P2P Threats Call In The Copyright Cops

Jan 25, 2008 (07:01 PM EST)

The pervasiveness of digital media has changed the nature of the intellectual property game and, to a large extent, perception of the issue among users. A poll we conducted recently on a Northeast college campus highlights the dichotomy: While 85% say copyright pirates are criminals, 76% believe it is legal to share copyrighted music files with friends if the music has been purchased legally. This wasn't a trick question, and it illustrates the need for corporate IT groups to issue clear policies on all copyrighted material, both internally produced and what may be brought onto your network.

9 Ways To Stay Out Of The RIAA's Sights

1. Ensure that your organization's IT policies explicitly forbid unauthorized hosting or sharing of copyrighted material. Period.
2. Include warning language to that effect on guest machines and guest wireless if provided.
3. Provide user training on copyright and fair use. Materials are available from industry groups, the Electronic Frontier Foundation, and others.
4. Lock down computers you control to regulate user-installed P2P apps.
5. Get help from perimeter defenses: network access control systems, packet shaping tools, and other security apps often provide P2P filtering.
6. Check to see if you need a specialized system from one of the RIAA's three recommended vendors or other alternatives.
7. Assess whether your operation could be classified as an Internet service provider; currently, educational institutions are under that umbrella, but as others start to offer ubiquitous Wi-Fi, the definition is expected to broaden.
8. Review peer organizations and assess the likelihood your shop may be targeted for investigation.
9. Discuss your risk exposure with corporate counsel and develop a response plan ... before an industry group knocks on your door.

Think that because your company produces lattes, not IP, you're off the hook? Say you oversee IT for a chain of coffee shops providing free Wi-Fi. What's your legal responsibility for policing the infrastructure for copyright violations?

It depends on whom you ask.

According to the Recording Industry Association of America and the Motion Picture Association of America, their member companies, and the artists they represent, as well as U.S. and some international law, your company is liable for any file sharing of copyrighted material on its network. If you provide Internet access and are defined as an Internet service provider, you can either provide legal authorities with the identities of copyright violators or be culpable yourself. Educational institutions are under that ISP umbrella, and municipalities that offer Wi-Fi are now in the RIAA's sights. Closed corporate networks are not considered ISPs--for now, anyway--but that doesn't mean you're immune.

One vendor rep interviewed for this story, who asked to remain anonymous, made it clear that his company's marketing plan has two faces, one touting peer-to-peer and copyright enforcement aimed at the educational, public, and small- and midsize-business markets, and a second pitch focusing on data leakage risks associated with P2P platforms for corporate clients. "I have never met with a large company that has been named in an RIAA suit," he says. "You draw your own conclusions."

First, some background. In 2003, the RIAA attempted to use a subpoena provision of the 1998 Digital Millennium Copyright Act, or DMCA, to require that Verizon provide the name of a customer allegedly engaged in P2P file sharing. Verizon challenged the ruling of a lower court and won on appeal, setting precedent that reduced the subpoena power of the DMCA. As a result, the RIAA now files so-called "John Doe" lawsuits to determine the identity of an ISP's users; it then files a separate copyright infringement suit directly against those users. The RIAA has brought more than 25,000 lawsuits as part of its campaign to reduce piracy.

Section 504 of the Copyright Act, from Title 17 of the U.S. Code, recognizes three forms of damages: actual damages, infringers' profits, and statutory damages. The Copyright Act gets its teeth from automatic statutory damages above and beyond the loss or profit that may have resulted from, say, sale or purchase of a protected song. Penalties of $750 to $30,000 per instance add up quickly: A federal jury ordered payment of $220,000 against a single person in a case involving 24 songs. That's $9,250 a pop. With that level of potential risk, most ISPs and schools have been quick to disassociate themselves from alleged copyright offenders, coughing up names for associated IP addresses with little fuss. Most users who are implicated settle rather than go to court.

The bottom line for enterprises here is that industry organizations have thus far mostly chosen to go after the low-hanging fruit: individuals on public networks and campuses. But some schools, notably Harvard and the University of Oregon, are standing up to the RIAA, causing it to expand its range. For example, the move to free municipal Wi-Fi service in a number of communities has resulted in subpoenas levied at towns and cities as anonymous users download copyrighted content. The question of who's accountable if file sharing occurs within a private company is still open. However, considering the number of discovery requests already pending in most enterprises, you don't want your company to be a case study.

chart: Should copyright pirates be prosecuted?
For companies whose business is intellectual property, this issue hits home as well. IP theft is on the political agenda, in the form of the Prioritizing Resources and Organization for Intellectual Property Act of 2007, which seeks to beef up policing of IP theft. The bill's sponsors peg the worldwide cost of counterfeiting and piracy at $500 billion to $600 billion a year in lost sales, $200 billion to $250 billion of that in the United States. Last year in Davos, Switzerland, the World Economic Forum hosted a session called New Frameworks for Tackling Digital Piracy to assess the global impact of media piracy. Its conclusion: Technology has facilitated IP theft, and it will be key to solving the problem as well.

Legal issues aside, control of unauthorized file sharing is in the best interest of businesses. P2P apps tend to be inconsiderate, gobbling bandwidth to the detriment of mission-critical network traffic. This applies at the macro level as well; Comcast took some heat last year for throttling Torrent traffic on its backbone. The FCC is investigating Comcast's network management policies and techniques at the urging of privacy and Internet-rights advocates, looking to assess what practices constitute management versus censorship. Meanwhile, AT&T has announced that it will develop and deploy technology to filter illegal traffic on its network while maintaining customer privacy; details are still to come.

While the ability of an ISP to effectively limit or restrict specific types of traffic is under debate, enterprises with closed, private networks don't have to engage in semantics. Technology is available now to make sure you don't become an object lesson.


The Motion Picture Association, the RIAA, the Electronic Frontier Foundation, and numerous advocacy groups offer free education packages that provide a good base for end-user training.

The RIAA recommends three vendors for network monitoring and traffic screening: Audible Magic, Enterasys, and Red Lambda. All offer software to manage P2P traffic in the enterprise, but each takes a slightly different approach to reducing file-sharing traffic.

Red Lambda's Integrity runs on the company's cGrid architecture and spreads detection of file sharing and P2P offenders across existing resources as part of the Red Lambda security suite. Integrity's sales pitch is that cGrid leverages surplus server cycles as needed to detect and mitigate file sharing. Red Lambda's cGrid grew out of the University of Florida's Icarus project and is designed to scale. Integrity starts at $10 per seat, with volume and educational discounts available. Ongoing support is 20% of the initial purchase price.

Enterasys' Secure Networks Dynamic Response isolates and categorizes P2P incidents, tagging the user and reconfiguring the network as required to penalize machines exhibiting behavior that violates policy. Dynamic Response is designed to work with either Enterasys Dragon security appliances or other third-party security event detection products. Enterasys says it views Dynamic Response as a complement to traditional packet inspection and edge defense offerings. The product starts at $19,995.

Audible Magic ups the ante by finding copyrighted material based on digital fingerprints. The company says its CopySense technology won't be fooled by compression or distortion as it scans the contents of a file rather than looking for metadata or telltale watermarks or embedded tags. In addition to the education market, Audible Magic has a number of municipal customers protecting large-scale public Wi-Fi deployments. The company also hosts an enormous content registry--the CopySense appliance relies on a growing database of more than 6 million copyrighted works to validate music, video, and software.

We see Audible Magic as holding the most promise for accuracy and limiting false positives, but we haven't tested the platform in our lab. Our biggest concern would be efficacy versus encrypted data streams. Audible Magic's pricing model is tied to monitored bandwidth, starting at $5,000 for a T1 and going up from there. Annual support and maintenance run 20% of purchase.

chart: ignorance of the law?
If you're concerned about piracy of your self-produced software or digital media, companies like Arxan Technologies can help implement DRM to secure intellectual property at the binary code level. Active filtering tools from Astaro, Blue Coat Systems, Websense, and others enable you to intercept file-sharing traffic at the edge of your network. Packeteer and other bandwidth shapers offer granular control and analysis at the packet level to sift TCP and UDP flows. All of these vendors continually update their signature files and detection methodologies as new P2P variants emerge.

If there's no room in the budget for specialized software, established strategies, such as locking down the desktop, stateful traffic monitoring, storage analysis, and gateway filtering, still make sense. Often, the functionality exists in your existing security infrastructure to block P2P. Heck, even basic virtual LAN ACLs may minimize illicit internal file sharing without impacting access to legitimate resources.
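As an added illustration (not code from the article or from any vendor it names), here is the kind of fan-out heuristic that stateful traffic monitoring can apply to flow records without any signature: an internal host that contacts many distinct peers on high ports over both TCP and UDP is flagged for review. The sample flows, thresholds and well-known-port list are constructed assumptions.

```python
# Added illustration: a peer fan-out heuristic over constructed flow records.
# Not the method of any product named in the article; thresholds are assumptions.
from collections import defaultdict

# Constructed sample flows: (src_ip, dst_ip, proto, dst_port).
# 10.0.1.5 talks to many distinct peers on high ports over TCP and UDP
# (the shape this heuristic flags); 10.0.1.7 and 10.0.1.8 are ordinary
# HTTPS and SMB clients; 10.0.1.9 is a busy TCP-only client.
SAMPLE_FLOWS = (
    [("10.0.1.5", "203.0.113.%d" % i, "udp", 6881 + (i % 10)) for i in range(1, 31)]
    + [("10.0.1.5", "198.51.100.%d" % i, "tcp", 40000 + i) for i in range(1, 31)]
    + [("10.0.1.7", "10.0.0.10", "tcp", 443) for _ in range(50)]
    + [("10.0.1.8", "10.0.0.11", "tcp", 445) for _ in range(20)]
    + [("10.0.1.9", "192.0.2.%d" % i, "tcp", 50000 + i) for i in range(1, 26)]
)

# Assumed list of services whose traffic is ignored by the heuristic.
WELL_KNOWN_PORTS = {25, 53, 80, 110, 143, 443, 445, 993, 995}


def peer_fanout(flows):
    """Map each source host to the distinct peers it contacted on ports
    outside WELL_KNOWN_PORTS, split by transport protocol."""
    fanout = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for src, dst, proto, dport in flows:
        if dport in WELL_KNOWN_PORTS:
            continue
        fanout[src][proto].add(dst)
    return fanout


def flag_p2p_candidates(flows, min_peers=20, require_both_protocols=True):
    """Return (host, distinct_peer_count) for hosts whose high-port peer
    count reaches min_peers. Many P2P clients use both TCP and UDP to many
    peers, so requiring both protocols cuts false positives from, for
    example, a single busy web or update client."""
    hits = []
    for host, peers in peer_fanout(flows).items():
        total = len(peers["tcp"] | peers["udp"])
        both = bool(peers["tcp"]) and bool(peers["udp"])
        if total >= min_peers and (both or not require_both_protocols):
            hits.append((host, total))
    return sorted(hits)


if __name__ == "__main__":
    print(flag_p2p_candidates(SAMPLE_FLOWS))
```

Relaxing `require_both_protocols` shows the trade-off: the TCP-only host is then flagged too, which is the false-positive risk the article's bandwidth-shaping and filtering vendors address with signatures and fingerprints.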

There are legitimate uses for peer-to-peer traffic and distribution of media files. To paraphrase, P2P apps don't pirate music, people pirate music using P2P apps. Still, IT pros should apply reasonable effort to lock nonbusiness P2P file-sharing applications off the network--better safe than sued.
