Coping with P2P

I’ve posted about the DMCA before, pointing out that the DMCA is a poorly written law, but it is the law, and must be adhered to, something RIAA subpoenas rely on. There have recently been a number of articles referring to the way UCLA, where I am a student, is dealing with P2P (peer to peer) MP3 file trading, and allegations of a digital copyright violation from rights holders. Most of the articles seem to miss the point, even though UCLA has provided a public statement explaining the process.

UCLA, like most other campuses and networks with any sizable user base (or an Online Service Provider in DCMA terms), is required to have contact information for the DMCA “designated agent” posted on the university’s web site. When a rights holder contacts the DMCA designated agent and asserts the presence of a copyright violation on the network the content in question must be removed, immediately, before a decision about the validity of the complaint. Keep in mind that the claim of online copyright infringement is not a standard, easy to follow memo; it’s a legal document, generated by a culture that gives points for complexity. Sometimes the notifications are incomplete.
Nonetheless the designated DMCA agent has to respond by removing the material, within a very short time, in accordance with the law. That’s a lot of work for a large school, especially a school with 25,328 undergraduates, many of whom live in campus residences connected to the high speed campus back bone. It’s not uncommon for large schools to receive
hundreds of notifications a month.

UCLA, like every other campus with a network connection, is worried about students potentially “trading” illegal MP3 or other files covered by copyright for reasons beyond their concerns about possibly illegal activity on their networks. The popularity of P2P “file trading” among users between twelve and fifty can clog networks, creating so much congestion that users simply trying to send and receive email or browse the web, can’t.

There are a number of ways a campus can deal with potential problems.

1. Some campuses look specifically for users employing P2P clients on their networks, and
   react by shutting off specific ports. Others look for traffic patterns and other indicators of P2P use, and automatically restrict access based on locally determined criteria.
2. This is the approach that the University of Florida’s ICARUS system uses. ICARUS looks for use patterns associated with large-scale “sharing,” then displays a pop-up notifying the student that
   network access has been restricted locally, and why, and how to obtain full access again. I don’t think much of this solution; it’s not always that easy to distinguish between illegal P2P activity and legal P2P activity. It also seems needlessly invasisive. Remember, it isn’t P2P software that’s
   the problem, only the actions of some users. There are also legitimate reasons to use P2P (many of them related to research and
   instruction—think “distributed computing” and “grids”) and some “file trading” is legitimate, and not in violation of copyright. I can think of a number of ways to legitimately use P2P to transfer large files for
   instruction, for instance, in a music composition class. This approach
   makes that kind of use difficult.
3. Some campuses don’t do
   much of anything to educate users or prevent network abuse until the RIAA
   comes calling, subpoena in hand, and then they turn over records, in the
   worst cases, or stall, in the most common reaction.
4. I don’t think much of this solution either. It is illegal to distribute
   copyright protected files without permission from the rights holder. Moreover, it is part of the responsibility of a university to educate students about ethics as well as the standard academic subjects. Students, and all the other users of a network, need to be educated about the
   illegality of distributing material without permission from the rights holders. Finally, students do have certain privacy rights, rights that are explicitly protected via FERPA regulations; this “solution” tends to impinge students’ rights, potentially resulting in violations of FERPA and other
   privacy statutes.
5. Some universities use another form of
   technological prevention; they employ various filtering and packet sniffing
   technologies (both hardware and software) to inspect network data,
   comparing the data to a database of materials, or looking for specific
   protocols associated with P2P traffic, and then stopping the transfer in
   one of several ways.
6. Filtering, unless it is used in tandem with other measures, isn’t a solution; it may well in fact create additional problems. First, it tends to work by paying attention to specific kinds of traffic, like P2P, rather than other kinds (UseNet, for instance). Again, any technology can eventually be subverted, (encryption doesn’t have to be difficult, and soon won’t be) and since these methods rely on letting a download start, so that it can be checked, this approach strikes me as a waste of bandwidth. The likelihood of false positives seems fairly high to me. Generally, with this kind of technology, there are tracking identification methods that are a bit of a problem on a campus, given privacy issues. This solution tends to be expensive, since it relies on proprietary code and hardware. Close monitoring, at the level of
   individual use patterns, can have a chilling effect on research and the academic community, often because to the average user it may appear like “spying,” whatever the intention is. Finally, this kind of solution doesn’t do anything to change the behavior of users for the long term, and therefore isn’t a real solution.
7. Some universities engage in bandwidth throttling, monitoring the network for excess throughput and shutting it off, or shutting off specific users, or in some cases, prohibiting the
   ability to upload files; this was pretty common for reasons of cost and network management long before P2P was an issue, and it’s fairly standard practice for a variety of reasons having to do with network and cost
   management. UCLA does this in part now, by making web and email traffic on the network a higher priority than, say, P2P traffic.
8. This solution doesn’t change user behavior for the long term; it simply masks
   the symptoms of the problem, and it affects the innocent as well as the
   possibly guilty. There are legitimate reasons for academic users to use
   lots of bandwidth, and uploading is necessary for a variety of research and
   educational purposes. However, bandwidth control in combination with other
   methods can be effective as a protective measure.

In general, I’m not impressed with any overly sophisticated or elaborate
technological solutions. For one thing, digital technology changes rapidly,
in a matter of hours, sometimes, and a really clever method of preventing
“file trading” is likely to attract the attention of really clever people
who will subvert it as an interesting puzzle. Moreover, these solutions
tend to be expensive, and I think there are far better ways to spend an IT
budget. The real solution is to change behaviors, not
technologies.

I rather like what UCLA has done.

1. First, though the awkwardly written and scantily researched Chronicle of Higher Education article doesn’t refer to it, UCLA spends a fair amount of effort on educating students regarding appropriate use of the campus academic and residential networks. That includes orientation sessions for incoming students. For obvious reasons, right now the central issue is the use of the residential network (ResNet) associated with campus housing (about 7,500 students and some faculty and staff living in the residence halls), but the entire UCLA community is involved in appropriate use education.
2. Secondly, UCLA doesn’t make assumptions about the
   guilt or innocence of the students. If UCLA is contacted regarding a
   violation, the student is notified by email, and the students computer is
   “quarantined” with respect to the campus network, allowing the student to
   access on campus resources vital for instruction and interaction with
   administration and faculty, but not access other ResNet points or external
   networks.
3. The resident is told to remove the files in
   question, and to sign a statement which indicates that the files have been
   removed but which neither asserts nor requires an admission of
   guilt. The file removal and quarantine are in response to the
   requirements of the DMCA; they are not punitive.
4. If these steps are followed, complete network access is restored, generally within in one business day.
5. If there is a subsequent incident involving the same student, the student’s computer is again placed in quarantine (that is, it’s access to the network is restricted) and the student must go through the standard campus disciplinary process, which generally involves the Dean of Students office. During the time the inquiry is in process, the computer remains in quarantine, with restricted network access, but the student can still use the campus network resources necessary to complete course work.

I like UCLA’s approach since it doesn’t engage in invasive actions, packet sniffing, or assumptions of guilt. UCLA responds with alacrity to allegations of copyright violation, in accord with the DMCA, by placing a computer in quarantine. This method provides an opportunity to educate the user. Even though copyright issues are discussed at orientation, many students don’t really seem to understand that not only are they inadvertently sharing files they may have obtained legally, (naive P2P users don’t realize that
their own files are “shared” when they are downloading) or that even downloading files “ripped” by others is illegal. By applying a quarantine, UCLA prevents possible inappropriate use of the network, without
obstructing the student’s education, protects rights of the rights holder, meets the requirements of the DMCA, and there’s an opportunity to educate the user. UCLA’s approach also allows for due process in the event of a second offense (and second offenses aren’t as common as you might think).

I particularly like the fact that this is a local UCLA solution, created by the UCLA community. Despite what various sites have reported, UCLA’s process does not rely on Universal’s ACNS software nor does UCLA use the University of Florida’s ICARUS system, though UCLA does take advantage of the XML schema for the allegation of a rights violation created by Universal, working with the Joint Committee of the Higher Education and Entertainment Communities Technology Task Force and other concerned parties. The XML schema for the initial notification from a rights holder to an OSP standardizes the format, making a timely response much easier. UCLA’s response is also standardized, so that all students are treated the same way. I also like the fact that this approach is not too technologically clever; UCLA uses the network equivalent of shutting off a valve by removing access to parts of the network, to quarantine the computer in question, and it can be combined with other preventive measures, including user education. Best of all, UCLA’s process was developed as a cooperative effort by a variety of people from the Dean of Students office, campus Counsel, Residential Life, Housing and Hospitality Services, many of them acting as members of committees, including student representatives (like me). UCLA’s approach serves to protect the rights of copyright holders, it educates students, and it protects students’ (and users’) privacy rights.