The Copyright Group Lawsuits: There Is a Word For This…

Nate Anderson over at Ars Technica has a great article up today about the unprecedented new round of P2P lawsuits being filed by Dunlap, Grubb, & Weaver. In it he discusses some of the initial responses to the subpoena filings in some of the more than 14,000 new cases.

Some users have been fighting back, trying to keep their identities a secret. “Motions to quash” have dribbled into the Washington, DC District Court from around the country, several of them scrawled by hand. Each contains a plea—one goes so far as to say that she is “now throwing myself on the mercy of the courts to have this [subpoena] quash or vactated. [sic]”

Lawyers are rarely involved, and the motions are badly formed, sometimes unsigned, often missing key sections or failing to address basic arguments. They are the response of citizens who find themselves one day suddenly caught up in a federal lawsuit happening in Washington. They are alternately weird, sad, or outraged. What they are not is “effective.”

For some background, the Virginia-based law firm Dunlap, Grubb, & Weaver is running these cases effectively like a business.

The scheme works like this: Picture yourself as an indie movie producer. You make your labor-of-love movie, probably with the primary goal of making a name for yourself, generating some buzz, and helping to break yourself into “the biz”. The vast majority of indie movies make little or no money in the market and end up being a loss for investors (studios invest in them hoping that one will become a break-out hit, as happened this year with The Hurt Locker, which is, incidentally, one of the targeted films). This is not new. It is the way things are done, much like the publishing industry.

Dunlap, Grubb, & Weaver contacts you about your new indie movie project and offers a convenient new way to monetize your film. They will track any illicit trading of your film on the various P2P networks (mainly BitTorrent currently), effectively by logging onto the swarms themselves and recording the IP addresses of all of the participating systems. Then, they will subpoena the ISP records for each of these addresses to get the people’s names and addresses, file copyright infringement lawsuits against these users in Federal court asking damages of around $150,000 per case, and then offer each defendant the chance to settle for sums of between $1500 and $2500. The law firm will even set up convenient websites for each film where these “defendants” can pay the money for this “generous” settlement offer. Then, the law firm will split the profits with you, the movie maker, and you can actually generate some profit for your little indie movie. They even have a convenient website advertising their services at SaveCinema.org, and they’re billing themselves as the savior of indie movie making.

Of course, they don’t mention that the biggest reason indie movie making has been having trouble lately isn’t due to piracy at all, but because the major movie studios have reacted to the recent recession by cutting their funding for indie releases and concentrating on “sure thing” big-budget blockbuster releases. In fact, it could be argued that this type of piracy can actually help indie movie makers generate buzz about their film, leading to larger distribution possibilities and the possibility of their film “going viral”. After all, for the price of zero, the pirates are likely more willing to take a chance on an unknown film and then end up liking it and spreading the word to their friends and family (who end up actually going to see it, rent it, or ask for it at their local indie-friendly theater). Some indie movie makers are actually using P2P networks for this exact purpose and encouraging people to download their works (actively seeding the torrents themselves). Last year the Pirate Bay even joined together with some of the other top BitTorrent tracker sites to create a coalition called VODO to help indie filmmakers get their works out to the public.

No, they don’t mention any of this. They simply quote the same-old vastly inflated piracy loss figures and they say “come get your taste” to all the indie filmmakers out there. It is particularly interesting that this group chose to go with indie filmmakers, rather than big-budget studios. This serves two purposes:

  • It helps in the inevitable PR war that they can portray the filmmakers as poor, starving artists rather than high-rolling executives flying around in their corporate jets.
  • It keeps the “stink” off of the MPAA when they, like the RIAA before them, sue some highly sympathetic defendants (dead grandmothers, for example), get caught using illegal investigatory practices, and it shields them from counterclaims that could open them to anti-trust and RICO cases.

The MPAA certainly learned a lot from watching the RIAA attack the Internet before it. They stand to gain a lot from these cases, with little or no effort on their part directly. And for the law firm, there couldn’t be a better business model. They get to make a ton of profit off of the cases, because studies have shown that most people just settle rather than fight the cases. From Ars Technica:

The sheer volume suggests that these cases aren’t designed for prosecution—and they don’t need to be. As the RIAA lawsuits showed us, most people will settle. Data from the recording industry lawsuits, revealed in a court case, showed that 11,000 of the 18,000 Does settled immediately or had their cases dropped by the labels. Seven thousand either refused to settle or never responded to the settlement letter, but after the RIAA subpoenaed their identities and filed “named” lawsuits against them, nearly every one settled.

After years of litigation, the number of people who have pursued a trial all the way to a verdict can be counted on one hand.

And, for those few people who do decide to fight back, maybe because they are innocent or to make a political point, the law firm can pick and choose which cases are the least sympathetic and most likely to result in a ruling in their favor, and then drop the rest. Otherwise, they just set up a payment website, and let Mastercard and Visa handle the collections for them. Quite a nice little racket they have there, isn’t it?

Oh, and it is only a matter of time before we see more illegal copycats out there.

In the end, it is true that many of those people targeted (most of them, even) probably did infringe copyright law. However, the extremely draconian penalties prescribed by law were designed to shut down large-scale commercial counterfeiting rings that mass-produce fake DVDs and sell them on the gray market. They were never intended to be used against normal people (most of whom are simply guilty of having a teenager at home with some poor judgment and a broadband connection). Even if you agree that the punishment of $150,000 for participating in an online “download swarm” of a single movie (which probably never even had hopes of making $150,000 in the open market total) somehow fits the crime, it is impossible to tell how many of these people are actually innocent! Consider this:

  • Do you ever let friends and family use your home computer and internet connection unsupervised?
  • Do you run an open (or poorly secured) WiFi hotspot in your home so that you can use it with a handheld device that doesn’t support WPA2?
  • Do you have a secured WiFi hotspot, but a simple-to-guess password?
  • Have you ever gotten a computer virus or had your computer infected with malware?

All of these things could easily lead to you being targeted, regardless of whether you even know what a P2P program is or how to use one. Not only that, but there are many other ways to end up with false positives. From a 2008 paper titled “Challenges and Directions for Monitoring P2P File Sharing Networks, or, Why My Printer Received a DMCA Takedown Notice”:

The first request from a BitTorrent client to a tracker serves two purposes. First, it elicits a response that provides the newly joined client with an initial set of peers with which to exchange data. Second, the request notifies the tracker that a new peer is available and can be listed in responses to future requests. By default, BitTorrent trackers record the source IP address from the request as the actual address of the peer to be delivered to others. But, some BitTorrent tracker implementations support an optional extension to the peer request message that allows requesting clients to specify a different IP address that the tracker should record in its list of peers instead. This is intended to provide support for proxy servers and peers/trackers behind the same NAT. But, when combined with the lack of verification of tracker responses by monitoring agents, this extension also allows malicious clients to frame arbitrary IPs for infringement via a simple HTTP request. We refer to this behavior as the misreporting client attack.

And they go on to list other sources of possible “errors”:

Misreporting by trackers: The most straightforward way to falsely implicate an IP address in infringement is for the coordinating tracker to simply return that IP address as a peer regardless of participation. Since the torrent metadata files that specify trackers are user-generated, a malicious user can frame arbitrary IPs simply by naming his own misreporting tracker during the creation of the torrent and then uploading that torrent to one of the many public aggregation websites that we (and enforcement agencies, presumably) crawl. From the perspective of users downloading the file, such a malicious tracker would seem no different than any other.

Mistimed reports: A tracker need not be malicious to falsely implicate users. Consider the following scenario. Bob participates in an infringing BitTorrent swarm from a laptop via WiFi with an IP address assigned via DHCP, e.g., at a university or coffee shop. Bob then closes his laptop to leave, suspending his BitTorrent client without an orderly notification to the tracker that he has left. Some time later, Alice joins the same WiFi network and, due to the DHCP timeout of Bob’s IP, Alice receives Bob’s former address. Simultaneously, a monitoring agent queries the tracker for the swarm Bob was downloading and the tracker reports Bob’s former IP. The monitoring agent then dispatches a DMCA notice to the ISP running the WiFi network naming Bob’s IP but with a timestamp that would attribute that IP to Alice, a false positive. Whether this is a problem in practice depends on the relative timeouts of BitTorrent trackers and DHCP leases, neither of which is fixed. In a university environment in 2007, DHCP lease times were set to 30 minutes [4]. The interarrival time of tracker requests is typically 15 minutes at least, meaning that even a conservative tracker timeout policy of two missed requests coupled with a 30 minute DHCP lease time could result in this type of misidentification.

Man-in-the-middle: Because BitTorrent tracker responses are not encrypted, man-in-the-middle attacks at the network level are straightforward. Anyone on the path between tracker and a monitoring agent can alter the tracker’s response, implicating arbitrary IPs. Further, man-in-the-middle attacks are also possible at the overlay level. For redundancy, current BitTorrent clients support additional methods of gathering peers beyond tracker requests. These include peer gossip and distributed hash table (DHT) lookup [3]. Although we have not determined experimentally if these sources of peers are used by monitoring agents, each permits man-in-the-middle attacks. DHT nodes can ignore routing requests and return false IPs in fraudulent result messages. Similarly, peers can gossip arbitrary IPs to their neighbors.
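The mistimed-reports scenario quoted above can be checked from the network operator's side. The following is an added example, not code from the paper or from this post: it takes a constructed DHCP lease log and the timestamp from a notice, and lists every device that could have produced the tracker entry, using the paper's 15-minute announce interval and two-missed-requests timeout. The addresses, device names, and function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed DHCP lease log: (ip, device, lease_start, lease_end).
# 192.0.2.0/24 is a documentation-only address range.
LEASES = [
    ("192.0.2.10", "bob-laptop",   "2010-06-01 14:00", "2010-06-01 14:30"),
    ("192.0.2.10", "alice-laptop", "2010-06-01 14:32", "2010-06-01 15:02"),
    ("192.0.2.10", "carol-phone",  "2010-06-01 16:00", "2010-06-01 16:30"),
    ("192.0.2.11", "dave-desktop", "2010-06-01 14:00", "2010-06-01 18:00"),
]

# Figures from the quoted paper: announces arrive about every 15 minutes and
# a conservative tracker drops a peer after two missed announces.
ANNOUNCE_INTERVAL = timedelta(minutes=15)
MISSED_ANNOUNCES = 2
TRACKER_STALENESS = ANNOUNCE_INTERVAL * MISSED_ANNOUNCES  # 30 minutes


def parse(ts):
    return datetime.strptime(ts, FMT)


def naive_holder(leases, ip, observed_at):
    """Device holding the lease at the exact timestamp in the notice."""
    t = parse(observed_at)
    for lease_ip, device, start, end in leases:
        if lease_ip == ip and parse(start) <= t < parse(end):
            return device
    return None


def candidate_holders(leases, ip, observed_at, staleness=TRACKER_STALENESS):
    """Devices whose lease overlaps [observed_at - staleness, observed_at],
    the period in which the tracker entry could have been created."""
    t = parse(observed_at)
    earliest = t - staleness
    return [device for lease_ip, device, start, end in leases
            if lease_ip == ip and parse(start) <= t and parse(end) > earliest]


def assess(leases, ip, observed_at):
    """Classify how safely the notice can be tied to a single device."""
    found = candidate_holders(leases, ip, observed_at)
    if not found:
        return "no lease matches"
    return "unambiguous" if len(found) == 1 else "ambiguous"
```

For a notice timestamped 14:40, the exact-time lookup names Alice's device, while the window lookup returns both Bob's and Alice's, which is the false positive the paper describes.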

But none of that matters. The beauty of this scheme is that they don’t even have to bother to try to get accurate lists of “offenders”. Just sue everyone! The vast majority of people will just settle, because the alternative is to hire a lawyer at your own expense, and try to defend yourself in a jurisdiction located perhaps a continent away, and then risk that you might still lose and end up on the hook for hundreds of thousands or millions of dollars. Those that don’t? Well, just vet them, pick the worst ones, and drop all the rest of the cases.

As the new Ars article sums up:

Most of those targeted by this new crop of lawsuits are no doubt liable, but the motions to quash remind us of just how many defenses exist. We’ve now heard from those who claim to be totally innocent, those who claim to be freelance copyright cops, and those who claim that malware did it.

Are they all telling the truth? Who knows. But those who are submitting these filings face a daunting set of legal bills as they hire lawyers to litigate a case that could be taking place in federal court hundreds or thousands of miles away—and they face the prospect of $150,000 in statutory damages if a jury rules against them. Even if found not liable for infringement, legal fees at this level can be severe.

Perhaps it’s just easier, and cheaper, to settle. That’s what the plaintiffs are apparently banking on.

Copyright law in this country is terribly broken. We have megacorporations holding effectively indefinite copyrights and using this monopoly power to quash competition and stifle innovation. We have a system, originally designed to “encourage the further production of arts”, being used to guarantee income for the great-great-grandchildren of artists. How does copyright incentivize an artist to produce more artwork 70 years after they are dead? And we have a new generation of brilliant “mashup artists” like Girl Talk, DJ Danger Mouse, and the guy who made the “Hey Ya” Outkast/Peanuts mashup video being threatened for copyright violations for what is clearly something new and unique.

Like I said… There is a word for this. And it is covered by 18 U.S.C. §§ 875–877.