For the past few months, the Recording Industry Association of America (RIAA) has been slapping American MP3-swappers with lawsuits in an effort to deter an activity that the entertainment industry claims is costing it millions of dollars. But now, somebody is slapping back. Earth Station 5, or ES5, is a peer-to-peer (P2P) file-sharing network based in the Jenin refugee camp in the Palestinian Territories. The backers of ES5 say that the program can provide complete anonymity for its users via third-party proxy servers (computers that provide a kind of neutral buffer between a file downloader's home computer and the network); has, on average, 16 million members connected to its network; will never contain stealth adware or spyware programs; and -- because it is headquartered in the Palestinian Territories -- is immune from the legal grasp of the RIAA and the Motion Picture Association of America (MPAA).
Moreover, ES5 has taken an aggressively hostile stance against the movie, music and software industries. There's none of the wink-wink, nudge-nudge, we're-not-responsible- for-what-our-users-do stance that goes on with other P2P platforms such as Kazaa, or, once upon a time, Napster. ES5 claims to be "at war" with the major media organizations. The company actively engages in file sharing, streams unlicensed first-run movies, and claims to have 200 terabytes of "free" music and software it plans to release across its network. And how does it respond to demands to cease and desist?
"Basically," says ES5 media liaison Steve Taylor, "we tell them to go fuck off."
"Earth Station 5 is trying to get press by throwing stones at us," says Matthew Oppenheim, senior vice president of legal and business affairs for the RIAA. Maybe so. But if history is any example, Palestinians can be very determined stone-throwers.
Before Kazaa, before Audiogalaxy, before Gnutella, iMesh, LimeWire, MP3.com, or Napster, MP3 swapping was already rampant on the Internet. If you knew where to look, the files were there. On IRC and FTP sites and in newsgroups, MP3 trading raged. But it was all very quiet, very hush-hush. And then along came MP3.com and Napster. Suddenly, you didn't have to know where to look anymore. It was all there for the taking.
But the centralized systems turned out to be easy targets for the RIAA. So the rapidly moving P2P world switched to decentralized servers, the Fast Track file-sharing system used by Kazaa and Grokster, and the Gnutella network used by eDonkey and LimeWire. Although the RIAA has had more difficulty stomping out these networks, it has still been able to uniquely identify users on those systems. These are the so-called "grannies and girl scouts" cases, in which the RIAA has sued end-users to try to stem the tide of file swapping.
As it always does, technology evolved in response. The latest generation of P2P applications, such as WASTE and ES5, are designed to thwart efforts to determine who is hosting or downloading files.
"Filehoover and I were talking about the Kazaa court case and how the Fast Track network lacks the ability to secure itself," says "SharePro," an ES5 programmer, via online messaging. (Like the users themselves, many of ES5's employees rely on anonymity. Although a few of the company's operatives, such as Taylor and company founder Ras Kabir, maintain a public presence, most of the employees tend to go by screen names.)
"Fast Track was built nicely three years ago. But today it is obsolete because it cannot complement modern secure protocols like HTTPS/SSL. Nor can Kazaa support proxies. It supports SOCKS proxies, which are mainly set up by hackers to steal passwords. So Filehoover, I and Ras discussed building a network and program that could support multiple proxies and secure P2Pr's.
"In addition, we were concerned with how Kazaa contains spyware and the fact that they could be putting their entire user database at risk. Spyware sends at different intervals the Internet Protocol (IP) address, MAC address, registry settings, and the entire upload/download log of the P2Pr. In other words, Kazaa has infected over 300 million P2Pr's and sold them out."
But without advertising, or spyware, ES5 would seemingly have no way to make money. Considering the massive infrastructure required to support such an application and network -- according to the European and Middle Eastern domain registry RIPE, ES5 owns blocks of thousands of IP addresses -- as well as likely ongoing legal costs, ES5 would require some sort of major investment and, presumably, a major payoff eventually.
Taylor claims that the company is spending $2 million a month. Behind the scenes, he says, are six investors who fund the project and keep it going, four of whom are billionaires. He claims that the company sees ES5 not as a P2P network, but rather as a full-service portal, complete with voice-over IP for making long-distance calls on the cheap, online dating, and eventually, online gambling.
Yet ES5's business plan -- or lack of one -- has raised all sorts of questions and suspicions. Rumors abound about the company's motives. Many in the online file-trading community have speculated that ES5 is some sort of front for the RIAA and MPAA, engaging in a giant dragnet to snare unsuspecting sharers. Or that the network's list of trusted proxy servers are actually RIAA "honeypots," designed to snag users' IP addresses. Taylor adamantly denies these stories, and points out the volume of financial damages ES5 is inflicting on copyright holders. Likewise, the RIAA's Oppenheim scoffs at such rumors as "nonsense."
Worse for ES5's reputation, however, was a utility built into the software that wasn't readily apparent. When Kazaa-Lite author Shaun Garriock reverse-engineered ES5's software, he found a tool that allows the network to remotely delete files on users' systems. When he disclosed his findings, it caused quite a stink online. ES5 states that the functionality was built in so that it might remotely update users' software, and that it has since disabled the feature. However, the damage has already been done.
"The key to enabling any functionality that changes the user's software or computing base is to fully disclose said behavior," says security consultant and anonymity expert Len Sassaman, "so that the user is entirely aware of the actions of your software. When such functionality is stealthily introduced, it raises suspicions, warranted or not."
Yet the real question for ES5 users is: Are you really anonymous?
"So-called anonymizers have not worked. We are filing actions against individuals who use them," says Opppenheim. However, he concedes that the organization has taken no action against ES5 users thus far. "We haven't filed suit against Earth Station 5 users to date, but we have the ability to identify infringers on that network and reserve the right to do so at any time."
Shenanigans, replies Taylor. "You can't trust anything the RIAA says."
Since the RIAA won't comment on ongoing investigations, we can't know how it's accessing user data. One answer might be that some ES5 users aren't connecting to the network in "stealth" mode, the setting that hides a user's IP address. Another, more likely scenario, is that the RIAA has found a way to exploit the network of third-party proxy servers ES5 relies on to conceal its users' anonymity.
"Anonymity systems are extremely difficult to build," says Sassaman. "What they claim to have is a 'trusted proxy' system, where the user's anonymity is not verifiable, but relies on the proxy he is using being honest. Even if the proxy is honest, there are possible side-channel attacks which could result in leakage of information about the user."
"Unless you know who the proxy is," concurs Taylor, "you really don't know what's happening." He states that ES5 is in the process of releasing a new version of the application (which should be out by the time this article appears) that doesn't rely on proxy servers at all. But he won't say how it works. "We're not going to discuss that," he says, "and the reason we're not going to discuss that is because the bad boys read everything that's out there."
SharePro is equally circumspect on the details of the new network, even if he is adamant about its effectiveness. "We are releasing ... a new version that will change the entire P2P industry," he writes, "[with] the ability to forge your IP address and share/download. There is no way in hell that anybody can track you down using this protocol and there is no need for a proxy. It's like putting a letter in a public mailbox with a fake return address."
But what about the company itself? Isn't it subject to legal action by the RIAA?
"We saw that a court was willing to exercise jurisdiction over [Kazaa parent company Sharman Networks]," says Oppenheim, referring to a court decision in January that found that although the company was headquartered in Vanuatu, a Pacific Island state with no copyright agreements, it could still be sued in the U.S. based on its millions of American subscribers. "And underlying infringers are subject to enforcement here."
"They can try [to sue us in the United States]," laughs Taylor. "What are they going to do? Why don't they sue us in China? Let's say they did sue us and did win a judgment. What are they going to do, wipe their ass with it? How do they enforce it?"
And that does seem to be the question for the RIAA. Palestine is a unique place, but it isn't lawless. ES5 argues that it isn't breaking any laws, that as long as it doesn't violate any Palestinian copyrights, everything's kosher, so to speak. In Palestine, the company claims, all of its activities are entirely legal. This may or may not be true; it's certainly complicated by the unique legal status of the territories in the West Bank and the Gaza Strip.
According to legal experts Salon talked to, the Palestinian autonomous area is a trouble spot for Western copyright holders, but not a complete free-for-all zone. Israel has intellectual property agreements with the Palestinian Authority that provide TRIPS-level copyright protections between the two entities. At the very least, this would secure Israeli copyrights. Even more compelling, however, is a statute dating back to the time when the entire region was a British Possession, the 1911 Copyright Act, which the Palestinian Authority claims to adhere to. Stanford University law professor and copyright guru Lawrence Lessig concurs with the prevailing Western opinion that ES5 is violating the law.
"The RIAA is correct," says Lessig. "When someone downloads something in the U.S., that constitutes a violation in the U.S. So there is a U.S.-based wrong. They could get a default judgment against the Palestine-based P2P network, and then start foreign proceedings to try to get a judgment. But more likely is that they would get companies supplying bandwidth to stop supplying bandwidth. So whether or not it would be meaningless in Palestine, the RIAA can get effective justice just outside the border."
Or can it? Taylor and Kabir provided Salon with copies of numerous complaints sent to Speednet, the ISP listed on RIPE as ES5's access provider, from the MPAA, dating back to September. The company, however, remains online and untroubled. Taylor contends that under the 1996 agreement granting conditional authority to the Palestinian Territories, the Israeli government is obligated to provide Internet and communications access to the territories, and that the Palestinian Authority is of no mind to cut off ES5. Furthermore, he claims that ES5 has backup access, via satellites and other methods.
Yet whatever the truth of the matter is, and regardless of what the courts may decide, as long as the security situation in the Palestinian Territories is what it is, copyright enforcement will remain difficult for reasons that have nothing to do with international agreements, or the vagaries of an emerging legal system.
"A process server tried to serve papers one time," Taylor explains. "Supposedly, there were shots fired."