File-swapping lawsuits: Are you next?

CNET News.com provides a step-by-step look at how the Recording Industry Association of America finds, investigates and sues file-swappers.

John Borland Staff Writer, CNET News.com
John Borland
covers the intersection of digital entertainment and broadband.
John Borland
4 min read
The Recording Industry Association of America sued 261 alleged file swappers Monday, launching a legal campaign against ordinary Internet users that could ultimately result in thousands of additional lawsuits.

But are you at risk?

If you or a family member have used Kazaa or any other file-swapping application recently and have left your computer open to the Net, the answer is possibly--although the odds of being singled out among an estimated 60 million people using peer-to-peer software remain small. If you've kept thousands of songs in the file you're sharing with other file swappers, then the odds are a little better, though still slim.

Here's a quick look at how the RIAA has done its investigations and what kind of information it has used to find people and file Monday's lawsuits.

Step one: Finding file-traders isn't hard. Anybody who opens a shared folder on Kazaa, Morpheus or any other file-swapping network is susceptible to potentially prying eyes.

In the most recent wave of investigations, the RIAA has used automated tools that look for a relatively short list of files. When it finds a person sharing one or more of those files, it downloads all or many of them for verification purposes. A complete list of these target files is not available, but a sampling of files cited in the early lawsuits includes the following artists and songs:

• Bobby McFerrin, "Don't Worry, Be Happy"
• Thompson Twins, "Hold Me Now"
• Eagles, "Hotel California"
• George Michael, "Kissing A Fool"
• Paula Abdul, "Knocked Out"
• Green Day, "Minority"
• UB40, "Red Red Wine"
• Ludacris "Area Codes"
• Marvin Gaye, "Sexual Healing"
• Avril Lavigne, "Complicated"

This is far from a complete list, but if you've downloaded and shared any of those songs recently, you may be at greater risk of finding your way onto the RIAA's list.

Step two: The RIAA uses features within Kazaa, Grokster and some other software programs to list all the files available within a person's shared folder and takes screenshots of that information. As filed in court, that provides a record of what in some cases has been thousands of songs shared at once.

Step three: The RIAA's software records the Internet address associated with a computer that is sharing one of the copyrighted songs the organization is investigating. Some file-swapping programs try to hide this by using mechanisms such as proxy servers, but most downloads still expose this information.

Step four: According to information filed as part of a related lawsuit, the RIAA also has the ability to do a more sophisticated analysis of the files that have been downloaded. The group checks the artist's name, title, and any "metadata" information attached to the files, looking for information that may indicate what piece of software has been used to create the file or any other. Some files swapped widely on the Net include messages from the original person who created the MP3 file, such as "Created by Grip" or "Finally the Real Full CD delivered fresh for everyone on Grokster and Kazaa to Enjoy!"

The RIAA has also analyzed in detail some files' contents. The trade group has databases of digital fingerprints, or "hashes," that identify songs that were swapped online in Napster's heyday. Investigators check these fingerprints against those found in a new suspected file swapper's folder, looking for matches. A match means the file has almost certainly been downloaded from the Net, likely from a stream of copies dating back to the original Napster file.

Step five: The RIAA files a subpoena request with a federal court. The subpoena allows the group to go to an Internet service provider and request the name and address of the subscriber who's associated with the Net address that was used to swap files. A few Internet service providers (ISPs) have fought back against these requests, but most have been forced to comply with the RIAA's request.

Many ISPs notify their subscribers when a subpoena comes in that targets their information. The Electronic Frontier Foundation has set up a database that allows people to see whether their online screen name has been the target of one of these subpoenas.

The RIAA said it has filed more than 1,500 of these subpoenas to date.

Step six: Once the identity of the ISP subscriber has been exposed, the RIAA puts together all the information gleaned through the earlier technical investigation and files a lawsuit. In earlier cases, it has accepted settlement agreements that range between $12,000 and $17,000. In this case, it has accepted some settlement agreements for as little as $3,000.