Marshall University Challenges RIAA

NewYorkCountryLawyer writes "Marshall University, in Huntington, West Virginia, has become just the second US college or university to show the moxie to stand up for its students instead of instantly caving in to RIAA extortion. In February, Marshall, represented by the Attorney General of the State of West Virginia, made a motion to quash the RIAA's subpoena for student identities, pointing out in exquisite detail in its long-time IT guy's affidavit (PDF) the impossibility of identifying copyright 'infringers' based on the RIAA's meager evidence. Unfortunately, the Magistrate — under the mistaken impression that the RIAA isn't going to sue the identified students, but merely wants to talk to them — recommended that the subpoena be okayed by the District Judge (PDF). It is not yet known whether Marshall will be filing objections. The first US college or university known to have attacked the RIAA's subpoena was the University of Oregon, which — also represented by its state's Attorney General — made a motion to quash last November, and even questioned the legality of the RIAA's methods. The Oregon motion is still pending."

Hunh?

[belmolis]

Unless I have missed something, the magistrate judge's opinion is not based on the idea that the RIAA "merely wants to talk to" the students. Where does it say that?

Curiously, the magistrate judge's opinion does not even address the central issue, of whether the RIAA's evidence is sufficient to support the subpoena. It is devoted entirely to the question of whether the subpoena imposes an excessive burden on the university. His ruling that the university's burden is not great because it is merely required to produced the names of the students associated with the IP addresses, not to determine who was using the machines at the times of the alleged infringement,appears to be correct.

Re:Hunh?

[gnick]

Actually, the RIAA does not want to sue the students - It would much prefer to just talk to them. And threaten to sue them to extort $$$.

Re:Hunh?

[corsec67]

Who says that an IP address can even be related to a specific computer, much less a person?

All the university would know is that something with a specific MAC address was using that IP at that specific time.

Since MAC addresses are spoofable, how can they be related to a specific person at all?

Re:Hunh?

[Sancho]

There's a chain of evidence which is used to get a person in many universities. It's the same way any ISP would track usage down to a specific user.

Users are typically registered. Usually in universities, this is accomplished through a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user. From there, it's trivial to tie the packets to the MAC--spoofing IP addresses is trivial on most networking equipment in use by universities (i.e. we're not talking crappy Linksys routers, here.) MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred. Even if it isn't explicitly blocked, it would be a special case that would need to be handled when trying to identify the student, but it is by no means a dealbreaker.

Of course, if the student is running a wireless access point, you run into problems. This is why some universities don't allow wireless access points to be connected to the network (they can't outright ban them due to FCC regulations) and the university agreements almost universally state that traffic originating from the student's port is considered to be the student's liability.

ISPs (including universities) have valid reasons for wanting to be able to track people down. It's unfortunate that the ability to track people down means that they can give up their information when the RIAA comes subpoenaing.

411

[whisper_jeff]

"...under the mistaken impression that the RIAA isn't going to sue the identified students, but merely wants to talk to them..."

What an idiotic impression. Even if it was a correct impression (how anyone who's done a hint of research on the situation could have that impression is beyond me...), I'd like to think that legal officials would discourage people from using the legal system as their publicly funded 411 service. This whole situation (the RIAA lawsuits as a whole) blows my mind more and more every day and not just because of how moronic the RIAA are. Sadly, they aren't the only idiots running around...

This is a shake down

[DrLang21]

There is no way that the Magistrate actually believes that the RIAA does not intend to sue these students. No reasonable individual could possibly look at the recent history and believe that they had any intentions other than to demand a large settlement or to sue for even larger damage claims. If the Magistrate believes otherwise, their ability to perform their job should be brought into question.

Re:Hunh?

[immcintosh]

I don't know about every university, but every one that I've used the network on is basically totally open. Can't recall ever having to authenticate or do anything other than simply plug in and go. That's how it was in the dorms I lived in (albeit 6 or so years ago), as well as the public access points (libraries) of my and other nearby universities.

I have no doubt there are universities that do more, but I sure wouldn't assume that to be the case by default. In fact, I've been to more than one university that had unsecured wireless access pretty easily available from common public locations, and the argument that such a situation is actually beneficial to the educational process seems an easy one to make.

Re:3 cheers for the WV AG

[NewYorkCountryLawyer]

you know the RIAA is in trouble when elected politicians want to take them on.

I knew they were in trouble before that.

And I'm not very bright.

Re:Hunh?

[Skapare]

There's a chain of evidence which is used to get a person in many universities. It's the same way any ISP would track usage down to a specific user.

But not all universities are alike in how they structure their networks and allocate their resources. They are not even alike in how much resources they get. Marshall University is definitely one where costs are kept as low as they can get them. West Virginia is not one of the rich states.

Users are typically registered. Usually in universities, this is accomplished through a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user.

That would be so at that moment in time, no accounting for the issues involved with students using wireless over their dorm connections.

From there, it's trivial to tie the packets to the MAC--spoofing IP addresses is trivial on most networking equipment in use by universities (i.e. we're not talking crappy Linksys routers, here.) MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred.

It's not necessarily easy to block it, as that results in problems moving computers around. And not all switches can block it. Low priced switches, much like a low resource university would have to buy, probably don't have the ability.

Even if it isn't explicitly blocked, it would be a special case that would need to be handled when trying to identify the student, but it is by no means a dealbreaker.

What it means is that after the student who logged in shuts their computer off, another computer that was pinging them to see when they shut off can immediately impersonate that MAC address. Even if most users properly signoff before shutting down or pulling the plug, it only takes a few that don't for someone wanting to run anonymously to do that every now and then.

Of course, if the student is running a wireless access point, you run into problems. This is why some universities don't allow wireless access points to be connected to the network (they can't outright ban them due to FCC regulations) and the university agreements almost universally state that traffic originating from the student's port is considered to be the student's liability.

Then there is the issue that you have multiple students working from the same port. At least 2 live in each room in most of the rooms. There are a few singles and triples there (I went to school at Marshall for 3 years and lived in the dorms for 2 of those years ... I know how at least the ones that were there then are organized). So you can at least have 2 students using one port at a time. And it is typical for students with laptops/notebooks to roam around or get together with others in different rooms to collaborate on various projects, school related or not. Student run access points make that so much simpler. Now I don't know if Marshall has every floor in every dorm covered with wireless, but they could see it as a cost savings by NOT doing so, knowing that the students themselves will provide localized access at no cost to the school.

ISPs (including universities) have valid reasons for wanting to be able to track people down. It's unfortunate that the ability to track people down means that they can give up their information when the RIAA comes subpoenaing.

That may be a good goal, but it's generally not practical in a resource limited situation. They may consider it more important to be sure outsiders are not using the network than it is to exactly know who sent each and every packet by its IP address. Knowing that 99% of traffic was carried out by some authorized person on campus may be sufficient. Being able to block that 1% of other traffic might not be worth the cost. Being able to track any instance of traffic to a specific person might not be worth the cost. And i

Re:Hunh?

[SanityInAnarchy]

MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred.

Wait, what? How does this happen?

I mean, yes, it'd be somewhat more difficult if we're not on the same network, but there's always other networks, and wifi, on any sufficiently large campus. Besides, my understanding is that a switch can't know which nic actually "owns" that mac address, thus whoever had it first "wins" and gets the IP also.

And then, there's always the possibility of simply registering a spoofed address on purpose, knowing I can then un-spoof it if I'm caught, and claim that it wasn't my laptop.

This is why some universities don't allow wireless access points to be connected to the network

And some universities provide their own wireless access points. Some of them even allocate real, Internet-visible ipv4 addresses to every laptop.