How It Does It: The RIAA Explains How It Catches Alleged Music Pirates

May 13, 2008

To catch college students trading copyrighted songs online, the Recording Industry Association of America uses the same file-sharing software that online pirates love, an RIAA representative told The Chronicle at the organization's offices during a private demonstration of how it catches alleged music pirates. He also said the group does not single out specific colleges in its investigations.

The demonstration was given by an RIAA employee who would speak only on condition of anonymity because of concern that he would receive hate e-mail.

The official explained that one way the RIAA identifies pirates is by using LimeWire, a popular peer-to-peer file-sharing program that is free online and used by many college students (there is also a more-robust version of the program sold for a small fee).

Here's how the process works: The RIAA maintains a list of songs whose distribution rights are owned by the RIAA's member organizations. It has given that list to Media Sentry, a company it hired to search for online pirates. That company runs copies of the LimeWire program and performs searches for those copyrighted song titles, one by one, to see if any are being offered by people whose computers are connected to the LimeWire network. For popular songs, the search can turn up dozens, if not hundreds, of hits. A search on Madonna's latest release, "4 Minutes," turned up more than a hundred users trading various copies of the song.

The LimeWire software allows users who right-click on any song entry and choose "browse host" to see all of the songs that a given file sharer is offering to others for download. The software also lists the IP address of active file sharers. (An IP address is a unique number, assigned by Internet-service providers, that identifies every connection to the Internet.) While the names of the people associated with particular IP addresses are not public, it is easy to find out which IP addresses are registered to each Internet-service provider. Using public, online databases (such as those at or, Media Sentry locates the name of the Internet-service provider and determines which traders are located at colleges or universities.


Swift Detection


The process mimics how pirates themselves locate files but with a significant difference: speed. Media Sentry has automated the process by using scripting software that types in the songs, grabs the IP addresses, checks them, and forwards the information to the RIAA.

The RIAA's first step against campus pirates is usually to send a Digital Millennium Copyright Act takedown notice, which asks the college to remove infringing content from its network.

In collecting evidence for those takedown notices, Media Sentry investigators do not usually download suspect music files. Instead, the company uses special software to check the "hash," a sort of unique digital fingerprint, of each offered file to verify that it is identical to a copyrighted song file in the RIAA's database. In the rare cases in which the hashes don't match, the investigators download the song and use a software program sold by Audible Magic to compare the sound waves of the offered audio file against those of the song it may be infringing upon. If the Audible Magic software still doesn't turn up a match, then a live person will listen to the song.

If there is a match, Media Sentry investigators will then engage in a so-called TCP connection, or an electronic "handshake," with the computer that is offering the file to verify that the computer is online and is ready to share the song.

Based on that information, the RIAA will send a letter to the college asking for the song to be removed. The letter lists the name of the file and the date and time when Media Sentry investigators saw it available online.

On listservs and in interviews, some university administrators have recently questioned the validity of some of these takedown notices because they say they do not have any record of a download at the named IP address at the specified time. RIAA officials said this is because investigators performed only a "handshake."


Seeking Settlements


In more serious cases of piracy, the RIAA sometimes decides to send out "prelitigation settlement letters," which asks alleged infringers to cough up several thousand dollars in lieu of going to court and potentially facing a much more expensive punishment.

Before sending out the prelitigation settlement letters, Media Sentry investigators always download music files believed to be infringing on licensed songs. Live human beings then listen to those songs to verify that the files are infringing. A letter goes out to the college with the date and time when investigators saw that the song was available for sharing.

While the process for generating both takedown notices and settlement letters is largely automated, the RIAA said that before each warning is sent out, a full-time RIAA employee reviews each case to make sure the claim is legitimate and that the alleged pirate is in the United States. Thanks to the speed and ease of the automated process, though, the RIAA is "able to identify hundreds of instances of infringement on a daily basis," according to RIAA spokeswoman Cara Duckworth. She also acknowledged that the RIAA can tell only when a song is being offered for users to illegally download; investigators have no way of knowing when someone else is actually downloading the song.

The organization does not perform similar automated investigations for file traders on commercial ISP's (that is, Internet- service providers not operated by universities, such as Comcast). All notices received by commercial Internet-service providers are processed manually.

"The automated takedown notice program we have right now is solely university-focused," said the anonymous RIAA representative. "We're trying to make universities aware that they have an issue with peer-to-peer file sharing on their network, and so we don't send automated notices to commercial ISP's, I think because they are generally aware that there's a problem."

The RIAA said it does not single out particular academic institutions to be "made examples of."

"We have no capability of targeting any school at all," said the RIAA representative, who argued that there is a large "misperception" among university administrators that individual colleges are being picked on. "Technically we can't do it. We find what we find with this process, and that's what we send to schools."