This is a guest post by the Political Penguin.
Although I’m overtly a Labour Blogger and on the whole supportive of most of what the Government does. From time to time I can be equally as critical of my own side as of the assembled rabble of opposition parties. Today is such an occasion.
A while back in response to a speech made by David Cameron to the British Phonographic Industry I penned this rather naughty but pertinent article on his suggestion that Internet Service Providers (ISP’s) should police the internet to stop all those naughty people on peer to peer (P2P) networks sharing copyright infringing copies of, primarily music.
So it is with great annoyance that I read today that the Department for Culture, Media and Sport have had this wonderful idea.
First up though, let’s just see how this made the news. Originally appeared in the Times and everyone else picked up on it. I’m rather hoping it’s one of those, not meant to be actual plans for legislation but more of a hurry up for the BPI and the ISP’s to sort their own affairs out without the need for Government intervention but if anything can be read into it then it’s that the inclination of the Government is to line up with the BPI to put the emphasis and responsibility in the hands of the ISP’s.
So what’s the problem with this proposal?
Well, there’s those pesky lot over in Brussels that drew up the European Directive on Electronic Commerce Directive 2000/31/EC. The important bit is contained within article 12 which I’ll happily reproduce again below:
1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:
(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.
2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.
So we’ve got our starter for ten, the ISP’s are merely conduits of data flow across the net. It is no more their responsibility under EU legislation to check on every packet of data flowing across their network than it is the Royal Mail’s responsibility to open, inspect and check every bit of mail that flows through its sorting depots to see if someone’s dropped a burned copy of the Spice Girls Greatest hits into a jiffy bag.
I’m sure plenty of people will look at the civil liberties angle so I’m not, apart from saying that the allowance for, or even the desire to implement the hardware capability to do so under the guise of detecting copyright infringement is probably not a very good idea.
So apart from this contradicting EU legislation, generally not being a good idea on civil liberties grounds there is and probably more interestingly from my own perspective, the technical angle.
Is this possible? Well, yes, it sort of is, but isn’t. I know, not exactly a clear answer, more of a LibDemmish sit on the fence answer but bear with me because we really have to ask what is it we (not sure about the use of the word we, should be the BPI/music industry/rights holders) are trying to achieve?
In essence, the control of information and the protection of content against it being copied and distributed without their permission for which they usually levy a fee so they’re attempting to protect one aspect of their income stream.
Why is this an issue now?
Technological change. Up until relatively recently there were albeit not substantial; costs involved in the reproduction of, and we’ll be sticking to audio content for now, copyrighted material. It required someone you knew who had a CD burner to copy the disc, scan the album cover, buy the disc and case and put it all together for you ready to meet up down the pub for a quick exchange. A bit stereotypical I know but up until the large scale adoption of devices to play compressed audio content like MP3’s, music was still very much a physical thing in terms of it’s storage stretching back through tapes to vinyl and way back to wax cylinders. With the capacity to store 36,000 music tracks on a chip smaller than your fingernail that happily slots into a plethora of mobile devices, the physical manifestation of music is largely gone and it is the actual content that is the focus.
Coupled to this the rise of compression formats making the actual data footprint of the song relatively small compared to increasing broadband connection speeds and flat-rate packages, the ability to transmit this data has now reached a point where previously there were still cost implications to consider. There is of course still a cost but it has reduced to such a point that it is no longer a relevant factor.
This has all been brought about by improvements in technology that has undermined the core business model on which the music industry has been based for most of the previous century and I had anticipated penning a mischievous article on that along the lines of ‘How Marx killed the music industry’ but I’ll leave that for another day.
How can the industry attempt to protect its content against infringement?
We’re going to get down to the nuts and bolts of trying to protect data here but I’ll try to keep it simple.
There are a few approaches that can be taken. Up until recently the big talk was for Digital Rights Management, (DRM). It’s all gone a bit quiet lately on the DRM front which could possibly be why the industry is now trying this approach through the ISP’s.
Some have already written off DRM technology but it’s not dead yet. Here’s how it works in general. The content is encrypted and can only be un-encrypted by a playing device that has the capability to do so or software on a PC which is why Windows Vista came in for so much stick. There’s an inherent problem with this approach that whatever is encrypted can be cracked and pretty much that is what has happened. As more and more sophisticated levels of encryption emerge, so do, a few months later the decryption tools somewhere on the net and they’re back to square one. It’s an arms race that the content rights holders can’t win no matter how many billions they spend on the technology.
It’s also important to note that the use of DRM slows performance and access to the actual content meaning that the more complicated the encryption becomes, the more time it takes for the legitimate devices to decrypt it and in most cases relating to music, we’re talking pretty low end processing capable MP3 players which then require their firmware to be upgraded to decrypt newer music with higher level encryption technology.
Put simply, this one ain’t gonna fly long term.
With DRM out of the picture, what else do the industry have in their armoury to prevent copyright infringement?
Here’s where it gets complicated because there are a couple of other main options.
DRM’s focus was primarily on prevention in the first place. What is left to the industry is a mix of spying and or moving the legitimate responsibility and liability on to third parties.
We’ll deal first with this concept of spying. It’s not widely used but those who are regular users of MP3 files will know what I mean. When you play a song, you not only get the music, you also get perhaps the song title on some form of display, the artist, the running time and also the genre so that you can sort it into a specific collection of similar music. All things that make life that bit easier but are nothing more than tags attached to the actual content file.
However, more than just these bit of information can be tagged onto an audio compression file format, you can add lots of things. One that has been muted is an individual identifier tag. Here’s how this works. My name is Mr Smith, I go to thebigonlinemusicstore.com (I just made that up, if it does exist I’m not implying them personally) I have an account with them with my address or some other personally identifiable information. As I’m paying for this music I’m going to have to have some form payment system so whether it’s my own Visa/Delta/Mastercard whatever or an online payment service like PayPal, somewhere along the line there’s something that can finger me directly.
When I purchase a music track and download it, a personal identifier is tagged on to the file. I’m a naughty file sharer so I stick it in my bit torrent shared folder and anyone on the same file sharing network can pick it up.
Should it then get back to the original copyright holder (we’ll discuss how later) that this file has been knocking about and I’ve been infringing the copyright and distributing without permission then all they need to do is have a look at the file, match it up to the personal identifier data and I’m nicked.
Apart from the obvious data protection and privacy issues inherent in such a scheme there are also the rather annoying practical issues surrounding jurisdiction and proof required that make it unworkable.
Just for a rather quick example, me, that’s Mr Smith is married to Mrs Smith. Things got a bit rocky, we broke up, it was all rather acrimonious. Mrs Smith being the vindictive sod that she is had half my music collection on her MP3 player because in those days when everything was rosey we shared everything. She then uploaded them to the net so that anyone could download them and the police knocked on my door.
I know it’s a rather far-fetched scenario but these things do happen and a world where content ownership, or to be more precise rights of usage start to get rather absurd, not to mention the obvious about similarly creating another arms race to remove such identifying data from music tracks which pretty much gets us back to why DRM won’t work.
How does all this get back to the rights holder?
What this announcement today deals with is primarily this issue. At present there are file sharing networks that exist that distribute copyrighted material that isn’t with the consent of the rights holder. There are also dedicated sites that do exactly the same.
Here we need to make a clear distinction between the two and how the interaction works.
File sharing works on the principle (bit torrent being probably the best known system) whereby an individual user installs the software and to keep it simple, this sets up a separate folder on their PC which is shared with everyone else on the network. People put whatever they want into that shared folder so that others on the network have access to it.
Although much that is written about file sharing is aimed specifically at the distribution of copyrighted material such as music, there are a plethora of legitimate uses for it. I use it, primarily for the download of large ISO files, usually large bits of software or entire operating systems (free open source ones). The principle behind torrents are that the same file may exist in lots of different places and whereas downloading it from one location limits you to the upload speed of that one place, through file sharing you can download bits of the file from numerous places at the same time so you are only limited by your own download speed which is always faster than your upload speed. Put simply, it’s a way to download big stuff faster, that’s the point of it in the first place.
The alternative model for the dissemination of copyrighted material is a simple core source. Some server somewhere, a website which is only an interface sitting on top of a server after all but you get the drift, all the files are located in one place and people download them from there either freely or for a charge below what they’d pay from iTunes or whatever.
In the second case of there being one location where the music files are being taken from there is not so much of an issue. They’re relatively easy to find, even for the music industry people and if not, the execs should just ask their teenage kids where they are. Then there’s the obvious process of locating them and getting them shut down. Easier in some parts of the world than others of course and the core focus of this approach is to knock out the supplier, not the consumer.
In the case of file sharing networks it is slightly more complicated but not beyond the realms of possibility. Discounting any legal issues relating to what could be defined as entrapment or indeed jurisdiction issues given that these networks tend not be confined to one single country, it’s as hard as asking the kids which file-sharing systems are hot, joining them, having a mouch around, logging the IP addresses of where which files are coming from then requesting the relevant information from the ISP’s to track down the individuals in question and prosecute them.
The industry is quite entitled to request this information from ISP’s and they are obliged to hand over the information to assist in any criminal or civil proceedings, at least in the EU anyway.
So with this in mind, why exactly are we talking about getting ISP’s to enforce this?
Are the music industry simply being lazy or trying to pass the buck? It’s not hard to get hold of the information, find out where the sites/networks are, so why can’t the music industry carry on the way they have been?
Well, finding the people/sites isn’t the hard bit. It’s the ability to form coherent cases against individuals even discounting the nightmare that is jurisdiction that getting at and taking out the actual suppliers isn’t always easy. Particularly if they happen to be located in countries that have far more liberal interpretations to such activities like say Sweden or they don’t give a toss, like say Russia or China.
What this amounts to is a shift from the supplier to the consumer and it’s based on the principle that ISP’s, the companies we all connect to the internet through, should monitor that traffic flow, catch out and somehow take action against people. In this case according to the proposal, it’s a three strikes and you’re out system which always plays well to the headlines but never really translates into good practice.
There’s no mention of any kind of civil or criminal proceedings taking place, it seems more of a make the ISP’s the regulatory body that also then take any arbitrary action as and when required while presumably making a note on it and sharing that information with other ISP’s.
This makes the music industry happy because it’s no longer their responsibility to take long and complicated action through courts which require legally testable evidence and if the problem still persists then they can always claim compensation from the ISP’s for not enforcing what they want.
What are the problems with ISP’s undertaking this role?
We’ll do technical later, let’s do the legal bit. Apart from the EU saying that ISP’s are mere conduits of data flow an
d not responsible for the data that passes through their networks even if it is temporarily cached there is a big problem with them being both the gatherers of evidence and one can only presume the people who discharge punishment, which it appears to be a couple of polite e-mail warnings then snip to the connection.
This would be fine if the ISP’s could categorically prove easily without a shadow of a doubt that the person in question is the culprit. However, here’s a few scenario’s. Mr Smith, that’s me again, before I split up with Mrs Smith and everything was rosey, we had a 15 year old daughter Ms Smith. She’s been naughty and been downloading loads of copyrighted music from her laptop in her bedroom unbeknown to either myself or Mrs Smith but it’s my name on the contract. So who’s responsible then? Are we to assume that the person named on the broadband contract is wholly responsible or should Ms Smith get it in the neck?
Or how about Smith Junior who’s a whiz kid at computers but under 10 and not legally accountable for his actions? How about Mr Jones next door? You see me, Mr Smith, I’m a bit of a technical idiot. I can just about use a computer but that bloke from BT installed everything and set up this lovely WEP encryption enabled wireless connection so Ms Smith could use her laptop in her room without me needing to get anyone in to drill holes in the walls and stick cables everywhere. The problem is that Mr Jones next door is a specialist in data security and a cracker who knows how to hack into my wireless connection and download what he wants. Mrs Smith runs the local Starbucks where there’s a free wireless hotspot for coffee lovers and I run a pub where we’ve just installed free wireless to try and attract punters, are we getting the idea now?
Once we get to this point, enforcement, except against the most stupid of downloaders of copyrighted material becomes a farce because proving the matter becomes far too difficult which is probably why the music industry want to shift the burden on to the ISP’s. Not counting the problems, there’s also the small matter of how much this is going to cost the ISP’s and what that’s going to mean to consumers bills when those costs are passed on.
Back to the technical angle about how ISP’s can achieve this.
What we’re looking at is nothing more than sniffing on the line. It’s a non-too-uncommon sys-admins task, sometimes legitimately to seek out problems on the network, where there’s blockages in flows, other times used by unscrupulous employers to spy on their employees but it’s not a big thing. You can relatively easily on a small sized business network drop a sniffer in to look for various file types, extensions or sizes to diagnose problems.
Scaling that up rather a bit and again discounting the extra cost of the actual hardware to achieve this at an ISP level, or any effect that such sniffing would have on network traffic flow and possible deterioration in performance for the end user. Even discounting any privacy or data protection issues there is the actual practicality of tracing and ascertaining whether there has been any kind of copyright infringement having taken place.
Although impossible to do, ISP’s could look for the obvious, say MP3 files for a start. See where they’re coming from and maybe prove it and maybe take action. We are then back to the arms race scenario. I mentioned it as an example in my previous post but lets zip these files up. Or to be more precise compress them of which ZIP is only one form, there’s RAR’s and a plethora of other methods. So now the ISP’s will have to uncompress every compressed file flowing across their network which will include a healthy amount of corporate stuff so they’ll need a shiny load of new energy gobbling servers to achieve this. Oh, there is of course password protected compressed files so they’re going to have to introduce cracking tools to get at those as well which doesn’t bode well for those in business or in Government that would rather like people not being able to access certain information.
Then of course we could be really naughty and use other file formats, other compression formats like OGG’s, or embed media into other objects which is really going to be fun. We’re getting to that point again, it’s an arms race that is only going to won by one side and it’s not the ISP’s or the music industry.
However, let’s assume it is possible for ISP’s to actually monitor every single packet of data flowing across their networks decrypt it and scan within each and every possible embedding method.
There are two rather big problems.
The first being encrypted pipes. SSL anyone? That’s Secure Socket Layers or to everyone who uses the net for shopping, that bit where the URL bar turns yellow or a little padlock appears depending on your web browser. It’s secure, which is rather useful when you’re typing in your credit card number, expiry date and security code on the back. Last time I checked my webhosting company would do me an SSL for 300GBP a year, probably less these days and I’m sure cheaper if you shopped around. Not really a lot of money to factor in to the setup of an illegal music store really. So how are ISP’s going to combat this as the core principle of SSL is that the data flow cannot be sniffed and this would equally apply to an encrypted file sharing network as well.
The second big problem is legitimate transfer of music files. Me, Mr Smith again. I’m too technically daft to set up a complete home network that allows me to share files between Mrs Smith’s (prior to the divorce) desktop and Ms Smith’s laptop in her room but Mrs Smith wants to listen to some of the tracks from a CD I turned into MP3’s using Nero 7 which is fully legal to buy in the UK and contains this facility. Apart from it being technically illegal to actually convert my music off a CD to MP3 format as Britain has some archaic phonographic laws but no one has ever been convicted of it so we’re pretty safe. I don’t have a shared drive or anything so I’m going to do the only thing I can which is to e-mail it to her. Let’s say the ISP monitors attachments to e-mails, picks up this MP3, what happens then? I own the rights in regard to enjoy the music and I’ve only transmitted it from one side of the house to the other albeit via a data centre in Birmingham. Is that illegal? Let’s say that idea of everything being tied to an individual purchaser through tags is in place, is it illegal to give that to the missus to play on her machine because she didn’t purchase it in the first place and how are ISP’s going to tell the difference? Say there’s another kid hanging around, Smith not quite so junior. He’s at university in Edinburgh but desperately wants some of his death-metal to play. They’re his CD’s that he purchased when he was 14 and me, Mr Smith converts them to MP3’s and sends them off, what would the outcome that be as the recipient is clearly not at the same abode but bought the things in the first place or how about I bought the music as a present and transmitted it?
Some more examples.
Not me Mr Smith, Mr Jones the tech savvy neighbour now. I’ve been a bit of a smarty pants and hooked up my home network so that I’m able to access my system remotely. I’m on my way to a business meeting in London and I’m waiting for a train in an area with a wireless hotspot. Bored stiff with the music on my iPod I decide to get the laptop out, login to my home network and transfer across a few tracks to keep me going. Apart from the obvious why I wouldn’t be doing this through SSL in the first place to protect my security, how does this work if I’m downloading something from my home system remotely?
Still Mr Jones, the tech savvy neighbour. I’m in Bankok on another business trip. Can’t find a wifi hotspot for love nor money and am not going to use the mobile as the data charges are extortionate so I drop into a cyber cafe and do the same thing. Note, not that tech savvy if I’d actually c
onsider doing this but I login to the home network, take some music off and then transfer it to the trusty iPod via USB. Again, how does this work out? How would the ISP ascertain the difference between this instance and some far more tech savvy person having simply hacked into the system and nicked the data?
Or will this then mean that the burden of ensuring all activity that goes through your net connection falls on the individual or business that allows open access?
This is important because apart from it being almost impossible to ask your average member of the public to be both aware of the complexities and take measures to ensure their connection is not being abused, it is also potentially dangerous to what is a fledging industry, that of providing public access wifi.
I think we’ll leave it at that for now and not get on to the concept of virtual networks as another area of potential growth to combat energy consumption that could be hit by such a daft proposal.
On a final note, when are the music industry going to shut down YouTube? They do know how easy it is to download the flash file, strip out the audio content and encode it to something useful like an MP3 don’t they?
Note: I’m a techie, I do this sort of stuff in a wholly legitimate manner as part of one aspect my work. I do not condone the infringement of copyrighted music and my own collection is wholly legal and purchased by myself. I do not have any copyright infringed music because I’m far too much of a goodie two shoes and I’m involved in politics so that wouldn’t be a good idea now would it?