Forgot your password?
typodupeerror
The Courts Government News Your Rights Online

Marshall University Challenges RIAA 117

Posted by kdawson
from the mixed-results dept.
NewYorkCountryLawyer writes "Marshall University, in Huntington, West Virginia, has become just the second US college or university to show the moxie to stand up for its students instead of instantly caving in to RIAA extortion. In February, Marshall, represented by the Attorney General of the State of West Virginia, made a motion to quash the RIAA's subpoena for student identities, pointing out in exquisite detail in its long-time IT guy's affidavit (PDF) the impossibility of identifying copyright 'infringers' based on the RIAA's meager evidence. Unfortunately, the Magistrate — under the mistaken impression that the RIAA isn't going to sue the identified students, but merely wants to talk to them — recommended that the subpoena be okayed by the District Judge (PDF). It is not yet known whether Marshall will be filing objections. The first US college or university known to have attacked the RIAA's subpoena was the University of Oregon, which — also represented by its state's Attorney General — made a motion to quash last November, and even questioned the legality of the RIAA's methods. The Oregon motion is still pending."
This discussion has been archived. No new comments can be posted.

Marshall University Challenges RIAA

Comments Filter:
  • I'd want to see a movie that was counter RIAA. Then I reread it as moxie :(
  • Hunh? (Score:4, Insightful)

    by belmolis (702863) <`billposer' `at' `alum.mit.edu'> on Tuesday April 22, 2008 @04:14PM (#23163128) Homepage

    Unless I have missed something, the magistrate judge's opinion is not based on the idea that the RIAA "merely wants to talk to" the students. Where does it say that?

    Curiously, the magistrate judge's opinion does not even address the central issue, of whether the RIAA's evidence is sufficient to support the subpoena. It is devoted entirely to the question of whether the subpoena imposes an excessive burden on the university. His ruling that the university's burden is not great because it is merely required to produced the names of the students associated with the IP addresses, not to determine who was using the machines at the times of the alleged infringement,appears to be correct.

    • Re: (Score:3, Insightful)

      by gnick (1211984)
      Actually, the RIAA does not want to sue the students - It would much prefer to just talk to them. And threaten to sue them to extort $$$.
    • Re:Hunh? (Score:5, Insightful)

      by corsec67 (627446) on Tuesday April 22, 2008 @04:18PM (#23163184) Homepage Journal
      Who says that an IP address can even be related to a specific computer, much less a person?

      All the university would know is that something with a specific MAC address was using that IP at that specific time.

      Since MAC addresses are spoofable, how can they be related to a specific person at all?
      • Re:Hunh? (Score:4, Insightful)

        by Sancho (17056) * on Tuesday April 22, 2008 @04:28PM (#23163288) Homepage
        There's a chain of evidence which is used to get a person in many universities. It's the same way any ISP would track usage down to a specific user.

        Users are typically registered. Usually in universities, this is accomplished through a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user. From there, it's trivial to tie the packets to the MAC--spoofing IP addresses is trivial on most networking equipment in use by universities (i.e. we're not talking crappy Linksys routers, here.) MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred. Even if it isn't explicitly blocked, it would be a special case that would need to be handled when trying to identify the student, but it is by no means a dealbreaker.

        Of course, if the student is running a wireless access point, you run into problems. This is why some universities don't allow wireless access points to be connected to the network (they can't outright ban them due to FCC regulations) and the university agreements almost universally state that traffic originating from the student's port is considered to be the student's liability.

        ISPs (including universities) have valid reasons for wanting to be able to track people down. It's unfortunate that the ability to track people down means that they can give up their information when the RIAA comes subpoenaing.
        • Re:Hunh? (Score:4, Informative)

          by corsec67 (627446) on Tuesday April 22, 2008 @04:33PM (#23163336) Homepage Journal
          What about University provided wifi?

          At the University I went to, CU, the wifi was unsecured, aside from the MAC address check. Yes, I did have to register the MAC to me, but then the MAC address was broadcast in the open, and could easily be spoofed, which I have used in the past.

          Agreed that over wired ethernet, it is much easier to prevent MAC spoofing, but what about wifi?
          • Re: (Score:3, Interesting)

            by Sancho (17056) *
            Official wireless is probably a completely different beast. Lots of universities use WPA, for which spoofing will be irrelevant. If they're using an open network, I'd think that they'd be open to complaints and possible lawsuits if they gave up the names or otherwise tried to claim that a specific student was tied to a specific IP/MAC address. Then again, most students wouldn't know that spoofing was possible or likely.

            It may be that high-end networking equipment can disable wireless connections originat
            • by DrkShadow (72055)
              Even if they trace macs, record users, verify with username and password, etc etc, the only way to secure it would be to run everything through a VPN that they sign on to when they connect to the wireless net.

              At my University, they certainly have you use your university username and password to sign on to the wireless network. At that time, it associates your IP address with your user ID and password, and probably your mac, and lets the IP address access the internet.

              As the IP address is nothing special (no
              • by Sancho (17056) *
                I believe that WPA has a similar concept to sessions, which won't be hijackable unless the sniffer has managed to crack the session key. I'd have to go back and read through some of the literature again to refresh my memory, though. It's entirely possible that I'm misremembering that.
              • by Sancho (17056) *
                Oh, sorry, I realize now that you were referring to the part of my post which had to do with open networks and network equipment blocking duplicate MACs.

                Yes, it would be a problem which would require much more thought. Since 802.11(abgn) is a fairly chatty protocol, you could probably manage by having a fairly short timeout. With a minimal period of time during which a spoofer could act, you'd eliminate a lot of problems. Further, wireless networking cards can be profiled and identified, so you could add
        • Re: (Score:3, Insightful)

          by immcintosh (1089551)

          I don't know about every university, but every one that I've used the network on is basically totally open. Can't recall ever having to authenticate or do anything other than simply plug in and go. That's how it was in the dorms I lived in (albeit 6 or so years ago), as well as the public access points (libraries) of my and other nearby universities.

          I have no doubt there are universities that do more, but I sure wouldn't assume that to be the case by default. In fact, I've been to more than one univers

          • by Sancho (17056) *
            Maybe I've been around mostly more technical universities? I can only think of one where student access was as easy as you're describing.

            I do think that ease of communication is inherently necessary to the educational process, but I don't think that anonymous communication necessarily is.
          • by penix1 (722987)
            Marshall University requires logins to connect both in the dorms and in the computer labs (5 that I remember). The only place where you can IIRC is the new library. The computer labs in Corbly Hall are especially locked down since that was the home of the CS department.

            According to the local paper, The Harald-Dispatch (Harald-Disgrace to us locals) the subpoena was issued because Marshall had already turned some names in then stopped when other universities started challenging. The argument made was then if
        • Re: (Score:3, Insightful)

          by Skapare (16644)

          There's a chain of evidence which is used to get a person in many universities. It's the same way any ISP would track usage down to a specific user.

          But not all universities are alike in how they structure their networks and allocate their resources. They are not even alike in how much resources they get. Marshall University is definitely one where costs are kept as low as they can get them. West Virginia is not one of the rich states.

          Users are typically registered. Usually in universities, this is accomplished through a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user.

          That would be so at that moment in time, no accounting for the issues involved with students using wireless over their dorm connections.

          From there, it's trivial to tie the packets to the MAC--spoofing IP addresses is trivial on most networking equipment in use by universities (i.e. we're not talking crappy Linksys routers, here.) MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred.

          It's not necessarily easy to block it, as that results in problems moving c

        • Re: (Score:3, Insightful)

          MAC spoofing is rare, but also quite easy to block on the switch, long before any damning traffic occurred.

          Wait, what? How does this happen?

          I mean, yes, it'd be somewhat more difficult if we're not on the same network, but there's always other networks, and wifi, on any sufficiently large campus. Besides, my understanding is that a switch can't know which nic actually "owns" that mac address, thus whoever had it first "wins" and gets the IP also.

          And then, there's always the possibility of simply register

          • by Sancho (17056) *
            When I was in school, our university tied MACS to IPs, and usernames to MACS. Spoofing a mac on a different network would mean that the tuple didn't match, meaning there is no false accusation. Spoofing a MAC prior to registering doesn't help because you provided a username/password at the time of the registration.
             
            • our university tied MACS to IPs, and usernames to MACS.

              Makes sense...

              Spoofing a mac on a different network would mean that the tuple didn't match

              This I don't get. Are you not allowed to move between networks?

              See, I could physically plug my laptop into anywhere on campus, and expect it to work. Or I could turn on the wireless -- different mac address, but bound to the same username and IP -- and expect it to work.

              But I didn't have to login every time. Therefore, someone else could easily have spoofed my

        • On some universities, the login is simply for the campus network.

          Users are typically registered. Usually in universities, this is accomplished through a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user. From there, it's trivial to tie the packets to the MAC--spoofing IP addresses is trivial on most networking equipment in use by universities (i.e. we're not talking crappy Linksys routers, here.) MAC spoofing is rare, but also quite easy to bloc
          • by Sancho (17056) *
            That's pretty surprising. What's the purpose of allowing access through that proxy server, but not full blown access?
            • Re: (Score:3, Informative)

              by Technician (215283)
              That's pretty surprising. What's the purpose of allowing access through that proxy server, but not full blown access?


              Students need to log into school servers to use school resources. The www proxy is often not under that umbrella. Try it. An Ubuntu live CD works fine for a zero fingerprint session. Boot, set the browser to use autoproxy, and surf. No login ID or finerprints are left on the machine. BT and an external USB drive work fine.
        • a captive portal which records the MAC and username (authenticated with a password.) This ties the MAC to the user.

          Out of curiosity, how do you make the logical jump from recording the username and the MAC to tying the MAC to the user? At best, you can tie the MAC to the username because that is all you have recorded.

          A username does not uniquely identify the actual user of a given system any more than an IP address would. I believe that your premise is false.
          • by Sancho (17056) *
            In the university rules, the anything done with the username is considered to be the liability of the user. I don't know if this is enforceable, but for the purposes of discussion, it's enough.
      • Re: (Score:3, Interesting)

        by cdrudge (68377)
        I didn't read all the articles linked to, but the affidavit linked to specifically states that computers are authenticated via a MUNET account. So it's not just a MAC address but it's also a username and password. It seems to me that MU position is a little shaky as while indeed anyone could have stolen another users account or it was a shared computer, ultimately it still is the responsibility of the owner. I think a valid comparison could be drawn to if a gun is used in a crime. If the bullet can be t
        • by corsec67 (627446)
          Not quite.
          Unless every single connection from the computer was authenticated to the MUNET account, all you would know is that a MAC address is registered to a MUNET account, and that a specific IP was assigned to a given MAC address through DHCP.

          What you don't know is if the owner of the MUNET account owned the device that was sending out that MAC address at that time, just that the owner of the MUNET's computer defaults to a specific MAC address.

          Do any universities require an encrypted tunnel of some sort
        • by CSMatt (1175471)
          You were supposed to use a car analogy.
          • The RIAA is saying that they have a pedistrian who was potentially infringed upon by a car. They also supposedly know the make, colour, model and the license plate of the car that was at the scene.

            The subpeona is to get the name the of the person owning the car. However it doesn't prove who was driving it.

            Also to note, that having the make, model, colour and license plate of the car doesn't actually mean the car belonged to someone or was in fact real. In fact, it could have all been faked.

            As well, at

        • Re: (Score:3, Interesting)

          by vux984 (928602)
          Bad analagy:

          If a gun is used in a crime, and you have a body and a bullet, then yeah, you can go and talk to him. And if he doesn't want to talk? He doesn't have to. Unless you arrest him, in which case he gets a lawyer, and you have to release him if you dont' have at least some evidence he did something wrong that you can charge him with.

          With these RIAA cases, we don't even have a *crime* here. Nevermind a bullet. Yet the ISP (university) is expected to hand over contact information without so much as bli
      • by Gm4n (1139093)

        Who says that an IP address can even be related to a specific computer, much less a person?

        The universities. The standard at several universities I've visited is a MAC filtered wired (and wireless) network; you "register" your computer in connection to your school login/password, tying the MAC address (and therefore, the issued IP) directly to your account.

        Since MAC addresses are spoofable, how can they be related to a specific person at all?

        Exactly the problem, but that might not be taken into consideration in a courtroom.

      • From the linked PDF...

        "A significant part of this burden, however, stems from a mistaken belief that the University was required to determine who was 'using a given computer a given time'. By requiring plaintiffs to serve an amended subpoena making it clear that they seek only identifying information with respect to the person associated with the IP address at the date and time of the alleged infringing use, the perceived burden should be reduced."

        Jeeze... Considering that an IP address is in all practical
      • by belmolis (702863)

        I don't disagree with you. I think that the RIAA's approach is ridiculous. My point is that that isn't what the decision addressed. All it talks about is the question of whether the subpoena imposes an excessive burden on the university.

  • by esocid (946821)
    Being a graduate of Virginia Tech, which received a letter for 36 John Does [collegiatetimes.com] earlier this year, which also refused to give names, I'm glad more universities are actually pushing back against this strong-arming. I don't think VT did anything in return to the RIAA, can't find anything else on it, but at least they didn't give in to their tactics.
    Where's NewYorkCountyLawyer? FTFA

    But, "Is he in for a surprise," says Recording Industry vs The People's Ray Beckerman.

    Nice touch man.

  • 411 (Score:3, Insightful)

    by whisper_jeff (680366) on Tuesday April 22, 2008 @04:35PM (#23163370)
    "...under the mistaken impression that the RIAA isn't going to sue the identified students, but merely wants to talk to them..."

    What an idiotic impression. Even if it was a correct impression (how anyone who's done a hint of research on the situation could have that impression is beyond me...), I'd like to think that legal officials would discourage people from using the legal system as their publicly funded 411 service. This whole situation (the RIAA lawsuits as a whole) blows my mind more and more every day and not just because of how moronic the RIAA are. Sadly, they aren't the only idiots running around...
  • by DrLang21 (900992) on Tuesday April 22, 2008 @04:39PM (#23163412)
    There is no way that the Magistrate actually believes that the RIAA does not intend to sue these students. No reasonable individual could possibly look at the recent history and believe that they had any intentions other than to demand a large settlement or to sue for even larger damage claims. If the Magistrate believes otherwise, their ability to perform their job should be brought into question.
    • by Sancho (17056) *
      It gives the magistrate a political out, particularly if the RIAA lawyers were acting as officers of the court when they made that declaration.
    • There is no way that the Magistrate actually believes that the RIAA does not intend to sue these students.

      The RIAA damn well better intended to sue some students, or else why the hell are they wasting the courts' time with subpoenas?
  • WE ARE
    MARSHALL
  • this riaa charade is letting every potential student worldwide know what university in u.s. is quality, what is university is dipshit when it comes to tradition, heritage and morals.
  • I Don't Get It (Score:3, Interesting)

    by Nom du Keyboard (633989) on Tuesday April 22, 2008 @05:00PM (#23163654)
    I've read the magistrate judge's order twice, and can't see where he is under the apparent impression that the RIAA only wants to sit down and have a friendly Father/Son chat with these college students.

    But then there's this:

    absent the identifying information from the university, plaintiffs simply cannot proceed with their lawsuit, establishes to the Court's satisfaction that Marshall University's obligation under the subpoena is not unduly burdensome.

    That seems to make no logical sense at all. The judge seems to be saying that if Plaintiffs cannot proceed with their case otherwise, then there is no such thing as a subpoena that's too burdensome on non-party Marshall University.

    Is this judge out of his freaking mind!!!

    • by evanbd (210358)
      It sounds to me like he is saying that subpoena is mildly burdensome, and that it would not be granted if the information was simply useful and not mandatory for the lawsuit. The same amount of burden could very reasonably be seen as reasonable and unreasonable in two different contexts, depending on how much the parties to the suit actually needed the information.
    • Re: (Score:2, Informative)

      by esome (166227)

      That seems to make no logical sense at all. The judge seems to be saying that if Plaintiffs cannot proceed with their case otherwise, then there is no such thing as a subpoena that's too burdensome on non-party Marshall University.

      Is this judge out of his freaking mind!!!

      You're correct that the notion that the plaintiff's ability to proceed or not should have little bearing on the decision of whether or not the subpoena is overly burdensome. You've left out the first half of the argument though, that it's not burdensome because it only requires the names and IP addresses. The judge seems at best guilty of poor (maybe even deceptive) wording here. I see nothing wrong with the actual basis for his decision though. I mean, how burdensome is it to cough up the info?

      Seriousl

      • I'll ask a dumb question: Why can't a system admin just copy the relevant logs to a disk, turn it over to the RIAA, and let them sort it out?

        That wouldn't give the RIAA the information they're looking for. All the automatic logs attempt to do is match an IP address to a MAC (media access control) address on the remote device at the time in question. Who is the supposed owner of the equipment with that MAC address is in a second completely separate database, which contains most likely just student id num

    • Re:I Don't Get It (Score:5, Informative)

      by NewYorkCountryLawyer (912032) * <ray@nosPAm.beckermanlegal.com> on Tuesday April 22, 2008 @05:46PM (#23164184) Homepage Journal
      1. The subpoena asked for the identity of the infringers.

      2. The university argued it can't identify the infringers, and spelled out in the IT guy's affidavit why it's impossible, without conducting an elaborate investigation.

      3. The magistrate ruled 'they're not asking you for the identities of the infringers', they just want to know who's associated with the IP address.

      4. He is apparently unaware of the RIAA equation, "whoever is associated with the IP address" = "the defendant" = "the infringer". He is assuming the RIAA lawyers conduct themselves like real lawyers.
      • by pfleming (683342)
        IANAL but that's kinda how I read it too. Yes, they are asking for their identities.
      • 4. He is apparently unaware of the RIAA equation, "whoever is associated with the IP address" = "the defendant" = "the infringer". He is assuming the RIAA lawyers conduct themselves like real lawyers.
        I agree you probably right about that. But I'd like to know how after all the shady and off color things these lawsuits have been shown to use, how he's not aware that this needs more scrutiny than the average bear. If he really is ignorant that's kinda frightening
  • ... and RIAA's lawyers howl "Meat! Meat!".
  • Tomato, tomahto? (Score:2, Interesting)

    by klx (458077)
    FTFA:

    Marshall argues ... that compliance ... would impose an undue burden on its limited resources. A significant part of this burden, however, stems from a mistaken belief that the University was required to determine who was âoeusing a given computer at a given time.â By ... making it clear that they seek only identifying information with respect to the person associated with the IP address at the date and time of the alleged infringing use, the perceived burden should be considerably reduced.

    Ex
    • Exactly how is finding "the person associated with [an] IP address at [a] date and time" different from determining who was "using a given computer at a given time"?

      The person using the computer, if he were using it to commit copyright infringement, is an infringer, while the person whose internet access account would not be. If it were my internet access, but you plugged your laptop in at my dorm room, and used it to infringe someone's copyright, you would be the infringer, and I would be blameless. But I would be the one the RIAA sues. The Magistrate doesn't realize what morons he's dealing with. Marshall's IT guy is aware.

      • by klx (458077)
        Ah, stupid me, I was thinking about labs and work desktops, not resnets.
  • Eat lots of calcium! You might develop a backbone!
  • you know the RIAA is in trouble when elected politicians want to take them on.
    • Re: (Score:3, Insightful)

      you know the RIAA is in trouble when elected politicians want to take them on.
      I knew they were in trouble before that.

      And I'm not very bright.
  • I thought iTunes already solved the RIAA's problem. Yet, they continue to throw away money on this crap. But then, I suppose they have to justify their obscene percentage margins taken from the 'artists.'
  • I remember reading an article about Round Robin DNS setup as a way of combatting DOS attacks. This seems to be a similar thing on a much bigger scale.
  • The point really is that if IP != Individual, then Internet = Consequences Free Zone. Period.

    If you can't connect a "person" with an "action" in any way, then "actions" have no consequences any longer. You can use all the hand-waving you want, but that is what it comes down to. Either someone is responsible, or nobody is.

    Today, ISPs shielding customers means pretty much that nobody is ever responsible. Unless you brag or otherwise spill the beans, whatever you do online can never be traced to a person,
    • by Jaime2 (824950)
      An IP is no more an identity than a phone number is. Though phone numbers aren't identities, people get arrested all the time for calling bomb threats to schools and airports. Sometimes the guilty are caught, sometimes they get away.

      No one with a technical background ever claimed that an IP or MAC was traceable to a computer. I remember configuring NetWare IPX clients in 1994 and being able to configure an arbitrary MAC address. I've been working with NAT forever and NAT breaks the IP to client relati
      • "An IP is no more an identity than a phone number is. Though phone numbers aren't identities, people get arrested all the time for calling bomb threats to schools and airports. Sometimes the guilty are caught, sometimes they get away."

        If only I had not already replied in this thread..mod this reply up.

        Advocating some kind of secure, global authentication scheme might be completely insane, wildly expensive, difficult to maintain and always capable of being circumvented, but if that is what you feel is best,
  • by Anonymous Coward
    I attend the University of Massachusetts - Lowell as a grad student and got this in my e-mail about 4 hours ago. I'm not worried as I haven't lived on campus for 2 years, and didn't share any music because the network was prohibitively slow. However, it looks like Umass isn't going to grow a pair and fight it. Just rollover and give names.
    E-mail is as follows:

    Students,

    Be advised that the University has recently received several copyright infringement notices from the RIAA and SafeNet DMCA.

    Each individual RI
  • The IT Guy (Jan Fox) is a woman.

    http://users.marshall.edu/~fox/
  • Do current music artists get a corporate discount?

    Would the RIAA sue it's own members?

    The RIAA should sue itself for being this stupid.

    ---
    My html sucks and I don't give a damn.

"Love your country but never trust its government." -- from a hand-painted road sign in central Pennsylvania

Working...