Case 6:12-cv-01493-CEH-KRS Document 37-11 Filed 06/03/13 Page 1 of 31 PageID 424

Exhibit

UNITED STATES DISTRICT COURT
MIDDLE DISTRICT OF FLORIDA
ORLANDO DIVISION

FIRST TIME VIDEOS, LLC, Plaintiff,
v.
PAUL OPPOLD, Defendant.

Civil Action No. 6:12-CV-01493-CEH-KRS

May 25, 2013

DECLARATION OF DELVAN NEVILLE

I, Delvan Neville, declare under penalty of perjury as follows:

1. I am owner of AMARAGH ASSOCIATES and the creator of a proprietary BitTorrent monitoring suite titled EUPSC2k. EUPSC2k uses a variety of software components conceptualized, developed, and maintained in order to collect data about both unauthorized and authorized distributions of any kind of file that could be shared via the BitTorrent protocol. As the author of EUPSC2k, I am fully aware of the efficiency and accuracy of the software and was personally in charge of its development, features, and code modification.

2. I was contacted by the Defendant's counsel and requested to passively gather data regarding the use of a BitTorrent monitoring system purportedly used by a company named "6881 Forensics" for lawsuits involving copyright infringement, as well as to attempt to determine the likely identity of Pirate Bay user "sharkmp4". Defendant's counsel provided me with several hash values relating to the Pirate Bay user using the alias "sharkmp4". Defendant's counsel requested that I gather information sufficient to presumptively identify sharkmp4 as well as the likely origin of the videos that sharkmp4 was releasing. Defendant's counsel offered me a limited number of torrent identifiers relating to torrents created by sharkmp4 known to be monitored by 6881 Forensics. (hereinafter hash values/infohash(es)).
Before being contacted by Defendant's counsel, EUPSC2k had already passively monitored some of the infohash(es) provided to me by Defendant's counsel. Such data collected before Defendant's counsel requested collection was also used in this analysis. Fearing that the limited data set offered by Defendant's counsel would be insufficient for proper identification of 6881 forensics software, I independently reviewed multiple court dockets and extracted a larger set of hash values previously admitted to be monitored by 6881 forensics. These hash values collected reflect a sample set from a wide variety of Plaintiffs, filing attorneys, states, and various different works. Gathering this information was impeded to some degree by filings (such as the complaint for the case at hand) where the infohash(es) - although a fundamental part of any forensic evidence necessary to show swarm identification - are not cited in court documents. Because of an absence of evidential infohash in the complaint in this matter and the previous Miami case, it is unknown whether all alleged participants involved in First Time Videos v. Does 1-76, 1:12-cv-20921, (Miami Case) were all participating in the same swarm of the work "FTV-Tiffany" as there are several unique swarms associated with similarly titled works.

IDENTIFICATION OF THE MONITORING SOFTWARE

3. EUPSC2k was designed to monitor multiple BitTorrent swarms simultaneously and locate common IP addresses among many BitTorrent swarms. During a "Passive Soak" as employed in this case (hereafter "soak"), EUPSC2k does not download nor upload any pieces of potentially copyrighted material - it merely gathers data regarding the participants of included BitTorrent swarms.
In this mode, EUPSC2k notifies other peers that it has no pieces for that torrent, and that it is not interested in downloading any pieces, but otherwise communicates in the same manner as a normal peer.

4. I was not given any information as to the nature of 6881 Forensics monitoring software, or what IP address or Internet Service Provider (ISP) that might be used in their data gathering efforts and thus my inquiry into identification of the 6881 forensics peer was blind. I examined previously gathered logs of EUPSC2k, and began several soaks of the recently collected hash values. In my examination of the data, I was looking for common peers among the many swarms, as denoted by their IP, software, peer ID and any anomalous behavior.

5. I was able to identify a common peer among many in the various swarms based on these techniques and several anomalous behaviors a normal peer does not exhibit. Based on the intended target of these multiple swarms, this unique common peer among the many swarms is the peer controlled by 6881 Forensics.[1] I will address each of these behaviors individually, which suggest that 6881 Forensics is not merely collecting logs, but actively sharing the contents of the copyrighted works in question.[2]

Background

6. Any given swarm is defined primarily by the infohash for the torrent in question. This infohash is a unique identifier generated using the SHA-1 algorithm. Once connected to a swarm, a peer initiates communication with another peer with a specially formatted handshake. The handshake identifies:
- the protocol the peer wishes to use
- any advanced/alternative protocols the peer supports
- the infohash for the swarm
- an identifier used by that peer (peerID)

7. The peerID has two parts: the first part usually identifies the software and version number used by that peer, although a handful of unusual clients omit this first part.
The second part is a randomly generated set of characters, with the intention of giving that peer a unique peerID in that swarm. Most users, by default, will use a different peerID for different infohashes in an effort to maintain some level of anonymity.

[1] EUPSC2k is based upon the concept that an original sharer of material via BitTorrent would be tied to a user name on a website and that user name would have multiple uploads of different materials with different hash values. Examination of the multiple hash values can lead to a common IP address or peer ID among the many hash values, leading to information which can help identify the original pirate of copyrighted materials or the original sharer of non-copyrighted material.

[2] Due to the passive nature of the soak for fear of claims of copyright infringement, EUPSC2k did not accept offers, made by the 6881 peer, to download pieces of these works.

8. The handshake is then transmitted by the receiving peer to the initiating peer. If both peers support the same advanced protocols, there may be an additional handshake specific to that protocol as well, identifying which non-standard messages those peers support. Common advanced protocols are the Fast extension, the LibTorrent (LT) and the Azureus (AZ) protocols.

9. With the inclusion of the LT and AZ protocols, the number of types of messages that can be exchanged is immense. The messages relevant to this discussion, however, are the basic messages interested and bitfield, and the advanced message allowed_fast.

10. The bitfield message is a complete list of those pieces[3] a peer does or does not have. The interested message means, in plain English, "You have pieces of the file that I would like." When two peers handshake, they are both by default considered uninterested.
The interested message is sent after a peer notes that another peer has pieces that it does not have and that it does want to download, usually based on a recently received bitfield from that peer. For the version and settings enabled in EUPSC2k for this soak, the monitoring software categorizes peers from the bitfield into two types: peers who are "seeders" that have 100% of the file and are only connected to the swarm to share with others, and peers who are not seeders that still have missing pieces.

[3] Bittorrent divides a video, music, or any other kind of file into pieces for exchange between peers in the swarm.

11. The allowed_fast message is part of the Fast extension. A plain English meaning of the allowed_fast messages is "I will let you download this piece from me, even if you aren't sharing any pieces back." It serves two purposes: 1) for the initial uploader/seeder, it helps ease transactions in the earliest stages of a BitTorrent swarm when no other peers have any pieces and 2) it bypasses the tit-for-tat nature of BitTorrent allowing other peers quick downloads of pieces. Because the BitTorrent protocol is a tit-for-tat based system, peers within the swarm will normally upload very slowly to other peers who are unwilling or unable to upload any pieces back. Allowed_fast, when enabled, bypasses the tit-for-tat nature by allowing those other peers to quickly gain parts of the file so that they are able to share with others.

Identification of 6881 Forensics

12. When seeking out a forensics provider with EUPSC2k, there are anomalous behaviors that set these members of the swarm apart from normal peers. These include unusually aggressive requests, falsified or rotating bitfields, and falsified software identification.
Additionally, cross-swarm analysis allows for the identification of peers who are common to many or all swarms known to be monitored by the provider in question.

13. Cross-swarm analysis was conducted on a total of 15 unique infohashes derived from a mixture of direct citation in complaints, equivalent video titles that did not cite the exact infohash, and infohashes provided by Defendant's counsel, with a total of 997 unique IP addresses (IPs) between the swarms. Some Prenda-related works that were not associated with sharkmp4 were included intentionally - if 6881 and sharkmp4 were separate and distinct entities, 6881 would appear on both sets of hashes, while sharkmp4 would appear primarily on his/her own uploads. This was to prevent the likelihood of a type I error (false positive). Four IPs were found to be seeds common to 9 of the 15 infohashes, which resolve to de2x.mullvad.net, se2x.mullvad.net, nl5x.mullvad.net and nl4x.mullvad.net (Mullvad exit nodes). Two additional IPs that resolve to de1x.mullvad.net and se1x.mullvad.net were listed for 7 of the 16 infohashes on trackers but did not initiate communication with EUPSC2k during the soak. All other IPs observed were active in no more than 2 swarms, and no other IP was listed for more than 3 swarms on the trackers.

14. Mullvad is a paid VPN provider.[4] When a user sets up a VPN connection through Mullvad, their external IP will be one of the handful of IPs that Mullvad controls. This allows users to achieve some degree of anonymity. However, Mullvad is not an especially common VPN provider for BitTorrent traffic: for instance, out of 16.4 GB of logs gathered over 15 days on approximately 50 swarms unrelated to 6881 Forensics, the de2x.mullvad.net exit node has not attempted a single incoming connection to EUPSC2k.

15.
All four of these IPs reported the exact same client software and version (Vuze 4.7.1.2), listed the exact same port number[5] on the tracker for each swarm (10203) and were connected to the exact same 9 swarms. A summary of all tracker messages for these four IPs is included in Exhibit "K-1". Their claimed software version (Vuze 4.7.1.2) was only available for a 2 month period in 2012 making it rare among the swarms. They were in fact the only peers claiming that software version during the entire soak. The likelihood that four separate Mullvad users would happen to choose the same port number is 1 in 72,057,594,037,927,936, or even higher if we assume either might choose an IANA reserved port. I have therefore concluded that communications from these four IPs are coming from the same source, who is merely changing which Mullvad VPN proxy is used as a middleman. My analysis led to the opinion that this source is in fact 6881 Forensics, and will hereafter refer to this peer by that name.

[4] VPN or "Virtual Private Network" services have legitimate uses by corporations to eliminate privacy concerns while using public Internet locations such as Coffee Shops, Airports, or Hotels. They may also be used nefariously by people evading detection on the Internet.

[5] For the BitTorrent protocol to exchange content or handshakes, a port number must be defined. Port assignment is a necessary element of the transport layer of Internet communication. RFC 1122, pages 77-116 accessible at http://tools.ietf.org/html/rfc1122. Odds for an identical port number between two different peers is roughly a 1/16,384 chance (based on the unassigned range from http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml) or 1/65,536 based on the entire range of valid port numbers.

Analysis of 6881 Forensics Peer

16.
All four IPs used by 6881 Forensics (6881 peers) used the Mullvad VPN service and exhibited the same anomalous behavior, none of which is characteristic of a stock version of the Vuze 4.7.1.2 client. A summary of received messages is included. Exhibit "K-2". The first anomalous behavior was the unusually aggressive transmission of interested messages: 6881 peers sent 33 interested messages to EUPSC2k over a 12 hour period. As EUPSC2k was operating in passive mode, it had no pieces, and thus no peer could truthfully claim to be interested in the pieces it had available. In each instance, 6881 Forensics had already received a bitfield message from EUPSC2k when it sent its interested message. Of the 997 IPs in these swarms, no other peer sent interested messages to EUPSC2k. This behavior encourages file piece exchange from every peer a 6881 peer contacts evidencing an intent to identify peers who are willing to share the file.

17. Handshakes from 6881 peers were also outside the normal characteristics of a BitTorrent client. The peerID of their software, though formatted as if they were using Vuze 4.7.1.2, only uses number characters (0-9) in the random portion of their peerID. For example: "-AZ4712-704276267518". See Exhibit "K-3". Genuine 4.7.1.2 Vuze clients, as well as other software versions of Vuze, use the full range of printable characters for the random portion of their peerID, such as "-AZ4712-3evNZLiW6lFq". 6881 peer handshakes indicated they supported the LibTorrent protocol[6], but the LibTorrent handshakes received from 6881 did not include any information a modern version of Vuze would typically include. Exhibit "K-2" (line 3 is lacking a "1:v12:Vuze 4.7.1.2" entry in the LT handshake as well as metadata normally included by Vuze in such handshakes).
Also outside of normal, the 6881 peer did not claim to support the Azureus protocol.[7] An especially unusual and unique oddity, however, was that they did not use a different peerID for each swarm as most clients would. For instance, -AZ4712-201614746815 is reused by the 6881 peer for 8 of the 9 swarms. Exhibit "K-2" lines 43,44,57,59,335,336,376,1123.

[6] Libtorrent is a highly customizable implementation of the BitTorrent protocol. http://www.rasterbar.com/products/libtorrent/

[7] Azureus & Vuze are two names for the same software family. After the implementation of Azureus version 3.1, Azureus started to use the name Vuze. It goes without saying that Azureus/Vuze should support the Azureus/Vuze messaging protocol.

18. The 6881 peer's bitfields identified it as a seeder (a peer who has the entire contents of the torrent) for all 9 swarms. The peer continuously sent EUPSC2k allowed_fast messages, even though EUPSC2k had previously notified the 6881 peer that it was not interested in downloading any pieces. As noted in the above, this message is a standing offer by 6881 to hand out the file, regardless of whether they get anything back from the user. This is not an especially useful tactic for forensic monitoring: a user's history is already established by their bitfield messages and a few other advanced protocol messages. It is solely useful for the 6881 peer to share pieces of the file. Because of the tit-for-tat nature of BitTorrent, handing pieces of the file to a peer would increase 6881's likelihood of downloading pieces of the file back from those same peers. 6881 was particularly aggressive in the area of broadcasting the allowed_fast messages as well - 1,040 allowed_fast offers to distribute were made by 6881 to EUPSC2k over a 12 hour period.
Despite nearly a thousand other IPs involved in these swarms during that same soak, 6881 was responsible for over thirty percent of the total allowed_fast traffic sent to EUPSC2k during that period. Among those hashes in the swarm that were originally uploaded by PirateBay user "sharkmp4" (discussed further below), 6881 was responsible for 96.8% of the total allowed_fast traffic.

Mullvad VPNs and comments from Websites that Oppose Prenda Law

19. As mentioned in footnote 3, above, VPNs have a legitimate purpose but are often used nefariously by those wishing to conceal their identity online. DieTrollDie.com and FightCopyrightTrolls.com are Defendants in three lawsuits where attorneys of Prenda Law have sued the website operators and commenters for defamation.[8] Defendant's counsel and I requested DieTrollDie and FightCopyrightTrolls, respectively, to provide logs of comments made on their website which tended to show intimate knowledge of the details of Prenda Law litigation, Prenda Law attorneys, or an aggressively pro-Prenda Law stance. The logs generated by the software of the various websites confirmed that several comments[9] were posted via IP addresses from a Mullvad VPN exit node. Exhibit "K-3". Other comments produced by FightCopyrightTrolls and DieTrollDie appeared from Minnesota, and Florida IP addresses. Due to the adverse nature of Prenda Law with the websites, and the fact that 6881 Forensics is the technical provider of Prenda Law in their litigation and uses a rare Mullvad VPN, such inquiry concluded with a finding that it is merely probable the person responsible for the 6881 Forensics peer is actively commenting on those websites.

[8] John Steele v. Godfread, Cooper, et. al., 1:13-CV-20744 (S.D. Fl.); Paul Duffy v. Godfread Cooper, et. al., 3:13-cv-00207 (S.D. Il.); Prenda Law v. Godfread Cooper, et. al., 1:13-cv-01569 (N.D. Il.)
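
The handshake fields listed in paragraph 6 and the peerID and cross-swarm checks of paragraphs 7, 13 and 17 can be expressed as a short parser and tally. This is an added example, not EUPSC2k code and not part of the declaration. The function names, the documentation-range IP addresses, the two infohashes and the reserved-bit settings of the sample peers are constructed; the two peerIDs are the ones quoted in paragraph 17, and the reserved-bit positions are the commonly documented ones for the Fast, LibTorrent and Azureus extensions.

```python
# Added example: BitTorrent handshake parsing plus the peerID checks the
# declaration describes. All observations below are constructed sample data.
import string
from collections import defaultdict

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes on the wire


def build_handshake(infohash_hex, peer_id, reserved):
    """Assemble a handshake; used here only to construct sample input."""
    return (bytes([len(PSTR)]) + PSTR + reserved
            + bytes.fromhex(infohash_hex) + peer_id.encode("latin-1"))


def reserved_bits(az=False, lt=False, fast=False):
    """Build the 8 reserved bytes that advertise supported extensions."""
    r = bytearray(8)
    if az:
        r[0] |= 0x80   # Azureus messaging protocol
    if lt:
        r[5] |= 0x10   # LibTorrent extension protocol
    if fast:
        r[7] |= 0x04   # Fast extension (allowed_fast)
    return bytes(r)


def parse_handshake(data):
    """Return the handshake fields: extensions, infohash and peerID."""
    if len(data) < HANDSHAKE_LEN:
        raise ValueError("handshake shorter than 68 bytes")
    if data[0] != len(PSTR) or data[1:20] != PSTR:
        raise ValueError("not a BitTorrent handshake")
    reserved = data[20:28]
    return {
        "infohash": data[28:48].hex().upper(),
        "peer_id": data[48:68].decode("latin-1"),  # peerIDs are raw bytes
        "fast_ext": bool(reserved[7] & 0x04),
        "lt_ext": bool(reserved[5] & 0x10),
        "az_ext": bool(reserved[0] & 0x80),
    }


def split_peer_id(peer_id):
    """Split an Azureus-style peerID: '-' client(2) version(4) '-' random(12)."""
    if len(peer_id) == 20 and peer_id[0] == "-" and peer_id[7] == "-":
        return peer_id[1:3], peer_id[3:7], peer_id[8:]
    return None, None, peer_id  # client omits the software prefix


def analyse(observations):
    """observations: iterable of (ip, raw_handshake_bytes).

    Returns (flags_by_peer_id, swarm_count_by_ip). The flags are heuristics
    for review, not proof of who operates a peer.
    """
    swarms_by_peer = defaultdict(set)
    swarms_by_ip = defaultdict(set)
    flags = defaultdict(set)
    for ip, raw in observations:
        hs = parse_handshake(raw)
        pid = hs["peer_id"]
        swarms_by_peer[pid].add(hs["infohash"])
        swarms_by_ip[ip].add(hs["infohash"])
        client, _version, rand = split_peer_id(pid)
        # Paragraph 17: random portion drawn only from 0-9.
        if client is not None and all(c in string.digits for c in rand):
            flags[pid].add("digits_only_random")
        # Paragraph 17: claims Vuze/Azureus but does not offer the AZ protocol.
        if client == "AZ" and not hs["az_ext"]:
            flags[pid].add("vuze_without_az_protocol")
    # Paragraph 17: the same peerID presented in more than one swarm.
    for pid, swarms in swarms_by_peer.items():
        if len(swarms) > 1:
            flags[pid].add("peer_id_reused_across_swarms")
    # Paragraph 13: how many distinct swarms each IP was seen in.
    return dict(flags), {ip: len(s) for ip, s in swarms_by_ip.items()}


SWARM_A = "AA" * 20                      # constructed infohash
SWARM_B = "BB" * 20                      # constructed infohash
SUSPECT_ID = "-AZ4712-201614746815"      # peerID quoted in paragraph 17
GENUINE_ID = "-AZ4712-3evNZLiW6lFq"      # genuine-style peerID, paragraph 17
SAMPLE = [                               # constructed observations
    ("192.0.2.10", build_handshake(SWARM_A, SUSPECT_ID, reserved_bits(lt=True, fast=True))),
    ("192.0.2.10", build_handshake(SWARM_B, SUSPECT_ID, reserved_bits(lt=True, fast=True))),
    ("192.0.2.11", build_handshake(SWARM_B, SUSPECT_ID, reserved_bits(lt=True, fast=True))),
    ("198.51.100.7", build_handshake(SWARM_A, GENUINE_ID,
                                     reserved_bits(az=True, lt=True, fast=True))),
]

if __name__ == "__main__":
    peer_flags, swarm_counts = analyse(SAMPLE)
    for pid, found in peer_flags.items():
        print(pid, sorted(found))
    print(swarm_counts)
```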

Relation Of DieTrollDie.com and FightCopyrightTrolls.com logs to Go-Daddy Records

20. Defendant's counsel provided me with exhibits from the internet domain registrar Go-Daddy (hereinafter Go-Daddy Records). I am informed they will be filed as Exhibit "E". In relation to the domain names, included are IP addresses of several ISPs that made direct changes to the domain settings of wefightpiracy.org. Such records also reflected telephone calls made by an individual by the name of John Steele that also related requests for wefightpiracy.com. Exhibit "E" pg. 65, 66, 68, 113. Such records also reflect that John Steele registered the domain name 6881forensics.com, proving that he has ultimate control over the 6881forensics.com domain name, e-mail addresses, and websites, suggesting that he has control of 6881 forensics operations. Exhibit "E" pg. 86, 106, 107, 117.

[9] These Mullvad VPN comments appear to be responding and commenting on Prenda Law cases with a Pro-Prenda law stance. These comments were selected by the owners of those websites as being pro-Prenda Law, or an effort to "set the record straight" as to Prenda Law.

21. Included in those records provided from the Go-Daddy Records are the IPs of:
- 24.118.198.196 and 50.77.50.222 which are Minnesota Comcast IP addresses (which I am informed is the state of residence of both Peter and Paul Hansmeier),
- 72.28.155.178 and 174.140.100.242 which are both Atlantic Broadband IP addresses in Florida,
- 66.202.128.10 host resolves to host10.connectregus.com belonging to a Regus business office in Florida.

22. Comments identified by FightCopyrightTrolls and DieTrollDie records have much in common with both the previous information of both the "sharkmp4" user and the go-daddy records. Exhibit "K-4". Comments strongly suggesting they were from John Steele or another Prenda Law insider were sourced from either:
- Mullvad VPN exit node IPs (95.75.220.253, 94.75.220.77, 46.21.99.22)
- Miami Beach Business & Residential IPs:
  - 66.202.128.10 (host10.connectregus.com)
  - 174.140.100.242 (Atlantic Broadband IP address in Florida)
  - 204.195.150.212 (Atlantic Broadband IP address in Florida)
- One Chicago Business & Residential IP (64.190.14.220)

23. Of these, 72.28.155.178, 66.202.128.10, 64.190.14.220, 174.140.100.242 have been confirmed to be used by someone with access to John Steele's Go-Daddy account. Exhibit "E" (72.28.155.178, pg. 63, 77, 78) (66.202.128.10, pg. 67) (64.190.14.220, pg. 113) (174.140.100.242 pg. 58, 59, 65, 66, 71, 80, 81, 111). Such inquiry concluded with a finding that it is likely that the person responsible for the 6881 Forensics peer is actively commenting on those websites, such comments showing "insider" information or bias toward Prenda Law.

Piratebay User sharkmp4, Ingenuity 13 and naughty-hotties.com

24. The purpose of the investigation requested by Defendant's counsel in this matter was to pinpoint the likely origin of the user "sharkmp4" on the website known as Pirate Bay that originated torrents relating to copyrights held by companies named "AF Holdings" and "Ingenuity 13".

25. The website "Pirate Bay" is a website that hosts user generated content relating to torrent information to help others locate copyrighted and non-copyrighted data files but does not distinguish between copyrights as it does not edit the content of its users. Notoriously and openly, the Pirate Bay hosts sufficient information to locate seeds of copyrighted materials being shared by whomever cares to release such materials. The founders of Pirate Bay were found guilty of "promoting other people's infringements of copyright laws" in Sweden.

Sharkmp4 Shares Works of AF Holdings

26.
Sharkmp4 posted on the Pirate Bay torrent information sufficient to locate works of AF Holdings, specifically the works "Popular Demand" and "Sexual Obsession" and posted hash values of a torrent that the user created on to the Pirate Bay. The work "Popular Demand" shared by sharkmp4 had an infohash value of 96D3F116657D8723EFE8DC6F0ADD398A68D421A8, a unique fingerprint for identifying the torrent swarm and downloading the work. See Exhibit "K-5". The work "Sexual Obsession" was shared by sharkmp4 in two different formats with infohash values of F00A7C83D6C7F61FEFA07BD916A50C90A16048E8 and B919A8A93612DD2FD623AF90F15926A662522FF2 both unique fingerprints for identifying the torrent swarm and downloading the work. See Exhibit "K-6". Such works allegedly held by AF Holdings appear to be commercially available for both online streaming and purchase through pornography distributors and could have been gathered, pirated, and uploaded by sharkmp4 in any number of ways as would be expected in a typical episode of copyright infringement.[10]

[10] "Sexual Obsession" is available for purchase on DVD and Streaming at http://www.excaliburfilms.com/AdultDVD/829246D1_Sexual_Obsession_dvd.htm and "Popular Demand" is available for purchase on DVD at http://www.excaliburfilms.com/AdultDVD/3004326D1_Nina_Mercedez_Popular_Demand_dvd.htm. The original author of the works, Heartbreaker Films (who sold the copyrights to Prenda et al's AF Holdings), is the original author for other sharkmp4 uploads.

Sharkmp4 Shares Works of Ingenuity 13
Anything for Daddy, Teen Sex First Anal, A Peek Behind the Scenes at the Show

27. Unlike those works of AF Holdings, Defendant's counsel contacted me with the proposition that sharkmp4's uploads of certain works copyrighted by Ingenuity 13 appear to be works that were not commercially available at the time that they were shared by sharkmp4.

28. I reviewed the copyright dates of the following works of Ingenuity 13 gathered from complaints filed in Federal Courts and compared them to the Copyright Registration dates and found as follows:
- Anything for Daddy: 5448D6C00CE82F71AE8570EAB2480FC277916E8B - Hash Value. Earliest found release on Piratebay by sharkmp4 - 7-18-2011 - Copyright Registration PA0001739839 filed on 7-5-2011 (same publication date)
- Teen Sex First Anal: DBEE600A2FCED4FC9E28AB0261909522813BFC44 - Hash Value. Earliest found release on Piratebay by sharkmp4 - 10-10-2011 - Copyright Registration PA0001751393 filed on 8-24-2011 for publication date 8-22-2011
- A Peek Behind the Scenes at the Show: 7571E2F7C1972FC5A383A4D87DA00CC3333FB32E - Hash Value. Earliest found release on Piratebay by sharkmp4 - 08-21-2012 - Copyright Registration PA0001802629 filed on 8-24-2012 for publication date 07-25-2012.

Information provided by sharkmp4 on the Pirate Bay did not readily relay any information regarding whether any such Ingenuity 13 works were copyrighted. Although the torrent information for "Anything for Daddy" relays information for location of a swarm sufficient to download a movie file that is 702.17 MB, the screen captures[11] made by the user sharkmp4 evidenced a file that was 1.58 GB in size, roughly twice the size of the file released - and such screen captures denote "MASTER" in the filename.

(snippet from http://bayimg.com/haJcmaadD - Listed as "Screen Shots" of Anything for Daddy released by sharkmp4 on the Piratebay)

This strongly suggests that the individual responsible for the creation of the sharkmp4 torrent and sharkmp4 screen captures had access to a higher resolution copy than he/she made available on BitTorrent - and such file name suggests that the individual had an original "MASTER" of the work.

References to the infohash for "A Peek Behind the Scenes at the Show" in complaints filed by Prenda et. al. cite their initial detection of infringement by the Doe on the same day the torrent was created by sharkmp4. Composite Exhibit "K-15". In at least two instances the infringement was reported as "detected" an hour before the infohash appeared on Pirate Bay (2012-08-21 00:54:51 GMT upload to pirate bay versus 2012-08-21 00:09:42 & 00:42:12 UTC time of alleged infringement). Composite Exhibit "K-15". How 6881 Forensics was able to detect an infringement on a swarm before it apparently existed could be explained, to some degree, if 6881 did not account for daylight savings when converting their system clock (local time) to UTC. Another alternative would be clock skew, which in networking refers to differences in the time reported by different nodes in the network, which can be considerable (on the order of tens of minutes) when transit times or distances are high. In such a case, they would still be connected to a swarm they've already identified as infringing on one of Ingenuity13 LLCs copyrights within minutes of its creation. Regardless, it suggests, at minimum, "insider information" between sharkmp4 and 6881 Forensics.

[11] Screen captures, or "screencaps" as they are commonly called, refer to the generation of an image through the selection of various frames of a movie file. The resulting images are essentially a chronological layout of scenes creating a sort of storyboard for the movie file.

Five Fan Favorites

29. I further reviewed the uploads of sharkmp4 to locate additional works which may be attributable to copyrights held by Ingenuity 13. One work, titled "Five Fan Favorites" was a registered copyright of Ingenuity 13, PA0001791654 on 5-24-2012.
Sharkmp4 used the term "Fan Favorite" to describe some files shared, but there was no indication from inspection of sharkmp4 releases of their being numerically designated as "Five Fan Favorites" shared by sharkmp4.

30. I inspected complaints filed by copyright attorneys for Ingenuity 13 and found four infohashes referenced within them relating to alleged infringement of the work "Five Fan Favorites" and complaints featuring such infohashes are in the hundreds, but examples of those citations of those unique infohashes are as follows:
- F016490BD8E60E184EC5B7052CEB1FA570A4AF11 from Ingenuity 13 v. Doe, 8:12-cv-01691, Doc. 1, ¶ 24 (M.D. Fl) (Signed by attorney George Banas with blgibbs@wefightpiracy.com e-mail address)
- 0D47A7A035581B0BA4FA5CB86AFE986885F5E18E from Ingenuity 13 v. Doe, 1:12-cv-22756, Doc. 1, ¶ 24 (S.D. Fl) (Signed by attorney Joseph Perea with joperea@wefightpiracy.com e-mail address)
- DBB7ABE11CB844FD84686DEAD98F9A6828D7FCC0 from Ingenuity 13 v. Doe, 3:12-CV-04977, Doc. 1, ¶ 24 (N.D. Cal) (Signed by attorney Brett Gibbs with a blgibbs@wefightpiracy.com email address)
- and 5985BD79F92F9725772383E89597B58409F82504 from Ingenuity 13 v. Doe, 1:12-CV-22757, Doc. 1, ¶ 24 (S.D. Fl) (Signed by attorney Joseph Perea with joperea@wefightpiracy.com e-mail address).

31. After review of the complaints, many of which I retrieved from wefightpiracy.com, I noted that though John Steele has complete control of e-mail accounts, the domain, and FTP (File Transfer Protocol) for the site, his name was typically absent from the complaints that I examined. See generally Exhibit "E".

32. Upon verifying each infohash for "Five Fan Favorites", often called the "fingerprint" of the work, as present in the complaints, I again returned to the Pirate Bay and inspected the releases of sharkmp4.

33.
I found that sharkmp4 posted all four corresponding info hashes relating to the work Five Fan Favorites to the Pirate Bay. They corresponded as:
- F016490BD8E60E184EC5B7052CEB1FA570A4AF11 from Ingenuity, 8:12-cv-01691 (M.D. Fl) corresponded to sharkmp4 release on 6-2-2012 GMT: "Rosemary Radeva: Petite, Sexy Asian Plays with Herself [2012]" also labeled in description as "Fan Favorite - Rosemary Radeva [2012]." See Exhibit "K-7"
- 0D47A7A035581B0BA4FA5CB86AFE986885F5E18E from Ingenuity, 1:12-cv-22756 (S.D. Fl) corresponded to sharkmp4 release on 6-1-2012 GMT: "Amy Brooke - Anal Dildo and Squirting" also labeled in description as "Fan Favorite - Amy Brooke." See Exhibit "K-8"
- DBB7ABE11CB844FD84686DEAD98F9A6828D7FCC0 from Ingenuity 13 v. Doe, 3:12-CV-04977 (N.D. Cal) corresponded to sharkmp4 release on 6-1-2012 GMT: "Madison Fox - Busty Beauty in Red Lingerie" also labeled in description as "Fan Favorite - Madison Fox." See Exhibit "K-9"
- 5985BD79F92F9725772383E89597B58409F82504 from Ingenuity 13 v. Doe, 1:12-CV-22757, (S.D. Fl) corresponded to sharkmp4 release on 6-2-2012 GMT: "Fan Favorite - Tory Lane: Pink Heels [2012]" also labeled in description as "Fan Favorite - Tory Lane." See Exhibit "K-10"

34. I located one additional "Fan Favorite" shared by sharkmp4, that of "Fan Favorite - Spencer Scott: Playmate on a Motorcycle [2012]" but that hash value was not referenced in any complaint that I could locate. See Exhibit "K-11". With the strong match in copyrights at this point in the inquiry, I sought out the US Copyright records for Ingenuity13 LLC. Of the 9 works registered to Ingenuity13 LLC since 1978[12], 8 of these were uploaded to Pirate Bay by user "sharkmp4" shortly after the copyright was registered. In the case of "A Peek Behind the Scenes at a Show", the copyright wasn't filed until 3 days after sharkmp4 uploaded the work.

[12] Online searchable copyright records at www.copyright.gov/records only extend back to January 1, 1978. Given that Ingenuity13 LLC did not appear to exist until the late 21st century, I deemed it unnecessary to seek out earlier entries from the copyright card catalog.

35. Based upon the inquiry "Five Fan Favorites" I concluded my research and delivered my findings to Defendant's counsel, and closed my inquiry finding:

a. User sharkmp4 had access to at least four of the "Five Fan Favorites" on or about 6-2-2012 GMT.

b. The copyright registration PA0001791654 date of "Five Fan Favorites" was on 5-24-2012.

c. Most sharkmp4 torrent swarms contain a unique peer in the swarm that uses a Mullvad VPN service with behavior unique from that of a normal client within a swarm, evidencing monitoring.

d. The unique "6881 Forensics" peer reports as a "seed" and sends Allowed_fast messages.

e. Among the several swarms of sharkmp4, the only consistently common IP addresses and peer IDs were those of Mullvad VPNs associated with a peer which appeared to be attempting to simultaneously download, or be "interested" in pieces although such peer also reported as a seed, which is a contradiction. Such a peer would only be "interested" in pieces for the purpose of collecting evidence of infringement and is therefore likely a copyright monitor.

f. Mullvad VPNs were used to make several comments on FightCopyrightTrolls and DieTrollDie, relaying messages which show "insider" information into Prenda Law.

g. It would be nearly impossible to search all pornography websites to verify that an Ingenuity 13 work wasn't available commercially, or that it was available commercially prior to publication by sharkmp4 via Pirate Bay.

h.
That upon cursory inspection, Google did not return any results of commercial availability of the materials of Ingenuity 13.

i. The actresses named in the four Fan Favorites have large volumes of work listed on the Internet Adult Film Database (iafd.com), but have never been featured in the same film, nor do any of their 2012 films appear substantially similar to the screenshots and descriptions given for the Fan Favorites.

j. That apparent agents with inside knowledge and an agenda promoting and lauding the activities of Prenda Law posted comments on DieTrollDie and FightCopyrightTrolls using Mullvad VPN IP addresses, Minnesota Comcast IP addresses, and Florida Regus Virtual Office & Atlantic Broadband IP addresses.

k. That John Steele and an individual named "Paul" used Minnesota Comcast IP addresses, and Regus Virtual Office & Atlantic Broadband IP addresses to login to the domain registrar Go-Daddy, many of which are identical matches to those IPs featured in the DieTrollDie & FightCopyrightTrolls.

l. Ingenuity 13 has sued on works uploaded by sharkmp4 alleging infringement times before the timestamp on Pirate Bay show sharkmp4 made such work available to the general public. If such evidence was not completely incorrect or falsified (adjusting for possible clock skew on the Pirate Bay server and the software of 6881 Forensics, or failure to account for Daylight Savings) 6881 Forensics seemed to have immediately located the infohash of Ingenuity 13 works at the exact moment that they were uploaded.

m. The behaviors of sharkmp4 in obtaining "Anything for Daddy - MASTER" with a higher resolution than actually released by sharkmp4 means that user sharkmp4 is likely someone on the "inside" of Ingenuity 13.

n.
The behaviors of 6881 Forensics in immediately locating infringement of the work, either before or simultaneous to upload, suggests 6881 Forensics show that they were someone on the "inside" of sharkmp4.

o. Therefore, it appears that there is sufficient evidence to conclude that Ingenuity 13 is sharing its own works via sharkmp4 and identifying such swarms to 6881 Forensics upon creation.[13]

[13] Not just AF Holdings and Ingenuity 13 are involved with sharkmp4. Sharkmp4 also uploaded the works of VPR, Inc. who filed suits under Prenda Law under the name VPR Internationale. The titles of the copyrighted works of this company, called "Viper" also match with the domain names registered to Steele's Go-daddy records (i.e. IraqCarePackages.com, MyGirlfriendLostABet.com correspond to works PA0001732176 "Iraq Care Package" and PA0001732178 or PA0001732159.)

36. Unlike the previous works of "AF Holdings," I could not readily find that these works were commercially available on the Internet in streaming or DVD format for sale to the general public. I did not inspect all pornography websites on the Internet, as such a task would be nearly impossible or a lifetime task, and cost prohibitively expensive.

37. This portion of the inquiry also concluded that sharkmp4 is related to a Mullvad VPN via the 6881 peer and such Mullvad VPN is also linked to "Prenda Law insider" comments on FightCopyrightTrolls.com and DieTrollDie.com. John Steele and "Paul" are linked directly with Minnesota Comcast IP addresses, Florida Atlantic Broadband & Regus Virtual Office IP addresses. The same Internet Service Providers (Mullvad, Regus, Comcast and Atlantic Broadband) that show up as posting those comments match the Go-Daddy Records and the sharkmp4 swarms monitored by . The inquiry concluded upon these findings until later resumed.

Ingenuity 13 and www.naughty-hotties.com

38.
Defendant's counsel again contacted me after I reported to him my findings and discussed the matter. He requested that I take a look at the website "www.naughty-hotties.com" (hereinafter Naughty Hotties) and make findings and report based upon previous investigation and to answer the question if sharkmp4 could have obtained the materials that he willingly uploaded to Pirate Bay from that website.

39. Defendant's counsel informed me that he inspected the Naughty Hotties website offered on May 7th which contained a statement that "All models on naughty-hotties.com/ were 18 years of age or older when photographed 18 U.S.C. 2257 Record-Keeping Requirements Compliance Statement" but lacked any details required by 18 U.S.C. 2257 Record keeping requirements.

40. On May 28th, 2013, I inspected directly the website of naughty-hotties.com and specifically visited the URL http://naughty-hotties.com/tour/en/legal to look for 18 U.S.C. 2257 Record keeping requirements. Unlike the status of the page as reported by Defendant's counsel during his May 7th visit, the information containing the record keeping requirement was then present, listing: 2257Sentry, LLC, Administrator, 361 Rt. 31, Bldg. E, Suite 1402, 2nd Floor Flemington, NJ 08822 as the records keeper for 18 U.S.C. 2257 compliance.

41. Based upon the observations of Defendant's counsel regarding the absence of 18 U.S.C. 2257 statement, a comparison of the website as it stood upon my inspection May 28th, 2013, and the below facts, lead to the conclusion that it is more likely than not that the site was still "under construction" in May of 2013. Those facts are:

• The website has embedded the font "Angilla Tattoo Personal Use", a copyrighted font that is not for commercial use. See Exhibit "K-12" pg. 2-5.
• The code embedding the sample video player on the page references videos that do not yet exist on the site.
See Exhibit "K-12" pg. 6-7.
• The code that wraps said video player incorrectly attempts to apply an overlay, and bears the marks of hastily written code by its use of undescriptive class and variable names. See Exhibit "K-12" pg. 8.
• There are still large swaths of commented-out example code likely part of the template used to produce the site. See Exhibit "K-12" pg. 9.
• The "Category" filter has a drop-down box that features only a single category, the generic (and likely automatically generated) "Updates" category. The link to the third page of updates leads to an empty template, and selecting "Category" from the drop-down box instead of "Update" directs the browser to an erroneous page. The "Models" page is similarly devoid of its proper content. See Exhibit "K-12" pg. 10-13.

42. On May 28th, 2013, I inspected the content in the "free tour" portion of the naughty-hotties pornography website. I made the following observations:

a. Upon entering the website I was presented with the ability to play a 42 second clip titled "I'll Do Anything." I immediately recognized this first clip from the pornographic screenshots posted by sharkmp4 at http://bayimg.com/haJcmaadD as being identical in visual depiction of 42 seconds of the sharkmp4 release "Anything for Daddy." Compare Exhibit "K-12" pg 14. and screenshots in ¶28 at 00:08:33.

b. The second clip available titled "Rosemary" I immediately recognized from the pornographic screenshot posted by sharkmp4 at http://bayimg.com/NAOBLAadP as being identical in visual depiction of 39 seconds of "Rosemary Radeva: Petite, Sexy Asian Plays with Herself [2012]" also labeled in description as "Fan Favorite - Rosemary Radeva [2012]." Compare Exhibit "K-12" pg. 15 and "K-7".

c. The fifth clip, "18 Year Old Hookers" (Exhibit "K-12" pg. 16) is another Ingenuity13 LLC registered work that was uploaded to Pirate Bay by user sharkmp4.

d.
Below the videos in the "Latest Updates" section, I was presented with a series of 12 images. I immediately recognized visual still depictions of 1. "Rosemary Radeva: Petite, Sexy Asian Plays with Herself [2012]", 2. "Fan Favorite - Spencer Scott: Playmate on a Motorcycle [2012]", 3. "Fan Favorite - Tory Lane: Pink Heels [2012]" and 4. "Madison Fox - Busty Beauty in Red Lingerie". Compare Exhibit K-7, K-8, K-9, K-10, K-11 with images in K-12 p17 & 18.

e. Examining the PHP calls made by the page to produce these stills, I noted that the internal language for the site agrees with my recognition, as the file names reference Tory Lane, Spencer Scott, Rosemary Radeva, Madison Fox, and Anything For Daddy Scene 3. Exhibit "K-17". Two of the other images found on this page (Jynx Maze & Tasha Reign) also match screenshots from sharkmp4 uploads (infohashes 4582A802B1299DC8F692FE29B1FA1F5118FFD79A & 4CD530FB5541E587B1254A58A1885C4A18F3D819). Screenshots from "A Peek Behind the Scenes at the Show" and the Amy Brooke Fan Favorite appear on the second page of updates. Exhibit "K-12" pg 19.

f. Upon locating four out of Five Fan Favorites, I conducted an inquiry into the ownership of the domain naughty-hotties.com. Whois records attached, acquired May 28th, 2013 from domaintools.com, show that the ownership of the domain name naughty-hotties.com was only very recently acquired by the current owners. See Exhibit "K-13", presented in reverse chronological order. The current owners of the domain acquired it on December 20th, 2012 (), registered through GoDaddy.com by "Domains By Proxy, LLC". See Exhibit "K-13" pages 2-4. Domains By Proxy, LLC provides its clients with a level of anonymity, preventing a Whois record from demonstrating the real operators of the site.
The prior owners of the domain, "naughtyhotties" organized in Houston, Texas released ownership of the domain some time between January 2nd, 2012 and March 13th, 2012 (Exhibit K-13 pages 5-6). GoDaddy records acquired by Defendant's counsel (Exhibit E) show that John Steele has used Domains By Proxy, LLC for all 11 domains registered and maintained between 2010 and 2013 with the exception of snakebite.cc and notissues.com (which list Alan Cooper for the name but with the email address of John Steele).

g. I also conducted inquiry into the history of IP addresses to which naughty-hotties.com has been registered. The domain, though registered by its current owner December 20, 2012, has no records I could locate of actually resolving to an IP until January 3rd, 2013. Exhibit "K-13" pg. 13. Given that it is the current owners of the domain who also purport to have the rights to distribute Ingenuity13 LLC copyrighted works, and said owners did not have an accessible website until 2013, there is little chance that sharkmp4 obtained the materials he seeded (in 2011 & 2012) from the website of naughty-hotties.com (inaccessible until 2013).

h. I conducted further inquiry on the domain name naughty-hotties.com by using internet domain name servers to resolve the current IP address from the host name of the naughty hotties website.

i. On May 28th, at 9:05am PDT, the IP address associated with the website naughty-hotties.com had address 75.72.88.156, matching the prior history for its registration (Exhibit K-13, page 13). This IP address is a Minnesota Comcast IP address resolving to c-75-72-88-156.hsd1.mn.comcast.net, indicating that Comcast has labeled that IP address via nameserver as a Minnesota IP address.
I ran a traceroute to the IP address 75.72.88.156 and noted the path of the traceroute went through recognizable Internet locations toward Minnesota.

j. The last hop in the traceroute "te-1-0-0-ten02.nmpls.mn.minn.comcast.net (68.85.167.162)" suggests that the endpoint location for the device routing traffic for 75.72.88.156 is located more specifically in Minneapolis, MN. Geolocation for 75.72.88.156 via www.plotip.com as well as www.ipdb.at also concur with Minneapolis, MN based on the location of other users from the same IP block.

k. I inquired of Defendant's counsel how he found naughty-hotties.com, and he reported that he received information from DieTrollDie stating that the IP address 75.72.88.156 made a comment on a website showing intimate knowledge or presence in Prenda Law litigation.[14] Exhibit "K-14"

l. I noted that the same IP, 75.72.88.156, was used by someone with John Steele's Go-Daddy login and password on 11/13/2012 at 10:57:37 AM to login to his Go-Daddy web hosting account. See Exhibit "K-16". Such domain names in John Steele's Go-Daddy records appear to be controlled by IP addresses in Florida and Minnesota. Paul or Peter Hansmeier's Go-Daddy records were unavailable to me.

[14] Yuen filed actions on behalf of Doe defendants against agents of Prenda Law and Prenda Law in general. It is obvious from the text statements "Keep wasting your time Yuen. It was hilarious watching your face when you got your entire case kicked out with $0 after 6 months of work. I knew the first day you filed your silliness that you would not be allowed to proceed. I figured, why not let you spend 6 months wasting your time."

43. I concluded my inquiry into the Internet presence of naughty-hotties.com, with a finding that such website contained material copyrighted by Ingenuity 13. Such webserver is a device located in Minneapolis, MN.
An identical IP address made comments on the website DieTrollDie tormenting attorney Steven Yuen who has opposed Prenda Law in litigation. Exhibit "K-14"

44. The Go-Daddy records noted that the IP address of naughty-hotties.com is related to John Steele's domain accounts. Exhibit "K-16". Such billing records indicate that shortly after prendalawfirm.com was registered as a domain, such Go-Daddy account was accessed by an individual with the IP address 75.72.88.156, an address now belonging to the naughty-hotties.com website. Exhibit "K-16"

45. Therefore, I concluded that John Steele or his agents are in control of Ingenuity 13, the naughty-hotties.com domain name, and the webserver attached to 75.72.88.156. Due to Steele's apparent use and control over the IP address 75.72.88.156 in the Go-Daddy records, John Steele had access to the copyrighted works of Ingenuity 13.

46. Pirate Bay user sharkmp4 also had access to the original works of Ingenuity 13 before the existence of the current incarnation of the naughty-hotties.com website.

47. It appears from all the evidence that John Steele (or someone under his control or with access to his Go-Daddy account records with authorization to make changes to domain names) is the most probable candidate for the identity of Pirate Bay user sharkmp4. Sharkmp4 was the originator of the only found public releases of Ingenuity 13 works prior to the creation of naughty-hotties.com. Some works were shared by sharkmp4 prior to the registered copyright date with indications of access to a higher resolution copy (more related to the direct source). Therefore further inquiry would need to be made upon John Steele, and all those within his control, to identify if he is infringing the copyrights of Ingenuity 13, AF Holdings, and others through the Pirate Bay user "sharkmp4".

48.
The nature of 6881 Forensics software which appears to be seeding files, paired with its detection of alleged infringement somehow before or immediately upon creation of the swarm by sharkmp4 also suggests that the identity of sharkmp4 may be somehow linked with an employee or agent of 6881 Forensics. Because 6881forensics.com is owned by John Steele, it leads again to the conclusion that John Steele or his agents are sharkmp4. I concluded my inquiry into the identity of the Internet pirate sharkmp4 upon the foregoing conclusions, not excluding all possible candidates, but without any other candidate available. There is an incredible weight of circumstantial evidence for further inquiry into identities and involvement of John Steele and 6881 Forensics and therefore Prenda Law, with regards to Internet piracy of Ingenuity 13 registered works.

49. I am informed by Defendant's counsel that he is unable to conduct discovery or issue subpoena to confirm findings regarding the identity of whoever shared the work "FTV-Tiffany", the nature of 6881 Forensics software, the involvement of John Steele in 6881 Forensics, the logs of the 6881 Forensics evidencing the Defendant's alleged download of the work "FTV-Tiffany," information from Comcast regarding the ownership of 75.72.88.156 and naughty-hotties.com, information regarding Mullvad VPN subscriptions, or even information as simple as the infohash associated with the alleged download of the Work. My own attempts to track down evidence provided by 6881 Forensics on PACER in other cases establish a consistent history of reporting no evidence beyond a "hit date" and usually the infohash (not present in this case) despite declarations by Peter Hansmeier that their practices generate "granular level data" on the history of for each member of the swarm.

50.
Normally, in situations where a copyright is being enforced, based upon the investigation, I would advise the owner of the copyright to pursue further inquiry of John Steele and/or 6881 Forensics to determine the identity of Pirate Bay user Because all three entities appear under the same control, it is my belief that the purpose of sharing the file by sharkmp4 appears to have been in an effort to induce infringement for the purposes of monetization of copyrights of commercially low value.

FURTHER DECLARANT SAYETH NAUGHT

I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct.

Executed this day of June, 2013

Delvan Neville, Manager
AMARAGH ASSOCIATES, LLC
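Findings 35(d) and 35(e) above describe a peer that reports as a seed, sends Allowed_fast messages, and is still "interested" in pieces. The Python below is an added example, not part of the declaration and not EUPSC2k code: it parses a peer-wire byte stream using the message IDs from the BitTorrent specification (BEP 3) and its Fast Extension (BEP 6) and flags that contradiction. The function names, the 12-piece torrent and the sample streams are constructed for illustration.

```python
import struct

# Peer-wire message IDs: BEP 3 (core) and BEP 6 (Fast Extension).
INTERESTED, BITFIELD = 2, 5
HAVE_ALL, ALLOWED_FAST = 0x0E, 0x11

def parse_messages(stream):
    """Yield (msg_id, payload) from a post-handshake peer-wire byte stream."""
    pos = 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, pos)
        pos += 4
        if length == 0:                  # keep-alive: no id, no payload
            continue
        if pos + length > len(stream):   # truncated capture: stop, do not guess
            break
        yield stream[pos], stream[pos + 1:pos + length]
        pos += length

def bitfield_is_complete(payload, num_pieces):
    """True when all num_pieces bits are set; spare trailing bits are ignored."""
    if len(payload) != (num_pieces + 7) // 8:
        return False
    full, rem = divmod(num_pieces, 8)
    if any(b != 0xFF for b in payload[:full]):
        return False
    if rem:
        mask = (0xFF << (8 - rem)) & 0xFF
        return payload[full] & mask == mask
    return True

def classify_peer(stream, num_pieces):
    """Summarise what one remote peer announced about itself."""
    claims_seed = False
    seed_yet_interested = False
    allowed_fast = 0
    for msg_id, payload in parse_messages(stream):
        if msg_id == HAVE_ALL and not payload:
            claims_seed = True
        elif msg_id == BITFIELD:
            claims_seed = bitfield_is_complete(payload, num_pieces)
        elif msg_id == INTERESTED and claims_seed:
            # A peer holding every piece has nothing left to request.
            seed_yet_interested = True
        elif msg_id == ALLOWED_FAST and len(payload) == 4:
            allowed_fast += 1
    return {"claims_seed": claims_seed,
            "seed_yet_interested": seed_yet_interested,
            "allowed_fast": allowed_fast}

def msg(msg_id, payload=b""):
    """Frame one message: 4-byte big-endian length, 1-byte id, payload."""
    return struct.pack(">IB", 1 + len(payload), msg_id) + payload

# Constructed sample streams for a hypothetical 12-piece torrent.
NUM_PIECES = 12
FULL = bytes([0xFF, 0xF0])
SAMPLES = {
    "monitor_like": msg(BITFIELD, FULL) + msg(ALLOWED_FAST, struct.pack(">I", 3))
                    + msg(ALLOWED_FAST, struct.pack(">I", 7)) + msg(INTERESTED),
    "ordinary_seed": msg(BITFIELD, FULL) + struct.pack(">I", 0),
    "leecher": msg(BITFIELD, bytes([0xF0, 0x00])) + msg(INTERESTED),
}

def flagged(samples=SAMPLES, num_pieces=NUM_PIECES):
    """Names of peers that claimed to be a seed and then sent 'interested'."""
    return sorted(name for name, s in samples.items()
                  if classify_peer(s, num_pieces)["seed_yet_interested"])

if __name__ == "__main__":
    print(flagged())
```

A truncated capture is cut at the last complete message, so a partial trailing frame never produces a flag on its own.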