The RIAA is not targeting one specific group of people. It isn't keeping its prying eyes peeled for students sharing files over a University network, adults sharing files at work, kids sharing files at home, etc. The RIAA isn't concerned as to whether you've swapped fifty files or a hundred thousand. There's no specific method or target. The RIAA itself claimed to be sending subpoenas "at random". It's the goal of the RIAA to send warnings or fines to as many people over as wide of a variety as possible. Knowing it's financially and chronologically impossible to take every single file sharer to court, the RIAA uses this method to make it evident that regardless of what, how, where, when, and why you're sharing files, you can be caught. This way it seems as if there's no way to escpape the RIAA. It's due to this strategy that file sharing has faced over a ten percent decline since law suits have been filed against file swappers.
     The RIAA isn't interested in the person actually doing the file sharing. It's impossible to tell who was logged into a specific computer at a specific time; however, it is possible to find out the name, address, and phone number of the person whose internet connection is being used for file swapping. This means whoever the internet connection is registered to is the person receiving a subpoena in the mail.

IV. How does the RIAA detect file sharers?

     It may seem difficult or even impossible/illegal to discover who you're connected to for a download or an upload. In reality, it's extremely simple.
     Any time you connect to another machine your Internet Protocol (IP) address will be exposed to anyone accessing that machine. The only matter of them finding out this information is whether or not they understand how to gain access to it.
     Simply by opening a command prompt (by typing "cmd" with no quotes at the Run dialog) you've done ninety percent of the work to getting the IP address and/or hostname of anything you're connecting to. At the command prompt you'll be able to type any of a list of commands (typing "help" without the quotes will show a list of many available commands). To list any active connections type "netstat" and hit enter. Your screen will display information similar to that of F.1.

     For this task you can simply ignore the columns "Proto" and "Local address". "Foreign address" lists the IP address or the hostname of the machine you're connected to. The first four foreign addresses in F.1 are examples of IP addresses, while the last foreign address is a hostname. Addresses are followed by a colon. The number following the colon represents the port number the connection occurs on. Any connections listed as "ESTABLISHED" under "State" are ones currently in use. There is a wide variety of possibilities as to what else could be written there, but in this case we're only concerned with those listed as "established".
Note: Regardless of your connection type your IP address and hostname are still visible any time you establish a connection.
     But how is it that this ties in with the RIAA? Well, when you connect to upload or download music files via p2p software you're accessing these files from another machine. Running a netstat while downloading or uploading will reveal the IP address/hostname of the machine(s) you're connected to. From the hostname it's simple to find out the Internet Service Provider (ISP) being used to get a connection for this machine. Upon revealing this information, the RIAA contacts the ISP and demands for the information on the user whose IP address was transferring pirated music.
     In the event that only the IP address is displayed via netstat there are two options to discover the hostname of the person. The first and more simple would be to do a whois search. This will do the obvious. The other method (which I prefer) would be to use a different command in the command prompt. This one is a bit more complex than netstat, in that it requires two parts: the command and the IP address in question. For example- to trace the route of 192.168.1.145 you would type the command as such: tracert 192.168.1.145. The following is an example of a traceroute I performed on the bottom foreign address from F.1 (disregard the fact that I already knew the hostname). The bottom line will be the resolved hostname.

Tracing route to 209-122-50-213.c3-0.upd-ubr8.trpr-upd.pa.cable.rcn.com [209.122 .50.213] over a maximum of 30 hops:
1 11 ms 11 ms 11 ms 10.119.88.1
2 11 ms 15 ms 9 ms 172.30.121.17
3 11 ms 11 ms 12 ms 172.30.120.57
4 10 ms 12 ms 12 ms 172.30.120.109
5 11 ms 12 ms 11 ms 172.30.120.122
6 13 ms 12 ms 11 ms 172.30.118.106
7 12 ms 11 ms 11 ms 68.46.144.166
8 12 ms 13 ms 14 ms sl-gw40-pen-11-0.sprintlink.net [144.232.191.21]
9 12 ms 11 ms 13 ms sl-bb25-pen-6-0.sprintlink.net [144.232.16.98]
10 15 ms 12 ms 15 ms sl-bb24-pen-14-0.sprintlink.net [144.232.16.77]
11 39 ms 13 ms 13 ms sl-bb23-pen-8-0.sprintlink.net [144.232.16.65]
12 17 ms 18 ms 20 ms sl-bb26-nyc-4-0.sprintlink.net [144.232.20.94]
13 18 ms 19 ms 16 ms sl-bb20-nyc-15-0.sprintlink.net [144.232.13.10]
14 18 ms 17 ms 17 ms pos1-3.core1.NewYork1.Level3.net [209.244.160.18 5]
15 17 ms 24 ms 18 ms gige7-1.ipcolo2.NewYork1.Level3.net [64.159.17.1 00]
16 17 ms 17 ms 17 ms 166.90.136.138
17 18 ms 17 ms 18 ms ge3-0.core3.nyw.ny.rcn.net [207.172.15.67]
18 18 ms 19 ms 19 ms pos5-0.core2.phdl.pa.rcn.net [207.172.19.10]
19 20 ms 20 ms 20 ms ge0-0-0.gw3.trpr.pa.rcn.net [207.172.29.214]
20 24 ms 21 ms 21 ms upd-ubr8.trpr-upd.pa.cable.rcn.net [209.122.64.2 12]
21 26 ms 49 ms 31 ms 209-122-50-213.c3-0.upd-ubr8.trpr-upd.pa.cable.r cn.com [209.122.50.213]

Trace complete.

     The simplicity of these methods is what makes it so easy for the RIAA to find file swappers. All they have to do is run some p2p software and start a download or upload to someone and capture their IP/hostname.