Legal Issues

First, realize that no book can even begin to replace professional advice from lawyers who are accustomed to dealing with individual or corporate legal issues relevant to your particular situation and location. This section can only attempt to raise your awareness of what issues might be at stake, so that you can intelligently pose the appropriate questions to such professionals.

In fact, even the professionals can get it “wrong” according to after-the-fact court rulings, especially in such complex and changing areas as intellectual property rights, digital rights, and jurisdiction applicability to the Internet.

See this section as an overview of a partially explored land, describing some of the landmarks that have become visible and indicating some of the hazards that will need to be navigated or landscaped away at some future time.

Peer Communication

The root of most of the potential legal problems lies in the fundamental fact that p2p is decentralized by design, at times aggressively so. Because they actively promote the notion of user control of local resources, p2p applications inherently tend to conflict with centralized control, authentication, and traditional corporate security measures. This may or may not be a problem depending on the situation. Unconsidered, it is.

It may seem innocent enough, for example, that a user installs a messaging client in order to converse with other people on the Internet. But as noted earlier, such an action opens an external, uncontrolled access point to that user’s computer through the client software. By extension, it might also open external access (with user permissions) to other resources on the corporate network through the user’s computer. The client might allow any number of other services, such as file sharing, in ways that ignore firewalls and are perhaps unknown to the user, which introduces the risk that legal liabilities arise through actions by the local user or other peer users.

Bit 4.8 Peer clients invariably open unconsidered security holes.

If only because of their “uncontrollable” nature, p2p technology must be examined as a potential loose cannon in security-conscious environments and be deployed only after careful consideration of potential effects and applicable precautions.


The worst thing is not knowing what the situation is. A particular IM client might be designed just for messaging, equivalent to a phone call, but then again it might allow much, much more. With some understanding of what a given client might be capable of, and how it does this, informed precautions can at least ensure that inappropriate services are not activated by default, or that the connectivity scope is limited to the LAN or proxy. A clear policy of which client implementations are acceptable or not also helps; some implementations carry greater risks than others or may even include spyware components that the average user is unaware of.

This is nothing specific to p2p technology. It’s been highlighted that much commercial software can pose similar risks. For example, the automated diagnostic reporting in MS Office XP not only “phones home” and sends details of software and hardware status after crashes, but might also include sensitive documents being worked on when the application crashed. Other products might compile profiles of usage or storage that could prove a serious liability in some contexts.

Even “enterprise-approved” solutions, such as Windows Messenger, can mandate the redesign or upgrade of existing firewall products in order to work at all and still allow reasonable intranet security. We may note that the adoption of the Universal Plug and Play (UPnP) standard by Microsoft enables applications to reconfigure external equipment on-the-fly. Newer firewall products will comply with UPnP, and the stated intent is that, for example, the WM client will be able to open firewall ports on demand, automatically and remotely! (Is it just me, or did I future-sense some especially security-conscious readers fainting at this point?) This is one reason why the recent Windows XP UPnP vulnerability exploit got such immediate attention by security experts.

File Sharing

The legal and ethical issues raised by file-sharing technology can be complex even within supposedly well-controlled, corporate LAN environments. On a public, distributed peer network, the issue of control becomes an illusion—or a nightmare, depending on your perspective. In fact, in some p2p implementations, it’s by design “impossible” to police or censor content, save by shutting down all connectivity.

Deploying a peer network to share content invariably opens at least the potential risk that users will exchange content they legally shouldn’t. The practical point here isn’t whether or not the people involved might have done so by other means anyway, or the legality of such sharing, it’s that the peer technology makes the process immediate, easy, transparent, and hard to detect. In addition, it might involve access by an anonymous external party without the knowledge of the hosting user.

The legal exposure of a company hosting a file-sharing network is unclear, and probably depends both on what the content is and what external policies and control structures are in place—ultimately how public the access is.

Bit 4.9 Even a “closed” p2p network might inadvertently become public.

Careless configurations, user-initiated connection to external networks, and dependencies on third-party servers all conspire to make external access possible.


This kind of exposure issue is not however a totally new consideration, because it has been applied to the situation of faxes and individual e-mail content sent (or sent wrongly) through a corporate network. The inherently automatic peer-sharing of content in most p2p clients does aggravate the situation because users can end up disseminating proprietary or sensitive content without realizing it. Just think of how often an e-mail response intended as a private reply is instead broadcast to an entire mailing list, only because the default return address used by mail clients is the usually hidden Reply-to address (to a list relay server), not the visible From address. Worse, it might carry the bulk of the thread, auto-appended as quotes to the bottom.

A further complication is the current shifting of the entire foundations for copyright protection and enforcement, which seriously puts into question even the accepted traditions of fair use. The ultimate results of this have yet to be determined, especially with regard to content sharing, but it must be realized that much of p2p technology is specifically designed to ensure “free information” even in the face of hostile content ownership regulation, censorship, and inspection. The bias, intentional or not, is therefore to facilitate exchange of any content.

Digital content has become the battleground that defines an emerging new economy based on unlimited replication at infinitesimal cost. No matter which views one has about one or the other side in the arguments about content ownership, it’s undeniable that unregulated digital content is a serious threat to those who have investments in traditional commercial content distribution systems. This issue is discussed at length in Chapter 11, where we also look at the social implications.

Exchange Liability

Part of the liability issue was highlighted by Napster’s rapid rise to popularity, mainly because of the focus on MP3 music files and the fact that users wanted to swap and collect any music files. Superficially, the case was simple:

  1. Users allowed others to download MP3 files on their system.

  2. Users could freely download MP3 files from millions of other users.

  3. Most MP3 files were recordings made from somebody’s CD (in other words, a copy of a commercial song).

From the perspective of the record labels that own the distribution rights to most of the music on commercial CDs, p2p file sharing represented content piracy on an outrageous scale. In moments of candor, current rights owners also admit to the legal interpretation that any act of copying, even for personal use, must be stopped. This restriction goes far beyond what the majority of consumers are prepared to agree to.

So, predictably, the labels did their utmost to close down Napster, along with any other service that allowed the transfer of music files over the Internet. This included sites like mp3.com, which tried to profile their services merely as a way for legitimate owners of CDs to listen to the musical content from other locations, not exchange promiscuously with others. In legal terms, this may matter little, because as mentioned, any act of copying is now (probably) seen as illegal.

Bit 4.10 Any p2p deployment must consider what the users are likely to use it for, especially when the focus is content sharing.

Taking the stance that it is the responsibility of the individual user is clearly not a viable defence, or at least not an easy one, in the current litigious climate.


Napster and other services were immediately held liable, and could be shut down, if only because of their centralized directory services. Without the directory services, there is no search and exchange service and thus no functional network. The ultimatum was that the directory owners either implement effective filters for commercial content or be shut down. The former proved impossible in the allowed time frame, so the fate for Napster-like p2p was a given. The services are instead being retooled into commercial outlets for the labels, although it’s still unclear whether the stated tight filtering of subsequent user content swapping will prove successful.

The second round of litigation centers on applying pressure to those who develop or provide software for the distributed networks that lack a central server. Several interesting client implementations being developed have already been abandoned in response to such threats.

A possible third round might involve any owners of the systems that in any way host p2p technologies capable of unlawful file exchanges. This last is where a possible, albeit not too likely, crunch can come for those who deploy sharing systems for other purposes. This is probably as good a reason as any to not completely rebuild your infrastructure into the p2p sharing model, but instead “overlay” existing functionality in a way that makes a fast retreat possible.

As broadband connectivity becomes more common, the issue of copies of movies from DVD is approaching a similar situation, with the added dimension of how such exchanges saturate Internet bandwidth with files larger by several orders of magnitude than the music tracks at issue previously. These exchanges are made over decentralized sharing networks as well, and they therefore bring additional litigious pressure to the p2p arena from the studios that own the rights to the movies.

Intellectual Property Rights

The legal dimension of content sharing is not limited to music or video, but includes commercial software, images, books, and pretty much anything. Anytime a claim to intellectual property ownership (such as copyright) is made on digital content, there is likely to be contention about what one can or cannot do with it.

Trying to manage intellectual property rights (IPR) in an electronic context presents several problems. Distribution contracts, legislation, and judicial practicalities all provide contradictory interpretations and rulings. We can deal only with the “obvious” cases to gain a minimum of insight.

Public Licensing

The simplest situation is when content explicitly states that it may be copied and freely distributed. In a more legally binding (and mind-numbing) form, we have numerous “public licenses” based on the open source and open content movements. There is little problem in such cases: it’s free, it’s fair, it’s legal. One must still be mindful of the license stipulations, however, in details such as whether the material can be distributed, modified, or used in commercial contexts.

Though not always well understood, material where the rights have expired is in the “public domain” and may also be freely copied and modified. The difficulty with supposed public domain is that additional rights might remain or might have been renewed past an expected expiry date, and different countries have different rules about this sort of thing. The copyright owner can also place material in the public domain at any time prior to expiration—such an action, at least, is an explicit declaration. Unfortunately, the aggressive threats by the commercial interests sometimes extend to what are formally public domain or fair use areas.

A practical example (and by no means unique) is the story of the not-for-profit OnLine Guitar Archive Sites (OLGA) that collected tablature notations for early guitar works. It legitimately provided a valuable cultural resource for music that was unavailable in any format. The Harry Fox Agency (representing the National Music Publishers’ Association) essentially forced the site to close down because it was impossible for the owners to prove that, among the many thousands of tablatures, there was not a single one that might be under copyright protection. Note that HFA itself made no distinction between original music and third-party notations or derivative arrangements.

A problem is that it’s often unrealistic for individuals or even companies to pursue the matter further. Under the threat of immediate closure by Internet service or presence provider (ISP/IPP) of Web site and e-mail services to an established domain, many site owners take the prudent but unfortunate route of quickly acquiescing to even outrageous demands rather than contesting the legal interpretations.

A vast range of confusion does exist with regard to content on the Internet. Whenever an explicit statement of ownership or copyright is involved, it should be honored, along with any instructions as to fair use. Most people however have a pretty casual attitude to anything published on public sites or available as download, and the attitude extends to much material within corporate networks in the absence of clear rules by management. Because of the ease of digital copying and sending copies, the step in effort and reflection from private copies for home to free copies for friends is infinitesimal. Thus it’s vital not just to clearly mark sensitive material, but also to ensure protection from casual, sight-unseen sharing by p2p clients.

Created or Owned Content

Equally simple, it would seem, is the situation with content you have created yourself or that you or your corporation own outright. Turns out it might not be that simple because ownership and distributive rights are being decoupled in new and unforeseen ways, and sometimes usage and distribution are blindly enforced by third parties.

Recall the view that all copying is illegal? This view is already being extended into the world of physical devices. For example, it’s impossible to copy minidisc MP3 recordings to a second disc, the hardware/firmware won’t let you do it—no matter if the recording is one you created yourself. In a similar vein, you might soon find that videocam recordings archived on digital media can’t be replicated on your VCR. Some new music CDs incorporate strong copy prevention, at times compromising playability on older CD-players or computers. In this case, however, Philips inserted a wrench (or spanner, in UK parlance) by contesting the right to call such a product a “CD”, a registered name that implies a certain minimum quality/playability.

Interesting times…

Media-embedded copy prevention, or “digital content management” (DCM), could spell the end of p2p content-sharing technologies, along with a number of other things we take for granted. Many media player products are already DCM-compliant. A new and different infrastructure of hardware, firmware, and legislation is growing, which, full-blown and fully deployed, could mean that any distribution or usage of digital content would require registration of creative ownership with a central content-tracking server, along with usage and distribution terms, then approval from the same server whenever it is accessed or copied—probably for a per-use fee. Unregistered content would simply be unstorable on legislation-compliant media.

For many, this scenario is a nightmare vision that negates the very idea of personal ownership and media use. Some commercial interests, on the other hand, see it as a highly desirable cornerstone for generic pay-per-use, rent-everything applicable to software, content access, and eternal revenue flow.

If this seems far-fetched or draconian, consider that it has for many years been illegal in most modern countries to play or perform music in “public” places, including background music in shops, without paying a pro rata monthly fee to the RIAA-equivalent national body that collects performance royalties for the music labels, even if the music happens to be original and the rights “owned” by the one playing, or in the public domain. The fees are totally unrelated to what is played, and are distributed centrally according to quotas set by whatever is played most often, as a rule based on radio playlists.

A curious ramification of this one-sided arrangement is that even “obvious” rights to one’s own creative efforts are eroding, the very rights that “copyright” was supposed to safeguard. I surely must own the music, art, photography, writing that I create; yet what good is that right if I can’t store any of it electronically, freely perform it in public, or distribute copies to others at my own discretion? Small wonder that creative people everywhere who realize this fact are beginning to react.

What is the current legal and social state of digital ownership anyway?

Digital Ownership and Fair Use

In the public mind, “ownership” usually has a different meaning than the strict legal sense. With material things, this discrepancy has little consequence. You buy something; you own it. Proof of ownership is pragmatically that you possess the thing—“possession is nine-tenths of the law” is, after all, the old Anglo-Saxon adage.

When I buy something, I usually feel that I can do what I wish with it. I can sell it, give it away, lend it to a friend, whatever. I can use it as many times as I wish, until it “breaks” or I no longer possess it. This practical state of affairs has applied to copyrighted material as well—think of physical books or CDs. The commercial transactions were tied to an identifiable original item, never mind that it was mass produced—it could be replicated only by expending resources beyond the means of the ordinary individual. This situation shifted dramatically in just decades.

Enter cheap, fast, ubiquitous photocopying technology. With some transitional problems, a concept of “fair use” emerged. To begin with, it was highly unlikely that anyone would mistake the copy for the original. Copying entire books was possible, but something few were likely to do and hardly for profit. Despite the undisputed legal problem, many would consider photocopying an out of print or otherwise unavailable volume a legitimate, if cumbersome, fair-use action. People did so all the time, notwithstanding compelling reasons why this might be a form of theft.

Enter electronic storage. Now an endless supply of identical copies could be produced at virtually no cost at all. Or put another way: All copies are originals. Although this lossless replication is invaluable in many ways, it caused serious disruption to the traditional interpretations of ownership.

Bit 4.11 Digital items are critically different from physical items, yet the public perception of ownership remains relatively unchanged.

It’s unclear at present whether a different view of ownership, as proposed by new DCM legislation, would be generally acceptable to the broad public.


The public paradigm is that possession equates to ownership. The application of this interpretation is simple to see. To own two copies of a book stored electronically, or a CD with favorite music, I no longer need to buy another. I just copy the file, or duplicate the CD, or alternatively make a collection of MP3 files from it. Convenient and practical, copying content for personal use is to most people perfectly OK, and it used to be considered fair use. People do it all the time without a qualm. I can have a “working copy” or several in different locations, yet keep my “original” safe. Digital technology has thus empowered ownership.

Working copies have long been standard procedure with software, even recommended, though many vendors have tried to make the practice difficult or impossible—legally, through restrictive contract licensing, as well as with various copy-prevention tricks. Buyers get upset when their perceived ownership rights are thwarted by such measures. On their part, vendors have tried to redefine the commercial transaction as first a licensing agreement, later a limited pay-for-use agreement, saying you can’t purchase ownership of the product, only a limited usage right. Digital technology is a powerful influence even here because it also makes it possible to monitor, record and restrict what people look at, listen to, read, or use.

The registered license, pay-per-use and time-limited consumption models devised to limit the unauthorized distribution of software are all rapidly entering the arena of digital content management. At the same time, the corporate holders of IPR are actively working to enlarge their rights at the expense of users.

The shift can impact deployment of p2p solutions and security in various ways.

  • What has traditionally been seen as legitimate limited copying, in the fair-use sense, and distribution of copyright-protected content can now often be successfully prosecuted as infringement of IPR.

  • New media display and storage technologies (for hardware as well as software) can incorporate both “report-home/register” and “blocking” functionality that can seriously compromise network security or seriously impair the reliable function of local machines.

  • Some IPR holders have been accused of using the questionable tactic of infiltrating public p2p networks with bogus clients that are capable of automatic denial-of-service (DoS) attacks on nodes and subnets that appear to store copyright-protected content.

The conclusion must be that as long as these free versus protected issues are being debated, deployment of p2p solutions that can be accessed from the Internet can imply significant but largely unquantifiable security and legal risks.

In most cases, individuals, organizations, and businesses tend to “wing it” and just hope the legal issue never comes to a head. Unfortunately, this behavior is based on a perception of a simpler time, when rights to fair use were easier to defend and when the formal rights owners weren’t quite as aggressive about asserting control. In some contexts, notably educational, attempts made to formalize fair-use guidelines for faculty note with some resignation that defence strategy rests on case law as a rule, but as yet no suitable cases exist to refer to that directly address educational, nonprofit fair use in the new and narrower interpretation.

For most, the projected costs of trying to contest the accusation of illegal use are such that the mere threat of litigation forces closure of the contested activity.

The Legislative Mess

In the space of only a few years, and largely as a result of the Digital Millennium Copyright Act (DMCA) legislation, the United States currently suffers restrictions on fair use of copyrighted material unknown elsewhere in the world, seriously affecting the traditional fair-use areas of criticism, comment, news reporting, teaching, scholarship, and research.

The pending Consumer Broadband and Digital Television Promotion Act (CBDTPA), formerly called the Security Systems Standards and Certification Act (SSSCA), if passed in U.S. Congress, would make that situation far more critical. In the opinion of some, it would make even the Internet as a whole essentially illegal the way it works now—see the Electronic Frontier Foundation site (www.eff.org). The criteria set out in the Act don’t require the preservation or protection of fair use, first sale, the public domain, or any of the other rights reserved for the public by copyright law. The Act would furthermore require digital-rights management mechanisms to be embedded in any “interactive digital device” to enforce compliance with the legislated ban on handling unlicensed content. This is the recording block mentioned earlier extended to all content and all devices—past, present, and future.

One might reasonably object that U.S. legislation should not apply to a borderless global medium such as the Internet. However, the rest of the world, led by Europe, is rapidly catching up with equally draconian legislation. The DMCA was after all an implementation of the 1996 WIPO World Copyright Treaty, although the WCT largely reflects American IPR interests. Besides, international compliance to U.S. laws would be automatic if DCM technology is unilaterally embedded in the hardware, firmware, and software used to access content. Analysis and circumvention of DCM would be illegal, with noncompliant foreign interests harshly penalized or prosecuted. What remains to be seen is whether this kind of legislation can be enforced, and whether it can be applied to the globally mobile user of the Internet, even assuming he or she can be reliably identified with any given content transaction.

As a side note, under U.S. law, a claim of copyright violation merits prior restraint of publication—one of the rare exceptions to the First Amendment’s general prohibition on prior restraint. Thus, even media reporting about copyright-related (or IPO) infringement could be muzzled if the climate became that extreme. There have already been tendencies in that direction in the much-publicized case after a then 16-year-old Norwegian student posted on the Internet in 2000 a program (DeCSS) that defeats the security software on DVD-formatted movies, with the intent of making DVD movies playable on platforms such as Linux that lack official support for DVD players. Detained and prosecuted by the Norwegian authorities, and sued by the DVD Copy Control Association in December 2000, the boy and his father suffered what many feel is unjust persecution, yet much of the fuss stemmed from the largely unsuccessful attempts to ban both publication of and hyperlink reference to the source code and its documentation. This case led to closure of Web sites and attempts to prosecute others who objected that they were only reporting on the situation. A comprehensive (and in parts, ironic) compilation of material specific to DeCSS and the legal convolutions around the controversy can be found at the university site www-2.cs.cmu.edu/~dst/DeCSS/Gallery/. While the DeCSS controversy is specific to the decoding of DVD recordings, it nonetheless indicates the borderline-absurd interpretational maelstrom that arises around half-baked interpretations of the new copyright laws (such as the DMCA).

Anyone interested in this arcane field of digital rights legislation can do worse than looking up the book Digital Copyright, by Jessica Litman (Prometheus Books, 2001). A part of the material can be read online at www.digital-copyright.com.

Anonymity

A legal issue seldom probed, but made relevant by the way some p2p solutions offer authenticated anonymity to both content publishers and retrievers, is that of secure personal anonymity. Is this a right, or a threat? The interesting thing about this “new” anonymity is how, when combined with the power of digital signatures based on public key encryption, it allows anyone to be both anonymous and trusted (or authenticated) at the same time. In other words, it’s possible to remain fully anonymous, yet be able to publicly prove that you are irrefutably the originator of particular messages or published content.
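The following sketch is an added example, not taken from the book or from any p2p product it describes, showing how a bare key pair can serve as an anonymous yet verifiable identity. It assumes Ed25519 signatures and a hypothetical post format; the names `Author`, `SignedPost`, `VerifyPinned` and the signing context string are illustrative only. Note that every post signed with one key is linkable to the others, which is the price of the authentication.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// signingContext is a hypothetical domain-separation label (an assumption of
// this example) so a signature made here cannot be replayed in another protocol.
const signingContext = "example-p2p-post-v1\x00"

// Author is the anonymous publisher. The key pair is the whole identity:
// no name, account or network address is bound to it.
type Author struct {
	public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// SignedPost is what circulates on the network. It carries the public key so
// a reader can verify it without any directory or certificate authority.
type SignedPost struct {
	PublicKey ed25519.PublicKey
	Content   []byte
	Signature []byte
}

// NewAuthor creates a fresh pseudonym from the system's secure random source.
func NewAuthor() (*Author, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Author{public: pub, private: priv}, nil
}

// Fingerprint is the handle readers remember ("pin") for a pseudonym:
// the hex-encoded SHA-256 of the public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// signedBytes builds the exact byte string that is signed and verified.
func signedBytes(content []byte) []byte {
	return append([]byte(signingContext), content...)
}

// Publish signs content with the pseudonym's private key.
func (a *Author) Publish(content string) SignedPost {
	body := []byte(content)
	return SignedPost{
		PublicKey: a.public,
		Content:   body,
		Signature: ed25519.Sign(a.private, signedBytes(body)),
	}
}

// VerifyPinned reports whether post was produced by the holder of the key a
// reader pinned earlier. It rejects malformed keys first, because
// ed25519.Verify panics on a public key of the wrong length.
func VerifyPinned(pinned string, post SignedPost) bool {
	if len(post.PublicKey) != ed25519.PublicKeySize {
		return false
	}
	if Fingerprint(post.PublicKey) != pinned {
		return false
	}
	return ed25519.Verify(post.PublicKey, signedBytes(post.Content), post.Signature)
}

func main() {
	author, err := NewAuthor()
	if err != nil {
		panic(err)
	}
	// Constructed sample posts.
	first := author.Publish("first report")
	second := author.Publish("follow-up report")
	pin := Fingerprint(first.PublicKey) // reader pins the key on first contact

	tampered := second
	tampered.Content = []byte("altered follow-up")

	fmt.Println("pseudonym:", pin[:16])
	fmt.Println("second post, same originator:", VerifyPinned(pin, second))
	fmt.Println("tampered post accepted:", VerifyPinned(pin, tampered))
}
```
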

Some find this new anonymity concept absolutely fabulous, putting a new meaning to the term “trusted but unnamed source”. We meet it again in the contexts of encrypted solutions, examined in Chapter 9, and of p2p journalism, which is discussed in Chapter 12. The concept of anonymity has several dimensions, an analysis of which was developed in detail for a Web context in Anonymous Web Transactions with Crowds by M.K. Reiter and A.D. Rubin (Communications of the ACM 42, 1999). They specified three degrees to any analysis of anonymity.

  • Type, which specifies sender or receiver anonymity.

  • Adversary, or who is trying to break the anonymity.

  • Degree, which may range from absolute privacy (imperceptible presence), through beyond suspicion, probable innocence, possible innocence, exposed (to the adversary), to provably exposed (to others).

Different technical solutions to anonymity plot differently in this T-A-D volume, to which we must in fairness add a fourth dimension of authenticity or trust—it’s not enough to just say an implementation allows anonymous access. An analysis must also factor in what parts of anonymity have priority, so that for example, some “adversaries” might be allowed limited insight, or it might be enough to shelter behind “probable innocence” in most circumstances.
