Privacy versus Intellectual Property: Detection Methods Used by Copyright Holders
Timothy M. Valdez
tim@idahovandals.com
Department of Computer Science
University of Idaho
Moscow, ID 83844
Dr. Paul Oman, advisor
Outline
I. Background
   a. Intellectual Property versus privacy
   b. Types: mp3’s, books; Napster, et al
   c. Value of IP (loss of potential revenue) versus value of privacy
   d. Methods of safeguarding IP
      i. DRM
      ii. Encryption
      iii. Licensing (shrink-wrap, et al)
II. P2P and IM uses
   a. Personal file sharing
   b. Software and file backup
   c. Community building
   d. Freedom from electronic intrusions
   e. Anonymous discussion and criticism
III. Detection and enforcement against infringing uses
   a. RIAA hires outside firms for data mining
   b. DMCA; extravagant penalties
   c. Legislation
      i. Attempted law to legalize hacking into P2P computers
      ii. H.R.2752 Author, Consumer and Computer Owner Protection and Security (ACCOPS) Act of 2003: “To encourage the development and distribution of creative works by enhancing domestic and international enforcement of the copyright laws, and for other purposes.”
      iii. S.2048 Consumer Broadband and Digital Television Promotion Act (CBDTPA): “A bill to regulate interstate commerce in certain devices by providing for private sector development of technological protection measures to be implemented and enforced by Federal regulations to protect digital content and promote broadband as well as the transition to digital television, and for other purposes.”
      iv. H.R.2517 Piracy Deterrence and Education Act of 2003: “To enhance criminal enforcement of the copyright laws, educate the public about the application of copyright law to the Internet, and clarify the authority to seize unauthorized copyrighted works.”
      v. H.R.2885 Protecting Children from Peer-to-Peer Pornography Act of 2003: “To prohibit the distribution of peer-to-peer file trading software in interstate commerce.”
      vi. H.R.5211 To amend title 17, United States Code, to limit the liability of copyright owners for protecting their works on peer-to-peer networks: “Amends Federal copyright law to protect a copyright owner from liability in any criminal or civil action for impairing, with appropriate technology, the unauthorized distribution, display, performance, or reproduction of his or her copyrighted work on a publicly accessible peer-to-peer file trading network, if such impairment does not, without authorization, alter, delete, or otherwise impair the integrity of any computer file or data residing on the computer of a file trader.”
   d. Offering monetary rewards for “information leading to...”
   e. Denial of Service attacks on P2P networks
   f. Napster-era file hashes
   g. Flooding networks with fake files
   h. Software written to sabotage P2P networks and computers downloading copyrighted music
IV. Problems with detection and enforcement methods
   a. Loss of online privacy and anonymity
   b. Possible trespass to chattels issue
   c. Illegal subpoenas
   d. Presumption of guilt
   e. Loss of 5th Amendment rights
V. Legislative activity regarding privacy and online freedom
   a. Senator Norm Coleman (R-MN) letter to RIAA, follow-ups, congressional investigations
   b. Pending legislation
      i. H.R.107 Digital Media Consumers' Rights Act (DMCRA) of 2003: “To amend the Federal Trade Commission Act to provide that the advertising or sale of a mislabeled copy-protected music disc is an unfair method of competition and an unfair and deceptive act or practice, and for other purposes.”
      ii. H.R.69 Online Privacy Protection Act of 2003: “To require the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected from and about individuals who are not covered by the Children's Online Privacy Protection Act of 1998 on the Internet, to provide greater individual control over the collection and use of that information, and for other purposes.”
      iii. S.563 Computer Owners’ Bill of Rights: “To protect owners of computers, and for other purposes.”
      iv. H.R.1066 BALANCE Act of 2003 (Benefit Authors without Limiting Advancement or Net Consumer Expectations) (formerly H.R.5522 Digital Choice and Freedom Act of 2002): “To amend title 17, United States Code, to safeguard the rights and expectations of consumers who lawfully obtain digital entertainment.”
      v. S.692 Digital Consumer Right to Know Act of 2003: “To require the Federal Trade Commission to issue rules regarding the disclosure of technological measures that restrict consumer flexibility to use and manipulate digital information and entertainment content.”
      vi. H.R.48 Global Internet Freedom Act: “Establishes in the International Broadcasting Bureau the Office of Global Internet Freedom to develop and implement a comprehensive global strategy to combat state-sponsored and state-directed Internet jamming and persecution of those who use the Internet.”
      vii. H.R.3159 Government Network Security Act of 2003: “To require Federal agencies to develop and implement plans to protect the security and privacy of government computer systems from the risks posed by peer-to-peer file sharing.”
VI. Proactive methods and technologies to protect against network surveillance
   a. Conversion of text file lists into graphic images to bypass automated detection
   b. P2P file lists employing anti-bot images requiring user interaction
   c. Randomize file and subdirectory names via script
   d. Tarpits for bots
   e. Use of Wi-Fi hotspots for anonymous connections
   f. P2P file sharing software using encrypted communication protocols
   g. P2P2P proxies
   h. Changing MD5 hashes and/or CRC32 checksums of multimedia files
   i. Use of darknets
VII. Conclusion
Abstract
Numerous methods are used by
copyright holders in an effort to protect their Intellectual Property (IP) rights.
In many cases those methods intrude on the real and perceived rights of
Internet users to participate in private communications. This raises the
question: at what point does privacy lose out against aggressive enforcement
toward possible IP-infringing activities such as peer-to-peer file sharing?
There is a monetary value attached to IP, and it is measured by the loss of
potential revenue. There is also a value attached to an Internet user’s
privacy, of which the loss is measured by the chilling effects imposed upon
their online freedoms. There are many methods available for copyright holders
to protect IP using Digital Rights Management that do not interfere with the
privacy rights of individuals. While it has been shown that a few technologies
such as peer-to-peer (P2P) and Instant Messaging facilitate IP-infringing
activities, there are also many acceptable uses for these technologies. An
example of a law that has privacy implications is the Digital Millennium
Copyright Act (DMCA). This law has been the basis for many recent
non-copyright-related lawsuits. Copyright holders are connecting to the largest P2P
networks and filing subpoenas with Internet Service Providers to obtain
personal information about potential IP infringers. This leads to a loss of the
expectation of privacy that Internet users are accustomed to. If the copyright
holders electronically enter the hard drives of P2P users they may be held
liable for possible trespass to chattels
or other legal claims. These actions deprive the P2P user of their due process
rights and the expectation of innocence. Recognizing that copyright holders
such as the Recording Industry Association of America (RIAA) may be too zealous
in their detection methods, Senator Norm Coleman (R-MN) has begun proceedings
to investigate the privacy implications of their information-gathering
procedures. In addition, several bills have been introduced in an effort to
curb the misuse of the DMCA. Before these new laws and amendments take effect,
P2P users will need to take steps to protect their privacy from the detection methods
employed by copyright holders such as the RIAA and its subsidiaries.
Background
The passage into law of the Digital Millennium Copyright Act (DMCA)
in October 1998 has affected the balance between consumers’ right to use
resources and copyright holders’ desire to control their property. This was a
direct result of the creation of file-sharing software Napster by
Section 107 of the Copyright
Act of the United States defines a four-factor test for the fair use of IP, generally applied by the
courts (when necessary) on a case-by-case basis:
Historically, consumers have
been able to legally make a copy of a VHS movie, and even software, for
archival backup purposes. With new DRM processes and shrink-wrap licenses that
capability can be prevented by the copyright holder, thus preventing fair use
of the content. Recent court cases have upheld the legality of shrink-wrap
licenses preventing the reverse-engineering of software [7], which is a
programming technique used to enable market competition and product
interoperability. You may be held liable for numerous offenses by reverse-engineering
the protection on any DRM in an attempt to bypass or remove the protection to
allow saving the content in a new format or simply backing it up.
Each of these media (music
files, movie files, and electronic books) presents unique challenges to DRM
systems. Adobe introduced an encryption scheme based on their Portable Document
Format (PDF) to protect books converted into an electronic version. This “e-Book”
design [8] used a weak password algorithm [9] to encrypt the contents of the
book. This same technique was used to embed software tokens in the data stream
which selectively enabled or disabled the ability to print out or copy the
file. A company in
IM and P2P
Both Instant Messaging (IM)
and Peer-to-Peer file sharing have significant legal uses such as personal file
sharing, archival software backup, commercial software support, and anonymous
discussion, none of which infringe on any copyrights. IM technology provides
the privacy necessary for the freedom of expression and debate of personal and
sensitive issues within the Internet community. This anonymous method of
communication is what has allowed the Internet to be widely regarded as having
freedom from undesirable intrusions. The Supreme Court has consistently afforded
First Amendment protection to the anonymous posting of comments and
“whistle-blowing”: “Under our Constitution,
anonymous pamphleteering is not a pernicious, fraudulent practice, but an
honorable tradition of advocacy and of dissent. Anonymity is a shield from the
tyranny of the majority.” [1]
In Reno v. ACLU the Court further upheld anonymous free speech and updated
their earlier decision to include the Internet:
“Through the
use of chatrooms, any person with a phone line can become a town crier
with a voice that resonates farther than it could from any soapbox. Through the use of webpages, mail exploders,
and newsgroups, the same individual can become a pamphleteer.” [2] In the conclusion of this case, the Court added: “As a matter of constitutional tradition, in
the absence of evidence to the contrary, we presume that governmental
regulation of the content of speech is more likely to interfere with the free
exchange of ideas than to encourage it. The interest in encouraging freedom of
expression in a democratic society outweighs any theoretical but unproven
benefit of censorship.” [ibid]
Morpheus (a
popular P2P client application) was sued for failing to prevent the
IP-infringing uses of its software by customers. They won a motion for summary judgment
primarily based on the decision in Sony
v. Universal Studios (the famous Betamax
case) where the Supreme Court declared: “…the
mere capability of substantial
noninfringing uses is all that is required to protect a new technology from an
attack grounded on allegations of contributory copyright infringement.” [37]
(emphasis mine)
Separately, in MGM v. Grokster (a case hinging on the
possible requirement of a software company to produce a product that prevents
infringing uses) the Court followed up with a similar decision:
“The doctrine of vicarious infringement does
not contemplate liability based upon the fact that a
product could be made such that it is less susceptible to unlawful
use, where no control over the user of the product exists.” [MGM v. Grokster, 259 F. Supp. 2d at 1045-46 (emphasis in original).] Additionally
the Court said: “It is no surprise that –
just as the studios initially resisted video tape rather than releasing
prerecorded tapes – the established record and movie companies have resisted opportunities
to exploit peer-to-peer technology. When one entirely dominates the existing
means of distribution, one tends to resist change.” [38]. The Court further
states: “In the case of the music and motion picture industries, permitting
the incumbent leaders to suppress disruptive technologies will
leave not just society, but copyright owners
themselves poorer over the long run.”
[39]
These court cases have shown
that the judicial branch of our government is more savvy than anticipated. It
is important to note that the future
use of a product must be contemplated while determining if an infringing
activity is taking place. An analogous case involving a P2P product named Madster (formerly
Aimster) was
lost because the defendant (Madster) used examples with copyrighted music files in their
program documentation tutorials and also failed to produce any evidence of significant
non-infringing product usage.
In an activity related to freedom
of speech, the Sarbanes-Oxley Act of 2002
(as passed by the Senate, titled Public
Company Accounting Reform and Investor Protection Act of 2002) [10], which
became law in the wake of the Enron debacle, gives significant protection to
whistleblowers. More recently a
In an attempt to counter
the anti-P2P actions of the RIAA, MPAA, and similar agencies, Sharman Networks,
the creators of the KaZaA file-sharing software,
modified their End-User License Agreement (EULA) in October 2003 to provide for
their indemnification from any illegal or improper use of their software and
network by end users:
2.11 Monitor traffic or make search requests in order
to accumulate information about individual users; […]
2.14 Collect or store personal data about other users [55]
They also added language that
attempts to prevent the use of their software and network for the purpose of
discovering or tracking users’ identities. Historically the courts have upheld
shrink-wrap licenses, and it will be interesting to see if this new tactic
holds up when it is challenged in the current court case wherein Sharman is
suing the record labels and movie studios [56].
Detection Methods
I will concentrate on the
current actions employed by the RIAA in their attempt to detect infringing uses
of copyrighted materials. The RIAA has retained several companies such as MediaSentry, Cyveillance, BayTSP, and Vidius to broaden their detection and
data mining capabilities. Possible detection steps [23] employed by the RIAA
and its hired tracking firms are as follows:
Recently, the RIAA suffered a
setback in their subpoena campaign when a Federal district court overturned a
lower court’s decision on the DMCA subpoena process, stating that the DMCA was passed
by Congress before P2P technology existed thus that activity is exempted from
the subpoena provision [32]. Now they have the added expense of filing an
actual “John Doe” lawsuit against the suspected offender, which then legally
allows them to subpoena the ISP for any requested information on that IP
address. Putting a twist on the outcome, RIAA president Cary Sherman stated
this was an unfortunate event, since it now prevents them from sending letters
to the people prior to filing a lawsuit against them.
This automated method is in addition to the
brute-force approach of simply logging on to the P2P network with a compatible
file-sharing program and searching for potentially infringing material. In a white
paper dated September 11, 2000, titled To Catch a Cyber Thief, Arlington,
Virginia-based Cyveillance introduces
a system of Intellectual Property Protection Solutions they call NetSapien™ Technology:
“the most powerful business
search and analysis tool available” which spiders the billions of web pages on
the Internet for relevant content and assesses the meaning of that information
for marketing intelligence, customer and brand loyalty [11]. This technology
makes searching for unauthorized copies of intellectual property much smarter
than blindly doing a keyword lookup on a web search engine [ibid].
A similar approach is employed by Los Gatos,
California-based BayTSP; however, they
go further by actually sending infringement notices to the user and their ISP
as well as monitoring for compliance with takedown notices (international
infringement notification complies with the Berne Convention) [24]. The
automated system runs 24x7 and according to their website “monitors all major
P2P networks … global surveillance of the Internet, including web sites, FTP
sites, P2P networks, IRC sites, newsgroups, and auction/retail sites.” [25] “BayTSP
has patented technology that utilizes the extracted DNA of a specific digital
file - still image, video, audio, etc.- which its spiders track on the
Internet, FTP sites, peer-to-peer networks, IRC, Usenet, and auction/retail
sites.” [ibid]
MediaSentry,
a New York-based corporation, also scans the Internet looking for pirated
copies of music and videos:
“Using a sophisticated network of
Internet-based software and data mining techniques, MediaSentry patrols the
Internet for possible copyright infringements. Full support is offered for
peer-to-peer file trading communities, IRC networks, websites, FTP sites, and
newsgroups. A continuously updated catalog of infringements is cross referenced
against a database of client materials… The core MediaSentry engine uses
advanced heuristics, self-adapting searches, neural search algorithms, and
probability ranking formulas, permitting an unprecedented ability to accurately
detect piracy and ensure compliance with copyright laws.” [26]
MediaSentry is one of the
most hated anti-P2P companies because they actively inject spoofed decoy files
on P2P nodes while simultaneously downloading every available infringing file
to prevent their download by other file sharers.
In a 75-page, 2001 study
titled “The Copyright Crusade” Viant Media and
Entertainment CTO Frank Andrew explored the influence of P2P file sharing
on the business models of copyright holders [27]. His findings suggested that
piracy and copyright infringement via the Internet are runaway activities that
must be curtailed soon by copyright holders, and he offers some rudimentary
statistics on several methods of Internet file trading such as common P2P
clients and the use of Internet Relay Chat (IRC) channels. He concludes that
using IRC is not easy for the majority of Internet customers, yet 22% of daily pirated
movies pass through IRC servers [ibid]. So far, IRC has remained under the
radar of the RIAA, MPAA, and their partners but that is certainly going to
change soon.
Enforcement
The Digital Theft Deterrence and Copyright Damages Improvement Act of 1999
amended §504(c) of the U.S. Copyright Act to allow for fines of
$750 to $30,000 per infringing act and up to $150,000 per each willful infringement (up to $250,000 per
work for repeat offenders) [13]. The
DMCA contains a safe-harbor provision that protects ISPs from legal action if
they willingly and promptly comply
with subpoena requests. This has led to ISPs capitulating rather than risking
criminal penalties, with a resultant loss of privacy and anonymity for their
customers. Verizon Internet Services recently attempted to quash an RIAA
subpoena seeking the identity of a subscriber who allegedly downloaded over 600
copyrighted music files via the KaZaA P2P network [22]. Verizon cited privacy,
First Amendment, and due process issues, as well as the fact that Congress
never considered P2P technology when drafting the DMCA “because that technology did not exist in 1998” [14]. The motion to
quash was denied by the district court, but on appeal, and after another DMCA
subpoena was served upon Verizon, the appeals court overturned those decisions
and found for Verizon, calling portions of the RIAA’s argument “silly”:
“The issue is whether § 512(h) applies to an
ISP acting only as a conduit for data transferred between two internet users,
such as persons sending and receiving e-mail or, as in this case, sharing P2P
files. Verizon contends § 512(h) does not authorize the issuance of a subpoena
to an ISP that transmits infringing material but does not store any such
material on its servers. The RIAA argues § 512(h) on its face authorizes the
issuance of a subpoena to an “[internet] service provider” without regard to
whether the ISP is acting as a conduit for user-directed communications. We
conclude from both the terms of § 512(h) and the overall structure of § 512
that, as Verizon contends, a subpoena
may be issued only to an ISP engaged in storing on its servers material that is
infringing or the subject of infringing activity. […] Finally, the RIAA argues
the definition of ‘[internet] service provider’ in § 512(k)(1)(B)
makes § 512(h) applicable to an ISP regardless what function it performs with
respect to infringing material – transmitting it per § 512(a), caching it per §
512(b), hosting it per § 512(c), or locating it per § 512(d). This argument
borders upon the silly. […] In sum, we agree with Verizon that § 512(h)
does not by its terms authorize the subpoenas issued here. A § 512(h) subpoena simply
cannot meet the notice requirement of § 512(c)(3)(A)(iii).
[…] We are not unsympathetic either to the RIAA’s concern regarding the
widespread infringement of its members’ copyrights, or to the need for legal
tools to protect those rights. It is not
the province of the courts, however, to rewrite the DMCA in order to make it
fit a new and unforseen [sic] internet architecture, no matter how damaging that development
has been to the music industry or threatens being to the motion picture and
software industries.” [32] (emphasis mine)
Per the decision above it is
no longer appropriate for the RIAA to send discovery subpoenas to ISPs
requesting file-sharing customers’ contact information when the ISPs are
merely acting as a conduit for P2P network traffic [ibid]. This is perhaps
unfortunate, since it implies that the DMCA will soon have a large sum of
“special interest” money thrown at it in an effort by large corporations to
have this particular shortcoming amended.
Several bills have been independently
introduced by the House and Senate to further protect the interests of big
business IP owners and copyright holders from piracy and infringing uses of
their property:
Anti-P2P Actions and Detection
The RIAA and its hired tracking
firms have several options at their disposal if they wish to lessen or prevent
copyrighted content from being traded over P2P networks. It is known that some
of the following techniques are currently being used or might be used soon, and
at least one is being prepared for use:
If the RIAA or its agents
access a P2P network with the intent to either flood the network with fake
multimedia files or otherwise perform a denial of service action, they could be
liable to a civil lawsuit under the “trespass to chattels” common law. This
intentional tort (a wrongful act…that
injures another and for which the law imposes civil liability) [18] is defined
as: “…an intentional interference with a
plaintiff's right of possession to personal property. This may occur if a
defendant damages the property or deprives the plaintiff of possession of the
property.” [19]
The use of software [15]
written specifically to disrupt network communications or personal computers
engaged in same may also fall under the trespass
to chattels tort. This angle has yet to be explored in court.
Constitutional issues might
also arise. The Fifth Amendment to the Constitution of the
“No person shall … be deprived of life, liberty,
or property, without due process of law; [The Fifth Amendment] can be
asserted in any proceeding, civil or criminal, administrative or judicial,
investigatory or adjudicatory; and it protects against any disclosures which
the witness reasonably believes could be used in a criminal prosecution or
could lead to other evidence that might be so used.” [20]
The “Due Process” clause affords
many rights to the individual, yet the subpoena provision of the DMCA does not
take those rights into account.
The methods employed by the
RIAA for detecting materials being downloaded by web and P2P users, in
conjunction with the associated presumption of guilt, intrude upon the privacy
expectations of Internet patrons with the loss of online privacy and anonymity
as a result. Some of these methods have been mentioned previously.
The issuance of subpoenas to
a P2P-user’s ISP for possibly-infringing file trading activities, in the
absence of solid evidence, could be construed as a privacy invasion. If it is
later determined that no laws were in fact broken, the loss of anonymity, public
integrity, and time spent dealing with the actions of the RIAA cannot be regained.
There is also no guarantee that the ISP will be able to identify the actual
person who is performing the action. All they can potentially do is confirm
that the logged-in account’s computer was connected at the time specified in
the subpoena.
The subpoena process specified
in the DMCA runs contrary to the accepted procedure known in legal circles as “Rule 45” (of the Federal Rules of Civil Procedure) which
states: “If separate from a subpoena
commanding the attendance of a person, a
subpoena for production or inspection shall issue from the court for the
district in which the production or inspection is to be made.” [16] (emphasis
mine) This is how both Massachusetts
Institute of Technology and Boston College successfully quashed the subpoenas from
the RIAA attempting to obtain the identities of several students alleged to be
conducting illegal file sharing [17]. In response, the RIAA simply filed the
subpoenas again in the state of Massachusetts. Now that the DMCA subpoena
process has become unenforceable for P2P network traffic, the media companies
are going to have to find a new method for detecting the owners of any IP
addresses suspected of trading copyrighted materials across P2P networks.
Legislation
Congress has recognized the
problem of maintaining citizens’ online anonymity and privacy, and has been
proposing legislation that appears to begin the process of balancing property
holders’ and users’ rights. The most vocal proponent is Senator Norm Coleman (R-MN)
who recently sent a letter to the RIAA [42] asking for the specific methods they
use to identify illegal file sharing and what safeguards are in place to
protect P2P users’ privacy. The RIAA responded to the request quickly [43]. This
action was initiated due to the large number of subpoenas the RIAA has
filed in Washington D.C., currently standing at 382, which required extra court
clerks to process the enormous tide of paperwork [42]. Each piece of proposed
legislation has pros and cons, but all are designed to more equitably balance
copyright law and empower the consumer with knowledge and rights. Senator Coleman
is also holding congressional hearings in an effort to lessen the bludgeoning
of citizens by the RIAA.
The House of Representatives
has the following items on the table:
“(1) include analog or digital transmissions
of a copyrighted work within fair use protections; (2) provide that it is not a
copyright infringement for a person who lawfully obtains or receives a
transmission of a digital work to reproduce, store, adapt, or access it for
archival purposes or to transfer it to a preferred digital media device in
order to effect a non-public performance or display; (3) allow the owner of a
particular copy of a digital work to sell or otherwise dispose of the work by
means of a transmission to a single recipient, provided the owner does not
retain his or her copy in a retrievable form and the work is sold or otherwise
disposed of in its original format; and (4) permit circumvention of copyright
encryption technology if it is necessary to enable a non-infringing use and the
copyright owner fails to make publicly available the necessary means for
circumvention without additional cost or burden to a person who has lawfully
obtained a copy or phonorecord [sic] of a work, or lawfully received a
transmission of it.” [47]
“Establishes in the International
Broadcasting Bureau the Office of Global Internet Freedom to develop and
implement a comprehensive global strategy to combat state-sponsored and
state-directed Internet jamming and persecution of those who use the Internet.
Requires an annual report from the Office to Congress on the status of state
interference with Internet use and of
The Senate has not been
sitting idle either; they have introduced these relevant bills:
“Requires the Federal Trade Commission (FTC)
to: (1) establish standards for the provision of technical support for
computers and computer-related products by computer hardware and software
manufacturers, as well as consultants and resellers that provide technical
support (entities); (2) issue guidelines to encourage each such entity to
collect and submit to the FTC information on the nature and quality of such
technical support; and (3) establish a public registry in which any person or
entity that does not seek to receive unsolicited marketing e-mail to a computer
may register the e-mail address(es) of such computer
for that purpose. Prohibits unsolicited marketing e-mail to registered
computers.” [52]
“Directs the Federal Trade Commission (FTC)
to issue rules to implement requirements that a producer or distributor of
copyrighted digital content disclose the nature of restrictions that limit the
practical ability of the content purchaser to play, copy, transmit, or transfer
such content on, to, or between devices commonly used with respect to that type
of content. Requires such disclosure in the case of limitations on: (1) the
recording for later viewing or listening of certain audio or video programming;
(2) the reasonable and noncommercial use of legally acquired audio or video
content; (3) making backup copies of legally acquired content subject to
accidental damage, erasure, or destruction; (4) using limited excerpts of
legally acquired content; and (5) engaging in the secondhand transfer or sale
of legally acquired content. Provides disclosure exceptions. Requires the FTC
to annually review the effectiveness of such rules. Expresses the sense of
Congress that: (1) competition among distribution outlets and methods generally
benefits consumers; and (2) copyright holders selling digital content in
electronic form for distribution over the Internet should offer to license such
content to multiple unaffiliated distributors.” [54]
Many of these bills are
currently wending their way through the House and Senate, and hopefully most
will be ratified. This would be a boon for American consumers and go a long way
toward bringing balance back to the application of Copyright Law.
Preventing the Loss of Privacy and Anonymity
Several methods exist to reduce the privacy loss
facilitated by automated methods of search and discovery. Each of the following
techniques exhibits both strengths and weaknesses against certain types of
surveillance and monitoring techniques:
1. Conversion of text file lists into graphic images to bypass
automated filename detection: Automated scanning of P2P networks can be
reduced, or even eliminated, by presenting available file lists as graphic
images instead of plain text. This simple change would greatly increase the
amount of human interaction required to visually confirm a download (note that
plain rendered text is recoverable by OCR, so the gain depends on distorting the
image in the manner of the next technique). It might also mean that existing P2P
software, or even the underlying network protocols, would need major reworking
to maintain ease of use: instead of connecting to a potential download client
and receiving a plain-text list of the files in its shared folders, the P2P
software would have to display a graphic image of the user's available files.
Programming libraries exist to create .GIF images in real time (that image
format is now royalty free since
2. P2P file lists employing anti-bot
images requiring manual user interaction to download: This technique (a
CAPTCHA) is already in use today by web-based email providers such as Hotmail
and Yahoo! Mail, which require a person to type in the value displayed in a
distorted, randomly generated image. It prevents automated bulk account
creation, a method frequently used by spammers. It would be relatively easy to
implement in P2P client software, perhaps even as a server-side-only
component.
3. Randomize file and subdirectory names via script: For
files sitting on a web or FTP server, the spiders of any search engine may
access directories and their contents and add them to a central database for
public use. Randomizing the directory names as well as the individual file
names lessens this risk but does not entirely prevent it. A simple Perl script
can not only rename files and directories but also simultaneously update the
web page or FTP links pointing to the files. If a search engine manages to
spider one set of links, they remain valid only until the next renaming cycle.
Scheduling the renaming frequently (a short interval between cycles) will
mitigate discovery.
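The renaming cycle described above, as an added illustration in Python rather than the Perl script the text proposes (this is not code from the paper). The sample directory layout, the index page and the `music` folder are constructed here; the only assumption beyond the text is that links are plain `href="…"` attributes on one index page.

```python
"""Randomize the names of shared files and subdirectories and rewrite the
links on the index page that point at them.  Added illustration in Python
(the text proposes a Perl script); the sample directory layout and index
page are constructed here and are not from the paper."""
import os
import re
import secrets
import tempfile

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def random_name(length=12):
    """Unguessable lowercase token used as a file or directory name."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_sample_site(root):
    """Constructed sample site: a 'music' folder with two files plus an
    index page linking to them.  Returns the index page path."""
    share = os.path.join(root, "music")
    os.makedirs(share)
    names = ["track01.mp3", "track02.mp3"]
    for name in names:
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder bytes, not real audio
    index = os.path.join(root, "index.html")
    with open(index, "w", encoding="utf-8") as fh:
        fh.write("<ul>\n")
        for name in names:
            fh.write(f'<li><a href="music/{name}">{name}</a></li>\n')
        fh.write("</ul>\n")
    return index


def randomize_tree(dir_path, rel_prefix="", skip=()):
    """Rename every entry under dir_path (files keep their extension so they
    still play), recursing so a directory is renamed only after its
    contents.  Returns {old_relative_path: new_relative_path} for files."""
    mapping = {}
    for entry in sorted(os.listdir(dir_path)):
        if entry in skip:
            continue
        full = os.path.join(dir_path, entry)
        old_rel = rel_prefix + entry
        if os.path.isdir(full):
            sub = randomize_tree(full, old_rel + "/")
            new = random_name()
            os.rename(full, os.path.join(dir_path, new))
            # Children were recorded under the old directory name; fix the prefix.
            for old_child, new_child in sub.items():
                mapping[old_child] = rel_prefix + new + "/" + new_child[len(old_rel) + 1:]
        else:
            new = random_name() + os.path.splitext(entry)[1]
            os.rename(full, os.path.join(dir_path, new))
            mapping[old_rel] = rel_prefix + new
    return mapping


def rewrite_links(index_page, mapping):
    """Point every href="old" at its new path; returns the number rewritten."""
    with open(index_page, encoding="utf-8") as fh:
        html = fh.read()
    rewritten = 0

    def swap(match):
        nonlocal rewritten
        target = match.group(1)
        if target in mapping:
            rewritten += 1
            return f'href="{mapping[target]}"'
        return match.group(0)

    html = re.sub(r'href="([^"]+)"', swap, html)
    with open(index_page, "w", encoding="utf-8") as fh:
        fh.write(html)
    return rewritten


def renaming_cycle(root, index_name="index.html"):
    """One scheduled cycle: rename everything except the index page, then
    repair the index's links.  Returns the old->new mapping."""
    mapping = randomize_tree(root, skip={index_name})
    rewrite_links(os.path.join(root, index_name), mapping)
    return mapping


def run_demo():
    """Build the sample site and run two cycles; returns what is worth checking."""
    root = tempfile.mkdtemp()
    index = build_sample_site(root)
    first = renaming_cycle(root)
    with open(index, encoding="utf-8") as fh:
        html_after_first = fh.read()
    old_present = [p for p in first if os.path.exists(os.path.join(root, p))]
    new_present = [p for p in first.values() if os.path.exists(os.path.join(root, p))]
    second = renaming_cycle(root)   # links harvested after the first cycle are now dead
    return {"first": first, "second": second, "html_after_first": html_after_first,
            "old_still_present": old_present, "new_present": new_present}


if __name__ == "__main__":
    print(run_demo())
```

Scheduling `renaming_cycle` from cron at the chosen interval is all that remains; the second cycle in `run_demo` shows that a spidered link set is invalidated as soon as the next cycle runs.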
4. Tarpits for bots: This technique is easily used against
web-based bots and, to a certain extent, FTP-based bots. It could also be used
against P2P bots on any of the current P2P networks, although that case
requires some custom programming (it is covered below). The basic idea behind
a tarpit is to create a set of seemingly real file links, either on a web page
or in an FTP directory. When the bot follows one of these links it merely
arrives at another web page or directory containing another set of seemingly
real links, each of which can be generated randomly from a small database of
common file names. The process continues ad nauseam. An intelligent bot would
perform a breadth-first search and limit its search depth to a small value such
as five in order to avoid being "trapped"; the idea remains valid against such
a bot because the file sharer simply places the "real" files at a level just
below that artificial limit and serves them only when the HTTP_REFERER
variable shows that the request came from the final fake directory generated
in the current session. (The Referer header is supplied by the client and is
trivially forged, so this gate raises the cost of automated harvesting rather
than providing authentication.) For a P2P network honeypot, the search results
returned by the P2P client software would need to be modified to point to a
fake set of filenames which in turn point to another set of fake filenames,
and so on. By forcing the P2P client user to enter a one-time password embedded
in a graphic image at program startup, the network could determine whether the
client is an automated bot or a real human and control the link types
presented to it accordingly. It is important to note that this honeypot
technique is only valid against automated methods of file scanning; however,
there are so many file sharing locations on the Internet that everyone becomes
anonymous simply by sheer numbers.
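The web tarpit just described, as an added example (not code from the paper): a server that generates an endless tree of plausible directory links, a depth-limited breadth-first bot of the kind the text assumes, and the real listing hidden one level below the bot's limit behind a Referer check. The directory names, the per-session secret, the branching factor of four and the real file names are all constructed here; the depth limit of five comes from the text. Link names are derived with an HMAC from the path so a bot re-fetching a page sees the same children and cannot spot the trap by diffing, and so a forged Referer made of invented names can be rejected.

```python
"""Web tarpit for file-harvesting bots, as an added illustration (not code
from the paper).  The link names, secret and 'real' file list are
constructed here; the bot depth limit of five follows the text."""
import hashlib
import hmac
from collections import deque

COMMON_NAMES = ["mp3", "music", "albums", "backup", "new", "old",
                "misc", "pub", "incoming", "shared", "archive", "tmp"]
BRANCH = 4                                             # fake subdirectories per page
REAL_DEPTH = 6                                         # one level below the assumed bot limit of 5
SESSION_SECRET = b"constructed-per-session-secret"     # assumption: rotated per session
REAL_FILES = ["vacation_2003.jpg", "notes.txt"]        # constructed sample listing


def fake_children(path, secret=SESSION_SECRET):
    """BRANCH plausible subdirectory links for the tarpit page at `path`.
    Names come from HMAC(secret, path): re-fetching a page shows the same
    children, while every distinct path opens a fresh set.  The trailing
    index digit guarantees the four children are distinct."""
    digest = hmac.new(secret, path.encode(), hashlib.sha256).digest()
    children = []
    for i in range(BRANCH):
        name = COMMON_NAMES[digest[i] % len(COMMON_NAMES)]
        children.append(f"{path}{name}{digest[BRANCH + i] % 10}{i}/")
    return children


def depth(path):
    """Directory depth of a path such as '/a/b/' (2); '/' is 0."""
    stripped = path.strip("/")
    return stripped.count("/") + 1 if stripped else 0


def is_tarpit_path(path, secret=SESSION_SECRET):
    """True if every component of `path` is a child the tarpit itself
    generated; a forged Referer built from made-up names fails this."""
    current = "/"
    for component in (path.strip("/").split("/") if path.strip("/") else []):
        nxt = current + component + "/"
        if nxt not in fake_children(current, secret):
            return False
        current = nxt
    return True


def serve(path, referer=None):
    """Server side: ('page', links) for tarpit pages, ('files', names) for
    the real listing.  The listing is handed out only when the Referer is a
    genuine tarpit page deeper than the bots' limit.  Referer is client
    supplied, so this is a speed bump, not authentication."""
    if path == "/real/":
        if referer and is_tarpit_path(referer) and depth(referer) >= REAL_DEPTH:
            return "files", list(REAL_FILES)
        return "page", fake_children(path)      # unauthorised: stay in the tarpit
    links = fake_children(path)
    if depth(path) >= REAL_DEPTH:
        links.append("/real/")
    return "page", links


def crawl(start="/", max_depth=5, max_pages=10000):
    """A breadth-first harvesting bot with a depth limit, as the text assumes.
    Returns (pages fetched, real file names found)."""
    seen = {start}
    queue = deque([(start, 0, None)])
    pages, found = 0, []
    while queue and pages < max_pages:
        path, d, referer = queue.popleft()
        kind, payload = serve(path, referer)
        pages += 1
        if kind == "files":
            found.extend(payload)
            continue
        if d >= max_depth:
            continue
        for link in payload:
            if link not in seen:
                seen.add(link)
                queue.append((link, d + 1, path))
    return pages, found


def human_walk(levels=REAL_DEPTH):
    """A person clicking `levels` deep, then following the real link."""
    path = "/"
    for _ in range(levels):
        path = fake_children(path)[0]
    kind, links = serve(path)
    if "/real/" not in links:
        return kind, links
    return serve("/real/", referer=path)


if __name__ == "__main__":
    print("bot:", crawl())          # fetches 1365 pages, finds nothing
    print("human:", human_walk())   # ('files', [...])
```

With four links per page the depth-five bot fetches 1 + 4 + 16 + 64 + 256 + 1024 = 1365 pages and never sees the real listing, while a bot with no depth limit runs until its page budget is exhausted; that growth is the cost the tarpit imposes.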
5. Use of Wi-Fi hotspots for anonymous connections: By using
free wireless network connections for P2P file sharing, the user's traffic
cannot be traced back to a home subscriber account through an ISP subpoena,
which greatly reduces exposure to liability for alleged illegal activities; the
hotspot operator can still record the client's hardware (MAC) address and the
time of use, so the anonymity is not absolute. Such so-called "hotspots" are
located all over (see, for example, the Union Square wireless map [29]).
6. P2P file sharing software using encrypted communication
protocols: Two different directions can be taken with this technique: using
existing protocols, or rolling your own. The benefit of a custom protocol is
complete control over every aspect of the data packets, which can give a
leaner, faster transfer than a general-purpose protocol; the cost is that it
requires extensive knowledge of low-level protocol programming and of
cryptographic protocol design, and home-grown security protocols are where most
mistakes are made, so a reviewed standard is usually the safer choice. The
benefit of using existing protocols such as HTTPS (HTTP over SSL/TLS) and SFTP
is that they are usually permitted through ISP and corporate firewalls.
Palestine-based EarthStationV is one P2P program that uses existing secure
protocols not only to connect anonymously to its secure P2P network but also
to let the user run a secure web server and private network from his own
computer [30].
7. P2P2P proxies: This is similar in concept to anonymous
email "remailer chaining", where all identifying header information is stripped
from the message before it is forwarded to another remailer, until it is
eventually delivered to the recipient. In this case the data stream for a
downloaded file is split and each portion is sent to a random P2P client, which
forwards it to another random P2P client, until eventually every packet reaches
its destination. No P2P client downloads a complete file, only parts of it, and
no intermediate client can tell whether the node it received a request from is
the original requester or merely another forwarder. This might affect certain
legalities of copyright infringement, because no single person ever downloads a
complete file. AT&T built a free anonymous web browsing proxy called "Crowds"
on this idea in 1997 (now defunct), and the U.S. Navy built an anonymizing
network service called "The Onion Routing Project" [31] on the same principle.
It ran for many years before finally being shut down on
“The Onion Routing [OR] research project is building an Internet-based
system that strongly resists traffic analysis, eavesdropping, and other attacks
both by outsiders (e.g. Internet routers) and insiders (Onion Routers
themselves). It prevents the transport medium from knowing who is communicating
with whom -- the network knows only that communication is taking place. In
addition, the content of the communication is hidden from eavesdroppers up to
the point where the traffic leaves the OR network. […] Onion routing accomplishes
this goal by separating identification from routing. Connections are always
anonymous, although communication need not be. Communication may be made
anonymous by removing identifying information from the data stream. Onion
routing can be used by a variety of unmodified Internet applications by means
of proxies (non-invasive procedure) or by modifying the network protocol stack
on a machine to be connected to the network (moderate or highly-invasive
procedure).” [ibid]
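The layered forwarding that the Onion Routing description above relies on, as an added example in Python (not the project's code and not from the paper): the sender wraps a message in one encryption layer per relay, and each relay peels exactly one layer, learning only who handed it the onion and where to send the remainder. The relay names, the message and the keys are constructed here; the cipher is a throw-away XOR keystream chosen for readability and is not secure, and real onion routers also use fixed-size cells so that lengths do not shrink at each hop as they do here.

```python
"""Layered ('onion') forwarding of the kind the text describes for
Crowds-style and Onion Routing relays, as an added illustration (not the
project's code).  The cipher is a throw-away XOR keystream for readability
and is NOT secure; relay names, keys and the message are constructed here."""
import hashlib
import os

NAME_LEN = 16   # fixed-width next-hop field so relays need no framing logic
EXIT = "EXIT"   # marker telling the last relay to deliver the payload


def keystream_xor(key, data):
    """Toy counter-mode keystream (SHA-256 of key||counter) XORed over data.
    Applying it twice with the same key restores the data.  Illustration only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Relay:
    """One hop.  It knows only its own key, who handed it the onion and where
    the layer it removes says to send the rest."""

    def __init__(self, name):
        assert len(name) <= NAME_LEN
        self.name = name
        self.key = os.urandom(32)   # assumption: established out of band
        self.saw = []               # (previous hop, next hop) observed per message

    def peel(self, onion, previous_hop):
        plain = keystream_xor(self.key, onion)
        next_hop = plain[:NAME_LEN].rstrip(b"\x00").decode()
        self.saw.append((previous_hop, next_hop))
        return next_hop, plain[NAME_LEN:]


def build_onion(route, message):
    """Sender side: wrap the message innermost-first, one layer per relay.
    Returns (first hop name, onion bytes)."""
    onion = message
    next_hop = EXIT
    for relay in reversed(route):
        header = next_hop.encode().ljust(NAME_LEN, b"\x00")
        onion = keystream_xor(relay.key, header + onion)
        next_hop = relay.name
    return next_hop, onion


def send(route, message):
    """Push the onion hop by hop.  Returns (delivered message, wire log),
    the log being (from, to, bytes) for every link an eavesdropper sees."""
    relays = {relay.name: relay for relay in route}
    hop, onion = build_onion(route, message)
    previous, wire = "sender", []
    while True:
        wire.append((previous, hop, onion))
        next_hop, onion = relays[hop].peel(onion, previous)
        if next_hop == EXIT:
            return onion, wire
        previous, hop = hop, next_hop


if __name__ == "__main__":
    path = [Relay("alpha"), Relay("bravo"), Relay("charlie")]
    delivered, log = send(path, b"request for block 7 of file X")
    print(delivered)
    for relay in path:
        print(relay.name, "saw", relay.saw)
```

The middle relay's `saw` list is the whole point: it records `("alpha", "charlie")` and nothing else, so neither the originator nor the final destination is visible to it, and the bytes on each link differ, so an eavesdropper cannot match an incoming onion to an outgoing one by content.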
8. Changing MD5 hashes or CRC32 checksums of multimedia files:
A person known only by the pseudonym nycfashiongirl, who decided to challenge
her subpoena in a recent RIAA case, prompted an interesting discovery: the RIAA
has been maintaining a large database of MP3 file hashes dating back to the
days of the original Napster file sharing program. These file checksums are
compared against the hashes of recently downloaded music files to see whether
they are identical. If the checksums match, the file is indistinguishable from
one traded on the original Napster network. An obvious way to defeat this type
of "fingerprinting" is simply to change the file in a way that alters the
checksum but does not affect the sound. The first thing to do is either remove
or rewrite the ID3 tag in the music file: an ID3v1 tag is the fixed 128-byte
block at the very end of the file, and an ID3v2 tag is a variable-length block
at the very beginning, so either can be edited without touching the audio
frames. Beyond the tags, certain bits within the MP3 frames (padding and
ancillary data that decoders ignore) can be changed so that the file hash
changes yet playback is audibly identical. A drawback of this solution is that
some P2P networks use the file checksum to identify a valid MP3 music file
instead of relying on the title alone; once the checksum changes, those
networks need another method of identifying known-good files so that users do
not waste time downloading fake or corrupted files. The evasion also works only
against whole-file hashing: a detector that hashes the audio frames alone, or
fingerprints the decoded audio, is unaffected by tag edits.
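Both sides of the hash-matching game above, as an added example (not code from the paper): the tag rewrite that changes a whole-file MD5 without touching the audio, and the canonical audio-only hash a detector would compute instead. The "MP3" bytes are constructed stand-ins (sync bytes followed by filler), not real audio; the ID3v1 layout and the ID3v2 header with its 28-bit syncsafe size are the real formats.

```python
"""Why rewriting an ID3 tag changes a whole-file MD5 while leaving the
audio untouched, and how a detector sidesteps the trick by hashing only
the audio frames.  Added illustration, not code from the paper; the
'MP3' bytes below are constructed stand-ins, not real audio."""
import hashlib


def id3v1_tag(title, artist, album="", year="", comment="", genre=255):
    """Build a 128-byte ID3v1 tag: 'TAG', 30-byte title, 30-byte artist,
    30-byte album, 4-byte year, 30-byte comment, 1-byte genre."""
    def field(text, size):
        return text.encode("latin-1")[:size].ljust(size, b"\x00")
    return (b"TAG" + field(title, 30) + field(artist, 30) + field(album, 30)
            + field(year, 4) + field(comment, 30) + bytes([genre]))


def prepend_id3v2(data, body):
    """Prepend a minimal ID3v2.3 header (no footer, no extended header) whose
    size field is the 28-bit 'syncsafe' length of `body`.  The body content
    is irrelevant here; only its length matters for stripping."""
    n = len(body)
    syncsafe = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return b"ID3\x03\x00\x00" + syncsafe + body + data


def strip_id3v2(data):
    """Drop a leading ID3v2 tag if present; otherwise return data unchanged."""
    if data[:3] != b"ID3" or len(data) < 10:
        return data
    size = 0
    for byte in data[6:10]:
        size = (size << 7) | (byte & 0x7F)
    footer = 10 if data[5] & 0x10 else 0     # flag bit 4: footer present
    return data[10 + size + footer:]


def split_id3v1(data):
    """Return (audio, tag): tag is the trailing 128-byte ID3v1 block or b''."""
    if len(data) >= 128 and data[-128:-125] == b"TAG":
        return data[:-128], data[-128:]
    return data, b""


def audio_only(data):
    """Canonical form: everything except ID3v2 (front) and ID3v1 (back)."""
    audio, _ = split_id3v1(strip_id3v2(data))
    return audio


def file_md5(data):
    """Whole-file hash, the kind the text says the RIAA database keys on."""
    return hashlib.md5(data).hexdigest()


def audio_md5(data):
    """Hash of the audio frames alone; unaffected by tag edits."""
    return hashlib.md5(audio_only(data)).hexdigest()


def retag(data, title, artist):
    """The evasion: replace (or add) the ID3v1 tag.  Audio bytes are untouched."""
    audio, _ = split_id3v1(data)
    return audio + id3v1_tag(title, artist)


def build_sample_mp3():
    """Constructed stand-in: four 32-byte pseudo-frames (sync bytes 0xFFFB
    followed by filler) plus an ID3v1 tag."""
    frames = b"".join(b"\xff\xfb\x90\x00" + bytes([i]) * 28 for i in range(4))
    return frames + id3v1_tag("Song", "Band")


if __name__ == "__main__":
    original = build_sample_mp3()
    edited = prepend_id3v2(retag(original, "Song (live)", "Band"), b"TIT2\x00\x00\x00\x05\x00\x00Hello")
    print("whole file :", file_md5(original), "->", file_md5(edited))
    print("audio only :", audio_md5(original), "->", audio_md5(edited))
```

The second printed pair is identical, which is the practical lesson: a hash database keyed on `audio_only` bytes survives every tag edit the text suggests, so the evasion buys time only against a detector that hashes whole files.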
9. Using darknets: Creating and joining a hidden or "unplugged"
network of P2P clients is probably the most private method of file sharing.
Waste [63], MUTE [64], and FreeNet [65] are some proposed methods of performing
this activity. These disconnected networks of peers are not open to the general
Internet, and clients cannot connect without knowledge of a secret key or
password. Thus these "darknets" are highly resistant to privacy incursions by
the RIAA or similar agents. MUTE is one of the newer file sharing clients to
appear and seems to be highly resistant to traffic tracing and logging. Each
MUTE client generates a unique "virtual address" upon startup, and only that
random ID is returned for each client in response to a successful search
request. All MUTE traffic is encrypted between neighbours, rendering packet
sniffing moot. And since each request packet (for searches) is routed through a
network of peers, only the next neighbour's IP address can be discovered, which
identifies neither the requester nor the source, because file data, like
searches, is relayed hop by hop over the same neighbour connections rather than
fetched directly from the peer that holds the file.
Conclusions
The issues surrounding P2P
file sharing freedoms and DRM are too complicated to offer a quick and simple
solution. As technology becomes more complex and pervasive, it is obvious that
copyright and intellectual property protection laws will always play catch-up.
While copyright infringement runs rampant over the Internet, there exists a
need for a secure DRM technique that also protects an individual's privacy and
allows unfettered fair use of protected material. It is perhaps more important
that a user's fair-use rights be protected than that a copyright holder's
control over its material be preserved. In this vein, the assumption of guilt
for downloading copyrighted material held by copyright holders such as the
RIAA, MPAA, and their ilk must give way to a presumption of innocence. Until
existing laws are amended to provide this much needed privacy protection,
Internet users will need to protect themselves.
This protection would best be
implemented as a series of concentric rings or levels around the user. Moving
the privacy protection model from a network-based one to a client-based one
might be a step in the right direction. IP-blocking tools like Peer Guardian
and properly tuned personal firewall software can prevent unwanted connections
from any block of IP addresses desired, and newly discovered addresses can
easily be added to the blocking rules. Moving a level outward, the network
traffic itself needs to be encrypted and proxies need to be employed, so that
sniffing and name-server logs yield no useful trace data. Finally, by removing
themselves from the open Internet altogether via the use of darknets, P2P users
can ensure that the weakest link in their file trading hierarchy is themselves:
by admitting only trusted partners into the darknet, they keep outsiders from
observing it at all. With a combination of new technology and new protective
laws being enacted, the future of P2P file sharing remains hopeful.
References
1. Supreme Court decision: McIntyre v. Available from http://supct.law.cornell.edu/supct/html/93-986.ZO.html (accessed Sept., 2003).
2. Supreme Court decision: Available from http://laws.findlaw.com/us/000/96-511.html (accessed Sept., 2003).
3. 9th
4. Available from http://www4.law.cornell.edu/uscode/17/107.html (accessed Sept., 2003).
5. Available from http://www.theregister.co.uk/content/54/25274.html (accessed Sept., 2003).
6. Marcus, Sandra. "Napster and Peer-to-Peer Music Exchange". Available from http://web.utk.edu/~smarcus/History.html (accessed Sept., 2003).
7. Harbert, Eric F. "Signed, Sealed, Delivered: You're Mine". UCLA Journal of Law & Technology Notes 12 (2003). Available from http://www.lawtechjournal.com/notes/2003/12_030730_Harbert.php (accessed Sept., 2003).
8. Unknown. PDF document: "Adobe and eBooks: Turning a new page in publishing". September 1999. Available from http://www.adobe.com/products/acrobat/webbuy/pdfs/eBookWP12.pdf (accessed Sept., 2003).
9. Anonymous. "PDF 1.3 Encryption Explained". Available from http://www-2.cs.cmu.edu/~dst/Adobe/Gallery/anon21jul01-pdf-encryption.txt (accessed Sept., 2003). See also Dave Touretzky's web page at http://www-2.cs.cmu.edu/~dst/Adobe/Gallery/
10. Public Law 107-204. "Corporate and Criminal Fraud Accountability Act of 2002". Available from http://thomas.loc.gov/cgi-bin/bdquery/z?d107:HR03763:|TOM:/bss/d107query.html (accessed Oct., 2003).
11. Grand, Rick. PDF document: "To Catch a Cyber Thief". Available from http://www.cyveillance.com/web/downloads/To%20Catch%20a%20Thief.pdf (accessed Sept., 2003).
12. Beder, Sharon. "SLAPPs--Strategic Lawsuits Against Public Participation: Coming to a Controversy Near You". Current Affairs Bulletin, vol. 72, no. 3, Oct/Nov 1995, pp. 22-29. Available from http://www.uow.edu.au/arts/sts/sbeder/SLAPPS.html (accessed Oct., 2003).
13. "Digital Theft Deterrence and Copyright Damages Improvement Act of 1999". 106th Congress. Available from http://www.techlawjournal.com/cong106/copyright/s1257is.htm (accessed Oct., 2003).
14. Reply brief of Verizon, "Oral Argument Scheduled for Available from http://www.eff.org/Cases/RIAA_v_Verizon/20030717_verizon_reply_brief.pdf (accessed Oct., 2003).
15. Zolli, Andrew. "Monsters of Rock". Wired, issue 11.09, Sept. 2003. Available from http://www.wired.com/wired/archive/11.09/start.html?pg=12 (accessed Oct., 2003).
16. Available from http://www.law.cornell.edu/rules/frcp/Rule45.htm (accessed Oct., 2003).
17. Federal order granting MIT motion to quash subpoena. Available from http://merlin.raisethefist.com/riaa/order-080703.pdf (accessed Oct., 2003).
18. FindLaw Legal Dictionary. Search for definition of "tort". Available from http://dictionary.lp.findlaw.com/scripts/results.pl?co=lawcrawler.findlaw.com&topic=71/71cf401e8052ec0c1c26e498c20fb9c3 (accessed Oct., 2003).
19. FindLaw for Business. Search for "trespass to chattels". Available from http://sv.biz.findlaw.com/legal/tort3.html (accessed Oct., 2003).
20. Fifth Amendment to the Constitution of the United States of America. The 'Lectric Law Library's Legal Lexicon. Available from http://www.lectlaw.com/def/f083.htm (accessed Oct., 2003).
21. Katalov, Vladimir. "Press-release: Advanced Acrobat eBooks are NOT Really Secure". Available from http://www.planetpdf.com/mainpage.asp?webpageid=2393 (accessed Oct., 2003).
22. RIAA v. Verizon Case Archive. Available from http://www.eff.org/Cases/RIAA_v_Verizon (accessed Oct., 2003).
23. Associated Press. "RIAA Reveals Method to Madness". Available from http://www.wired.com/news/digiwood/0,1412,60222,00.html (accessed Oct., 2003).
24. Available from http://www.law.cornell.edu/treaties/berne/overview.html (accessed Nov., 2003).
25. BayTSP (Tracking-Security-Protection). Available from http://www.baytsp.com/solutions_copyright.html (accessed Nov., 2003).
26. MediaSentry. Available from http://www.mediasentry.com/about/technology.asp (accessed Nov., 2003).
27. Andrew, Beutler, Markham, et al. "The Copyright Crusade". Winter/spring 2001. Available from http://www.ebcenter.org/download/Inf_Viant_CopyrightCrusade_feb02.pdf (accessed Nov., 2003).
28. Sperry Corporation Patent. "LZW Compression and GIF". Available from http://www-cse.stanford.edu/classes/cs201/projects-99-00/software-patents/lzw.html (accessed Nov., 2003).
29. Union Square Wireless Map via www.nycwireless.net. Available from http://www.nodedb.com/unitedstates/ny/newyork/view.php?nodeid=805 (accessed Dec., 2003).
30. Earth Station V P2P software. Available from http://www.earthstation5.com/benefits.html (accessed Dec., 2003).
31. The Onion Router Project web site, Department of Defense, U.S. Navy. Available from http://www.onion-router.net/ (accessed Dec., 2003).
32. PDF document: "U.S. Court of Appeals decision reverses district court decision against Verizon, Available from http://pacer.cadc.uscourts.gov/docs/common/opinions/200312/03-7015a.pdf (accessed Dec., 2003).
33. "Author, Consumer, and Computer Owner Protection and Security Act of 2003". 108th Congress. Available from http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.2752: (accessed Jan., 2004).
34. Naraine, Ryan. "Michael Jackson Slams ACCOPS Act". Available from http://www.atnewyork.com/news/print.php/2238141 (accessed Jan., 2004).
35. "Consumer Broadband and Digital Television Promotion Act". 107th Congress. Available from http://thomas.loc.gov/cgi-bin/query/z?c107:S.2048: (accessed Jan., 2004).
36. "Piracy Deterrence and Education Act of 2003". 108th Congress. Available from http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.2517: (accessed Jan., 2004).
37. PDF document: "Order Granting Defendants Grokster and StreamCast Networks Motions for Summary Judgement". MGM Studios v. Grokster. Case numbers CV 01-08541-SVW & CV 01-09923-SVW. Available from http://www.eff.org/IP/P2P/MGM_v_Grokster/030425_order_on_motions.pdf (accessed Jan., 2004).
38. PDF document: "Defendant Grokster's Memorandum in Support of Motion for Summary Judgement". MGM Studios v. Grokster. Case number CV 01-08541 SVW. Available from http://www.eff.org/IP/P2P/MGM_v_Grokster/GROKSTER_MEMORANDUM.pdf (accessed Jan., 2004).
39. PDF document: "Appellee StreamCast Networks, Inc.'s Opening Brief". Ninth Circuit Court of Appeals. Case numbers CV-01-08541-SVW & CV-01-09923-SVW. Available from http://www.eff.org/IP/P2P/MGM_v_Grokster/20030917_morpheus_appeal_brief.pdf (accessed Jan., 2004).
40. "Protecting Children from Peer-to-Peer Pornography Act of 2003". 108th Congress. Available from http://www.theorator.com/bills108/hr2885.html (accessed Jan., 2004).
41. "To amend title 17, United States Code, to limit the liability of copyright owners for protecting their works on peer-to-peer networks". 107th Congress. Available from http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.5211: (accessed Jan., 2004).
42. PDF document: "Coleman to RIAA Letter". Available from http://www.senate.gov/~govt-aff/_files/ColemanRIAALetter.pdf (accessed Jan., 2004).
43. PDF document: "RIAA to Coleman Response Letter". Available from http://www.senate.gov/~govt-aff/_files/ACF5E9.pdf (accessed Jan., 2004).
44. "Digital Media Consumers' Rights Act of 2003". 108th Congress. Available from http://www.theorator.com/bills108/hr107.html (accessed Jan., 2004).
45. "Online Privacy Protection Act of 2003". 108th Congress. Available from http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.69: (accessed Jan., 2004).
46. "Benefit Authors without Limiting Advancement or Net Consumer Expectations (BALANCE) Act of 2003". 108th Congress. Available from http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.1066: (accessed Jan., 2004).
47. Summary of the BALANCE Act of 2003. Available from http://thomas.loc.gov/cgi-bin/bdquery/z?d108:HR01066:@@@L&summ2=m& (accessed Jan., 2004).
48. "Global Internet Freedom Act". 108th Congress. Available from http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.48: (accessed Jan., 2004).
49. Summary of the Global Internet Freedom Act. Available from http://thomas.loc.gov/cgi-bin/bdquery/z?d108:HR00048:@@@D&summ2=m& (accessed Jan., 2004).
50. "Government Network Security Act of 2003". 108th Congress. Available from http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.3159: (accessed Jan., 2004).
51. "Computer Owners' Bill of Rights". 108th Congress. Available from http://thomas.loc.gov/cgi-bin/query/z?c108:S.563: (accessed Jan., 2004).
52. Summary of the Computer Owners' Bill of Rights. Available from http://thomas.loc.gov/cgi-bin/bdquery/z?d108:SN00563:@@@D&summ2=m& (accessed Jan., 2004).
53. "Digital Consumer Right to Know Act of 2003". 108th Congress. Available from http://thomas.loc.gov/cgi-bin/query/z?c108:S.692: (accessed Jan., 2004).
54. Summary of the Digital Consumer Right to Know Act of 2003. Available from http://thomas.loc.gov/cgi-bin/bdquery/z?d108:SN00692:@@@D&summ2=m& (accessed Jan., 2004).
55. Dennis. "Kazaa changes its End User License Agreement to block RIAA". Available from http://www.cdfreaks.com/news2.php?ID=8221 (accessed Feb., 2004).
56. raoulduke1. "Kazaa Owner Cleared to Sue Record Labels". Available from http://www.boycott-riaa.com/article/10031 (accessed Feb., 2004).
63. Software. "Waste". Available from http://sourceforge.net/projects/waste (accessed Feb., 2004).
64. Software. "MUTE". Available from http://mute-net.sourceforge.net/ (accessed Feb., 2004).
65. Software. "FreeNet". Available from http://freenet.sourceforge.net/index.php (accessed Feb., 2004).
Appendix
List (as of August 2003) of
companies providing P2P identification services to the RIAA/MPAA: