correct.

Re:

[gnick (1211984)]

Actually, the RIAA does not want to sue the students - It would much prefer to just talk to them. And threaten to sue them to extort $$$.

Re:Hunh?

[corsec67 (627446)]

Who says that an IP address can even be related to a specific computer, much less a person?

All the university would know is that something with a specific MAC address was using that IP at that specific time.

Since MAC addresses are spoofable, how can they be related to a specific person at all?

Re:Hunh?

[Sancho (17056)]

There's a chain of evidence which is used to get a person in many universities. It's the same way any ISP would track usage down to a specific user.

Users are typically registered. Usually in universities, this is accomplished through a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user. From there, it's trivial to tie the packets to the MAC--spoofing IP addresses is trivial on most networking equipment in use by universities (i.e. we're not talking crappy Linksys routers, here.) MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred. Even if it isn't explicitly blocked, it would be a special case that would need to be handled when trying to identify the student, but it is by no means a dealbreaker.

Of course, if the student is running a wireless access point, you run into problems. This is why some universities don't allow wireless access points to be connected to the network (they can't outright ban them due to FCC regulations) and the university agreements almost universally state that traffic originating from the student's port is considered to be the student's liability.

ISPs (including universities) have valid reasons for wanting to be able to track people down. It's unfortunate that the ability to track people down means that they can give up their information when the RIAA comes subpoenaing.

Re:Hunh?

[corsec67 (627446)]

What about University provided wifi?

At the University I went to, CU, the wifi was unsecured, aside from the MAC address check. Yes, I did have to register the MAC to me, but then the MAC address was broadcast in the open, and could easily be spoofed, which I have used in the past.

Agreed that over wired ethernet, it is much easier to prevent MAC spoofing, but what about wifi?

Re:

[Sancho (17056)]

Official wireless is probably a completely different beast. Lots of universities use WPA, for which spoofing will be irrelevant. If they're using an open network, I'd think that they'd be open to complaints and possible lawsuits if they gave up the names or otherwise tried to claim that a specific student was tied to a specific IP/MAC address. Then again, most students wouldn't know that spoofing was possible or likely.

It may be that high-end networking equipment can disable wireless connections originat

Re:

[immcintosh (1089551)]

I don't know about every university, but every one that I've used the network on is basically totally open. Can't recall ever having to authenticate or do anything other than simply plug in and go. That's how it was in the dorms I lived in (albeit 6 or so years ago), as well as the public access points (libraries) of my and other nearby universities.

I have no doubt there are universities that do more, but I sure wouldn't assume that to be the case by default. In fact, I've been to more than one univers

Re:

[Sancho (17056)]

Maybe I've been around mostly more technical universities? I can only think of one where student access was as easy as you're describing.

I do think that ease of communication is inherently necessary to the educational process, but I don't think that anonymous communication necessarily is.

Re:

[Skapare (16644)]

There's a chain of evidence which is used to get a person in many universities. It's the same way any ISP would track usage down to a specific user.

But not all universities are alike in how they structure their networks and allocate their resources. They are not even alike in how much resources they get. Marshall University is definitely one where costs are kept as low as they can get them. West Virginia is not one of the rich states.

Users are typically registered. Usually in universities, this is accomplished through a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user.

That would be so at that moment in time, no accounting for the issues involved with students using wireless over their dorm connections.

From there, it's trivial to tie the packets to the MAC--spoofing IP addresses is trivial on most networking equipment in use by universities (i.e. we're not talking crappy Linksys routers, here.) MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred.

It's not necessarily easy to block it, as that results in problems moving c

Re:

[SanityInAnarchy (655584)]

MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred.

Wait, what? How does this happen?

I mean, yes, it'd be somewhat more difficult if we're not on the same network, but there's always other networks, and wifi, on any sufficiently large campus. Besides, my understanding is that a switch can't know which nic actually "owns" that mac address, thus whoever had it first "wins" and gets the IP also.

And then, there's always the possibility of simply register

Re:

[Sancho (17056)]

When I was in school, our university tied MACS to IPs, and usernames to MACS. Spoofing a mac on a different network would mean that the tuple didn't match, meaning there is no false accusation. Spoofing a MAC prior to registering doesn't help because you provided a username/password at the time of the registration.
 

Re:

[Technician (215283)]

That's pretty surprising. What's the purpose of allowing access through that proxy server, but not full blown access?


Students need to log into school servers to use school resources. The www proxy is often not under that umbrella. Try it. An Ubuntu live CD works fine for a zero fingerprint session. Boot, set the browser to use autoproxy, and surf. No login ID or finerprints are left on the machine. BT and an external USB drive work fine.

Re:

[cdrudge (68377)]

I didn't read all the articles linked to, but the affidavit linked to specifically states that computers are authenticated via a MUNET account. So it's not just a MAC address but it's also a username and password. It seems to me that MU position is a little shaky as while indeed anyone could have stolen another users account or it was a shared computer, ultimately it still is the responsibility of the owner. I think a valid comparison could be drawn to if a gun is used in a crime. If the bullet can be t

Re:

[corsec67 (627446)]

Not quite.
Unless every single connection from the computer was authenticated to the MUNET account, all you would know is that a MAC address is registered to a MUNET account, and that a specific IP was assigned to a given MAC address through DHCP.

What you don't know is if the owner of the MUNET account owned the device that was sending out that MAC address at that time, just that the owner of the MUNET's computer defaults to a specific MAC address.

Do any universities require an encrypted tunnel of some sort

Re:

[CSMatt (1175471)]

You were supposed to use a car analogy.

Re:

[vux984 (928602)]

Bad analagy:

If a gun is used in a crime, and you have a body and a bullet, then yeah, you can go and talk to him. And if he doesn't want to talk? He doesn't have to. Unless you arrest him, in which case he gets a lawyer, and you have to release him if you dont' have at least some evidence he did something wrong that you can charge him with.

With these RIAA cases, we don't even have a *crime* here. Nevermind a bullet. Yet the ISP (university) is expected to hand over contact information without so much as bli

Re:

[shawn443 (882648)]

I disagree. Of course the standards of proof differ. At its simplest though, each type is two opposing sides trying to convince someone that their version of the event is the correct one. It depends on who believes what. Sometimes, even only circumstantial evidence is convincing enough.

Re:

[penguinbrat (711309)]

From the linked PDF...

"A significant part of this burden, however, stems from a mistaken belief that the University was required to determine who was 'using a given computer a given time'. By requiring plaintiffs to serve an amended subpoena making it clear that they seek only identifying information with respect to the person associated with the IP address at the date and time of the alleged infringing use, the perceived burden should be reduced."

Jeeze... Considering that an IP address is in all practical

Re:

[belmolis (702863)]

I don't disagree with you. I think that the RIAA's approach is ridiculous. My point is that that isn't what the decision addressed. All it talks about is the question of whether the subpoena imposes an excessive burden on the university.

Go WVa

[esocid (946821)]

Being a graduate of Virginia Tech, which received a letter for 36 John Does [collegiatetimes.com] earlier this year, which also refused to give names, I'm glad more universities are actually pushing back against this strong-arming. I don't think VT did anything in return to the RIAA, can't find anything else on it, but at least they didn't give in to their tactics.
Where's NewYorkCountyLawyer? FTFA

But, "Is he in for a surprise," says Recording Industry vs The People's Ray Beckerman.

Nice touch man.

Re:

[LMacG (118321)]

That's "Country". And what do you mean, where is he? He's what we like to call "the submitter".

Re:Go WVa

[NewYorkCountryLawyer (912032)]

That's "Country". And what do you mean, where is he? He's what we like to call "the submitter".

Thank you, LMacG.

What did you think of the IT guy's affidavit? I felt it was a model of clarity, explaining to the judge that the RIAA doesn't have a case against these kids. The IT guy at the University of Arizona did a good job on that same issue [blogspot.com] but the school, like idiots, just caved in and turned over the information, ignoring the motion to quash [blogspot.com] which one of the students had filed.

411

[whisper_jeff (680366)]

"...under the mistaken impression that the RIAA isn't going to sue the identified students, but merely wants to talk to them..."

What an idiotic impression. Even if it was a correct impression (how anyone who's done a hint of research on the situation could have that impression is beyond me...), I'd like to think that legal officials would discourage people from using the legal system as their publicly funded 411 service. This whole situation (the RIAA lawsuits as a whole) blows my mind more and more every day and not just because of how moronic the RIAA are. Sadly, they aren't the only idiots running around...

This is a shake down

[DrLang21 (900992)]

There is no way that the Magistrate actually believes that the RIAA does not intend to sue these students. No reasonable individual could possibly look at the recent history and believe that they had any intentions other than to demand a large settlement or to sue for even larger damage claims. If the Magistrate believes otherwise, their ability to perform their job should be brought into question.

Re:

[Sancho (17056)]

It gives the magistrate a political out, particularly if the RIAA lawyers were acting as officers of the court when they made that declaration.

Add one to the list of respectable u.s. colleges

[unity100 (970058)]

this riaa charade is letting every potential student worldwide know what university in u.s. is quality, what is university is dipshit when it comes to tradition, heritage and morals.

I Don't Get It

[Nom du Keyboard (633989)]

I've read the magistrate judge's order twice, and can't see where he is under the apparent impression that the RIAA only wants to sit down and have a friendly Father/Son chat with these college students.

But then there's this:

absent the identifying information from the university, plaintiffs simply cannot proceed with their lawsuit, establishes to the Court's satisfaction that Marshall University's obligation under the subpoena is not unduly burdensome.

That seems to make no logical sense at all. The judge seems to be saying that if Plaintiffs cannot proceed with their case otherwise, then there is no such thing as a subpoena that's too burdensome on non-party Marshall University.

Is this judge out of his freaking mind!!!

Re:

[evanbd (210358)]

It sounds to me like he is saying that subpoena is mildly burdensome, and that it would not be granted if the information was simply useful and not mandatory for the lawsuit. The same amount of burden could very reasonably be seen as reasonable and unreasonable in two different contexts, depending on how much the parties to the suit actually needed the information.

Re:

[esome (166227)]

That seems to make no logical sense at all. The judge seems to be saying that if Plaintiffs cannot proceed with their case otherwise, then there is no such thing as a subpoena that's too burdensome on non-party Marshall University.

Is this judge out of his freaking mind!!!

You're correct that the notion that the plaintiff's ability to proceed or not should have little bearing on the decision of whether or not the subpoena is overly burdensome. You've left out the first half of the argument though, that it's not burdensome because it only requires the names and IP addresses. The judge seems at best guilty of poor (maybe even deceptive) wording here. I see nothing wrong with the actual basis for his decision though. I mean, how burdensome is it to cough up the info?

Seriousl

Re:

[Nom du Keyboard (633989)]

I'll ask a dumb question: Why can't a system admin just copy the relevant logs to a disk, turn it over to the RIAA, and let them sort it out?

That wouldn't give the RIAA the information they're looking for. All the automatic logs attempt to do is match an IP address to a MAC (media access control) address on the remote device at the time in question. Who is the supposed owner of the equipment with that MAC address is in a second completely separate database, which contains most likely just student id num

Re:I Don't Get It

[NewYorkCountryLawyer (912032)]

1. The subpoena asked for the identity of the infringers.

2. The university argued it can't identify the infringers, and spelled out in the IT guy's affidavit why it's impossible, without conducting an elaborate investigation.

3. The magistrate ruled 'they're not asking you for the identities of the infringers', they just want to know who's associated with the IP address.

4. He is apparently unaware of the RIAA equation, "whoever is associated with the IP address" = "the defendant" = "the infringer". He is assuming the RIAA lawyers conduct themselves like real lawyers.

Re:

[pfleming (683342)]

IANAL but that's kinda how I read it too. Yes, they are asking for their identities.

Tomato, tomahto?

[klx (458077)]

FTFA:

Marshall argues ... that compliance ... would impose an undue burden on its limited resources. A significant part of this burden, however, stems from a mistaken belief that the University was required to determine who was âoeusing a given computer at a given time.â By ... making it clear that they seek only identifying information with respect to the person associated with the IP address at the date and time of the alleged infringing use, the perceived burden should be considerably reduced.

Ex

Re:

[NewYorkCountryLawyer (912032)]

Exactly how is finding "the person associated with [an] IP address at [a] date and time" different from determining who was "using a given computer at a given time"?

The person using the computer, if he were using it to commit copyright infringement, is an infringer, while the person whose internet access account would not be. If it were my internet access, but you plugged your laptop in at my dorm room, and used it to infringe someone's copyright, you would be the infringer, and I would be blameless. But I would be the one the RIAA sues. The Magistrate doesn't realize what morons he's dealing with. Marshall's IT guy is aware.

Diet counsel for Universities

[OpenSourced (323149)]

Eat lots of calcium! You might develop a backbone!

3 cheers for the WV AG

[Presto Vivace (882157)]

you know the RIAA is in trouble when elected politicians want to take them on.

Re:

[NewYorkCountryLawyer (912032)]

you know the RIAA is in trouble when elected politicians want to take them on.

I knew they were in trouble before that.

And I'm not very bright.

Re:

[Ossifer (703813)]

No, you're Spartacus!

Re:And even after all the years of these articles.

[sm62704 (957197)]

Thieves take without the owners' permission. Your "pirates" are uploading content they PAID for - exactly the opposiute of stealing. They're not breaking the law by taking, they're breaking the law by giving. In no way can copyright infringers be called "thieves".

A music thief is someone who steals CDs from Best Buy. A music thief is also someone who scams a recording artist he's signed a contract with out of all his royalties, like the music industry has done time and again.

Which label do you work for again, Mr. Cpward? Sony-BMG? If so, there's a special place in hell for you.

Re:And even after all the years of these articles.

[D Ninja (825055)]

Which label do you work for again, Mr. Cpward? Sony-BMG? If so, there's a special place in hell for you.

...where "Hit Me Baby One More Time" is on an infinite loop...

Re:

[Sancho (17056)]

First of all, they may not have paid for the content. It's quite likely that they uploaded the content that they themselves downloaded.

Second, while I dislike the comparison of copyright infringement to thievery, it is nonetheless illegal. It is likely less immoral, but that's not a judgement call that the government should be making.

Re:And even after all the years of these arti SUX!

[Nom du Keyboard (633989)]

A music thief is someone who steals CDs from Best Buy.

And the punishment (fines) for stealing that physical CD from Best Buy is one to several hundred times less than the statutory damages asked for and allowed under law ($750 to $150,000 PER TRACK) for online copyright infringement. Tell me how that makes any sense!

And the recording industry is lobbying hard to RAISE those statutory damage limits EVEN HIGHER.

I'm sorry, but they have an overly exaggerated view of the true value of their product.