More from the Copyright Enforcement Follies

Unlike US corporations, IP addresses are not people. At least according to a UK patent and copyright judge. But I’m ahead of myself. An entry from just over a year ago entitled Cyber-bullying by the copyright Gestapo reported the shenanigans of ACS:Law, described as a “rogue law firm run amok” in this story by Nick Farrell in the Inquirer. Briefly, the story goes like this.

[ACS:Law] sent out letters to thousands of Brits accusing them of ‘piracy’ and offering them a chance to settle by paying about £500.

However, loads of people are being accused with what must be inaccurate information. One was a 78-year-old accused of downloading pornography and others are unaware of having done any downloading at all.

Furthermore Andrew Crossley of ACS:Law actually made this profoundly asinine statement to the BBC.

The method used to detect the IP address used for illegal downloads was foolproof.

So now that this fiasco has finally made it into court, as we all knew it would, the judge apparently has the same skepticism about this egregious misunderstanding of how Internet Protocol technology actually works. This piece by Matthew Lasar in Ars Technica entitled Court confirms: IP addresses aren’t people (and P2P lawyers know it) reports it as follows.

“What if the defendant authorises another to use their Internet connection in general and, unknown to them, the authorised user uses P2P software and infringes copyright?” asked His Honour Judge Birss QC last Tuesday.

That’s not the only legal snag Judge Birss noticed. He was particularly irritated over evidence that ACS was trying to withdraw the questionable complaints in a bid to sue the defendants again under better circumstances, and with a new firm: GCB.

“The GCB episode is damning in my judgment,” Birss warned. “This shows that Media CAT is a party who, while coming to court to discontinue, is at the very same time trying to ram home claims formulated on exactly the same basis away from the gaze of the court. That will not do.”

But what makes the England and Wales Patent County Court ruling particularly interesting is the jurist’s obvious skepticism about what has become the central dogma behind these suits—that a torrent share associated with a specific IP address is grounds for legal action against a specific human being. The lawyers argued that, even if the Internet subscriber hadn’t done the deed, he or she had presumably let someone else use their network, and so were therefore responsible for this “authorized” use.

But authorizing a guest to play some online game can hardly be seen as an authorization for that guest to start downloading copyrighted material; if that happens, why would the subscriber be responsible?

Birss had even more concerns:
Then there is the question of whether leaving an Internet connection “unsecured” opens up the door to liability for infringement by others piggy backing on the connection unbeknownst to the owner. Finally, what does “unsecured” mean? Wireless routers have different levels of security available and if the level of security is relevant to liability—where is the line to be drawn? No case has decided these issues but they are key to the claimant’s ability to… say—one way or another there is infringement here.

Judge Birss [stated,] “Proof that a person owns a photocopier does not prove they have committed acts of copyright infringement,” he continued:
“All the IP address identifies is an internet connection, which is likely today to be a wireless home broadband router. All Media CAT’s monitoring can identify is the person who has the contract with their ISP to have internet access. Assuming a case in Media CAT’s favour that the IP address is indeed linked to wholesale infringements of the copyright in question… Media CAT do not know who did it and know that they do not know who did it.”

The judge has given ACS:Law two weeks to continue the case or pay “wasted costs”.

In case you were wondering (as I was) what “wasted costs” are, a clarification by an Ars reader describes them thusly.

“In UK law there is a distinct difference between being awarded costs and ‘wasted costs’ which are awarded where a legal firm has acted improperly or merely incompetently (and is clearly seen as such) wasting the court’s and others’ time. These costs can be punitive. Wasted costs do not reflect on those the law firm represent.”

“Wasted costs” sounds like a really great idea and I would dearly love to see Mitch Bainwol and Co. – Recording Industry Association of America (RIAA) smacked with that particular legal stick. But alas, here in the US, where the entertainment industry controls the public discourse on copyright and more than a few politicians, I don’t see that happening any time soon. But fortunately there is at least one jurist in the civilized world who gets it. Bravo Judge Birss!

Of screen doors and submarines – locking down your iPhone

It’s about as useless as
A screen door on a submarine
Faith without works baby
It just ain’t happenin’
From Screen Door by Rich Mullins

In a recent post, to the extent that any post here is recent, I wrote about the threat to personal privacy – yea, even freedom – posed by smart phones. Actually the threat was not so much from the smart phones themselves but from their potential exploitation by law enforcement contrary to your best interests. The obvious answer to this problem, as every portable-computer-using reader of this blog surely knows, is to fully encrypt the device. Locking that bad boy down tight will blow those law enforcement fishing expeditions out of the water. But alas, this is not a realistic option with most smart phones. There are several notable exceptions to this, including the RIM Blackberry, mentioned in the earlier post, which can be configured to be secure, and some Linux-based smart phones such as the Nokia N900 described in this comment to that post by reader Gino.

There actually is a solution for full phone (filesystem) encryption: the Nokia N900, a Linux phone that supports Crypto LUKS. I know this for fact as I am typing this with one that has it :)

Albeit there is quite a bit of legwork needed and a fairly good bit of Linux knowledge required to set it up initially, it’s well worth the effort.

Unfortunately that excludes the many smart phone users, including myself, with iPhones. I did find some information in this article in Lifehacker entitled Common Sense Security for Your iPhone about locking down iPhones. To the extent that they can actually be “locked down”. Here are the high points.

Lock Your Phone
The most basic security precaution you can take is to make sure that your iPhone is using a passcode lock—and that the passcode lock will automatically engage after a brief period of inactivity.

Choose a Hard-to-Guess Passcode
On newer versions of iOS, you’ll have an additional option in the Passcode Lock settings labeled “Simple Passcode”. By default, “Simple Passcode” is on—and it essentially means that your passcode will need to be a 4 digit number that you’ll type when unlocking the phone. You can, and should, turn this setting off and enter a passcode that is more difficult to guess than the simple 4 digit pin.

Limit the Maximum Number of Unlock Attempts
To prevent someone from trying to break into your phone if it’s stolen, take advantage of the setting at the bottom of the “Passcode Lock” settings page, labeled “Erase Data”. By default, this is set to off. Turning it on tells the iPhone to completely wipe the content of the device if 10 failed attempts to unlock the iPhone are recorded.

Take Advantage of the Free “Find My iPhone” App and Remote Data Wipe
Apple provides a great service called “Find My iPhone” that is available for free to any iOS device owner using their Apple ID (the same email address and password you use to purchase apps in the App Store). Complete instructions for setting up Find My iPhone are available on Apple’s Web Site. By default, the free Find My iPhone is only for 2010+ devices, but anyone can enable and use Find My iPhone on the 3GS and other pre-2010 devices. Here’s how.

While these are certainly valuable steps to take towards basic iPhone privacy, the efficacy vis-a-vis keeping out determined and well equipped snoopers is akin to locking the screen door on a submarine. This article by the oft-quoted [in this blog] Sharon Nelson of {ride the lightning} for the American Bar Association’s Law Practice Magazine entitled Why Lawyers Shouldn’t Use The IPhone: A Security Nightmare explains thusly.

The words iPhone and security do not belong in the same sentence, although you would never know it from the Apple marketing blitz. Some of the advertised features of the iPhone 3GS are the inclusion of encryption and remote wipe functions. As most folks know, encryption is a killer for computer forensic examiners and a fine way to protect your data. So what does encryption do for the 3GS? Not a heck of a lot. From my foxhole, it appears that encryption was an afterthought and not inherent in the iPhone design.

Jonathan Zdziarski has demonstrated how easy it is to gain access to a supposedly secure iPhone 3GS. Should we believe him? I certainly do, especially since I own his book on iPhone forensics and have personally seen the mountains and mountains of electronic evidence that is stored on an iPhone. The key to gaining access to the data is to extract a disk image from the device. First off you “jailbreak” the phone by placing it into recovery mode and installing a custom RAM disk to the iPhone. Jonathan mentions that the tools are only available to law enforcement (nice thought, but not so), but also acknowledges that it is fairly simple to develop your own. Several products like Red Sn0w and Purple Ra1n are freely available to “jailbreak” the phone. You then install a Secure Shell (SSH) client to port the raw disk image onto your computer.

Those of us in the forensic community know that sucking a disk image from an encrypted drive to a destination drive just gets you another encrypted image which is no earthly good to you. What makes the iPhone 3GS any different? This is the part where Apple is so very, very helpful. Even though the data on the iPhone disk is stored in an encrypted form, the iPhone actually decrypts the data as it feeds the zeros and ones through the SSH connection.

In order to secure your iPhone, make sure you configure an unlock code. Then again, perhaps you shouldn’t waste your time. Jonathan has another demo where he replaces the passcode file with one that contains a blank password, effectively removing the unlock code. How is this possible? Just like the previous explanation, putting the iPhone into recovery mode doesn’t require the passcode PIN.

Apple says losing your phone is not a problem, you just use the remote wipe feature to “kill” all of the personal data. There’s a problem with that too. The remote wipe feature requires that the iPhone be connected to the cellular network and removing the SIM card or placing the phone in a Faraday box would solve the network connection problem. Take the phone off the cellular network and you can take all day to retrieve the disk image (in an unencrypted form) from the iPhone.

Yep. Screen door on a submarine. In a follow up entry on {ride the lightning} Sharon finds even more reasons to declare “iPhone security” an oxymoron.

Most users are not aware that the iPhone conveniently creates a screenshot and saves it as a temporary file on the phone. Wired has an article that explains the how and why and is available at http://www.wired.com/gadgetlab/2008/09/hacker-says-sec/. The end result is that there is a very complete “audit trail” of activity that is done on an iPhone, even if the user doesn’t save any data. As an example, you can open a message that contains personally identifiable information and then immediately delete it. Guess what? All of that private data is on the phone until it is overwritten, which could be some time. As we mentioned in the article, the iPhone is an “evidence rich” device. These recoverable screenshots are one reason why and we’ve verified the existence of them through a ton of real world investigations. We’ve never seen this type of activity on any other phone.

Does all of this mean that the iPhone is the ONLY insecure cellular phone on the market? Obviously not, but it is at the top of our list, especially considering the hundreds of phones we get each year for evidence analysis. Any smartphone with a browser is subject to the same attacks and infection as any Internet user. We know many iPhone users are saying that security is the issue and is not unique to the iPhone. Perhaps the truth hurts. Security is a major issue for any law firm, but using a device that does not enforce PIN integrity is a little crazy in my book. I wouldn’t want to make that argument to a malpractice carrier.

Well, so much for the delusions of privacy and security on the iPhone. I guess now we’re back to putting it in a bag in the trunk when we travel. At least in California. Or switching to Blackberry or N900 if we’re lawyers.