Copyright Troll Malibu Media and their “Evidence” – AKA: Forcing A Settlement

When Malibu Media files a case against a Doe, I often get questions asking what evidence they have and what they will be looking for. Now when I say “Evidence,” I will define it to mean what Troll Lipscomb/Malibu Media uses to justify their actions and gives them a higher probability (in their view) that they can force a settlement. Many people have the first impression that these cases are decided on a high standard of proof. Actually the vast majority of Malibu Media/X-Art cases ended in some form of a settlement agreement. None of these cases have truly been judged on their merits (EDPA was a show trial) and Troll/Plaintiff likes it that way. The Troll actions are best seen as a poker game where Plaintiff has lots of chips and likes to use their power to bluff more than show its hand. So far this strategy has paid off and they are able to get many people to “fold” (settle) based on their “evidence” and the associated high cost of putting forward a good defense. Their evidence initially comes from the German BitTorrent monitoring firms (IPP/Guardaley/Excipio), supplemental background checks, ISP records, depositions, and computer forensics (as needed).

Evidence From The German Firms

Public IP Address. The IP address (using BitTorrent) is monitored and recorded for over a month. This long time period shows (in their view) that it is unlikely to have been a one-time guest or passing hacker; the infringer is most likely an authorized network user. This of course does not take into account the possibility of a long-term neighbor on the network. The longer the monitoring happens, the better in their view – BUT it does also call into question their lack of action to prevent further infringement.

BitTorrent Client.  The BT client identified on the IP address is also recorded (BT Client Name and version of it – i.e. uTorrent version x.x, etc.).

Plaintiff’s Movies.  Which of Plaintiff’s movies/files were being shared over BT? Single movies and/or site-rips.

Non-Malibu Media/X-Art Files Being Shared via BT.  These are the “Other” files that were recorded as also being shared via the BT client/Defendant’s IP address.  These files were initially known as “Exhibit C” to the complaint in past cases.  In the more recent cases, this information was not filed with the court, but it is still used by Troll/Plaintiff.  The Troll uses it to possibly identify who the BT user is, as well as to force a settlement.  These recorded files can also be searched for during any forensic examination – thus linking the computer in the residence to the infringing activity.

Other Evidence They Will Be Looking For

Internet Connection. The Troll will eventually try to get the defendant to tell them how their WiFi Internet connection was run. Was it “Open” or secured with a password? What encryption was used: WEP, WPA, WPA2? Was WiFi Protected Set-up (WPS) on? If the Doe states the WiFi was encrypted/password protected, they feel it further shows that an “authorized user” (ISP subscriber or other resident) was the offender. This is why they really don’t like to hear that someone ran their network open.

Who Are the Authorized Network Users? Determining who the other possible residents and network users are is very important. The 50-year-old female ISP subscriber is unlikely to be the infringer, but her 18-year-old adult son is more likely. Finding this out can give the Troll a huge negotiation advantage. Most parents are not going to let their children face the fire even if they did it. I would assume this part would not come about until after the Troll/Plaintiff was unsuccessful in getting the defendant to first settle. This information could be obtained from the ISP subscriber directly, but can also come from doing a LexisNexis check on the ISP subscriber and residence. Additional information could also come from interrogatories and depositions if/when Discovery happens.

Computer Systems On The Network.  What are the number and types of computers on the network? Many households will have one system per individual. They will also likely try to find out how many external hard drives have been used on the network systems.

Internet Service Provider (ISP) Records

The Troll may subpoena the ISP to locate any records pertaining to bandwidth usage and other allegations of copyright infringement in the form of Digital Millennium Copyright Act (DMCA) take-down notices.  They will try to find excessive bandwidth use and claim that it indicates possible BitTorrent usage.  The DMCA take-down notices will be used to add more weight to the claim that the Defendant is a serial-infringer.  I find this ironic as Malibu Media/X-Art does not send DMCA take-down notices to the ISP subscribers (via the ISPs) for allegedly downloading/sharing their movies via BitTorrent.


This is where the Troll will try to lock down the Defendant’s story and see if they can poke holes in it. They will seek to find out the details on the network, authorized users, guests on the network, any past/present BT usage, other file sharing activity, the number of computers and external hard drives, whether the systems and/or router were ever compromised, hobbies and interests of the users, computer knowledge/experience, etc. Once they have deposed the ISP subscriber, they may move on to other network users (family members) or even possibly neighbors.

Computer Forensics

Computer forensics is usually the last step and by this time, a good amount of money has been spent by the Troll. Most cases will never get this far. The reason it is often done last is because it costs a significant amount and often the Troll can get a settlement without having to resort to this. The forensic consultant will use the previously gathered evidence and case details to tailor his searches. Don’t kid yourself, the forensic software they employ is good (EnCase & FTK) and well-tested in various courts of law. They will first attempt to find direct evidence of the Malibu Media movies, BitTorrent client, torrent files, Web searches for torrents, and any of the “other” files (non-Malibu Media) that were recorded as being shared via BT. They will also look for facts that tend to indicate that the Defendant lied or that he destroyed evidence. They will look at when the operating system was installed, as well as general activity on it. An operating system installation that occurred after they were notified of the case by their ISP is suspicious. The same goes for indications that files were deleted or wiped (overwritten) prior to being provided to the defense. Even if the forensics comes back completely clean and there is no indication of evidence destruction (spoliation), the Troll is likely to claim the offending system was not provided to them for analysis – it was hidden.

So What Will They Do With All This Information?

All the information is put together to paint a picture and give them the most likely outcome they will face, as well as the likelihood that a Doe will settle under pressure. This is the same thing a good defense attorney will do for their client. Note: this picture will change as the case progresses. You just need to remember that for the Troll, this is strictly a business model and making a profit is the general goal.


Fictional Case #1:

Defendant’s public IP address was recorded sharing 15 of Plaintiff’s copyright protected movies over two months (via the same BitTorrent client). The “other” non-X-Art media/files being shared were the complete 4th Season of “Game of Thrones,” 10 eBooks on various topics of digital photography and editing digital images, a pirated copy of Adobe Photoshop (plus key generator), 11 other pornographic movies (not belonging to Plaintiff), 7 non-pornographic movies of various titles, and one eBook for the game “Assassin’s Creed IV: Black Flag.” The Defendant told the Troll that the WiFi was encrypted with WPA2 and there were no other authorized users besides the ISP subscriber, his wife, and two children (boy 15, and girl 16). Seeing this, the Troll is likely to be confident that they have the right people – most likely the father or the son. For Troll/Malibu Media, the usual procedure is to let the ISP subscriber contact the Troll and start any discussion – this is why you don’t see Malibu Media settlement letters. If the Troll doesn’t hear from the ISP subscriber (or his attorney), then they have to assess if it is financially worth it to go after this person. As has been stated repeatedly by various Trolls, they are only going after people with the means to pay. Here is an older case that Copyright Troll Keith Lipscomb had his hands in – K-Beech v. Does 1-85, 3:11-cv-00469 (VA). Also take a look through the Anti-Piracy Management Company (APMC) presentation (start at slide #287) concerning this. Anti-Piracy Management Company Slide #303 is very clear –

Stage 7 – Using the monitoring system 2, BPO… will select individuals who are wealthy and are likely to settle & put those in an individual lawsuit.

So for this scenario, let’s establish that the family is financially well off ($80K a year and owns the residence). By looking at the above case details, the Troll is going to be fairly confident they have a persistent infringer who is “wealthy” enough and likely to settle when faced with the evidence. So to possibly induce a settlement, the Troll could run a LexisNexis check, as well as conduct other background checks to tie one of the family members to the offense. Let’s say that the additional checks disclose the father (ISP subscriber) is very knowledgeable concerning computers. He is also a fan of the “Game of Thrones” series, even so far as to making Facebook comments about watching the shows and complaining that everyone keeps getting killed off. They also determine the father has a keen interest in digital photography, a very nice digital camera (Nikon D7100), and likes to post his pictures to Facebook along with links to his professional Flickr account. Many of the digital images have metadata showing they were edited with Adobe Photoshop. From the son’s Facebook account, the Troll determined he has a PS4 game system as well as the game “Assassin’s Creed IV: Black Flag.” A subpoena for ISP records disclosed one DMCA take-down notice (3 months prior) from Rightscorp, for 5 songs belonging to Round Hill Music.

Fictional case #2:

For the second scenario I will use the same general details – family of four (father, mother, daughter, & son); sharing of 15 of Plaintiff’s movies was recorded for two months via the same BitTorrent client. The “other” non-X-Art media/files being shared are the same as in scenario #1. The difference is the WiFi Internet connection was run “Open” (no password required) and multiple guests have used the Internet connection during the dates in question. Seeing this, the Troll is going to have some doubts as to whether this ISP subscriber (or family members) did it, as well as about proving it. It is extremely possible that a neighbor has been using the Internet connection and the family is not aware of it. For this scenario, the family is financially OK, but not well off ($35K a year and rents a home). The LexisNexis check and other background/records checks fail to provide any relevant information.


This is where the subjectivity of the Troll comes into play. Obviously Scenario #1 looks better for the Troll. Not perfect, but highly workable in their view. Individual personalities (on both sides) will affect the outcome, but there is a very good chance a settlement will be reached. Scenario #2 is not so easy, but if the Troll applies enough pressure, the ISP subscriber MAY settle for possibly some amount, if only to make the nightmare go away. It does not matter to the Troll/Plaintiff whether the ISP subscriber (or a family member) was the infringer. It only matters that they will pay some sort of settlement.

If the Troll is unsuccessful in getting the Defendant to discuss a settlement, they are only left with naming/serving them, dismissing the case, or letting the case die on the docket for lack of action. Serving a complaint/summons is likely to either get the Defendant to contact the troll directly or hire an attorney to respond (and start the discussions).  Based on their findings in scenario #1, The Troll will be confident a settlement will be reached.  Their evidence is by no means perfect, but in the civil law arena, they are confident they are into the 51%+ area – “Preponderance of Evidence.”  If a settlement does not happen, they will next have to depose the defendant and family members.  The depositions will possibly provide them with more direct evidence and/or statements that will be shown to be lies on the part of the defendant.  Again a settlement will be attempted.  Following this (if needed) is the forensic examination of the computers in the house.  The results of the examination will be compared to the previous evidence (Malibu Media movies, “Other” shared files, BT Client, etc.) and statements from the defendant/family members. For both scenarios, let’s say the forensic examination comes back with no evidence. This will not kill this case, as Troll/Plaintiff will simply claim the Defendant hid the offending systems and did not make it available for analysis.

Now based on scenario #1, it doesn’t look that good for the Defendant. The Troll knows this and will use it in the settlement negotiations.  We have seen time and again that Troll/Malibu Media does not want to go through a full trial even if the evidence is overwhelming. This is a clue that the Troll and their German background firm do not want to expose the inner workings of their operations.  They may still win, but that exposure just opens up more possible avenues of attack for us to explore. Their operation is not bullet-proof (figure of speech, not a threat in ANY way) and they know this.

Now Scenario #2 is a different matter.  The Troll knows that unless the depositions and forensics come back with something substantial, they are hurting. At this point the Troll is likely to motion for a dismissal. The problem is that the Defendant (Pro Se or via Attorney) can also motion for a summary judgement.  In my view, a scenario such as this clearly has Troll/Plaintiff lacking in enough evidence to sway the court or jury.

Now I know that most Defendants will not fit perfectly into either of my scenarios, but it does show you how it can range. Even with this range, Troll Lipscomb and associates are unlikely (IMO) to easily walk away from ANY case, even the weak ones. To show any weakness costs them credibility points in the area of pursuing alleged infringers. One aspect of playing poker is that to win, you sometimes have to take calculated risks. But very few things are perfect, and the odds do not always come out in your favor. Just ask John Steele (Steele|Hansmeier/Prenda Law) about his 1% theory concerning Appellate court rulings.

DieTrollDie 🙂 There’s a special rung in hell reserved for people who waste good scotch. Seeing as how I may be rapping on the door momentarily… {Lt. Archie Hicox, Inglourious Basterds}

About DieTrollDie

I'm one of the many 'John Does' (200,000+ & growing in the US) who Copyright Trolls have threatened with a civil law suit unless they are paid off. What is a Copyright Troll? Check out the Electronic Frontier Foundation link -

11 Responses to Copyright Troll Malibu Media and their “Evidence” – AKA: Forcing A Settlement

  1. Quiet Lurcer says:

    So, in your opinion, what will the troll do if the (alleged) pirate answers the settlement letter by indicating a strong willingness, if not desire to bring criminal complaint against the troll for, among other things, unlawfully accessing the (alleged) pirate’s computer? And then actually pursues the matter?

    • DieTrollDie says:

      Based on previous actions of the Troll, I don’t think they will take the Doe seriously. They will not back down, as this would get out and then more people would respond to them in the same way. And I don’t think the part about unlawfully accessing the Doe’s computer is going to fly. The nature of BT is that people running it are wanting others to access the content they are sharing – i.e. consent.

      DTD 🙂

      • Quiet Lurcker says:

        I agree that the nature of BT is such that consent is implied. That implied consent does not fly in this instance, however.

        Guardaley – under whatever name they care to use – is accessing computers and downloading information from them for the stated purpose of gaining information to be presented in court. Under the laws of several states that I’ve researched, that action is specifically named in state law as that of a private investigator, and does not differentiate between physical access or remote access. Those states also require that investigators be licensed in the state(s) where they operate, and as far as I can tell, Guardaley aren’t. Therefore, Guardaley’s using BT *in this manner* is illegal, and therefore deprives them of the implied consent of the various wiretap laws and CFAA. There are also provisions regarding accessing computers in support of various forms of fraud and theft, which I believe would apply in this case.

      • DieTrollDie says:

        Well, that is the issue – that these aspects have not been decided on in the courts. Maybe someday we will get to that point.

        DTD 🙂

  2. Keyser says:

    Superb article!

    When you say “how many external hard drives have been used on the network systems” do you mean a Network Access Storage drive (NAS) as most external hard drives would just be plugged into the computer via USB? Does the forensic software pick up that external hard drives were plugged in via USB to the computer?

    • DieTrollDie says:

      They will be trying to find out any/all drives – internal/external/NAS, etc. They are looking for places that Plaintiff’s movies (and the non-Plaintiff files) might have been stored. Yes, the forensic software can tell you that certain drives were connected to the system – as Windows and other OSs often have logs of such activity. Note: if the logs are off or missing, then so is what the examiner sees.

      DTD 🙂

  3. Leo says:

    If the operating system is Windows, there are several locations in the registry where previously attached devices are stored.

    However, using a readonly WinPE cd leaves no permanent trace in the registry.

    To avoid an external device being discovered, it’s possible to backup the operating system before first using the device, and restoring it after all work is done.

    Also, an opensource program like Eraser can not only wipe files and folders but can also make discovery of the names very expensive.

  4. John D. says:

    In your observations, what percentage of John Does will Malibu Media go after, once they send out and receive ISP subpoenas?

  5. curious says:

    If a troll could possibly try to obtain records from an ISP such as CAS/DMCA notices and bandwidth usage to demonstrate a supposed behavior conducive to pirating, could not a John Doe present that very information, or lack thereof in regards to CAS/DMCA notices if there are none, to show a lack of behavior making them a suspect? A John Doe accused of downloading x number of files over a six month period that has never received a strike and uses the average amount of bandwidth would seem to be a less likely pirate than someone that has received 3 notices.

    Just a thought as I read about the recent requests by MM for CAS logs from Comcast.

    • DieTrollDie says:

      Yes, evidence can be used to prove or disprove an allegation. It just takes someone to explain (or spin) the facts to whatever you want. There is also NO set standard that applies to every ISP subscriber. An ISP subscriber with 6 DMCA take-down notices within a 6-month period is not necessarily a “serial infringer.” It of course would require the ISP subscriber to explain this, but there are many possibilities – i.e. the WiFi “guest” Internet connection was left open and a neighbor was using the Internet connection. Not that a Troll is going to believe anything a Doe has to say. The bandwidth issue is another sad joke of an attempt to bolster the extremely weak evidence they have. There are so many variables that can make bandwidth a non-reliable indicator of copyright infringement. How many people in the residence? How many guests use the network at various times? Devices that connect to the network? Desk-tops, lap-tops, smart phones, Kindles, iPads, game systems (XBox360, PS4), Smart-TVs, streaming Netflix, etc.

      DTD 🙂

  6. johndoesnt says:

    It’s so funny. If bandwidth can prove you’re the serial-infringer, my mother-in-law must be one of the serial infringers. She used the streaming box to watch the foreign channel. She is old and if she turns it off she does not know how to turn it back on. She keeps the streaming box on all the time and only turns off the TV. When I check her usage she uses about 280gb of bandwidth every month. 280gb is a lot of X-@rt videos.
