Brawl over online music file-swapping spawns 'secure' software

By ALEX VEIGA
AP Business Writer

LOS ANGELES (AP) As the recording industry prepares hundreds of copyright lawsuits against online music swappers, the makers of file-sharing software are fortifying their programs to try to mask users' identities.

Some of the upgrades reroute Internet connections through so-called proxy servers that scrub away cybertracks. Others incorporate firewalls or encryption to thwart the sleuth firms that the recording industry employs.

``Everyone is concerned about their privacy,'' said Michael Weiss, chief executive of StreamCast Networks. The upgrade to his Morpheus file-sharing software has been downloaded more than 300,000 times since its release last week.

Music industry officials insist file-swappers can't hide.

``Nothing that has been invented has prevented us from being able to identify substantial infringers and collect evidence,'' said Matt Oppenheim, senior vice president of business and legal affairs for the Recording Industry Association of America.

Yet experts say some of the countermeasures could make it more difficult to trace individuals on peer-to-peer networks. Though none can guarantee total anonymity, they ultimately may not have to.

``With enough technology it may not be worth the effort for the RIAA to come after somebody,'' said Mark Rasch, a former U.S. Justice Department computer crimes prosecutor. ``At some point it can become so difficult to find out who did something that it becomes practically anonymous.''

Seth Schoen, staff technologist at the Electronic Frontier Foundation, an advocacy group for online civil liberties, said many of the upgrades remain unproven.

``I'm not aware of independent testing or review to verify the claims that people are making,'' he said.

The RIAA, which represents the major recording companies, announced last month that the industry would soon begin suing individuals who swap copyright music online in a bid to discourage piracy. It has already issued more than 900 subpoenas and its lawyers say they expect to file lawsuits in the next few months.

The RIAA scours the most popular file-swapping systems for users with large collections of copyright works and tries to identify their Internet service provider through the Internet Protocol, or IP, numbers assigned to computers on the Internet. The RIAA can then subpoena a service provider demanding a user's identity.

Upgrades to the file-sharing software seek to short-circuit that detection process.

Morpheus, for one, lets members connect to a Web site that links to several public proxy servers, which help mask the user's IP number. The more proxy servers involved, the more difficult it can be to trace connections to their source.

The chase is further complicated because proxy servers operate independently of Internet providers.

The RIAA would not say whether it would subpoena proxy server owners. Even if it does, trails could quickly end if a proxy server is located in a nation that does not recognize subpoenas.

Nonetheless, tracing is not impossible.

``You're putting all your trust in that box. Can they be subpoenaed? Can they be forced to testify, forced to turn their logs over?'' said Errol Weiss, vice president of technical services for Solutionary Inc., a McLean, Va., computer security firm.

Rasch, who also works at Solutionary, said proxies only make tracing more difficult. ``That's all it is, a cat-and-mouse game.''

In a separate countermeasure, the new Morpheus edition and several other file-sharing programs, including Kazaa Lite and Shareaza, help users identify the IP addresses of companies hired by recording companies to troll networks for pirates.

Users can then try to block access from those addresses using software such as PeerGuardian. The tactic forces investigators to change their addresses.

Sharman Networks Ltd., which owns Kazaa, released updated software within days after the RIAA announced it would take individual file-sharers to court. Among other things, the update reconfigured settings so users have to grant permission for others to see their files.

Two Spanish-based peer-to-peer services Filetopia and Blubster claim to have the strongest privacy protections.

Filetopia uses encryption to scramble data on its network. Users also have the option to use a program that reroutes data similar to a proxy server.

Pablo Soto, the developer of Blubster, said his program scatters packets of data at random using other computers on a file-swapping network. Each data packet eventually finds its way to the computer seeking the file, where the packets are reassembled.

The scattering process makes it difficult to gather evidence because transmission logs don't reveal a file exchange has taken place, Soto said.

Errol Weiss, the security expert with Solutionary, disagreed. He said the data traveling through Blubster-type networks still carry enough information to track their origin.

``I can still tell where it's coming from,'' he said.

(Copyright 2003 by The Associated Press. All Rights Reserved.)