It was a culturally charged, publicity-driven showdown that conjured
images of Kenneth Starr and his platoon of report-carrying U-Hauls.
On Wednesday, May 3, metal superstars Metallica marshalled their
team of lawyers, advisers and supporters, and trucked 60,000 pages
of data to Napster's San Mateo, Calif., headquarters. (The band,
admittedly oblivious to MP3 technology, must also be unaware of Zip
disks.) The pages contained identifying information about 335,435
Napster users who had Metallica songs on their hard drives.
But Lars Ulrich and crew didn't do the snooping themselves. The work
was performed by a Cambridge, England-based company that calls
itself MP3 Police. The four-month-old firm -- now in the process of
changing its name to the somewhat less ominous-sounding NetPD --
contacted Metallica last month with an offer to hunt down Napster
users suspected of piracy. Metallica became the Web bobbies' first
MP3 Police's tactics raise many untested questions about Internet
privacy. Did the methods employed by MP3 Police violate not only
Napster's commercial protections, but also the privacy rights of
Napster users? 'Metallica has cloaked itself in the law to protect
its proprietary rights, yet the band seems indifferent to trampling
on the potential privacy rights of others,' said George Spathis, a
technology lawyer at Chicago-based Ross & Hardies.
To compile its dossier, MP3 Police spent 80 hours trolling the
Internet. Using their propietary software, the company obtained the
screen names of the Napster users who had traded Metallica files,
their IP address, the time when they logged on and off to Napster
and which of Napster's 53 servers they used.
MP3 Police did not, however, provide Metallica with the real names
of the Napster users, nor their e-mail addresses. But Bruce Ward,
MP3 Police's technical expert, said it easily could have taken the
next step and outed the alleged miscreants: 'E-mail addresses could
be determined from the data we provided.'
To gain access to the names of Napster users who dialed in via
modem, though, the firm would have needed the cooperation of the
users' Internet Service Providers. That's because most modem users
are assigned a different IP address by their ISP for each session.
By corroborating a user's activity on Napster with a user's activity
on his ISP, MP3 Police could theoretically uncover more detailed
information about a user's identity. (Users of high-speed
Internet-access connections like cable modems and DSL lines have
dedicated IP addresses, making them easier to peg.)
Ward said Metallica has not asked MP3 Police to pursue individual
fans for copyright violations.
The ramifications of MP3 Police's tactics are far-reaching. Internet
security experts say that the firm's methods could be easily copied.
IP addresses, user names and other information always trail a surfer
on the Web or in a chat room. 'Technically, it's a no-brainer,' said
Chris Rouland, a research and development director at Atlanta-based
Internet Security Systems. 'You could have a software agent easily
monitor Napster's servers.'
But the exact means of how MP3 Police monitored Napster's servers is
what makes the situation woolier -- and potentially litigious. Tech
gurus believe the company could have only gained access in two ways:
using Napster's software or bypassing it. Either route is fraught
with legal peril, and MP3 Police won't reveal its surveillance
methodology. 'We might have done it by logging into Napster, or we
might have done it without logging into Napster,' Ward said coyly.
If MP3 Police went through Napster's front door, the firm would have
been required to agree to Napster's user agreement, which is similar
to the agreements found on most Web sites. It states that anyone
using Napster agrees not to 'invade the privacy of, obtain the
identity of, or obtain any personal information about ... any
Napster account holder or user.'
Michael Sobel, an intellectual property lawyer at Palo Alto,
Calif.-based Graham & James, said, 'Napster could file a potential claim, saying that they came onto the site without being authorized
to do so.'
Even if MP3 Police wrote new software to penetrate Napster without
violating the user agreement, it may still have run afoul of
anti-hacking statutes like the 1986 Computer Fraud and Abuse Act.
Some attorneys believe that MP3 Police's action might be analogous
to that of a service called Bidder's Edge, which sucks Ebay's
auction data on to its own site without authorization. Ebay is
currently suing Bidder's Edge.
Ward argued that Napster essentially waived privacy protections when
it publicly challenged Metallica to provide names of potential
copyright violators. Metallica's attorney Howard King agreed: 'We
could care less about Napster's policy. Those people are stealing
our property.' Napster wouldn't comment about the prospect of legal
action against Metallica or MP3 Police.
Could MP3 Police be vulnerable to lawsuits from individuals who
believe their privacy rights were abused? The privacy laws are much
cloudier here. 'Do you have a privacy interest in an arbitrary
selected handle?' asked Rich Gray, an intellectual property lawyer
in Menlo Park, Calif. 'Maybe yes, if it's matched to your computer's
IP address.' For example, the ad firm Doubleclick was forced to back
off its plan to track consumer identities by their IP address amid
intense pressure from consumer and privacy groups.
Ward argued that Napster users have no claim of privacy because they
are operating in a public forum. 'When a Napster user makes files
available for the world to download, it becomes publicly available
information,' he said. 'There's no privacy violation when we catalog
that list.' Some computer privacy experts agree. 'Consumers don't
understand that if they publish information and don't want it traced
back, then they shouldn't use a PC,' said Lance Cottrell, CEO of
Anonymizer.com, an Internet privacy service. 'The Internet is
designed for spying and monitoring on people. We're playing
Cottrell wondered whether fans may yet be targeted by MP3 Police.
Whereas high legal bills once made chasing small-time pirates too
costly, companies today could robo-subpoena thousands of consumers
suspected of illegal activity. In his lawsuit against Napster, King
told the court that he might choose to single out some pirates once
their names have been 'ascertained.' 'All you need is a software
program with a giant mail-merge program writing all the text,' said
Ward refused to say whether MP3 Police's sales pitch would ever
include such an offer. But he's confident that he's in a growth
industry. The International Federation of the Phonographic Industry
(IFPI) estimates that there are currently more than 500,000
copyright-infringing files on the Web. And that's just music. Ward
said his company's proprietary technology can even trace traders'
activities on open-source Napster clones like Gnutella.
'We're talking to major labels and other artists to protect their
copyright,' said Ward. 'I expect you will see a lot more about us in
the coming months.'