June 8, 2008 / 9:02 PM / 11 years ago

Inside the music industry's piracy battle

WASHINGTON (Billboard) - Deep inside the national headquarters of the Recording Industry Assn. of America (RIAA) is a purple room.

Tinted windows shade the faces of young men and women working behind computer screens. They are part of the team investigating the illegal sharing of music files over peer-to-peer (P2P) networks, and they protect their identities carefully.

Such precautions are a reflection of the charged environment in which the music business is operating. The RIAA, the trade group for the major U.S. labels, views anti-piracy enforcement as vital to the recording industry’s future.

Since 2003, labels have filed more than 28,000 lawsuits against individual file sharers. Only one suit has reached trial. Jammie Thomas, a single mother who was ordered by a federal jury in Minnesota last October to pay $222,000, is waiting for the federal court’s decision on her request for a new trial.

Piracy on university campuses is a big part of the problem. In the past year, the RIAA has sent more than 6,000 “pre-litigation settlement letters” to students around the country, giving them the opportunity to avoid a potential lawsuit by settling out of court for a reduced fee. About half have settled, and the other half face formal lawsuits.

Some university administrators complain that record companies unfairly target their campus networks to find infringers. Some judges have questioned whether proof of users making music files available in a P2P network’s “shared folder” is sufficient evidence of copyright infringement. Emotions have run so high that death threats targeting RIAA lawyers and executives haven’t been unheard of.

Despite the RIAA’s efforts, data suggest that demand for pirated content remains strong. A recent NPD Group report estimates that 19% of U.S. Internet subscribers 13 and older download free music from P2P services, barely less than the 20% reported when the RIAA began its user litigation campaign in 2003.

While it is all but impossible to gauge how much additional illegal downloading its enforcement actions may have deterred, the RIAA remains determined to clamp down on Internet piracy. Billboard visited the trade group’s Washington, D.C., offices for a demonstration of how it tracks down file sharers.

In their world of “hash” files and virtual handshakes, the investigations don’t seem dark and sinister. The search begins simply — with a song.


An RIAA investigator and technology specialist, who asked for anonymity, clicked the keyboard on his laptop. The LimeWire interface appeared on a large screen.

New York-based LimeWire LLC touts on its Web site that its software is “the fastest file-sharing program on the planet.” The site offers a free version of its software, but it also offers the revenue-generating upgraded version for around $20. LimeWire is one of many software programs that run over the Gnutella file-sharing network.

To root out illegal file-sharing activity, the RIAA works with Maryland-based MediaSentry, which has developed customized programs that also operate over the Gnutella network. MediaSentry has a list of recordings owned by RIAA-member companies and, like any P2P user, can search for a music file by song title.

MediaSentry then collects alphanumeric “hash” codes it discovers online that are associated with these recordings. LimeWire and similar programs will identify how many users are sharing the same file as identified by the hash code. The combination of song titles and hash codes listed in the ever-growing database are the foundation and starting point of all RIAA investigations.

When a consumer rips a song from a CD and gives the digital file a name, the computer hardware, ripping software and other digital data together create a digital file identified by a distinct hash code. If the user rips the same song with an older computer — even with the same software — the file will have a different hash code. The slightest change in the music source, computer hardware, ripping software, P2P protocol, file name or length of recording will change the hash code identifying the resulting MP3 file.

For example, while searching for a Madonna song at the RIAA offices, dozens of users were sharing the same Madonna title over LimeWire — but six users were sharing the digital files with identical hash codes. Since it is highly improbable that more than one user would have the exact combination of equipment and timing to create identical hash codes, the investigator says, the six users are likely sharing copies of the same file that one person originally uploaded to the Internet and that was later downloaded and shared by other users.

When MediaSentry observes that an MP3 file of a particular song is available for sharing over a P2P network but the hash code doesn’t match one in its database, the company downloads the file. Then it runs the file through a digital fingerprint system operated by Audio Magic to verify that it is an RIAA-member recording, which has been fingerprinted by the record company when the recording was made. If the file is in fact a copy of the recording, MediaSentry saves the hash code in its database.

What MediaSentry and RIAA investigators do next depends on whether they’re preparing a take-down notice for a university or planning to pursue litigation against an individual.


Copyright holders cannot possibly sue every copyright infringer. But they can notify an Internet service provider when a user is infringing a copyrighted work. The ISP is required under federal law to block that material from the Internet after receiving a take-down notice from the copyright holder, as long as the notice complies with requirements set out in federal regulations. Many universities have their own computer networks and, as such, act as ISPs.

A take-down program begins with the RIAA’s list of about 700 current, popular titles of recordings owned by its member companies. The list is compiled — and continually updated — from Billboard and online music services’ sales charts. The user-litigation program uses many more titles, but the RIAA won’t disclose the number.

Once the MediaSentry search for a title identifies a hash, the software then tries to match it with popular hashes shared among P2P users listed in the database.

“We look for the most popular hashes,” the RIAA investigator says. “It’s then very unlikely that the person ripped it from his or her own CD collection and is making it available for the first time. It’s more likely this person has downloaded it from somebody else. The hash can’t be one we’ve seen many times before if somebody ripped it for the first time.”

Once the popular hash is identified, the MediaSentry program makes contact with the user through a “TCP handshake” — essentially a conversation between the Web server and the Web client, like LimeWire, via the Internet transmission control protocol.

“Are you online and do you have this hash code?” the program asks. If the user’s program says “yes,” then the user is pegged. Just one digital file is enough for the RIAA to send a take-down notice.

The user doesn’t have to be sitting at the computer to be sharing a file. LimeWire and similar programs continue to share files over the P2P network as long as the computer is on, the program is open and the file-sharing component is on.

MediaSentry records the IP address, the name of the company or university that owns the ISP, the date and time of the handshake, the user name and the infringed title. The company sends it to the RIAA.

RIAA personnel then review the information, manually prepare the take-down notices and send them to the university.

“There is an idea that we target certain universities,” the investigator says. “That is completely incorrect and, technically, not possible. We find what we find by song and through public means; we don’t try to get into a university’s internal system.”


The RIAA uses litigation to target some of “the most egregious users we find,” the investigator says.

This process, too, begins with the song search, but entails the collection of far more data on an individual user than is required for a take-down notice. After MediaSentry finds popular hash codes, the company’s software — just like LimeWire — allows a search of all the files the user is sharing.

The company collects the list of music files the user is sharing, identifies songs that belong to RIAA-member companies and downloads the files. MediaSentry also collects very detailed text logs as evidence of its activities throughout the entire process.

The ISP associated with an IP address is easy to identify. The American Registry for Internet Numbers, a nonprofit organization, provides the information via a search on its Web site.

MediaSentry sends the information to the RIAA, which has staff that listen to each downloaded file to verify the identify of the song. The RIAA notifies the ISP to preserve the evidence connected to the IP address. The record companies then file a lawsuit naming “John Doe” as the unnamed defendant.

Once they file the suit, the labels may then have the court issue a subpoena for the ISP to identify the registered user for the IP address. That person then replaces John Doe as the defendant.


0 : 0
  • narrow-browser-and-phone
  • medium-browser-and-portrait-tablet
  • landscape-tablet
  • medium-wide-browser
  • wide-browser-and-larger
  • medium-browser-and-landscape-tablet
  • medium-wide-browser-and-larger
  • above-phone
  • portrait-tablet-and-above
  • above-portrait-tablet
  • landscape-tablet-and-above
  • landscape-tablet-and-medium-wide-browser
  • portrait-tablet-and-below
  • landscape-tablet-and-below