pageok
pageok
pageok
Filtering For Copyrighted Content and Liability Under the Wiretap Act:
The New York Times "Bits" Blog reports:
  At a small panel discussion about digital piracy here at NBC's booth on the Consumer Electronics Show floor, representatives from NBC, Microsoft, several digital filtering companies and telecom giant AT&T said the time was right to start filtering for copyrighted content at the network level.
  Such filtering for pirated material already occurs on sites like YouTube and Microsoft's Soapbox, and on some university networks.
  Network-level filtering means your Internet service provider -- Comcast, AT&T, EarthLink, or whoever you send that monthly check to -- could soon start sniffing your digital packets, looking for material that infringes on someone's copyright.
  "What we are already doing to address piracy hasn't been working. There's no secret there," said James Cicconi, senior vice president, external & legal affairs for AT&T.
  Mr. Cicconi said that AT&T has been talking to technology companies, and members of the MPAA and RIAA, for the last six months about implementing digital fingerprinting techniques on the network level.
  "We are very interested in a technology based solution and we think a network-based solution is the optimal way to approach this," he said. "We recognize we are not there yet but there are a lot of promising technologies. But we are having an open discussion with a number of content companies, including NBC Universal, to try to explore various technologies that are out there."
  I hope that "open discussion" includes a frank discussion of legal liability under the federal Wiretap Act.

  The Wiretap Act makes it a federal crime and a civil wrong permitting the recovery of punitive damages and attorney's fees for intercepting the contents of a person's communications over an interstate communications network. Although there are no cases directly on this, network-level scanning of traffic for copyrighted content is likely to be deemed an "intercept" of the contents of communications. And while there are exceptions for interceptions by parties to communications (18 U.S.C. 2511(2)(d)) and for monitoring narrowly tailored to protect the network provider (18 U.S.C. 2511(2)(a)(i)), it's hard to see how those exceptions would apply to network-level monitoring for copyrighted information.

  To avoid liability, these providers probably would need to amend their Terms of Service so that users would explicitly consent to allowing their ISPs to monitor them for copyright violations. Assuming customers didn't revolt against this, that would permit monitoring under the consent exception, at least when a user who actually signed the contract was being monitored. But even the explicit okay in the Terms of Service wouldn't allow all monitoring. The consent would only cover those who signed the contract and the parties to communications with them, and would not automatically extend to those who used the network but had not consented (such as family members of those who agreed to the ISP contract). And of course the ISPs wouldn't know who was being the keyboard, so they would never know if the monitoring was lawful.

  I suppose ISPs could then argue that the monitoring was not an "intentional" intercept, as required by the statute, 18 U.S.C. 2511. But that raises a difficult question of how the mens rea requirements of liability interact with the consent exception — in particular, whether an intentional interception that is not intentional as to the lack of consent counts as intentional. I don't know of any cases on this, but off the top of my head it seems like a 50/50 issue. And then there's the issue of liability under state wiretap laws that go beyond the federal wiretap act, and especially those that require all party consent to monitoring.

  Would ISPs risk massive liability under the Wiretap Act to try to combat copyright infringement? I can't imagine why they would do that, but I suppose that's a question to ask them and their lawyers.

  Thanks to Instapundit for the link.
EE John:
Isn't this similar to the situation that Comcast is currently in, using Sandvine at the network level to filter and limit bittorrent traffic? I suppose in that situation they aren't reading the content of the packets, just looking for a specific packet type, but if I remember correctly those tactics are being attacked under the Wiretapping Act as well
1.10.2008 12:29am
Tyson Stanek (mail):
Umm, won't Congress just change the Wiretapping Act to allow for this sort of filtering? It's not like NBC, AT&T, and Microsoft don't have the lobbying resources to make that happen.

I think we may need to look to the 4th Amendment for protection here...

-Tyson
1.10.2008 12:39am
OrinKerr:
Tyson,

The Constitution doesn't apply, as the ISPs are not government actors. As for amending the Wiretap Act, that's an interesting question: I don't know how easy it would be for such an amendment to be passed in the current legislative climate.
1.10.2008 12:49am
33yearprof:
Umm, won't Congress just change the Wiretapping Act to allow for this sort of filtering?


Doesn't RIAA and MPAA own a majority in each chamber of the Congress?
1.10.2008 12:59am
Oren:
As a practical matter, even the most basic encryption schemes will play havoc on such a scheme. For instance, every popular bittorent client now supports RC4 which will defeat almost all attempts by the ISP to discern the content.

Technological attempts to filter copyright content are just not possible and the sooner the content producers come to terms with that reality, the better off we will all be.
1.10.2008 1:10am
UW2L:
Setting aside the viability of technological schemes for copyright detection and the policy considerations that go with them - how would the determination that content was copyrighted be made? Is there any way that, say, a watermark on a file, identifying it as copyright-protected, could be interpreted as header information rather than content? That would seem to be the easiest way to dodge this bullet, though it would seem to require a court to agree or, as has been suggested, congressional amendment to the Wiretap Act.

One also suspects that the "consent" would be gotten from the customer with the least notice and most obfuscation that ISPs could possibly get away with. Not really meaningful. There seems to be a bit of a revolt by courts at the moment against that kind of quiet, one-sided changes to contracts that customers generally agree to without realizing it, though. As to customer "revolt": doubtful. That would require not only that a large percentage of subscribers be aware of the monitoring that their ISP was trying to impose on them, but that a large percentage of that group rebel against the monitoring - large enough to be a viable counterweight to the influence of the RIAA, MPAA, etc. Moreover, the ability even to make a choice about whether to "revolt" against one's ISP requires other options for high-speed Internet service - and there are plenty of people in the U.S. who live in areas where such service is a local monopoly. In many instances, the contract change to consent to monitoring would be pretty "adhesive": agree to let us monitor what you do, or no high-speed Internet for you. In that situation, your consent isn't really. And if enough people are in that situation, critical mass to counteract rights-holding organizations' influence is pretty much impossible. It will be positively a privilege if citizens live in an area where not only there are multiple high-speed Internet providers, but some of them spy on you and some of them don't (and maybe make that a selling point, even?), so you can pick the latter.

Maybe if the issue could be framed as "Internet monitoring will make us more like the French! And you don't want to be like the French, do you?", that would be enough to trigger mass revolt.

Regardless of what they anticipate customer response will be, I would imagine that ISPs' going forward with this plan may depend on the outcome of e.g. Hepting and the congressional hemming and hawing over wireless carrier immunity for that whole NSA phone eavesdropping thing. The outcome of that firestorm will signal to ISPs whether or not the judicial/legislative environment is such that they could get away with mass monitoring. Might take awhile, though.
1.10.2008 1:13am
Bruce Hayden (mail) (www):
Another problem is that with current technology, it is likely computationally infeasible to do what is proposed very well. I have been dealing with the patent side of this recently, and the recent patent applications and issued patents make it appear that there are still a lot of activity here, with a lot of things being tried, but it doesn't appear that there is any consensus yet on what would work.

About the only thing that I think might work is to put fingerprints or watermarks of some sort in digital works, and then look for them. Or, of course, using some sort of metadata, including, for example, file names.
1.10.2008 1:19am
Bruce Hayden (mail) (www):
Let me add that if anyone has some good ideas of how to accomplish this, other than the ways I suggested above, I am always interested in seeing them, if for no other reason than advising clients who want to file patents on something already being done.
1.10.2008 1:23am
Cornellian (mail):
And I'm sure that ISP will make 100% flawless determinations of fair use in real-time, unlike anyone else who has ever tried.
1.10.2008 1:46am
Cathy (mail) (www):
I don't think there would be any issue of whether the interception would be intentional for purposes of the statute. It's not like packets would be incidentally or accidentally intercepted by a device specifically put on the network in order to intercept and identify them.

I also don't think the statute reads in a way where consent affects the mens rea of the interception. I think consent just stands as an exoneration to what otherwise would have been a wiretap act violation (when there's been an intentional interception of the contents of a communication with a device). The ISPs would be better off challenging the definition of "interception," or trying to argue that the maintenance exception might also exonerate what they're trying to do, although I think (as well as hope!) that both arguments would be unlikely to succeed.
1.10.2008 2:06am
Laura S.:
You have to wonder why anyone thinks this sort of thing is practical. I'd guess that it will simply create more pressure to encrypt the payloads of frames.
1.10.2008 2:28am
Scote (mail):
The easiest thing for them to do is filter traffic by protocol, anything else would be an intercept. However, there is already precedent for the attempts to filter traffic by name or hash signature that have been implemented by universities. They presumably require students and faculty to give up any right to privacy in exchange for use of the network, but one wonders to what extent they may tend to give up their protections as a common carrier once they start filtering for content. Today, copyright, tomorrow, obscenity, and the day after, anything else that could be considered illegal, perhaps links to copyrighted material.
1.10.2008 2:50am
David Schwartz (mail):
My bet is that the bigger providers and the manufacturers of technology that can (at least today) do just this are conspiring to drive costs up for smaller providers and bring revenue to filtering technology providers.

They'll push first for a law to make this legal and then push for ways to make it as close to mandatory as they can. This won't hurt the larger providers very much but will seriously cramp the smaller ones.

The filtering technology providers will benefit massively from round after round of escalation. The filtering will get more and more invasive to combat encryption, and eventually we'll wind up with an ugly unworkable mess.

Fortunately, none of that will ever happen, as this idea is clearly dead on arrival for so many reasons.

How would this technology determine if copyright was being violated exactly?
1.10.2008 3:15am
MR (mail) (www):
I think the CDA would also have something to say:
230(c)(2) bars liability for good faith restriction of access to particular material. The CDA says that it shall not impair the electronic communications act of 1996 (which I assume the Wiretap Act would fall under), but given the fact that a party to a communication is exempted, then all ISP's would need to do is have their subscribers agree (and I use "agree" very, very loosely here) that the ISP may filter, and the CDA would kick in.

Indeed, if I were with an ISP, I would argue that there is no way the wiretap act can mean "no filtering" because interpreting it that way would make 230(c)(2) meaningless, which violates a key canon of statutory interpretation.

(2) Civil liability
No provider or user of an interactive computer service shall be held liable on account of—
(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected;
1.10.2008 7:27am
Happened:
Copyrights? I thought Comcast is already censoring political content of private communications, even though sometime they only suspect incorrect standing.

Makes you wonder what chances Copernicus would have to publish his book had market was monopolised by RIAA' RICO.
1.10.2008 8:15am
ES:
One of these things is not like the others:

obscene, lewd, lascivious, filthy, excessively violent, harassing, copyright infringement

Are you proposing that screening for copyrighted material falls under the "otherwise objectionable" category? That's placing a fairly broad construction on the term. Otherwise, it doesn't look like the proposed filtering can slip in via the 230(c)(2)(A) "good faith to restrict" exemption.
1.10.2008 8:19am
Volo2:

(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected;


Has anybody heard of a criminal acting NOT in his/her "good faith"

"Obscene"? Didn't we have guy named Comstock giving us the New York Society for the Suppression of Vice?

"otherwise objectionable"Well, I don't like you Mr. Jew - signed A. Hitler. Enough?
1.10.2008 8:38am
ES:
Unfortunately, there is probably a more legally and technically robust solution available to ISPs. With 99% of the user base running Windows or Mac computers, ISPs could develop software for these platforms that runs on the end user's computer, and which vets files that have been downloaded. Some technical barrier could be imposed such that access to the ISP's network would not be possible on a PC not running the software (sorry Linux users). This would also possibly overcome end-to-end encryption schemes employed by P2P software, as the software could review the unencrypted file on the hard drive (although this could simply prompt more clever techniques in P2P software, such as encrypting any working files). Consent to execution of the software by the user might be obtained through contract (for ISP service or click-through license on the software), or to deal with the issue of multiple users could pop up a box requiring consent on a regular basis (although this would be very annoying).

Once files land in a user's computer, software screening of these files might no longer be considered a prohibited "intercept" under the Wiretap Act. However, there appears to be dicta in US v. Councilman that suggests a requirement for real-time interception may not apply to electronic communications.

Further, by requiring the use of such software to access the network, it may fall under the 18 USC 2510(5)(a) exemption for "any telephone or telegraph instrument, equipment or facility, or any component thereof, (i) furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business and being used by the subscriber or user in the ordinary course of its business"

Given the lack of choice in ISPs in most locations, even this scheme may not be enough to result in any "revolt" by consumers - particularly if this were adopted by most of the big ISPs.
1.10.2008 9:02am
billb:
Umm, isn't basically everything that I transmit over the Internet copyright protected--including, for example, the content of this post? I can't see how this technology going to distinguish between unauthorized copies of copyright-protected works, unauthorized but fair uses of said works, and authorized copies.
1.10.2008 9:29am
MR (mail) (www):
Are you proposing that screening for copyrighted material falls under the "otherwise objectionable" category? That's placing a fairly broad construction on the term. Otherwise, it doesn't look like the proposed filtering can slip in via the 230(c)(2)(A) "good faith to restrict" exemption.

Sure, why not? I understand that reasonable minds can differ in that "otherwise" must follow from the terms listed, but if 230(c)(1) has been construed as broadly as it has, why should (c)(2) be any different?
1.10.2008 9:43am
roller:
Has anyone thought about what happens after the carrier's monitoring produces a "hit"? A warning? How would that be done? Email? Phone? Or simply terminate the transmission without notice? How about a false positive? Would the carrier then be liable for damages caused by their action? Would a false negative (not finding protected content) open the carrier to damages from the content owner? The implications are mind-bending. I'd run not walk away from this one, but they seem too stupid or too greedy (or both) to do so.
1.10.2008 10:57am
Anderson (mail):
They'll just get retroactive immunity.
1.10.2008 11:28am
NicholasV (mail) (www):
ES: Perhaps they could call it "BigBrother.exe".
1.10.2008 11:40am
Tony Tutins (mail):
Whatever happened to this lawsuit (from wikipedia)

vs. RIAA

In 2005, Tanya Andersen of Oregon responded to a lawsuit on behalf of Atlantic Records by in turn suing them under the RICO laws. Her suit alleges that RIAA members, in this particular case Atlantic, engaged in illegal computer trespass, extortion, and unfair trade practices under Oregon state law.
1.10.2008 11:44am
Andy Freeman (mail):
> Some technical barrier could be imposed such that access to the ISP's network would not be possible on a PC not running the software (sorry Linux users).

That would require not running standard internet protocols on the local loop.

While possible, that would require writing a comparable protocol stack. That's non-trivial (MS bungled this job a couple of time). It has to run on XP and Vista at the very least. Since that the standard IP code is deeply embedded in those OS, installing it will be "interesting". It will require lots of "truck rolls", which will make internet access unprofitable at current price levels.

I'm ignoring the fact that the protocol stack doesn't know that it's downloading a file; applications do. You have to get all applications that can down load files to do the actual verification. Congrats - you have to replace all of the aps that people use over the internet. (For example, lots of folks use VPNs to work from home. There are at least a dozen VPN applications, and almost all of them can transfer files.)

While each person may only use one or two aps, different people use different aps. If you break the aps that they use, they have no reason to use your service.

Even if they can solve the technical problems, the open source community has repeatedly reverse engineered such protocols. Why won't they succeed this time? (Remember, they can observe the bits on the wire AND they can monitor what's happening in the PC.)

And, once they do so, why won't they produce applications that don't obey the rules?
1.10.2008 11:49am
Taeyoung (mail):
To avoid liability, these providers probably would need to amend their Terms of Service so that users would explicitly consent to allowing their ISPs to monitor them for copyright violations.

Isn't the concern not so much that every ISP will run scans, but that AT&T will, on every communication on their network? My understanding, perhaps faulty, was that AT&T and a few other companies control much of the "backbone" of the internet. Isn't the risk mostly that once communications pass from your local ISP's network onto AT&T's wires (or Qwest's wires, or Level3 or whatever), these companies will scan it?
1.10.2008 11:51am
Philistine (mail):

Whatever happened to this lawsuit (from wikipedia)


RIAA couldn't get evidence, dismissed its case with prejudice, and the person they sued dismissed their counterclaim, sued for malicious prosecution and got attorneys fees.

See Here
1.10.2008 12:44pm
Bruce:
Doesn't RIAA and MPAA own a majority in each chamber of the Congress?

They would, except the Carlyle Group managed to buy a majority before they could get them all. They used the extra money to install radio transmitters in critics' dental fillings.
1.10.2008 12:52pm
BRM:
What about a movement to have Congress grant the FCC regulatory power over ISPs as common carriers (as a response to the Brand X case)? If Congress makes ISPs subject to common carrier requirements under the Telecommunications Act, that might be a way to prevent this sort of abuse separate from the Wiretap Act.
1.10.2008 12:57pm
Mary Katherine Day-Petrano (mail):
"Network-level filtering means your Internet service provider -- Comcast, AT&T, EarthLink, or whoever you send that monthly check to -- could soon start sniffing your digital packets, looking for material that infringes on someone's copyright"

This raises the inquiry whether the Internet providers ALREADY have liability for assisting in the wrongful dissemination of copyrighted material occuring by a pirate without consent of the copyright owner. Suppose Tennessee Lawyer over the Internet fraudulently pirates a disabled Bar Applicant's copyrighted work for the purposes of disseminating it extra-judicially to (1) a Law Clerk assigned to Bar applicant's Title II ADA cases \, and (2) to raise money for a legal defense for the Law Clerk, Tennessee Lawyer, and others who are involved in case they are caught -- does the Internet provider have liability for lacking adequate safeguards to prevent the piracy from occurring?

"Would ISPs risk massive liability under the Wiretap Act to try to combat copyright infringement? I can't imagine why they would do that, but I suppose that's a question to ask them and their lawyers"

I can't imagine why they would do that, either, unless the Sabinesque Chief of DOJ Counterterrorism directed certain individuals assisting in the piracy of the copyrighted work to flash a law enforcement badge requiring the Internet provide to do so and to maintain secrecy -- the ultimate objective being, of course, to derail by irreparably prejudicing a DREDDED civil right lawsuit under Title II of the ADA.

Then, it would appear certain defendants might attempt to invoke a Sec. 2520(d) defense (and would the Internet providers attempt to take cover under the same defense). However, it appears 42 U.S.C. Sec. 12201(b) would amend and/or repeal in whole or part Sec. 2520(d) to the extent it is not possible to construe "good faith" in Sec. 2520(d) to exclude Title II or V (retaliation) ADA violations in which there is no legitimate law enforcement interest/purpose.

There may be other defenses raised, but it appears they would also fail on there being no legitimate law enforcement interest/purpose in a discrimination/exclusion/retaliation in violation of a civil rights statute such as Titles II and V of the ADA. Especially ones accomplished for the purposes of stamping out such a civil liberties challenge occuring in the very courts hearing the case.
1.10.2008 1:25pm
Ryan Waxx (mail):
The consent would only cover those who signed the contract and the parties to communications with them, and would not automatically extend to those who used the network but had not consented (such as family members of those who agreed to the ISP contract).


IANAL, but it seems to me that there is a serious problem here, because there does not seem to be any sort of protection granted to people who did not directly sign the contract, like family members.

ISP's regularly enforce their contracts on family members who did not directly sign the agreement. Either that, or more likely they hold the person who DID sign the contract responsible for the family member's actions.

I know this because I work for one, and enforcement actions happen all the time. Some copyright holder sends us a complaint, we call the customer and explain the situation and offer help to get the offending copyrighted material and/or the sharing software removed from their system. Then we explain that if it happens again we have to terminate their service, because if we don't then the copyright holder can sue us.

Very often, it turns out a family member (like the teenager in the family) is the cause of the problem, not the person who signed the contract. From an enforcement point of view, it simply doesn't make a jot of difference.

Can you help me to understand why detection at the network level instead of by the copyright holder would change this legal relationship in such a way that weather or not the infringer hasn't directly signed the contract suddenly becomes relevant?
1.10.2008 1:50pm
quaker:
Andy Freeman: Of course you're right about BigBrother.exe, but there are other ways to think about this piece of snoopware. It needn't scan all network traffic in real-time.

Imagine an Evil Norton Anti-Virus that, instead of protecting you, tattles on you. It periodically scans your file system and reports the result to your ISP. And it generates an app-level token without which your ISP won't grant access to its network.

- If EvilNAV.exe finds infringing content, Evil_ISP knows.
- If EvilNAV.exe doesn't give Evil_ISP its cryptographically signed report each month, Evil_ISP denies you access.
- If EvilNAV.exe is disabled or removed so it doesn't provide Evil_ISP its token, Evil_ISP denies you access.

As an added EvilBonus(TM), MPAA/RIAA could even incent users, e.g. by giving free downloaded goodies to users with valid EvilNAV tokens and clean scans. Even MPAA/RIAA are smart enough to see the value in paying a few pennies for the guarantee of a "clean" user.

Of course a hacker can find ways around this, but most users are not hackers.
1.10.2008 1:55pm
Thomas_Holsinger:
ES,

Invasive access by ISP's on user computers gives criminals the same access. It would turn a hundred million computers into zombies. The idea is dead on arrival.

While ISP's might obtain special legislation immunizing them from class action civil negligence liability, the business community which relies on internet access has far greater political clout than the ISP's or those business interests pushing this damn fool idea.
1.10.2008 2:45pm
Thomas_Holsinger:
I tend to agree with David Schwartz - that the alleged anti-piracy purpose of non-invasive intercepts is merely a smokescreen for the real purpose of anti-competitive effects. Because Congress can be bought with purported good intentions.

The ban on incandescent light bulbs is a perfect example of this.
1.10.2008 3:53pm
Oren:
The easiest thing for them to do is filter traffic by protocol, anything else would be an intercept.
It is trivial to encrypt the header information making it virtually impossible for the ISP to know what protocol is being run.

Imagine an Evil Norton Anti-Virus that [blah blah blah] without which your ISP won't grant access to its network.
Since this program is running locally it would be trivial to run it in a sandbox where it doesn't have permission to scan anything bad. Remember that a program cannot tell whether it is being run on the hardware or in a virtual machine. Alternatively, someone could patch evilNAV to remove the scanning part of the code and just have it generate tokens.

Of course, now the ISP can make evilNAVchecker program to make sure that evilnav is really running. Lather, rinse, repeat. There is a bedrock principle here - if a user has full control over the computing resources (i.e. the ability to read and write to arbitrary memory locations) then there is nothing you can do to get remote attestation - hence the interest in hardware that will allow such a thing.

Furthermore, there are tons and tons of devices that do not run modern OS's that are now f***ked. Game consoles, ebook readers, WiFi enabled phones. Do you suggest that ISPs deny all those devices access?
1.10.2008 3:58pm
ES:
Thomas_Holsinger: I fail to see how BigBrother.exe has more invasive access than any other piece of software running on one's computer. On many platforms, especially Windows, once your code is running on the PC, you can do pretty much anything you want (either directly or by escalating access via some known hole in the system). Sandboxing generally has not been popular. Plenty of other pieces of software (e.g., Internet Explorer, Entourage) have been vectors for viruses, botnets, etc. BigBrother.exe would pose no more threat for zombification than what is already on PCs (see, e.g., my mother-in-law's computer).

Andy Freeman: I believe quaker, by way of the token-based approach of the EvilNav.exe example, has demonstrated that there is no need to rework the network stack. Plus, there is no need to modify applications to perform file tracking. As far as I am aware, modern OSes provide a mechanism for notification of when files are updated, and often by which program. As a simple example, just watching out for access to 1+ GB files is likely to be helpful in identifying HD movies. Or files matching *.mp3. Alternatively, BigBrother.exe could apply more of a brute-force approach, and scan the entire hard drive. Of course, there are probably more interesting/devious approaches.

As for reverse-engineering, I wouldn't necessarily count on open source efforts being capable of hacking arbitrary cryptographically secure systems. Doing so often depends on the incompetence of the designers of the crypto system (see, e.g., the details of hacking the WEP protocol or hacking CSS (sloppy key management in DVD player)). Also, key revocation or a complete overhaul of the authentication system works a lot faster for software products than WEP, DVDs, and HD-DVD (some of the more visible crypto-hacking successes).
1.10.2008 4:22pm
ES:
Oren:

In an ideal, but nonexistent, virtualization system is it true that "a program cannot tell whether it is being run on the hardware or in a virtual machine." There is pretty much always something, such as hardcoded virtual hardware or emulated instructions which take more time to execute than the actual hardware, which can tip off an inquisitive program. Run a Google search for "detect virtual machine" for plenty of examples.

Also, I would dispute that "a user has full control over the computing resources" - there are plenty of things that my PC does that I am not aware of, and probably don't even want it to do. Given the expertise developed in creating software-based DRM systems, I would not underestimate the ability to successfully obfuscate cryptographic operations so as to render them essentially opaque and irreproducable.

I would propose a different bedrock principle: once someone has their code running on your system, you're pretty much screwed.

On the other hand, you have an interesting point on non-PC devices. My narrow conception of BigBrother.exe doesn't cover that angle.
1.10.2008 4:38pm
Oren:
ES, DRM is not cryptographically secure because the private signing key must reside somewhere where the "attacker" (the user) can read it. There is no DRM system currently deployed that has not been cracked: HDDVD, BlueRay, WMDRM, FairPlay are all cracked even though many of them (WMDRM especially) go through a whole rigmarole of trying to hide the key by obfuscation. A good debugger and a lot of patience are all that's required to trace through the steps.

A VM would be total overkill for dealing with evilNAV - all that's really required is writing a wrapper that redirect all calls to /dev/hda to /dev/fake (in Windows you'd redirect the equivalent APIs). There is no way for the program to know that it's not reading the actual hard drive.

This is an arms race that evilNAV cannot win and never will be able to.
1.10.2008 5:02pm
Oren:
I fail to see how BigBrother.exe has more invasive access than any other piece of software running on one's computer. On many platforms, especially Windows, once your code is running on the PC, you can do pretty much anything you want (either directly or by escalating access via some known hole in the system).
This is beside the point. The idea is to only run software that you trust for other reasons. If you don't trust the software, run it in a VM or not at all.
1.10.2008 5:06pm
Thomas_Holsinger:
ES,

BigBrother.exe in your scenario is supposed to search hard drives for files, and report back, without users being aware of it, let alone consenting to it. There is a difference between programs which are unintentionally vulnerable to misuse, and those which are intentionally malign. Microsoft gets trouble about forcing automatic updates when users try to block that.
"It's a feature, not a bug!"

This invasive proposal would be used criminally. ISP's are not as technologically capable as Microsoft.

Such widespread zombificaiton would so injure internet access generally in this country as to impede commerce. I.e., the commercial interests which would be harmed by this have far more to lose than ISP's and their dead media friends have to gain. It would be a brief money tree bill (congress-critters shaking the money tree for contributions) only.

I repeat, David Schwartz has it right. The non-invasive, traffic monitoring, method is IMO what the major ISP's really want. Not to actually work as purportedly intended, but to give them an unfair competitive advantage over smaller competitors.
1.10.2008 6:08pm
Ari Tai (mail) (www):
Are their respectful of privacy mechanisms that can accomplish the goal of lowering non-authorized internet distribution of copyrighted content? Can this be accomplished without undue compromise of fair-use at least to the degree that the interests of the owner and customer are balanced?

Consider: ISPs and Carriers could change their terms of service to state that they will cap residential "masked" traffic to some small amount (say a music CD or so worth of bits per month) -- where after the cap is exceeded bandwidth for these streams drops to a trickle. Where "masked" is undefined but is likely a measure of randomness in a bit stream (suggesting encryption). Traffic to and from businesses and registered providers (IP addresses) is passed without constraint (anyone who is willing to warrant they protect IPR and host regular 3rd party audits).

For residential streams that aren't masked, if the data is in a registered DRM wrapper or is watermarked, perhaps signed as public-domain or in the general case doesn't set off watermark alarms, it is also uncapped. The IPR industry detectives then get to ignore the residential customers and police a much smaller set of providers, ISPs, and related services. The signatures for what's considered masked and not, watermarked and not becomes another race between the industry and hackers, with industry winning 3 out 5 times (like satellite cable boxes), and as with cable and satellite set-top box hacking, they are able to use criminal prosecution to jail and/or deter the worst (cleverest) offenders.

Granted, Moore's law improvements seldom accrue to the end customer directly in rented networks (sadly), but Moore's law does make schemes like the above increasingly affordable in the network, services and billing layers.

Note that network neutrality will suffer the same fate if regulated into existence. The carrier does not need to know what traffic or type of service is transiting their network to reward locality and extract rents from those who demand timely delivery, v. those willing to wait an arbitrarily long time for delivery (i.e. where the price of service approximates the equivalent of every packet bidding for carriage as if it is were the packet that overfilled the (narrowest) pipe (of any provider along the path), and has to pay to bump the lowest bid and/or finance a fractional increase in infrastructure capacity). Note if this is the case that the only thing that can keep an unregulated carrier from demanding an arbitrarily large ROI in the presence of smart-networks is competition (not some notion of must carry implied by network neutrality).
1.10.2008 9:19pm
TechieLaw (mail) (www):

To avoid liability, these providers probably would need to amend their Terms of Service so that users would explicitly consent to allowing their ISPs to monitor them for copyright violations. Assuming customers didn't revolt against this, that would permit monitoring under the consent exception, at least when a user who actually signed the contract was being monitored.


The problem is, they won't revolt. Big, big, big collective action problem.

When people are comfortable, they really don't have much interest in protecting their civil liberties and other freedoms. My best guess is that the vast majority of people won't read the clause, won't understand it, and even those few who do read and understand it won't care because they don't think it will apply to them.

For whatever reason -- and societies like China are a possible example of this -- people who have most of their creature comforts frequently don't give a rat's ass about their personal freedom of speech, privacy, etc. They just want to be able to browse the Internet, chat with friends, etc.

T'would make for an interesting law review (or sociological) article to probe the counters of what precisely would get people to start caring and want to rock the boat.

(Example: I've often mentioned to people that remote road toll collecting systems (like NY's EZ-PASS) can be used to monitor your comings and goings, and could theoretically be used by police (or even commercial systems) to track you. The usual response? "The government and/or My Credit Card Company is perfectly welcome to know where I am at all times because I have no intention of ever doing anything wrong!")
1.10.2008 11:08pm
Andy Freeman (mail):
> As a simple example, just watching out for access to 1+ GB files is likely to be helpful in identifying HD movies. Or files matching *.mp3

It's not hard to design a player that plays a movie that is stored in dozens of small files. (And no, those files need not store the movie sequentially, so "water marks" will be spread across multiple files.) File extensions also don't work.

And, lots of folks have multiple computers. Even if you guarantee that the one that has net access can't persistently store "bad" files, you're going to have trouble doing the same for a not connected computer.

One fatal problem with all of these schemes is that they dramatically increase the ISP's end user support costs. They also dramatically decrease user satisfaction.

How does imposing DRM provide comparable revenue?

Back in the day, a "friend of a friend" went to Intel with a suggested CPU modification to reduce software piracy. The folks at Intel listened politely, acknowledged that his scheme was effective, and then asked "Why would we want to do this?"
1.11.2008 10:43am
David W. Hess (mail):
Where "masked" is undefined but is likely a measure of randomness in a bit stream (suggesting encryption).

As you point out, this only suggests encryption because well compressed data will have a similar signature. Simply measuring entropy of a data stream will not be enough. To make things even more difficult, it is possible to mask real entropy in an encrypted data stream by adding unneeded redundancy (reverse compression or steganography) which has the effect of increasing the number of bits sent for a given amount of data. I bet ComCast with their recent complaints about limited bandwidth would love that.

Client side monitoring fails if the client can act as a router since nothing needs to be stored locally. This is actually a well supported configuration even on Windows with its ICS (Internet Connection Sharing) functionality. Remove the router functionality and someone will use or write a proxy to replace it.

Ultimately I suspect a better approach would be to ignore the content of the data streams and just rely on traffic analysis. Unfortunately, this will not be able to distinguish legitimate traffic from unlawful traffic unless everything is client/server and block lists are used.
1.11.2008 11:28am
Ari Tai (mail) (www):
re: masked or not (crypto, compression, steg, inter-frame modulation techniques of one form or another).

I agree, but I think this is where the cap and trickle changes the balance of power. If the (residential, university dorm room, ...) stream cannot be understood well enough to determine data hiding or not, it gets charged against the "CD a month" limit. P2P (residential to residential) now has an incentive to be transparent. It need not be perfect, just raise the cost illicit acquisition to something within an order of magnitude of the licit in either inconvenience, real cost, and/or risk of successful policing. Wrt policing, much of this should be a misdemeanor, equivalent to running a red light or speeding, a few hundreds of dollars per incident (thousands if in Virginia). Could make it painful, especially for teenagers and college students, by adding points to their driving license (cross domain penalties). "Deny someone else their freedom (to contract), lose your freedom (to drive)."

("Speaking of driving" :-) traffic analysis will certainly be an important component of approaches like this (reducing false positives), as well an interesting class of inference engines, similar to those that rank credit card fraud likelihood ("which ten customers should I call next?") And taking the long view, as IPV6 emerges and IPV4 rusts out, policing will have markedly improved attribution.

It's important to keep the miscreants guessing (not disclose the detection algorithms or answer the "Why me and not him? It's not fair." questions, and when discovery or equivalent causes a disclosure have 10s of alternatives ready and more under development). Eventually the system will come to some equilibrium - a balance of false alarms, help-desk costs, inventory "shrinkage," and improving returns to those who create and finance intellectual works (v. today's decreasing returns).
1.11.2008 9:15pm
Jeremy Schaefer (mail):
I live here in central Minnesota. My isp is based out of Perham Mn. They have the local monopoly on high speed internet where I live.
I received a Call on Monday of this week from one of there technicians. He left a message stating it was in reference to the download of copyrighted material. I called him back on Tuesday and asked to what he was referring exactly. He said that I had downloaded Harry Potter the Rise of the Pheonix and was storing it on my computer. I then assured him I was not and asked him to find out exactly when I supposedly downloaded this and get back to me. Knowing full well that I did not have this file. I told him when he asked about it that, yes I did run P2P occasionally.
He called back 2 days later and left another message stating that I did indeed have that file on my computer and I had to remove any P2P and this was my first warning. I intern called said rep for the ISP and left a message that, I did not have said file(which I didn't) and that I would remove the P2P as a precaution.
Over the last 2 days I have read hours of posts because of this. It brought to mind the whole legality of my situation. And I think this is the place to ask the readers for help.
P2P software is legal. This I found out and they(ISP) had no right in telling me to get rid of it. To what extent would an ISP have to go to to tell someone exactly what they had downloaded? And how many laws would they have broken doing it?
One more fact. My contract with said ISP ran out already, so there is no legally signed contract. I am month to month.
I posted because there was no examples and I thought mine fit exactly. All help appreciated.
1.12.2008 10:53am
Ari Tai (mail) (www):
re: Minn P2P.

Unless you have some sort of personal knowledge of the internals of your P2P software, there's no way to know exactly what's transiting or being cached on your machine. Meaning if all you're caching is a portion of the directory that points to pieces of illicit content in the cloud and someone uses your directory entry, are you or are you not complicit in the theft? In a real sense you've become an ISP because you're serving bits no differently than, say, youtube. Skype is an example that is explicit about its borrowing of resources from customers. So you and the ISP could both be right.

And since the ISP is legally required to pursue IPR complaints, he likely put a network monitor on your connection's traffic and perhaps saw a directory entry transiting your wire. If not watermarked data. (I suspect IPR owners are seeding lots of watermarked / discoverable data into the pirate nets given they've little more to lose.) You could do the same when you're running P2P software to see what other purposes your link has been put to use.

Makes for an interesting legal discussion. If my garage is used by, say, pedophiles because I promiscuously hand out keys but choose to keep my eyes closed, do I have any liability? Or if I hand out keys to others' garages? Perhaps it's not me, and I can defer to the people that, say, I contracted with to build my garage who said "we'll build it a bit bigger and not charge you if you let us arrange for others to occasionally use your garage. In addition, if you need a garage anywhere, we'll let you use someone else's nearby."

I suspect the judge and jury won't be too interested in the nuances after the child testifies.
1.13.2008 8:52am