Page 1

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

J. Curtis Edmondson (CASB # 236105) Law Offices of J. Curtis Edmondson Venture Commerce Center 3699 NW John Olsen Place Hillsboro, OR 97124 Phone: 503-336-3749 Fax: 503-482-7418 Email: jcedmondson@edmolaw.com Robert Robinson (CASB # 131461) Law Office of Robert S. Robinson 2400 Camino Ramon Ste 185 San Ramon, CA 94583 Phone: 925-830-2702 Fax: 925-830-2104 Email: rob@robrobinsonlaw.com Attorneys for Defendant JOHN DOE IP address 76.126.99.126

IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA

MALIBU MEDIA, LLC, Plaintiff, vs. JOHN DOE subscriber assigned IP address 76.126.99.126, Defendant.

and related cross actions

) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) )

Case No.: 3:15-cv-04441-WHA DECLARATION OF EXPERT BRADLEY WITTEMAN IN SUPPORT OF THE OPPOSITION TO THE PLAINTIFF’S MOTIONS FOR TERMINATING SANCTIONS

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 1 of 20

Page 2

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

DECLARATION OF BRADLEY WITTEMAN

I, Bradley Witteman, declare the following facts to be true pursuant to 28 U.S.C. § 1746, on the date set forth beside my signature hereinbelow:

I am a designated expert in this dispute, my CV is included in my Expert Report dated

December 15, 2016. My background includes working for BitTorrent Inc. as well as other

Internet and digital media companies for more than 20 years. I have studied the output of the

NARS system and have found several flaws in their system. During my work I have become

very familiar with the various personal computer operating systems used on the Internet

including Windows, Linux and Macintosh computers.

1. In the motion for terminating sanctions plaintiff claims that defendant installed Windows

10 on December 10th, 2015. It is just as likely that Microsoft’s aggressive Windows 10

update policy in Windows 10 “Update Threshold 1” could be the cause. My detailed

analysis is attached as Exhibit A.

2. It is my opinion, from the test results files I was provided, that the deceased principal of

Computer Forensics LLC, Dave Kleiman, was the person who conducted the NARS

system test that produced the provided test results files, and not Patrick Paige. I describe

why this is my belief below in Exhibit B.

3. The testing dates are inconsistent with the file creation dates of the provided test results

files. I describe my findings in Exhibit C.

4. The Dave Kleiman system test in 2013 was not performed on the version of the NARS

system that was active during the complaint in 2015. My findings are below in Exhibit D.

I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct and that this declaration was executed on February 16, 2017, in Vancouver, Washington.

Respectfully Submitted, By: ______________________ Declarant

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 2 of 20

Page 3

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

EXHIBIT A “Windows 10 Update Threshold 1” released November 12, 2015 could

be responsible for the December 10, 2015 upgrade of the Windows operating system on

defendant’s PC.

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 3 of 20

Page 4

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

1. Microsoft Aggressive Windows 10 Upgrade Policies

The Microsoft Windows operating system was upgraded to Windows 10 in July of 2015,

then updated with the public release of “Threshold 1” November 12, 2015.1 Microsoft offered

users a free upgrade to Windows 10 from Windows 7 and Windows 8. Between July and

November, the “Get Windows 10” application, changed its behavior multiple times. In mid-

November 2015, concurrent with the release of “Threshold 1,” Microsoft changed the opt-out

screen to only have the options to “Upgrade Now” or “Start Download, Upgrade Later” –

replacing the text and behavior of the “Do not upgrade” button with “Start Download, Upgrade

Later”.

2

1 https://en.wikipedia.org/wiki/Windows_10_version_history 2 https://twitter.com/BradChacos/status/675122217940860928

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 4 of 20

Page 5

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

From an article in Computerworld covering the Get Windows 10 application’s behavior3:

"Over Thanksgiving weekend I started getting reports that the Windows Update 'AllowOSUpgrade' setting was getting flipped back on on a number of peoples' PCs, and it keeps re-setting itself at least once a day if they switch it back off," said Josh Mayfield creator of GWX… "This is new behavior, and it does leave your PC vulnerable to unwanted Windows 10 upgrade behavior”. ...“Mayfield released GWX Control Panel 1.6 on Nov. 24 then began hearing from users that their PCs were being switched from a "do-not-upgrade-to-Windows-10" status to a "do-upgrade" state, often multiple times daily.”4

Then in early December 2015, press coverage noted the increased pressure to upgrade

and how difficult it was for users to opt out of being automatically updated to Windows 10:

“For users updating their systems to an upgraded version of Windows should be good news, but the tactics used by the technology giant are the same used by spammers ie. tricking users into a situation where they are forced to agree with something against their will...”5 “Microsoft is rolling out software changes which are making it increasingly difficult for mainstream users to avoid upgrading to Windows 10...”6

2. Windows.old Directory is Automatically Deleted After 30 days

In late 2015 I myself found my Windows 7 machine which was set to NOT upgrade

because of the age of the processor, low amount of RAM and underpowered video graphics card,

was upgraded to Windows 10 overnight. After the upgrade to Windows 10, a new folder named

Windows.old is created which includes the user’s items from the previous operating system.

After 30 days, the Windows.old folder was automatically deleted by Windows 10. I was

3 http://www.computerworld.com/article/3012278/microsoft-windows/microsoft-sets-stage-for-massive-windows-10-upgrade-strategy.html as of 10/29/2016 4 http://www.computerworld.com/article/3012278/microsoft-windows/microsoft-sets-stage-for-massive-windows-10-upgrade-strategy.html as of 10/29/2016 5 https://www.hackread.com/microsoft-adopts-spam-trick-to-upgrade-to-win-10/ 6 http://www.forbes.com/sites/gordonkelly/2015/12/16/why-microsoft-said-windows-10-upgrades-cannot-be-stopped/#5b6eafb74fdf

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 5 of 20

Page 6

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

fortunate to not have any critical files on that machine, as many users reported losing data when

the Windows.old directory was automatically cleaned up by Windows after 30 days.

“there were files on my desktop from the previous version of windows. I did not realize that windows 10 would delete those files after 30 days. Is there any way to recover the windows.old files that were automatically deleted after the 30 day period?”7

The plaintiff has asserted that the defendant was responsible for upgrading to Windows

10 and deleting the Windows.old directory, when in fact, this could have been the unexpected

result of the aggressive Microsoft upgrade process detailed above.

7 https://answers.microsoft.com/en-us/windows/forum/windows_10-update/recover-files-from-windowsold-after-auto-delete-30/fbf8d003-7ad7-4d66-a891-1f27bd1ae3b7

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 6 of 20

Page 7

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

EXHIBIT B

From the records I was provided I believe the deceased principal of Computer Forensics LLC,

Dave Kleiman, was the person who conducted the tests, and not Patrick Paige.

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 7 of 20

Page 8

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

From Mr. Paige’s Report,

“Prior to October 2015, IPP used an infringement detection system from Excipio. I tested this infringement detection system. After performing the test, I concluded that the infringement detection system works. Specifically, the system accurately records the IP address of a person using BitTorrent to transmit data to Excipio’s computer servers.”8

However, based upon the test result files produced, Mr. Paige was not the individual who

planned, coordinated, conducted, nor documented the test. I believe Dave Kleiman, Patrick

Paige’s partner in “ComputerForensicsLLC,” conducted the test of the APMCLLC/Excipio/IPP

NARS system for ComputerForensicsLLC, not Patrick Paige for the following reasons:

1. The ZIP File Provided Includes Mr. Kleiman’s Name in the Filename.

The file with the captures of test files uploaded is named DAVEKLEIMAN_1448134.ZIP

8 SIGNED NCA70 FINAL Expert Report.pdf page 2

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 8 of 20

Page 9

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

Dave Kleiman was the one who compressed the .zip file containing the upload receipts of

sending the test files to their rented virtual servers.

3. Four Text Files Recorded Dave Kleiman as the Examiner

In the .zip file, DAVEKLEIMAN_1448134.ZIP, the files that accompany the upload logs are

each signed “Examiner: Dave Kleiman.”

58.158/50.63.58.158-EXOCannibalismFootage2012.ad1.txt

176.61/50.63.176.61-2012nudestcamp.ad1.txt

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 9 of 20

Page 10

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

184.230/50.63.184.230-alienhumanprobing.ad1.txt

188.154/50.63.188.154-Classichowtosex.ad1.txt

Mr. Kleiman was the one who was preparing and documenting the test.

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 10 of 20

Page 11

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

4. Dave Kleiman Rented the GoDaddy Servers with his Credit Card

Mr. Kleiman produced GoDaddy Receipts in his name with his credit card information for the

rental of the virtual servers used for the test.

Mr. Kleiman was the one planning and setting up the test environment.

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 11 of 20

Page 12

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

5. Mr. Kleiman is Directing The Test in the Included E-mail Conversation

Dave Kleiman is the one conducting the test and leading the communication with apmcllc’s Ben

<bp@apmcllc.com> in the email exchange from the file “IPP Communication.pdf”.

February 25th

February 26th

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 12 of 20

Page 13

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

February 26th, #2

February 26th, #3

Mr. Kleiman is the one coordinating and conducting the test of the system. In fact in the

entire produced e-mail conversation, Mr. Patrick Paige does not say anything at all – he is simply

a carbon copy recipient of the e-mail thread – which appears to be in direct conflict with his

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 13 of 20

Page 14

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

statement that he ”tested this infringement detection system. After performing the test, I

concluded that the infringement detection system works.”

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 14 of 20

Page 15

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

Exhibit C

APMCLLC/Excipio/IPP NARS System testing dates are

inconsistent with the file creation dates of the provided test results files.

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 15 of 20

Page 16

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

The files provided for the test have dates that don’t make any sense, calling into question

the timing of the test.

1. PCAPs are Dated Before the End of the Test

The PCAPs provided do not cover the day recorded in the e-mail conversation above –

ending a full day before Mr. Kleiman and Ben at APMCLLC/Excipio/IPP are coordinating the

download of the fourth file. The conversation above ends on February 26th at 12:57pm EST,

however, the PCAPs provided are all dated February 25th as you can see in this image:

2. The Test Was in February of 2013, however, the majority of files are dated August 2014

The test was being set up and run by Mr. Kleiman starting in February, 2013 and

completing February 26th as noted in the e-mail thread above, however, the files in the folder

have dates long after the end of the test (Note: February 2017 dates are when I was provided this

data and uncompressed the .zip files).

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 16 of 20

Page 17

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 17 of 20

Page 18

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

3. The Encase File “CFLLC Pcap Log Files.L01” is Dated Aug 22, 2014

The file “CFLLC Pcap Log Files.L01” is dated Aug 22, 2014 – more than a full year after

the test completed. I would expect that the Encase file that is showing the recording of the test

would be written at the conclusion of the test, in late February or early March, 2013 – not 16

months later in August of 2014.

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 18 of 20

Page 19

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

EXHIBIT D

The Dave Kleiman NARS System test was not performed on the version of

the NARS system that was active during the complaint.

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 19 of 20

Page 20

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

1. The Dave Kleiman Test was of a Different Version of the NARS System Than Was in Use During the Complaint

The test, if conducted in February 2013, was not testing the version of the NARS system

in use during the complaint. From Mr. Patzer’s Deposition October 13, 2016:

“Q. Okay, For example, when was the last time you had to recompile the code? Would guess about a year, last year.”9 Which indicates that the code running the APMCLLC/Excipio/IPP NARS system was updated at least once in 2015. “Q. In 2014 do you recall how may times you had to recompile the code? A. I don't know. A few times. If there were improvements on the code, we did a lot of improvements to get more performance out of the software.”

The testing of the system should have been conducted on the version of the system that

was in operation during the period of the complaint not 4 or 5, or more, iterations removed from

the version that was in operation during the period of the complaint.

9 3:15-cv-0441-WHA – Deposition of Michael Patzer – 13 October, 2016, page 85 line 3

Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 20 of 20