MediaSentry – Defense moves to suppress in RIAA case

The RIAA cases remind me a great deal of Alice in Wonderland. Sometimes the arguments raised on both sides stretch credulity to the point where I wonder at the respective attorneys’ ability to raise them with a straight face. During my morning browsing of Slashdot I came across this article, which links to a motion to suppress all the MediaSentry evidence. Normally the RIAA case is not relevant enough to forensics for me to comment on, but the motion made here touches on the Private Investigator (“PI”) issue, which is becoming more relevant to digital forensics in light of Texas’ opinion on digital/computer forensics needing to be done by PIs.

Here, the Defense is arguing MediaSentry violated several state and federal laws in performing its investigation without having a PI license. I am a little biased here, so my personal view is that digital forensics is an expertise-based field just as any other forensics field is, and PI licensing is inappropriate. I picked out a few sections of the brief which I want to look at from a technical perspective. One of my interests right now is examining intersections of law and technology, specifically in terms of what I like to call the “Abstraction Lie.” Technology is presented as an abstraction, and we tend to think of it in abstract terms which hide the ugly implementation details. We may see a picture on the screen, but the actuality of that image exists as bits, gates, registers, and so forth. I’ve observed that the legal system often, for want of a pertinent example, tries to fit a technical abstraction into an existing mold, but the underlying implementation does not fit this contrived congruence.

MediaSentry violated the Pen Register Act when they recorded the TCP/IP packets that included the IP address of the sender. It is a misdemeanor under 18 U.S.C. § 3121(a) to install or use a pen register or trap and trace device. In 2001, the Pen Register Act was amended to broaden the definition of “pen register” to any “device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication.” 18 U.S.C. §

Importantly, the definition of pen register has not been read to exclude address-recording devices that also record content, but instead the definition has been read to prohibit court orders allowing the use of pen registers that also collect content. In re U.S. for Orders (1) Authorizing Use of Pen Registers and Trap and Trace Devices, 515 F.Supp.2d 325 E.D.N.Y., 2007, citing 147 Cong. Rec. S10990, *S11000 (Oct. 25, 2001) (“When I added the direction on use of reasonably available technology … to the pen register statute as part of [CALEA] in 1994, I recognized that these devices collected content and that such collection was unconstitutional on the mere relevance standard.”). Thus, MediaSentry’s software that records the IP addresses of senders violates the Pen Register Act.
pages 8-9.

Right off the bat the Defence team is going after the network dump. They are referring to a “Pen Register” and the Pen Register Act. This is a prime example of the law’s favorite recourse when dealing with digital territory – compare it to a phone. Pen registers record outgoing calls; there’s a separate term for recording incoming calls (Trap and Trace) – why two terms, I have no idea. The defence is saying here that MediaSentry’s network dump is equivalent to them recording outgoing and incoming calls on someone’s phone, and then cites relevant laws saying they can’t do that.

The crux of the issue as I see it comes down to who the actors are. Falling back on crypto naming conventions, let’s look at Alice (Defendant), Bob (MediaSentry), and Carl (Hypothetical third party). In this case Bob connects to Alice using the FastTrack network (Kazaa) and performs normal P2P actions by listing files, requesting a download, etc. Alice sends data to Bob and Bob records everything he sends or is sent – this recording takes place inside his computer. In the case of Pen Registers and Trap and Trace devices the defense is arguing Bob recording his conversation with Alice is equivalent to Bob recording the conversation between Alice and Carl – or at least that’s what they’re doing by calling a network dump a Pen Register. But this isn’t just recording numbers dialed (IP Addresses), it’s recording the conversation as a whole, which naturally brings up wiretapping, which the defense addresses next.

One last humorous point on this one: my cell phone records outgoing and incoming calls – it’s called caller ID. Do cell phones violate these acts? Somehow I think not.

MediaSentry violated 18 § 2511(1)(A) by intercepting electronic communications, namely, the packets traveling between the KaZaA clients on Jammie’s computer and MediaSentry’s computer. The Wiretap Act defines intercept as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4).
page 10.

This one is _very_ weak. Classical wiretapping would involve Bob physically tapping into the wire Alice and Carl are using to carry on a conversation. Carl is not involved at all, and Bob is recording his conversation with Alice, making it closer to one party recording a conversation without informing the other. Closer but not quite. Bob is not really recording anything so much as retaining the copy already recorded. This situation is not one in which the capture machine is operating in promiscuous mode, because it is one of the parties. The packets are being copied or “recorded” into memory; they have to be in order for them to be processed, otherwise the internet wouldn’t work. The network capture device is simply making a copy of the copy. Alice sends Bob a fax, Bob tells his fax machine to print out a second copy. This is different from Alice sending Carl a fax and Bob recording the fax communications and printing his own copy.
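To make the party-versus-third-party distinction concrete, here is an added example (not from the original post or the brief) that splits captured IPv4 packets into addressing information and carried bytes, then labels each by the capturing host's role. The addresses, payloads and function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed addresses from the documentation ranges (not from the case).
BOB, ALICE, CARL = "192.0.2.10", "198.51.100.20", "203.0.113.30"

def build_ipv4(src, dst, payload):
    """Build a minimal IPv4 packet: 20-byte header, checksum left at 0."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64,
        253, 0,  # protocol 253 (reserved for experimentation), checksum 0
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload

def parse_ipv4(packet):
    """Separate addressing information from the bytes carried after the header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total < ihl or total > len(packet):
        raise ValueError("inconsistent header or truncated packet")
    src, dst = (str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))
    return {"src": src, "dst": dst, "content": packet[ihl:total]}

def classify(packet, local_ip):
    """Label a captured packet by the capturing host's role in the exchange."""
    fields = parse_ipv4(packet)
    if fields["src"] == local_ip:
        return "sent-by-capturer", fields
    if fields["dst"] == local_ip:
        return "received-by-capturer", fields
    # Neither endpoint is the capturing host: seen only via a tap or promiscuous mode.
    return "third-party", fields

# Constructed sample capture: two packets of Bob's own exchange, one Alice-to-Carl.
SAMPLE = [
    build_ipv4(BOB, ALICE, b"list files"),
    build_ipv4(ALICE, BOB, b"file list"),
    build_ipv4(ALICE, CARL, b"unrelated"),
]

def roles(capture, local_ip):
    """Return the role label of every packet in a capture."""
    return [classify(pkt, local_ip)[0] for pkt in capture]

print(roles(SAMPLE, BOB))
```

Run from Bob's point of view, only the Alice-to-Carl packet is labelled third-party; a capture limited to Bob's own exchange contains none.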

In this case the screen communicated information about the files on the sender’s computer. When MediaSentry recorded the image of the screen they “intercepted” these electronic communications. O’Brien v. O’Brien, 899 So.2d 1133 (Fla.App. 5 Dist. 2005) (recorded screenshots constitute interception of electronic communications)
pages 10-11.

This one is especially silly. MediaSentry is intercepting electronic communications by using print screen. I’m loath to make a football analogy but it begs for one. If Alice throws Bob the football, how can Bob intercept the football by taking its picture after he’s caught it? Interception comes from the Latin Inter+Capere, literally “to seize between.” Interception implies it is obtained between the initial and terminal points, not once it has gotten to the terminal end. He might as well have said “When MediaSentry recorded the image of the screen they ‘Peanut butter and Jellied’ these electronic communications.” The defense cites a case, O’Brien v. O’Brien, which I had to look up to see how this could possibly be true, and it turns out to be a different situation. In O’Brien v. O’Brien, a Wife uses spyware to record screenshots of her Husband’s computer activity, thus learning of his affair. In that case the Wife is intercepting because she is not the intended recipient; she is seizing the data as it travels BETWEEN the husband and the mistress.

We also note that Minnesota recognizes the tort of intrusion upon seclusion where one “intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns . . . if the intrusion would be highly offensive to a reasonable person.” Lake v. Wal-Mart Stores, Inc., 582 N.W.2d 231, 233 (Minn. 1998) (citing Restatement (2d) of Torts §652B (1977)). The kind of unauthorized, unlicensed hacking that MediaSentry engaged in would be highly offensive to a reasonable person and is therefore tortious in addition to criminal.
pages 11-12.

First, nothing was hacked. Seriously. Second, how can you intrude upon solitude and seclusion when the person supposedly conducting private affairs is doing so on the internet by offering the downloads to anyone who asks? That is, in effect, what P2P sharing is. Bob asks Alice for a list of files, Alice sends a list of files, Bob asks Alice for file X, Alice sends file X. Bob is not taking file X, or forcing Alice to send file X, he is only asking for file X.

MediaSentry also does not qualify for the exception in § 2511(2)(g)(i). That section provides:
It shall not be unlawful under this chapter or chapter 121 of this title for any person — (i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public

18 U.S.C. § 2511(2)(g)(i). This section does not apply because the KaZaA network is available only to users of KaZaA who consent to certain terms of use, not to the general public. Further, KaZaA encrypts the information it sends between different nodes, and that information is not generally visible or available to the public. Thus, the electronic communications over the KaZaA network that MediaSentry monitored were not “readily accessible to the general public.”
page 12.

This is the start of the part which really interests me: Terms of Use/Service, or End User License Agreements. The defense is saying that because KaZaA has ToU/S or EULA terms and because traffic is encrypted between nodes, it is not public and MediaSentry could only obtain access by violating the terms. Let’s look at what terms are being referenced.

The KaZaA terms of use forbid exactly what MediaSentry did in this case: (1) making requests to gather information about other users; (2) storing information about other users; (3) violating state and federal laws; (4) developing and deploying separate software to monitor the network; and (5) altering data stored by KaZaA on MediaSentry’s computer. Specifically, MediaSentry violated the following terms


These terms of use, violated by MediaSentry, show that KaZaA was not a network containing electronic communications generally accessible to the public, but was instead a private network for communications between users who had obtained special usernames and passwords and who consented to certain restrictive terms and conditions.
pages 13-14.

Also included as exhibit F, these terms are for the KaZaA software. There is a difference between the client software, the P2P protocol, and the network. These are three distinct concepts. The brief does not detail what software MediaSentry used, but there are clients which access the same network (FastTrack) as the KaZaA client but do not have the same terms. The defense attempts to bundle them together, but terms governing software use do not govern network use if you aren’t using that software.

The ruling should be interesting to say the least.
