
Archive for the ‘Privacy’ Category

Every pirate knows that the only way to block the copyright trolls from identifying their true IP addresses (and thus sending out DMCA copyright infringement notices, as outfits such as CEG-TEK have been known to do) is through the use of a Virtual Private Network (VPN) [, and not just any VPN, but a paid VPN provider which does not track their subscribers’ activities*].

In recent weeks, I have heard from various copyright trolls that bittorrent users are “winning the piracy war,” in that their activities have thwarted the copyright holders from learning who they are. Armed with what is becoming common knowledge of free software which can be configured to stream pirated content (e.g., Kodi, formerly XBMC), internet users who wish to “unplug” from the cable companies are able to do so in a way in which it becomes difficult if not next to impossible to be caught viewing streamed content**. Not only this, but many have even purchased Amazon Fire sticks which can be jailbroken to allow the Kodi software to be installed on it, and they are watching pirated videos from their HDTV without even needing a computer.***

But what is the effect of “winning the war” on those who are left behind and don’t realize that they need to use a VPN if they are going to bittorrent their favorite movie, software, or video game? This is the point of the article.

The unintended consequence of bittorrent users learning to use a VPN, or migrating away from bittorrent and towards free streaming services is that copyright holders [who for three years now have enjoyed easy settlement money] are realizing that there simply are not enough people to send DMCA / copyright infringement notices to in order to line their pockets with gold and dirty cash. As a result, it is my experience that they are becoming “less nice” and they are trying to make more money from fewer downloaders. Case-in-point: Girls Gone Wild DMCA notices used to ask for one $300 settlement for a whole page of 60+ videos, but now they are asking for tens of thousands of dollars for that same “click” of a bittorrent file.

I am also noticing that CEG-TEK is acting differently, perhaps in response to what has been described to me as a steep decline in numbers of “pirates” to whom they can send DMCA notices. In the past few weeks, it has been my experience that Copyright Enforcement Group (CEG-TEK) is now sending multiple notices out to the ISPs for the same download. In one case regarding their Girls Gone Wild client that I mentioned above, CEG-TEK sent literally over 1,000 notices to one ISP for the alleged download of one bittorrent file.

At first I thought this was a glitch in their computer system, but then it occurred to me that maybe CEG-TEK somehow benefits from keeping the numbers of DMCA notices sent to the ISPs artificially high. Is there any benefit to them to be doing this? I have been racking my brain on this topic and I still cannot come up with a reason.

Honestly, here is my concern. When an animal is backed against the wall, what does it do? It attacks. If indeed we are winning the bittorrent piracy war, I am concerned that CEG-TEK will begin taking on new clients who thrive on stacking their bittorrent files with hundreds of adult films. Those who are sophisticated will understand exactly who I am speaking about.  

They will then trap the unsuspecting bittorrent user who “clicks on ONE bittorrent file” in their spider web, and that user will receive hundreds of DMCA notices which will scare the b’jeebies out of him.  Then they will give in to the urging of their less-than-ethical client, and they will agree to start charging more than the $300 per title that they currently do (remember, at one point, CEG-TEK used to charge $200 per title, and then at what I understood to be the urging of their client, they raised the settlement amount to $300 per title).  So they are pliable, as we have seen in the past.

In the end, just as we saw hints of this with the recent Girls Gone Wild debacle, CEG-TEK will morph from a $300 per title copyright enforcement outfit (lamb) into a $3,500 per title shakedown outfit (wolf) where they base their settlement amounts on the client’s ability to pay rather than what they believe is a “fair” amount to compensate the copyright holders.

Last, but not least, I learned that CEG-TEK threatened an accused downloader with criminal prosecution this week. For those of you who know me, I have spent almost every day since 2010 working on copyright infringement cases. NEVER until last week have I seen a copyright holder threaten an accused internet user with criminal charges for a copyright infringement matter.

In sum, the times they are a changin’. If we are indeed winning the war, what will CEG-TEK turn into in order to survive?  And, what will their copyright holders (who for the most part have been docile and lazy these past few years) do when their easy income stream dries up?


CONTENT CUT FROM THE ARTICLE:

*[UNRELATED PERSONAL NOTE: I am a fan of such VPN providers not because they make piracy more difficult to detect, but because I believe strongly in a person’s right to be anonymous. The amount of snooping that happens with internet trackers, cookies, and newer methods literally sickens me, and I do not believe that advertising companies and ISPs should have so much knowledge about their customers. For this reason, I have nothing wrong with sharing for privacy purposes that examples of VPNs that you can rely on can be easily found by searching “torrentfreak secure vpn” on Google, or just by going to TorrentFreak’s website where they review VPN providers which take your anonymity seriously. Just be sure to have some mechanism in place that if the VPN connection goes down, even for a second, that your real IP isn’t exposed to whatever site you happen to be visiting, or to whatever server you happen to be connected to. This is called a “DNS leak,” and there are easy ways to configure your system to lock down the connection if or when the VPN goes down, even for a second.]

** NOTE: There is a popular software called PopcornTime which I am sad to share has given our firm many clients who have been caught downloading mainstream movies (e.g., The Dallas Buyers Club cases, Voltage Pictures’ Fathers & Daughters Nevada, LLC cases, and most recently, Millennium Film’s London Has Fallen (“LHF”) movie cases, etc.). Most recently, I have been seeing new CEG-TEK notices for Millennium Film’s “Criminal” movie which the copyright holders have already started suing in “Criminal Productions, Inc. v. John Doe” copyright infringement lawsuits. The reason for so many getting caught is that PopcornTime appears to be a software which allows you to stream video content, but it uses bittorrent as its back-end to download the movies.

*** NOTE: The Amazon Fire sticks which have Kodi installed in my opinion can still get you caught for copyright infringement. The reason for this is that they connect directly to the internet exposing your real IP address. Most people don’t realize that they need to also configure their ROUTER to connect to the internet through their paid VPN provider.




Off the cuff, this is a post about PGP (a.k.a., “pretty good privacy”) and encryption.

When I was in college in the 1990’s, encryption was the easiest thing to set up. We’d download some freeware, set up a few encryption keys, upload the keys to the MIT servers, and send around “how are you, aren’t we cool because we’re using encryption” e-mails to friends and family. Little did we know those keys would be permanently there years later, and most of us lost our keys over the years, and forgot to set expiration dates on our keys (so my old college keys are still available somewhere on the net).

After a phone call today, I realized that after so many years, I have not used PGP, and I did not have a PGP key handy to encrypt an e-mail and its contents. “No problem,” I thought, I’ll just go online, grab the free software from Symantec, and I’ll set up a key and forward the documents. NO GO.

Symantec purchased the rights to the PGP software from Phil Zimmermann, and they TOOK AWAY the ability for individuals to set up PGP encryption on their machines (unless they purchase an elaborate suite of programs for $$$$). And, even if I wanted to purchase the software, they have made it next to impossible to acquire it using a few clicks, a credit card, and a website checkout.

Honestly, I have nothing wrong with companies selling premium features on top of their free software, but ENCRYPTION SOFTWARE SHOULD BE FREE!!! In order to have a free society where individuals can speak and express themselves freely without need to censor themselves in fear of a snooping government, encryption is needed! Because Symantec took away the ability for individuals to use PGP, in my opinion, this in my book is considered unethical and “mean” business practice. Shame on you, Symantec.

[ON A SIDE NOTE: I want to point out that in college Phil Zimmermann was my hero. Now on his “Where to get PGP” website, he states that he doesn’t care that PGP is no longer free, as long as Symantec kept the source code available to the public. Phil Zimmermann, for the reason that you have made it so that companies can make it difficult for users to access and use encryption, now almost twenty years later, you are no longer my hero.]

Since PGP has become monetized and corporatized for corporate profit and control, for those of you who want (and should) set up encryption, there is still a way. GnuPG (part of the OpenPGP Alliance) has made encryption available to Windows PC users using their GPG4win software. Essentially, the software appears to have originally been written for the Linux operating systems, but it has been ported for those of us that are still shackled to a Windows PC operating system.

 

HOW TO OBTAIN AND SET UP PGP SOFTWARE IN ORDER TO ENCRYPT AND DECRYPT YOUR MESSAGES AND FILES:

STEP 1: DOWNLOAD THE SOFTWARE.

The link to download the latest version of GPG4win is here:
https://www.gpg4win.org/download.html

STEP 2: CREATE A SET OF KEYS.

– For those of you more techy, the keys they set up are 2,048 bit keys, which are the standard for today’s encryption. However, technology does advance quickly, and if you are anything like me, you’ll want to use the 4,096 bit keys (which is more encryption than you’ll ever need, but why skimp on privacy when such a key is available?)

So if you want this stronger key, when the software asks you if you want to create keys, say “no,” click “File, New Certificate,” and click on the advanced settings. There, you will be able to 1) choose the heightened security 4,096 keys, along with 2) the ability to SET AN EXPIRATION DATE FOR YOUR KEYS.

STEP 3: SET AN EXPIRATION DATE FOR YOUR KEYS!!!!!

NOTE: All of us have set up keys, and have lost them due to computer malfunction, hard drive crash, or just losing the secret key files. ***IF YOU DO NOT SET AN EXPIRATION DATE ON YOUR KEYS, THEY WILL BE ON THE MIT SERVER FOREVER!!!*** And, you will be unable to delete the keys later on. So please! Set an expiration date on your keys. I set mine for 12/31/2016 (at the end of next year), and next year, I’ll set up another set of keys.

STEP 4: CREATE A REVOCATION CERTIFICATE BEFORE YOU UPLOAD YOUR KEYS TO THE SERVERS!

For some reason, the Kleopatra Windows PC software does not have an option to set up a revocation certificate so that you’ll be able to revoke (or inactivate) keys on the MIT server that you no longer use.

For this reason, and this is easy to do, the superuser.com website has described a way to set up a PGP key revocation certificate using a command terminal (“CMD”) code.

In short, open a terminal in Windows (using “Run, CMD”), and type the following:

gpg --output revoke.asc --gen-revoke [MY KEY-ID]

(NOTE: The MY KEY-ID is the “Key-ID” for the key you created using the Kleopatra software.)

Then save it somewhere where you cannot lose it. Print it out and save it offline if you need to.

STEP 5: UPLOAD YOUR NEW KEY TO THE MIT SERVER SO THAT OTHER PEOPLE CAN FIND YOUR KEY.

This is the step that you should be most careful about. Once you upload the key, it’s on the server forever (viewable at https://pgp.mit.edu/). So just double-check your steps before you take this step.
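The checks that STEPS 2, 3 and 5 ask for (key size, an expiration date, and a last look before uploading) can be run automatically against your keyring. The Python script below is an added example, not part of the original post or of the GnuPG project; it reads the machine-readable listing printed by gpg --list-keys --with-colons, and the sample listing, key IDs, fingerprints and names in it are constructed for illustration.

```python
"""Pre-upload check for OpenPGP keys, fed with `gpg --list-keys --with-colons`."""
import sys
from datetime import datetime, timezone

# Constructed sample in the colon-separated format gpg prints.
# Key IDs, fingerprints and user IDs are made up for this example.
SAMPLE_LISTING = """\
tru::1:1446336000:0:3:1:5
pub:u:4096:1:1111111111111111:1446336000:1483142400::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1446336000::0000000000000000000000000000000000000000::Alice Example <alice@example.invalid>:
sub:u:4096:1:2222222222222222:1446336000:1483142400:::::e:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC2222222222222222:
pub:u:1024:17:3333333333333333:946684800:::u:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB3333333333333333:
uid:u::::946684800::0000000000000000000000000000000000000000::Old College Key <old@example.invalid>:
"""

# Public-key algorithm numbers whose strength is expressed as a bit length
# (1 = RSA, 16 = Elgamal, 17 = DSA). Elliptic-curve keys are skipped by the
# size check because their bit lengths are not comparable.
SIZED_ALGOS = {1, 16, 17}


def parse_keys(listing):
    """Return one dict per primary key found in a --with-colons listing.

    Assumes timestamps are seconds since the epoch, which is what GnuPG 2.x
    prints by default.
    """
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 6:
            keys.append({
                "keyid": f[4],
                "bits": int(f[2]),
                "algo": int(f[3]),
                "created": int(f[5]),
                "expires": int(f[6]) if f[6] else None,  # empty = never expires
                "fingerprint": None,
                "uids": [],
            })
        elif keys and f[0] == "fpr" and len(f) > 9:
            # The first fpr record after "pub" belongs to the primary key;
            # later ones belong to subkeys and are ignored here.
            if keys[-1]["fingerprint"] is None:
                keys[-1]["fingerprint"] = f[9]
        elif keys and f[0] == "uid" and len(f) > 9:
            keys[-1]["uids"].append(f[9])
    return keys


def audit_key(key, now, min_bits=2048):
    """List the reasons a key should not be uploaded to a keyserver yet."""
    findings = []
    if key["expires"] is None:
        findings.append("no expiration date: if the secret key is lost, "
                        "the public key stays listed as valid")
    elif key["expires"] <= now:
        findings.append("already expired")
    if key["algo"] in SIZED_ALGOS and key["bits"] < min_bits:
        findings.append("key is %d bits, below the %d-bit minimum"
                        % (key["bits"], min_bits))
    return findings


def report(listing, now):
    """Build a readable report; one entry per primary key."""
    lines = []
    for key in parse_keys(listing):
        name = key["uids"][0] if key["uids"] else "(no user ID)"
        if key["expires"] is None:
            expiry = "never"
        else:
            expiry = datetime.fromtimestamp(
                key["expires"], tz=timezone.utc).strftime("%Y-%m-%d")
        findings = audit_key(key, now)
        status = "OK to upload" if not findings else "; ".join(findings)
        lines.append("%s  %s  expires %s  -> %s"
                     % (key["keyid"], name, expiry, status))
    return lines


if __name__ == "__main__":
    # Real use:  gpg --list-keys --with-colons | python check_keys.py -
    # Without "-", the constructed sample above is checked instead.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LISTING
    for entry in report(text, datetime.now(timezone.utc).timestamp()):
        print(entry)
```

Pass min_bits=4096 to audit_key if you want to enforce the larger key size chosen in STEP 2.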

 

HOW TO USE PGP:

Once you’re all set up, you’re set for the life of your encryption keys (remember, I set mine to expire at the end of next year.)

Below are the steps to use PGP:

STEP 1: OBTAIN THE KEY OF THE PERSON YOU ARE SENDING YOUR MESSAGE OR FILE(S) TO FROM THE MIT SERVER.

You can search for their key by either:

1) On the Kleopatra software, click “File, Look Up Certificates on Server,” and then you would type in either their name or e-mail address and select which key you want to use (best to use their most recent key if there are multiple keys).

2) Alternatively, you can accomplish the same result by entering their name or e-mail address on the MIT server (https://pgp.mit.edu/). For example, for mine, you would search for rzcashman@cashmanlawfirm.com, and my key would show up.

STEP 2: WRITE YOUR MESSAGE AND ENCRYPT IT TO THE KEY OF THE PERSON YOU ARE SENDING IT TO.

On the Kleopatra software, you would click on the “Clipboard” button on the toolbar and select “Encrypt.” A new screen will open, and you’ll write your message.

Once you have written your message, click on the “Add Recipient” button and select the key of the person you are sending the e-mail to. Remember, you did this in STEP 1.

STEP 3: COPY AND PASTE THE ENCRYPTED TEXT INTO AN E-MAIL.

This is the easy part. Once you have the message you wrote encrypted to the key of the person to whom you wrote the message, a string of letters will appear in your window. Copy and paste it (all of it) into an e-mail.

REMEMBER, encryption protects the CONTENTS of an e-mail not the META DATA, meaning, it only protects the contents of what you wrote. It does not protect who you wrote it to, or what server you were logged into when you sent the encrypted text. This was part of the issue with the NSA claiming that they were “only” pulling meta data, and not the contents of the e-mail themselves.

NOTE: If you also encrypted a file to attach to the e-mail [I did not describe how to do this yet], attach the .gpg file that your software created as an attachment to the e-mail. The person to whom you encrypted the e-mail will be able to decrypt the attachment as well as the contents of your e-mail.

STEP 4: THE RECIPIENT OF THE E-MAIL DECRYPTS YOUR E-MAIL AND ANY ATTACHMENTS

Since you encrypted your message with the intention that only the recipient sees it, when he receives your e-mail (and any encrypted attachments you also sent), he will be able to use his own software to decrypt what you have sent to him.

Why is this possible? Because you encrypted the contents of your message to his key, and thus only he can unencrypt and read your message. When he replies to you, he will write the text into his software, and he will encrypt the message (and any files he also wants to attach) using YOUR key that he pulled off of the server, and he’ll send it over to you.

 

ENCRYPTING FILES:

Encrypting one file at a time using the Kleopatra software can be done by clicking “File, Sign / Encrypt Files.” From there, another window will open up, where you can select which file to encrypt. When the software asks for whom you would like to encrypt the file, just use the key of the person to whom you want to send the file. The software will make an encrypted copy of the file in the same folder, just with the .gpg file type. Use that file when sending the encrypted file in an e-mail as an attachment.

If you want to encrypt the file using your own key file (meaning, only you can unlock it), you may (for example, if you are sending yourself a private file to be accessed somewhere else). But if you only want the encrypted file to remain on your computer, remember to manually delete the original file, or you’ll have both the original and encrypted files in the same directory.

ENCRYPTING MULTIPLE FILES, OR FOLDERS, OR ENTIRE HARD DRIVES:

The topic of encrypting entire files, folders, or entire hard drives is outside the scope of this article. Doing so requires software such as Truecrypt, and it is a different process than encrypting and decrypting e-mails and messages using PGP as we have described here.

ENJOY!

TERMINOLOGY: There are two PGP encryption keys that you create when you set up your “key pair” — a “public” key and a “private” key. The public key is the one that is uploaded to the server, and if you provide someone your encryption key for them to send you e-mails or files, it is ALWAYS the public key that you send to them. The “private” or “secret” key is the one that remains with you or on your computer, and it is used to decrypt messages and files that were encrypted to your public key. Never give out your private key to anyone.


Last month, I wrote an article entitled, “Whether internet porn viewers ‘should expect viewing histories to be made public.’” The fear that prompted that article was that someone could hack into the logs of a porn-streaming website, and with that information, expose the porn viewing habits of millions of Americans. The conclusion of that article was that it would be difficult for a hacker to hack into a website which streams adult content, steal the website’s logs containing the IP addresses of those who have viewed the web pages which stream the videos, and then somehow correlate that IP address list with the actual identities of the internet users. Thus, I do not expect to see any Ashley Madison hacks for websites streaming copyrighted content anytime soon.

The next question people asked was, “can I be sued for viewing copyrighted content on a YouTube-like site?”  In short, the answer is yes, you can be sued, but it will likely never happen.  Here’s why:

POINT #1: A COPYRIGHT HOLDER WOULD LIKELY NOT BE ABLE TO OBTAIN THE IP ADDRESSES OF THOSE WHO VIEWED THE WEBSITE STREAMING THE CONTENT.

While a hacker would likely be able to obtain the IP address records from a pornography website’s analytics through theft, a copyright enforcement company such as CEG-TEK or RightsCorp would be unable to get this information without 1) a court order, or 2) the cooperation of the adult website itself.  The reason for this is that 1) porn website owners are notoriously outside the U.S., and thus, they are outside the jurisdiction of the U.S. federal courts.  The copyright holders could try suing the website owners, but this is often a difficult task (finding an elusive website owner outside the U.S. is a much more difficult task than suing internet users who participate in a bittorrent swarm to obtain files using BitTorrent).

While the analytics companies could be sued and forced to disclose the list of IP addresses for a particular website, this is also an unlikely scenario because complying with such a court order directing them to turn over records for one of their clients’ websites could be 1) illegal, and 2) it could put them in jeopardy of being sued by their customer.  So this is not a likely outcome.

Secondly, the copyright holders could “join forces” with the website owners to participate in the financial earnings of going after the downloaders (alternatively, they could be outright paid to disclose this information), but again, doing so would put the website’s own visitors (their own customers) in financial jeopardy, and thus they would likely not participate in such a scheme.

In short, it is unlikely that a copyright holder would be able to obtain this needed list of IP addresses of those who viewed certain copyrighted content, and thus, with a streaming site, the copyright holders would likely not be able to learn who you are.

NOTE: It is still advisable to use a VPN when accessing a site streaming content, because your own ISP could be monitoring your web viewing habits, and they ARE in the U.S., and they could be sued and/or pressured to hand over “evidence” that your account visited a particular web page at a certain date and time.  It is unlikely this would ever happen, but it is best to err on the side of caution.

POINT #2: ALL LAWSUITS TO DATE HAVE BEEN FOR BITTORRENT ACTIVITY.  I HAVE NEVER (YET) SEEN A LAWSUIT SUING SOMEONE WHO VIEWED A PARTICULAR VIDEO ON A PARTICULAR WEBSITE.

To date [and as far as I am aware], all of the copyright infringement lawsuits filed in the U.S. District Courts (the federal courts) across the U.S. have been for BITTORRENT ACTIVITY.

With very few exceptions where the copyright holder identified and sued the UPLOADER (the one who POSTED the video onto the website) based on a watermark or secret code embedded into the copyrighted video that identified the accused infringer as being the one who disseminated the copyrighted materials, there has never been a “John Doe” bittorrent lawsuit against a downloader who got caught by viewing content streamed on a YouTube-like website.  This is not to say that there will not be one in the future based on future internet fingerprint IDs forced upon internet users by government entities, or the like.

Thus, copyright holders have not yet and likely will never go through the initial step of 1) suing the website owner to obtain the list of IP addresses, and for this reason, I have not seen and do not foresee seeing lawsuits filed against internet users who view copyrighted content using a YouTube-like streaming service.

This is not to suggest or encourage that someone use this medium of viewing copyrighted films as technology can change, laws can change, and as the courts loosen their long-arm jurisdiction against foreign corporations and entities (weakening the Asahi case), the United States might start asserting its jurisdictions over foreign countries or foreign entities or corporations, and they might start forcing an internet fingerprint ID on the citizenry to track each citizen’s internet usage.  The takeaway, however, is that it is a lot harder to sue someone for viewing streamed content rather than suing someone for downloading content via bittorrent.

NOTE: An obvious exception to this article are those who have created accounts using their real identity or contact information, either 1) to participate or comment on forums or in the comment sections of the websites, or 2) those who pay a monthly or annual membership to access the premium content (e.g., faster speeds, unlimited content, etc.).  If you have an account on a website which streams content, then YES, your identity is at risk, and your viewing habits could be exposed for the world to see.  Otherwise, likely not.


The first rule of Usenet is “you do not speak about usenet.”  While writing something like this can upset those I would not want to upset, there is a bigger problem — what happens when the Usenet service provider (or more accurately, newsgroup service provider) fingers you as the internet user who is accused of committing a crime you did not do?

My mind can swirl with the possible implications of the above inquiry (oh what crimes can one commit), but in the context of this TorrentLawyer blog, there is a Usenet provider which is causing problems for their subscribers by identifying them as being the users who downloaded one or more copyrighted videos.

Many privacy-minded individuals flock to a service called Giganews because the content they provide is second to none. The problem is that Giganews provides their subscribers with a Virtual Private Network (“VPN”) called VyprVPN (in conjunction with their Golden Frog service), where their VPN is supposed to hide the identity and the activities of the users while they are logged into the Giganews service. This is effective for privacy-minded individuals who wish to communicate with others privately (e.g., stream a VoIP phone conversation over an encrypted connection) or mask their IP address from websites they visit. Similarly, a VPN is useful when your ISP monitors your connection for the purposes of what is known as “traffic shaping” — making certain activities happen faster, and slowing down less-favored activities.

[To those that have been paying attention, VPN providers are not created equally.  Notoriously, some (e.g., HideMyAss) have turned over the identities of their subscribers causing their arrest and incarceration.  Giganews has also been implicated as being infiltrated by the FBI, and they are known to track and log all of their subscribers’ activities, even those activities apparently masked through their VyprVPN service.]

To the chagrin of those who have placed their trust in the VyprVPN service, many have received notices from Giganews implicating them as being the downloaders of copyrighted materials.  They are sent one or more DMCA settlement demand letters from companies (such as CEG-TEK), even when they have not done any downloading at all.

While in this case I cannot fault any of the parties (accused subscriber, CEG-TEK) who are now enmeshed in a “yes you did,” “no I didn’t” fight, I can fault Giganews / Golden Frog / VyprVPN for mistakenly pointing the finger at one of their users for activities that user did not partake in.

Now obviously as an attorney, I represent many accused internet users, many of whom “have always been downloaders, and will always be downloaders,” but specifically with Giganews, too often there is an inaccuracy where the wrong user is accused of downloading copyrighted media when that user was not even logged into the Giganews service at the time the downloads allegedly happened.

This is a problem with timekeeping and recordkeeping, something Giganews (or Golden Frog) should remedy ASAP.


[This is a post about security and privacy.  In this post, I speak about what could go wrong if you do not properly secure your computer, and my thoughts about encryption and privacy.]

I am reviewing a case where a group of “zombie” infected computers have been hacked to work together (a “botnet”), and it appears as if the courts are going after ZeroAccess as the crime ring behind the botnet. In my readings, a federal judge has blocked the IP addresses belonging to ZeroAccess-infected computers because they allegedly directed many of their millions of infected computers to click on a number of paid ads, where the advertisers using Google, Bing, and Yahoo! have paid out an estimated $2.7 Million per month from the ad revenue generated as a result of these clicks. The lawsuit is for what is known as “click fraud,” and it got me thinking about 1) the application to the bittorrent lawsuits, and 2) to privacy and security in general.

While I have NO REASON to think the following is happening, it is completely plausible that one or more “infected” computers could be directed to connect to various bittorrent files without the computer owners being aware of the “zombie” status of their computers (e.g., the software is being run as a service, or minimized without an icon showing on the desktop). While the connections to the bittorrent swarms are happening, the copyright trolls could be “coincidentally” monitoring the bittorrent swarms as the downloads are happening unbeknownst to the computer owner. When the copyright holders (“copyright trolls”) send the DMCA letters to the ISPs, or when they file John Doe copyright infringement lawsuits against the subscribers, the ISPs would correctly confirm and corroborate that it was the subscriber’s IP address that was connected to the bittorrent swarm at that particular date and time, and the problematic conclusion would be that it was the subscriber who downloaded the file. And, when the download was complete, even though the malware would likely “cover its tracks” by deleting all traces of itself, it would be programmed to leave the downloaded copyrighted file in some obscure randomized file folder on the subscriber’s computer to be “conveniently” found by the forensic examiners during the lawsuit. I understand that malware could also actually alter the computer’s logs based on analyzing the computer owner’s past browsing history and program usage (most people do not clean this) to make it look as if it was the ACCUSED SUBSCRIBER who was “at his computer at the time of the download.” This could all happen without the subscriber being aware that the computer was infected with the malware or that the illegal downloads were taking place.

While this feels a bit sci-fi’ish, and again, I have no reason to think this is actually taking place, the technology is certainly around for this to happen.  I have personally watched enough podcast videos on Hak5 demonstrating how this could be done, and I could figure out ways to alter the malware program to gain administrator access to the computer and change the system logs on the computer before deleting itself.  If someone as simple as me could figure out how to do it, for sure the more crafty ones will eventually stumble onto this scheme as well. For this reason, I am writing this article as a warning to take your computer’s security and your online privacy seriously, and here are the simple steps I would take if it were my own computer.

Step 1: Don’t balk, but make sure you have antivirus software and anti-malware software running on your machine. Also make sure your software and virus definitions are up to date. I have my personal favorites as far as software goes, but quite frankly, free or paid software both do their job fine. There are many free anti-malware programs out there, so make sure the one you use is not malware itself. For free malware detection, I find SuperAntiSpyware and MalwareBytes to be sufficient.

Step 2: Protect your identity and your browsing habits. This depends on how much “tin hat” you want to go, but I personally use JonDoFox’s version of the Firefox browser. There is a STEEP learning curve to use it (meaning, the add-ons will initially break most of the websites you use, and most websites need to be configured once before you get it the way you like it), but in my opinion it is worth the effort to learn. You can check your current browser security at http://ip-check.info/ (by the way, I do not use JonDo anonymization software because they charge by the actual usage; rather, I opt for the less secure route of encrypting my traffic using a secure VPN provider). On the flip side, for convenience, I also use Comodo Dragon Chrome which is a faster, less secure browser, but I have many add-ons that I’ve installed (e.g., Scriptsafe, AdBlock Plus, etc.), and I keep the software running in the Sandboxie software. That way, if some critter gets past my defenses (e.g., think, “CryptoLocker,” or other ransomware which encrypts your files and charges you hundreds of dollars in bitcoins as ransom to decrypt them), it won’t get access to my hard drive files.

Step 2.1: This belongs to the previous step, but encrypting your traffic is very important. There is a phrase, “I have nothing to hide… from people I trust,” and I stand by that phrase. With the NSA and government snooping, and the ISPs watching your every move, regardless of whether you are doing something wrong or not, it is a smart idea to not give all of your shopping and browsing activities to your ISP and to Uncle Sam. There are also many commercial trackers and social networks who track you for commercial purposes as well — everything I say above applies for them too.

Step 3: Secure e-mail, secure chat… The best way to protect your e-mail is to encrypt it.  Unfortunately, e-mail by its nature is insecure, and even if you encrypt the contents of your e-mail, the METADATA (e.g., your own e-mail address, to whom you are e-mailing, the time and date of your e-mail, along with the geolocation of the IP address you use to connect to the e-mail server, etc.) remains exposed.  The only foolproof way I know to encrypt e-mail is to use Pretty Good Privacy (PGP) software.  The problem is that it is simply inconvenient.  In order to encrypt your e-mail, you need to not only set up and share your own public and private keys, but you need to find and look up the keyrings of those you want to communicate with.  While there are attempts to incorporate encryption into e-mails (e.g., projects such as gnupg), the average person does not encrypt their e-mails, and trying to get everyone to do so is just an exercise in futility.  Plus, we know that the NSA saves encrypted e-mails for the sole purpose of trying to “break” the encryption because “if you use encryption, you are presumed to be using it for a criminal purpose.”  Thus, I am unhappy with the current state of technology with the adoption of encryption for sending e-mails, but for the time being, this is the way it is.
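To make the metadata point concrete, here is an added example (not part of the original post) that parses a constructed PGP/MIME message with Python's standard `email` module and lists what a mail server or network observer can still read even though the body is ciphertext. The addresses, the IP address (from a documentation range), and the `visible_metadata` helper name are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: a PGP/MIME (RFC 3156) message as a mail server sees it.
# Addresses are placeholders; the IP is from the TEST-NET-3 documentation range.
RAW_MESSAGE = """\
Received: from [203.0.113.45] (helo=laptop.local)
\tby mail.example.org with esmtpsa; Tue, 04 Mar 2014 09:15:02 -0500
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Date: Tue, 04 Mar 2014 09:15:00 -0500
Subject: lunch?
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="sample-boundary"

--sample-boundary
Content-Type: application/pgp-encrypted

Version: 1

--sample-boundary
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

(constructed placeholder: the ciphertext would appear here)
-----END PGP MESSAGE-----

--sample-boundary--
"""


def visible_metadata(raw: str) -> dict:
    """Return the fields that stay readable when only the body is encrypted."""
    msg = message_from_string(raw)

    # Each relay adds a Received header; the first hop usually records the
    # sender's own IP address, which can then be geolocated.
    received = " ".join(msg.get_all("Received", []))
    client_ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)

    # PGP/MIME wraps the ciphertext in a multipart/encrypted container.
    parts = msg.get_payload() if msg.is_multipart() else []
    body_encrypted = (
        msg.get_content_type() == "multipart/encrypted"
        and any("BEGIN PGP MESSAGE" in (p.get_payload() or "") for p in parts)
    )

    return {
        "from": parseaddr(msg.get("From", ""))[1],
        "to": parseaddr(msg.get("To", ""))[1],
        "date": parsedate_to_datetime(msg["Date"]).isoformat(),
        # Classic PGP/MIME leaves the Subject header in the clear as well.
        "subject": msg.get("Subject"),
        "client_ips": client_ips,
        "body_encrypted": body_encrypted,
    }


if __name__ == "__main__":
    for field, value in visible_metadata(RAW_MESSAGE).items():
        print(f"{field}: {value}")
```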

Secure chat is very easy, and there are many convenient ways to encrypt your instant messages.  Whether you are using the Pidgin software with the encryption plug-in, or whether you are using Cryptocat or any of the secure chat software readily available for the PCs, iPhones, and Androids, achieving perfect security is very doable.  For me, I do not encrypt my e-mails, and whenever I have a friend or peer who has the capability to encrypt our chat sessions, I have him do so just for the “geeky” fun excitement of it.

Step 4: Keeping your own computer clean and neat. Your Microsoft Windows operating system keeps logs of pretty much everything you do, and it is specifically the failure to clean up after yourself which can give malware the chance to impersonate you. Similarly, by not regularly cleaning up after yourself, should you one day face a lawsuit, a forensics expert can glean an ungodly amount of information about you, your whereabouts on a certain date and time, and your activities (e.g., whether you were surfing the web or writing a text file, and, which text file you were writing at that particular time and date) just by reviewing your logs. Now I personally do not trust my Microsoft Windows operating system not to “spy” on me, and if I had it my way, I’d run a Linux operating system (I have in the past, and I may in the future), but for the time being, be aware that the “privacy” settings in Windows stop NOBODY from snooping on you. I have not figured this one out yet (especially since most of my law firm’s software is Windows-based), but Windows is simply a minefield of privacy leaks and data you don’t want about yourself recorded and logged.

While this is certainly not even close to a solution, I run CCleaner from Piriform regularly to clean up the logs and to keep my computer relatively clean.  I would love to delve into the depths of my operating system and tweak certain settings to shut off the “phone home” leaks in my system — I simply do not have the time, the “tin hat” motivation, or the skill to do so.

Step 5: Lastly (and there are probably a million other steps I could take, but I like to keep things simple), I encrypt my hard drive data 1) in my computer, 2) outside of my computer (e.g., external drives and thumb drives), and 3) in the cloud. There are many ways to do this; the most popular is the “TrueCrypt” software. If you cannot encrypt your drives (I cannot, since my computer is a Windows 8 machine and TrueCrypt has not figured out how to encrypt UEFI systems yet), then create a large container, and set up your programs (e.g., Thunderbird Mail) to store your files in your encrypted container.  Better yet, install the program onto the encrypted drive so that it is not in your C:\Program Files folder.  That way, if your computer is ever stolen or lost, your programs and your data will remain unusable and encrypted. I often take this one step further and have Windows configured (to the extent possible) to use the encrypted drive to store my “Desktop” and my “My Documents” folder. Thus, if I do not unlock the encrypted drive when I first log in, my computer does not work properly, and I get a blank desktop. Along with this, my computers have log-in passwords which I have activated before the operating systems even boot. I have this running because even little me knows which piece of software one can run to bypass the password on Microsoft Windows machines.

In sum, you could take privacy to an extreme. The best privacy is the “trust no one” type of privacy. For some cases (e.g., our cloud storage backup servers are “trust no one,” meaning not even the company who hosts our data has the keys to unencrypt the encrypted data which is stored on their servers), using the best security is feasible and doable. But there are limits and there are sacrifices to your privacy, and it usually comes at the benefit of having more convenience. Truly, the most secure password is one not stored in a text file, or written on a piece of paper, but one that is in someone else’s head (not even your own).  The best security is not using a computer or connecting to the internet at all. Then again, that is not feasible to most of us who live in the internet. However, learning to take steps to protect your privacy (within reason) can only work towards your benefit.


“Oh what a tangled web we weave, When first we practise to deceive!”
– Sir Walter Scott, Marmion: Canto VI. (1771 – 1832)

My greatest effort in this blog is not to decide what to write about, but what NOT to write about. I’ve been very aware of John Steele’s issues in Minnesota (where he made an appearance for one of his cases, and was served by Paul Godfread’s process server on the Alan Cooper identity theft issue). I’ve also been aware of the issues as to whether AF Holdings, Guava, (and we won’t mention Ingenuity 13, or the older MCGIP lawsuits) are in fact entities or whether there is a bit of sham involved in their formation and/or the enforcement of the intellectual property they appear to hold. I have also noticed the clear trend from the smarter lawsuits where Steele moved from suing hundreds of John Doe Defendants to him suing smaller numbers of John Does (20-75) in smaller “under-the-radar” lawsuits, and then finally to the “John Doe” individual lawsuits, some of which ended up with named defendants who were not served, others where the defendants were actually served, and finally others where a defendant and his attorney agreed to allow Prenda to add hundreds of unrelated defendants to the lawsuits as potential co-conspirators.

Then when even the individual lawsuits looked to no longer be fruitful for him, I noticed the move from copyright enforcement to absurd tactics, some of which involved having Mark Lutz pose as a representative for a production company.  I noticed when Prenda had their own local counsel (Joseph Perea) shift titles to avoid unauthorized practice of law issues (e.g., in Florida), and I noticed when local counsel Brett Gibbs ended up as “of counsel” for Prenda Law Inc., only to later disavow association from the firm when federal Judge Otis Wright mentioned the word “jail.” These absurd tactics have gone even farther, most recently with the creation of the Livewire Holdings, Inc. entity (see, Part I; Part II) using fake pictures on their website for their so-called “partners,” and reports that Mark Lutz (Prenda Law Inc.’s former paralegal, now pictured as “partner” in the Livewire Holdings, Inc. site) is back at it, calling dismissed defendants using a fake name.  I almost fell off my chair when I read local counsel Brett Gibbs’ most recent declaration [under oath] that [he has been informed that] Mark Lutz was the CEO for AF Holdings, LLC (p.4, paragraph 7), and that he was also the CEO for Ingenuity 13, LLC (p.4, paragraph 8).  Really?!?

All of this drama (including the Minnesota lawsuit and the so-called fake Alan Cooper issue) are topics I have purposefully chosen NOT to write about for the sole reason that they do not help my clients or potential clients understand the issues surrounding the copyright infringement lawsuits they face when they receive a subpoena notice from their ISP in the mail.

Behind the scenes, as owner of the Cashman Law Firm, PLLC, I and my staff have spent literally months building up local counsel networks and researching each federal court’s rules to properly defend clients who are named as defendants in their copyright infringement lawsuits. I personally warned a number of copyright trolls that if they named my clients, myself and the attorneys I work with would find a way to make defending these cases affordable. So you can understand why I was amused when the principals at Prenda Law Inc. shifted from what looked to be a trend towards individual lawsuits against former John Doe Defendants to their more recent “world domination” shenanigans which led to widespread questions as to the identity of the “real” AF Holdings, LLC Alan Cooper, which of the copyright troll entities are real and which are shams, and then once caught, which led to the finger-pointing which began between their local counsel and other defense counsel, and then ultimately to the finger-pointing towards the principals at Prenda Law Inc. I’m happy that their lawsuits have gone nowhere these recent months, but personally I feel that their focus has shifted to “doubling down” on what appear to be outright lies rather than representing their clients to stop the piracy of their copyrighted films.  I often stop myself from asking, “wasn’t that the whole purpose of this grand charade?”  At least the war I thought I was fighting was to defend internet users from being subjected to copyright extortion-like lawsuits for the downloading or viewing of copyrighted movies and videos.

For these reasons, I really have nothing to say or comment because what Prenda Law Inc. / formerly, Steele|Hansmeier PLLC/ or more recently, the Anti-Piracy Law Group / John Steele / Paul Duffy / Brett Gibbs / former paralegal Mark Lutz (and their local counsel, many still disgruntled) have been doing and their antics have little-to-nothing to do with the so-called “rampant piracy” and the copyright infringement I thought they were here to stop.

So now John Steele and the entities he supposedly has nothing to do with are suing Paul Godfread, the real Alan Cooper (as opposed to the one they have not yet produced), along with all of the anti-copyright troll internet population, probably most notably, Sophisticated Jane Doe (http://www.fightcopyrighttrolls.com), Die Troll Die (http://www.dietrolldie.com), and probably a handful of others who have been hugely helpful to our law firm over the years through their reporting on Twitter. I could easily be part of this group of anti-copyright troll “Does” from all the posts I have written on his cases.

The problem with the “sue everyone for defamation” approach is 1) the elements of defamation are simply not there (as Forbes Magazine might report, John Steele is clearly a “public person” who has cast himself forth as being one of the foremost and first copyright trolls), 2) his lawsuits likely invoke the anti-SLAPP laws because they appear to have been filed to “create chilling effects and to stifle speech,” and most importantly, 3) people like Sophisticated Jane Doe, Die Troll Die, and the others blog and tweet anonymously. Thus, even if they figured out which IP addresses did the posting or the tweeting, the IP address will likely point to a private VPN service which has no ability to even know who these anonymous bloggers are.

In closing, there is not much to say about these lawsuits. Techdirt wrote about them here.  ArsTechnica wrote about them here.  Sophisticated Jane Doe wrote about them here. Copyright Clerk wrote about them here. Jordan Rushie wrote about them here. No doubt there will be many more articles, and no doubt there will be much more drama. However, as far as these lawsuits affect his copyright infringement and “hacker” lawsuits (the purpose for which I write this blog), I cannot see them affecting his lawsuits positively, and if anything, this was a misstep for Steele and his affiliates.


UPDATE (3/9/2013): DENIED. Automattic, Inc. letter to Prenda Law Inc. (on behalf of WordPress.com sites) rejects Prenda’s attempts to ascertain the IP addresses of the anti-troll community citing five (5) deficiencies in their subpoena. Other notable reasons for non-compliance with the subpoena include: 1) rights under the First Amendment to anonymous speech; 2) right to privacy; 3) subpoena (“outrageously”) overly broad; 4) subpoena seeks information that is not likely to lead to discoverable information.


This will be a tough article to write, but someone needs to say this.  If you are accused as a John Doe Defendant in a bittorrent lawsuit, your first step needs to be to make your identity online disappear. 

I would use politically correct terminology such as “manage your online presence,” but quite frankly, “disappearing” yourself and making your online presence go away is probably the most effective thing that you can do in order to avert the attention of the copyright trolls to other John Doe Defendants.  If they cannot find you online, then they will not know how to pressure you to pay them their extortion settlement amounts.

This is obviously not well known or else we all would do it, but quite frankly, everything you do online is tracked these days.  Marketing companies, commercial websites as common as Amazon.com, social networking websites such as Facebook, LinkedIn, Twitter, Myspace, Google+, etc. all track you by 1) the information you provide them, and 2) by your activities.  Have you ever wondered why you can log onto so many sites using your Facebook login?  Is this because they are being nice or because they are recording your search habits to create massive portfolios all about YOU?  Even when you are smart and you manage your privacy settings in these sites, they still tell volumes about you and your friends without your permission.  And, even when you lock everything down, there are still companies who create profiles on you based on your credit card transactions, where you register your driver’s license, and where you choose to keep your body (e.g., where your smart phone’s GPS logs the location associated with your cell phone provider’s account).

Quite frankly the lack of privacy we have is staggering, and what little we can do to protect ourselves online we should do.  And, for the inevitable volumes of data that are compiled on each of us without our permission, there are mechanisms in place to remove yourself from their databases.  Since much of this is online, removal in many cases is instant, and it is worth the effort and time to do this (even if you are not accused in a lawsuit).

Just a few days ago, there was a LifeHacker article entitled, “AdjustYourPrivacy Locks Down Your Entire Internet Life from One Page,” where Lifehacker discussed a website — http://www.adjustyourprivacy.com — which has buttons that you can click on to manage your online privacy.  The website has essentially five steps (detailed below), and I suggest that each one of you visit this page and work through the links on the site.

STEP 1: ADJUST THE PRIVACY SETTINGS ON THE SOCIAL NETWORKING WEBSITES YOU ARE ON.

This is a bit complicated, but the amount of information about you that you can prevent from being leaked to the world is staggering.  I am not advocating closing down your Facebook or your LinkedIn accounts, although in my opinion this is the best option, especially for those of you who take pictures and videos of yourselves when you are at a bar after a few drinks.  I am also not advocating making yourself invisible to your friends, but I do think that you should be vigilant to make sure you actually know the people who are your friend, because for all you know, a plaintiff attorney can look at one social network of yours where you have 800 friends and choose a buddy of yours from that account and do a friend request which most people will approve and click “okay” without thinking twice or investigating who is really “friending” them.  This is called social engineering and is outside the scope of this article.

What I AM suggesting here is taking the time to read the privacy options and setting your privacy settings to avoid outside “non-friends” from seeing your posts or your profile.  I would also obviously shut down all applications “apps” linked to your account which often report everything you do to the companies I am discussing in this article.  Take “Angry Birds,” “Farmville,” or any of the online free games as an example.  Did you ever wonder why these games are free and what they report about you?  Did you think they merely show banner ads to you? Or are they also installing cookies and do they stay resident on your machine after you close the game watching and reporting your every move?  I am not being paranoid here, I am merely telling you to be smart.

STEP 2: LOOK YOURSELF UP ON THE SAME WEBSITES THAT YOUR PLAINTIFF COPYRIGHT TROLLS PROBABLY USE.

STEP 3: REMOVE YOURSELF FROM THE COMMERCIAL DATABASES WHICH HAVE BEEN BUILT BASED ON YOUR ACTIVITIES AND YOUR PUBLIC RECORDS.

You’ll notice that to do a full search, many of these services charge a subscription fee which no doubt your plaintiff attorneys pay.   You’ll also notice that there are likely MULTIPLE RECORDS on you based on the many places you have lived in the past.  Don’t just look for your current information and your current e-mail.  Dig a bit.

STEP 4: DO SOME RESEARCH ONLINE ABOUT THE OTHER TOOLS TO SHUT DOWN ACCOUNTS YOU DO NOT USE AND TO PROTECT YOUR PRIVACY.

STEP 5: LEARN TO BROWSE ANONYMOUSLY AND TO PROTECT YOUR INTERNET TRACKS:

Even though everything that I blog about and everything that I post online is not done anonymously, if I was not an attorney helping clients accused in these bittorrent cases, I would certainly be anonymous.

When I surf the web, I do it anonymously.  When I make financial transactions, I always make sure I am using SSL or a secure and encrypted connection.  When I browse my personal e-mail or even check the news, I do it using VPN software and if this is not feasible, I use a custom browser (e.g., JonDoFox) on top of my Firefox browser for complete protection.  I also always have OpenDNSCrypt running (which in my opinion doesn’t do much, but for whatever it is worth, I have it running because I am not paranoid, but I am not giving the ISPs (who also collect information on you) data on me if I don’t have to).  I also encrypt my drives on all my computers and regularly clean traces of my activities on my computer.  That way, if my computer is taken at an airport, or if for some reason I am accused of something (e.g., copyright troll tries to get MY computer to learn about a client), everything is encrypted.  This is simply a responsible and prudent thing to do.  With everything I have written here, in my opinion, it is irresponsible NOT to be vigilant with your private information.

All this being said, there is a lot about me which is still online.  But what you see online, chances are that I LET IT BE ONLINE knowing that many will see it.

STEP 6: IF YOU ARE NAMED IN A LAWSUIT, DO EXACTLY THE OPPOSITE OF WHAT I HAVE DESCRIBED ABOVE AND FLOOD THE INTERNET WITH INFORMATION YOU WANT THE INTERNET TO KNOW ABOUT IT.

This is probably the most important point, and it is counterintuitive.  If you are named in a lawsuit, eventually a site such as RFC Express (http://www.rfcexpress.com) or other legal docket websites will index your name and search engines will post it online making it obvious to employers and peers that you have been implicated in a lawsuit, sometimes for embarrassing content.

While overtly saying this is outside the scope of this article, it is probably a good idea to create as much content as you can (e.g., join social networking sites, and “manage your online presence”) to BURY the lawsuit (e.g., 12 pages in) so that when someone searches for your name on a search engine, the lawsuit will not show up.  That way, your involvement in this lawsuit will not hurt your future chances for employment, or for your business to get contracts with customers, etc.

If you are named in a lawsuit, my opinion is that you should not only TAKE DOWN the information about yourself in STEPS 1-5 that I have outlined above, but you should SET UP AS MANY SOCIAL NETWORKING ACCOUNTS AS POSSIBLE, FILLING THEM WITH CONTENT THAT YOU WOULD LIKE THE WORLD TO KNOW ABOUT YOU.

I cannot say this strongly enough.  You need to protect your privacy, and if you are involved in a lawsuit where opposing counsel is a copyright troll, a patent troll, or anyone who will want to use the information online against you to solicit or extort large sums of money from you, it is wise to protect yourself and manage your online profile.  I hope this helps.
