In the War on Napster, a New Ally: The MP3 Police
An ominous-sounding British company executed Metallica's Napster-snooping coup and upped the stakes in the battle over copyright. But was it legal?
by Warren Cohen


Inside.com
Wednesday, May 10, 2000

It was a culturally charged, publicity-driven showdown that conjured images of Kenneth Starr and his platoon of report-carrying U-Hauls. On Wednesday, May 3, metal superstars Metallica marshalled their team of lawyers, advisers and supporters, and trucked 60,000 pages of data to Napster's San Mateo, Calif., headquarters. (The band, admittedly oblivious to MP3 technology, must also be unaware of Zip disks.) The pages contained identifying information about 335,435 Napster users who had Metallica songs on their hard drives.

But Lars Ulrich and crew didn't do the snooping themselves. The work was performed by a Cambridge, England-based company that calls itself MP3 Police. The four-month-old firm -- now in the process of changing its name to the somewhat less ominous-sounding NetPD -- contacted Metallica last month with an offer to hunt down Napster users suspected of piracy. Metallica became the Web bobbies' first major client.

MP3 Police's tactics raise many untested questions about Internet privacy. Did the methods employed by MP3 Police violate not only Napster's commercial protections, but also the privacy rights of Napster users? 'Metallica has cloaked itself in the law to protect its proprietary rights, yet the band seems indifferent to trampling on the potential privacy rights of others,' said George Spathis, a technology lawyer at Chicago-based Ross & Hardies.

To compile its dossier, MP3 Police spent 80 hours trolling the Internet. Using their propietary software, the company obtained the screen names of the Napster users who had traded Metallica files, their IP address, the time when they logged on and off to Napster and which of Napster's 53 servers they used.

MP3 Police did not, however, provide Metallica with the real names of the Napster users, nor their e-mail addresses. But Bruce Ward, MP3 Police's technical expert, said it easily could have taken the next step and outed the alleged miscreants: 'E-mail addresses could be determined from the data we provided.'

To gain access to the names of Napster users who dialed in via modem, though, the firm would have needed the cooperation of the users' Internet Service Providers. That's because most modem users are assigned a different IP address by their ISP for each session. By corroborating a user's activity on Napster with a user's activity on his ISP, MP3 Police could theoretically uncover more detailed information about a user's identity. (Users of high-speed Internet-access connections like cable modems and DSL lines have dedicated IP addresses, making them easier to peg.) Ward said Metallica has not asked MP3 Police to pursue individual fans for copyright violations.

The ramifications of MP3 Police's tactics are far-reaching. Internet security experts say that the firm's methods could be easily copied. IP addresses, user names and other information always trail a surfer on the Web or in a chat room. 'Technically, it's a no-brainer,' said Chris Rouland, a research and development director at Atlanta-based Internet Security Systems. 'You could have a software agent easily monitor Napster's servers.'

But the exact means of how MP3 Police monitored Napster's servers is what makes the situation woolier -- and potentially litigious. Tech gurus believe the company could have only gained access in two ways: using Napster's software or bypassing it. Either route is fraught with legal peril, and MP3 Police won't reveal its surveillance methodology. 'We might have done it by logging into Napster, or we might have done it without logging into Napster,' Ward said coyly. If MP3 Police went through Napster's front door, the firm would have been required to agree to Napster's user agreement, which is similar to the agreements found on most Web sites. It states that anyone using Napster agrees not to 'invade the privacy of, obtain the identity of, or obtain any personal information about ... any Napster account holder or user.'

Michael Sobel, an intellectual property lawyer at Palo Alto, Calif.-based Graham & James, said, 'Napster could file a potential claim, saying that they came onto the site without being authorized to do so.'

Even if MP3 Police wrote new software to penetrate Napster without violating the user agreement, it may still have run afoul of anti-hacking statutes like the 1986 Computer Fraud and Abuse Act. Some attorneys believe that MP3 Police's action might be analogous to that of a service called Bidder's Edge, which sucks Ebay's auction data on to its own site without authorization. Ebay is currently suing Bidder's Edge.

Ward argued that Napster essentially waived privacy protections when it publicly challenged Metallica to provide names of potential copyright violators. Metallica's attorney Howard King agreed: 'We could care less about Napster's policy. Those people are stealing our property.' Napster wouldn't comment about the prospect of legal action against Metallica or MP3 Police.

Could MP3 Police be vulnerable to lawsuits from individuals who believe their privacy rights were abused? The privacy laws are much cloudier here. 'Do you have a privacy interest in an arbitrary selected handle?' asked Rich Gray, an intellectual property lawyer in Menlo Park, Calif. 'Maybe yes, if it's matched to your computer's IP address.' For example, the ad firm Doubleclick was forced to back off its plan to track consumer identities by their IP address amid intense pressure from consumer and privacy groups.

Ward argued that Napster users have no claim of privacy because they are operating in a public forum. 'When a Napster user makes files available for the world to download, it becomes publicly available information,' he said. 'There's no privacy violation when we catalog that list.' Some computer privacy experts agree. 'Consumers don't understand that if they publish information and don't want it traced back, then they shouldn't use a PC,' said Lance Cottrell, CEO of Anonymizer.com, an Internet privacy service. 'The Internet is designed for spying and monitoring on people. We're playing catch-up.'

Cottrell wondered whether fans may yet be targeted by MP3 Police. Whereas high legal bills once made chasing small-time pirates too costly, companies today could robo-subpoena thousands of consumers suspected of illegal activity. In his lawsuit against Napster, King told the court that he might choose to single out some pirates once their names have been 'ascertained.' 'All you need is a software program with a giant mail-merge program writing all the text,' said Cottrell.

Ward refused to say whether MP3 Police's sales pitch would ever include such an offer. But he's confident that he's in a growth industry. The International Federation of the Phonographic Industry (IFPI) estimates that there are currently more than 500,000 copyright-infringing files on the Web. And that's just music. Ward said his company's proprietary technology can even trace traders' activities on open-source Napster clones like Gnutella. 'We're talking to major labels and other artists to protect their copyright,' said Ward. 'I expect you will see a lot more about us in the coming months.'