RIAA, MPAA threaten software cluster bombs

WE'VE TALKED a fair amount lately about the RIAA / MPAA / music downloading issue, what with the recent federal decision that Morpheus and Grokster were not illegal and Apple's launch of its new iTunes software, but it appears the record industry is hardly standing still. According to Cnet, all of the major record companies including Vivendi's Universal Music Group, AOL Time Warner's Warner Music Group, Sony Music Entertainment, Bertelsmann's BMG and EMI Group have invested into small software companies dedicated to building programs to attack the PCs of people who download pirated music or movies.

The effects of such programs range from re-directing the user to a site where they can download the media legitimately -- which is rather harmless -- to locking up a system for minutes or even hours. It's been suggested that other programs are under development that would trigger a DoS (Denial of Service) attack against an offending customer as well. The last method of protection the article discusses is the RIAA's already implemented idea of uploading hundreds of fake copies of a song or movie. This has been proven to have limited success in practice.

Its an unquestionable fact that the RIAA/MPAA have the right to protect their members' content from being stolen online, and no one has contested their right to upload false music or movies in order to seed the networks with bad copies. Granting that, however, a theoretical deployment of the above software by the MPAA/RIAA could raise serious legal questions.

First and foremost there's the question of whether or not the punishment fits the crime. Even if an individual is proven guilty of content theft, the degree of damage which the RIAA/MPAA-sponsored programs inflicted on his machine could be contested as excessive, particularly if measures even more stringent than the ones above were adopted. Instituting a mandatory format of someone's hard drive would remove the offending data, after all, but would also completely destroy the person's system. To draw a rough parallel, shopkeepers are allowed to apprehend shoplifters, but not by shooting them in the kneecaps as they run away. Whether or not this type of clause would come into effect obviously will depend on the type of program used and the severity of the infraction, but its existence should give the MPAA/RIAA reason to think very carefully about their decisions in deploying such technology.

Perhaps more seriously, however, what happens when the software makes a mistake? We all know that no software package is perfect and there's already evidence suggesting the RIAA/MPAA does occasionally misidentify pirates. One notable case involved the RIAA's fingering of an 84 year old woman as a pirate with a library of over 50,000 songs. Needless to say, it turned out to be a case of mistaken identity.

Such cases might occur rarely, even very rarely, but they will inevitably occur, and the courts have traditionally taken a dim view of the ends-means rationale that believes the innocent must suffer to catch the guilty. Porn filtering in libraries has been blocked thus far precisely because no filter has been able to properly separate the pornographic from the informational, for example. Similarly, the government will not accept a security system that occasionally blitzes the machine of an innocent user in the name of catching the guilty, especially when said user may have little to no recourse before the penalty goes into effect.

The programs in question may turn out to be little more than an investigatory pathway and never see the light of day — for the RIAA/MPAA's sake, I hope so. The reaction of consumers should the more destructive of the programs mentioned above activate and begin (mis)targeting individuals could be dramatic. µ