Computer Security Expert Testifies that the RIAA Can’t Identify Users by IP Address

Points out that “Many computers can be connected to the Internet with identical IP addresses as long as they remain behind control points such as routers, firewalls, proxy servers, or similar technologies.”

For all the RIAA’s usual mischief, like its recent attempts to subpoena a guy’s former employer and, amazingly, to have him identify everyone who has used his computer for the last 3 years (can you?), there have been a few bright spots of victory that we can all sit back and enjoy.

One of those recent victories was in the Capitol v. Foster case, where an Oklahoma court ordered the RIAA to pay the defendant Debbie Foster some $68,685.23 in attorneys’ fees and costs. The judge in that case even went so far as to criticize the RIAA’s lawyers’ motives as “questionable,” and their legal theories as “marginal,” something many of us without legal degrees have known for quite some time.

Well, now the same Oklahoma attorney who so nicely humbled the RIAA’s legal team is at work again, defending some of the students caught up in the RIAA’s college campus crackdown.

In Arista v. Does 1-11, the RIAA is trying to subpoena the names and addresses of 11 Oklahoma State University students accused of copyright infringement, but several of the students are trying to vacate the order, arguing that the RIAA’s use of IP addresses rests on the assumption that an IP address is a unique means of identification, which it is not.

To help prove their argument that a person cannot be uniquely identified by an IP address, they have enlisted the expert testimony of Jayson E. Street, CISO of Stratagem 1 Solutions in Oklahoma City, Oklahoma, and a recognized computer security and forensics expert.

In a 15-page expert witness declaration submitted to the court, Jayson essentially attacks the entire premise of the RIAA’s lawsuit, which is that an IP address can be used to uniquely identify an individual. He calls this assertion “factually erroneous” and “misleading.”

The RIAA first argues that “Users of P2P networks can be identified by their IP addresses because each computer or network device (such as a router) that connects to a P2P network must have a unique IP address within the internet to deliver files from one computer or network to another.”

Jayson counters that “In my opinion, the above statement is factually erroneous.”

He continues by pointing out that “An individual cannot be uniquely identified by an IP address,” and that “…networks of networks can have many duplicate addresses,” because all connected computers reside behind the same control point, or access point.

The RIAA also argues that “Two Computers cannot effectively function if they are connected to the Internet with the same IP address at the same time.”

Jayson again calls their statements “factually erroneous,” pointing out that they can if they are located behind the same control points “…such as routers, firewalls, proxy servers, or similar technologies.”

The RIAA even goes so far as to try and compare the internet to the “…telephone system where each location has a unique number,” and whereby “…only one call can be placed at a time to or from that home.”

Jayson, much to his credit, takes this statement to task, calling it “misleading” due to the fact that “A telephone network is a circuit-switched network” that “…creates or removes a circuit or end-to-end link between the two devices that wish to communicate.”

“The internet,” he points out, “is not a circuit-switch network. Instead, it is a packet-switched network.”

“In such a network individual packets are created by the end point devices and deposited onto the network with destination information,” he says. “Control devices within the network can then decide which path the individual packets will take across the network. Not all packets will necessarily take the same path. As such in a given network, there can be many simultaneous communication streams that are presented through a single control point and all logged as coming from a single IP address.”
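The point made in the testimony above, sketched as an added Python example (it is not part of the declaration or of the original article): several inside hosts share one public address behind a port-translating control point, so a remote log shows a single IP, and narrowing an observation to one device takes the control point's own translation log plus the source port and timestamp. The `Gateway` class and all addresses, ports and times are constructed for illustration.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"  # constructed sample (RFC 5737 documentation range)

@dataclass(frozen=True)
class Mapping:
    start: int          # second the translation was created
    end: int            # second it expired
    private_ip: str
    public_port: int

class Gateway:
    """Simplified port-translating control point that keeps a translation log."""
    def __init__(self, first_port=40000, pool_size=2):
        self.first_port, self.pool_size = first_port, pool_size
        self.log, self.count = [], 0

    def forward(self, ts, private_ip, lifetime=60):
        # Ports come from a small pool and are reused once a mapping expires
        # (simplification: the caller never overlaps two live uses of a port).
        port = self.first_port + self.count % self.pool_size
        self.count += 1
        self.log.append(Mapping(ts, ts + lifetime, private_ip, port))
        return (ts, PUBLIC_IP, port)  # everything the remote side can log

def observed_sources(remote_log):
    """Distinct source addresses as seen from outside the control point."""
    return {ip for _, ip, _ in remote_log}

def attribute(gateway_log, ts=None, public_port=None):
    """Inside hosts consistent with an outside observation."""
    return sorted({m.private_ip for m in gateway_log
                   if (public_port is None or m.public_port == public_port)
                   and (ts is None or m.start <= ts < m.end)})

def demo():
    gw = Gateway()
    # Constructed flows: (second, inside host). Third flow reuses port 40000.
    flows = [(0, "192.168.1.10"), (5, "192.168.1.11"), (100, "192.168.1.12")]
    remote_log = [gw.forward(ts, host) for ts, host in flows]
    return gw, remote_log

if __name__ == "__main__":
    gw, remote_log = demo()
    print("remote observer sees:", observed_sources(remote_log))
    print("IP only          ->", attribute(gw.log))
    print("IP + port        ->", attribute(gw.log, public_port=40000))
    print("IP + port + time ->", attribute(gw.log, ts=100, public_port=40000))
```

Even the narrowest lookup resolves to a device behind the control point, not to the person using it.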

How’s that for a rebuttal?

The RIAA’s single most important method of “identifying” individuals, the IP address, is basically proven to be an “erroneous” and “misleading” means of proving that an end user is responsible beyond all doubt, which allows the merits of current and future lawsuits against individuals to be called into question.

Don’t you just love the smell of victory in the morning?