I think the comment field probably contains some other information. For example, Amazon songs contain a "Song ID" value in the comments field, other sources might contain other song identifiers. I can't tell if the "Song ID" value is unique per purchaser, or if it's unique per song without re-purchasing the same song from a different account. From the article, it looks like the RIAA are using the MD5 hash of the entire file either generated on the fly, or as broadcast by most P2P programs. In any case, it's quite easy for several people to create the an MP3 with the same MD5 hash - if they use the same CD version of the song, and use the same commonly available encoder program with the default settings, they should all produce the same file. In any case, it's easy enough to clear the ID3 tags or otherwise change their contents to throw the MD5 hash off.