One of the problems with the RIAA's lawsuit campaign is that it's heavily reliant on the assumption that tying an IP address to a person sitting at a PC at a particular time is a trivial matter. The reality is much messier, as a case involving 11 students at Tufts University in Massachusetts demonstrates. A vice president at the school has written to a federal judge, pointing out the difficulty of tying the 11 IP addresses logged by MediaSentry to specific MAC addresses (and users).
Under a March court order, Tufts (and other schools and ISPs in that particular district) are supposed to provide the court with a list of all possible matches when unable to determine the identity of the user sought by the RIAA to a "reasonable degree of technical certainty." The judge then reviews the list and makes a determination on how to proceed. In the case of Zomba Recording v. Does 1-11, Tufts argues that there are just too many possible users involved, which has implications for this particular RIAA fishing expedition.
While Tufts can tie three IP addresses to particular MAC addresses with reasonable certainty, two of the other IP addresses fingered by MediaSentry could have been used by as many as forty users during the time in question. "It is therefore difficult to conclude with any reasonable level of certainty that any one of those users was actually using the IP address in question at the relevant time," writes the university. "We believe, in these two instances, that it would be unfair to identify all possible individuals meeting the plaintiffs' criteria, given the low likelihood of identifying the guilty party."
Tufts keeps data on MAC addresses—all of which are registered to particular users—for a period of years. The IP addresses assigned to those MAC addresses via DHCP, however, are only kept for 10 days before being overwritten. The school also uses Address Resolution Protocol to grab entries from routers around the campus at various intervals, but as it only records the first and last times a particular user is assigned an IP address, it is an imprecise and incomplete record.
In other cases where a school is only able to narrow down the list of possible P2P users to a dorm room with two or more residents, the RIAA has typically sought to obtain the names of all possible infringers in an attempt to discover the identity of the P2P user in question. With 40 possible users for two IP addresses, such an approach is impractical. Moreover, there are privacy implications for the at least 38 innocent students involved. We asked the RIAA how it would handle the situation with the two Tufts IP addresses. "As we do in all of our cases when issues are presented, we will work with the school to determine the most reasonable course of action to prevent further abuse of its network," an RIAA spokesperson told Ars.
One way to solve this problem from the RIAA's perspective would be tighter record-keeping and networking monitoring by the schools themselves. Tufts even admits that it could do a better job with data retention: "We recognize the inherent limitations of the network data retention system that we are currently using, and are actively looking at possible adjustments." The RIAA has joined the MPAA in pushing for legislation on the federal and state level that would require colleges to crack down on P2P use on campus, which would presumably involve longer retention times for network data. The recently passed College Opportunity and Affordability Act will require colleges to start working on formal piracy deterrence plans, and Big Content has also been lobbying states to pass more stringent antipiracy laws.
Further readingTufts University's letter to Judge Nancy Gertner (PDF) Found via Recording Industry vs The People