Sentence-by-sentence analysis of Nicoletti on IPP
On February 6 Paul Nicoletti filed a response to a defendant’s motion to compel (embedded below). The defendant in this case (Malibu Media v Hind, et al, INSD 12-cv-01117) demanded that Malibu hand over, among other things, the PCAP files that IPP collected. The section at III(A)(1), “The Nature of IPP’s Evidence” (starting at page 4) is possibly the most detailed description yet of precisely what IPP does — and what they have to hide. Here I go through sentence by sentence, explaining what the significance of each sentence is.
IPP establishes a direct TCP/IP connection with a computer that is distributing a “piece” of Plaintiff’s copyrighted work.
Nothing terribly controversial here. The use of the term “direct” is somewhat odd — the IPP servers most certainly do not have a direct physical connection to the defendant in question. On the networking front, assuming that Nicoletti isn’t just an attorney far out of his element and making stuff up, we are apparently to conclude that IPP does not make use of proxies or VPNs. (This will be important later.) TCP/IP is only mentioned to lend the sentence a false air of technical gravitas.
Note that it is never mentioned precisely how IPP finds this computer…
The “piece” is a packet of data. The packet of data correlates to Plaintiff’s copyrighted work because it has a unique cryptographic hash value.
Here Nicoletti trips up. Yes, each BitTorrent piece is accompanied by a cryptographic hash. (In traditional BitTorrent, these hashes are in the .torrent file.) However the only thing that can be calculated is whether the downloaded piece is what the .torrent file describes.
There is no way any investigator could a priori say that because the piece corresponds to its hash that it corresponds to a portion of an X-Art movie. In fact, downloading the entire torrent from the defendant and hashing it would not help; the video file spread on BitTorrent would generally not be identical to the file sold by X-Art¹. This is why Tobias Fieser declared in 2012 — in what I can only assume was a poor attempt at a joke — that after the torrent was downloaded from a host he would sit down and watch the whole thing side-by-side with a copy of the movie provided courtesy of X-Art.
Again, Nicoletti uses big technical-sounding words to mask the fact that he has no idea what he’s saying. Spoiler alert: this will be a recurring theme going forward.
Cryptographic hash values act as digital fingerprints. They are long alpha-numeric codes.
They’re binary (hexadecimal when displayed), Nicoletti, not alphanumeric.
Via the algorithms governing the hash system, hash values are capable of being calculated with the type of mathematical certainty and precision as 2 plus 2 equals 4.
This is largely meaningless chest-pounding. He is trying to convince a non-technical audience that the existence of cryptographic hashes is incontrovertible (“mathematical”, even!) evidence of infringement. The argument does not hold water. In fact, there is no argument there, just rhetoric and fluff.
IPP servers are synchronized to both an atomic clock and GPS clock.
This just refers to NTP; Tobi Fieser has said so before. It means that their servers’ clocks can be considered somewhat accurate (in Fieser’s own words, to about 1/10 s). This is so the logs have the correct time. This is standard practice for pretty much every server in the world.
Now we finally get to the meat of the matter: the PCAP files. Nicoletti:
IPP logs transactions between its servers and a person distributing a piece of a copyrighted work on a log file. Each transaction is saved in what is called a PCAP. A PCAP is an electronic recording of the transaction. It is analogous to a video recording. The software that IPP uses to create PCAPs is called TCPDump. TCPDump is one of a handful of widely recognized forensically sound Packet Analyzers. It is an open source free software program.
A “PCAP”, i.e. packet capture, is not analogous to a video recording. It would be more like the results of a wiretap. (In fact, a packet capture is precisely that: a recording of every packet of internet traffic going in and out of a computer.) Regarding tcpdump (properly all lowercase), yes, it is a venerable piece of software whose reliability is beyond reproach, but there’s nothing “forensically sound” about it. Not sure what it being open source has to do with anything.
It turns out that Nicoletti’s exposition is also bad, so let’s skip ahead a bit…
PCAP files can be read by anyone with the equipment to read them. The information contained in them can also be converted to word documents. The PCAPs speak for themselves and conclusively establish that the infringing transaction occurred. IPP charges Plaintiff to produce PCAP files. At trial, Plaintiff intends to introduce one PCAP file for each copyrighted work as well as the log files associated with the Defendant. Put another way, Plaintiff does not intend to introduce the thousands of PCAP files that evidence each infringing transaction committed by Defendant. That evidence is contained in the log file which, as previously stated, is also simultaneously created and saved in the same way that the PCAPs are created. To be clear, Plaintiff will produce to Defendant everything that it intends to introduce at trial. And, Defendant can subpoena IPP to produce any other evidence that Defendant wants from IPP.
You might have noticed that IPP really, really doesn’t want the PCAP files published. Why? Let us back up and cover what we skipped to find out:
Each PCAP covering each transaction is stored on a WORM tape drive. So too is the MySQL database log file to which the PCAP correlates. WORM stands for “write once, read many.” IPP uses a WORM drive because it is impossible to modify data after it is written onto a WORM drive. In addition, it is impossible to delete any data, outside of destroying the tape drive itself. Additionally, within twenty-four hours of a PCAP file’s creation, a German government-issued time stamp is placed on the WORM drive.
Now the reason is laid bare. The “German government-issued time stamp” is a requirement under the German Digital Signature Act. (There is no corresponding requirement under US law.) I have to correct Nicoletti once more—the timestamps (formally, Qualifizierte Zeitstempel, ”qualified timestamps”) are not issued by the German government, but by approved private “certifiers”. The function of the timestamp is to certify that some file existed at a particular time (the time of submission to the certifier).
Given a file and its qualified timestamp (in reality, a digital signature), you can confirm that the file you have been given is the same one that was submitted to the timestamper at the listed time. The problem is this: you cannot modify the file at all, even innocuously, otherwise this timestamp confirmation process will fail.
Why won’t they give up the PCAP files?
Note that they are willing to give up the logs, but not the PCAP files. This is because PCAP files contain everything. In particular, someone looking at the PCAP file (which IPP, because of the timestamp and WORM drive, would not be able to redact) would be able to ascertain the IP addresses used by IPP’s servers. This is of course something IPP would very much like to be secret, as if it were public infringers could simply block it. (The PCAP file might also reveal which BitTorrent trackers IPP is monitoring, another thing that would blow their cover.) The files would also detail how IPP goes about showing infringement — the sort of thing found in Delvan Neville’s famous analysis outing John Steele as sharkmp4.
IPP has so far given few details about its INTERNATIONAL IPTRACKER client and how it determines infringement; those that it has given sound technically questionable and legally unsound. The PCAP files would confirm this.
Nicoletti seems to say that he is willing to provide one PCAP file per claimed infringement at trial. This is complete BS and should not be accepted. Nor should the thousands of PCAP entries corresponding to the defendant demanding discovery be accepted. The only useful — the only meaningful — thing in this case is the entire WORM drive with the qualified timestamp (yes, all 3 terabytes of it). Any excerpt of the PCAP record can and will be selectively taken, redacted, modified, etc. in order to facilitate IPP’s continued unwillingness to transparently describe their monitoring process. The log files are worse; they record exactly what IPP wants them to (they are written to a database by the INTERNATIONAL IPTRACKER software itself) and provide zero transparency.
The next few pages are full of whining about how it would be difficult to provide the PCAP files that I won’t reproduce here. I must note, however, one thing…
Further, IPP charges Plaintiff a fee to extract information from its servers. Therefore, in this one request alone, Plaintiff would have to spend several if not tens of thousands of dollars to produce this information.
Soapbox time: a message to Doe defenders
Nicoletti’s response contains several potential lessons for Doe defenders.
First, familiarity with the technical side is crucial. Don’t be like Paul Nicoletti, and don’t be fooled by Paul Nicoletti. At least know what a cryptographic hash is, how the BitTorrent protocol works, and so forth. Discovery isn’t of much use if you don’t understand what you’re getting. It is much more useful if you have advanced technical knowledge. A great deal of BitTorrent copyright trolling, X-Art’s included, is based on extremely shoddy and fundamentally unsound technicals, but to date no Doe defenders have been able to take plaintiffs to task for it — and now a body of BitTorrent-trolling caselaw has formed which is highly unfavorable to Does.
Second, aggressive discovery works. Even in cases like this when all it gets is a bunch of whining, it can still be useful.
A more serious closing thought
There is one small aside nestled inside the response that I would like to draw attention to:
The WORM tape drives used by IPP contain three terabytes of storage. […] IPP goes through several of these tape drives each week.
That some company is keeping data — indefinitely — on Internet users’ activity to the tune of more than a terabyte a day is a sobering thought and should trouble everybody.
¹ Careful readers may have noted that there is one way in which this hashing method could work, which is if X-Art made the torrent themselves. I think it is far more likely that Nicoletti has no idea what he’s talking about.