Monday, June 28, 2004
BayTSP Inc. - a rant about p2p
Peer to peer filesharing has become a serious problem at Rhodes this year,
in part because so many people are now doing it, and in part because most of
these people lack clue(tm). I've had to give the matter a serious amount of
thought recently, so I thought I'd share some of it.
The question I get asked most often, in one form or another, is what we do
to restrict peer to peer type filesharing at Rhodes. The short answer to
this is "not very much" — not directly at least. There are measures in
place to limit the amount of bandwidth available to people, which will have
the direct effect of limiting the amount of p2p stuff that can happen. We
also run a default-to-deny firewall, which means that if we haven't
explicitly allowed it through the firewall, it doesn't happen.
This should be the first clue ... We allow some of the p2p control ports
through the firewall. Why on earth would we want to do that?
The reasons are many-fold. The first is that peer-to-peer networking isn't
in itself illegal in any way. Nor for that matter is downloading MP3 format
audio. There are plenty of examples where both mp3 audio and p2p can be
used for legitimate, legal uses and you'd be hard pressed to find a legal
precedent that says they aren't. What may be illegal (in that it violates
copyright or other IP rights) is the content people choose to download. The
distinction is subtle but very clear — it is the difference between a
transport protocol and the content you use that protocol to transport.
Rhodes' AUP makes any content you
download your responsibility, and requires that you respect the relevant
legislation. When cases of users violating the AUP are brought to our
attention, we can deal with them and, if necessary, take disciplinary
action against them, albeit internally, and have done so on occasion. We don't however
actively police the issue, for reasons I'll go into a bit later.
The second is that many peer-to-peer type programs go out of their way to
make blocking them difficult. Short of stateful packet inspection type
filters, blocking them without affecting other, legitimate services is near
impossible. As soon as we block a known P2P port, it'll just use another.
IRC has proved this time and time again, and we have no reason to believe
(and in fact evidence to suggest) that P2P systems will do the same. Given
the sort of zero budget we, and most other institutions in our position,
operate on, we simply can't afford the types of stateful inspection
technology that'll handle the traffic volumes we process without impacting
on our ability to provide the sorts of services we do. That said, we don't
necessarily believe it is a priority either.
By blocking known p2p ports, we end up driving things underground. People
will simply work out ways past the restrictions, and we'll end up in a
position where we don't know what's going on and we don't have any useful
statistics or numbers to back things up. That said we could go the
completely draconian route and block everything. This is
the status quo on the residence network, and it works quite well. Do we
really want to do this for the rest of campus however? My personal opinion
is that we don't, because it'll ruin the sort of freedom to experiment that
makes Rhodes attractive in the first place. So what we need is to let
people do their own thing, but gently prod them in the right direction when
they're stupid about it. Which is what the quota system does.
Further to that, why should we be the police? To use an analogy, when was
the last time the Rhodes librarian stopped you photocopying a book?
Particularly if it was a book you'd taken out and had sitting on your office
desk. There are plenty of notices up in the library telling you about the
copyright act, but they don't stop you from using the photocopier. We're in
a more complicated position than this, of course, because often we don't
even own the "photocopier" — i.e. the user's computer.
In addition there is precedent to suggest that being the police is a bad
position to be in. What happens when, as it inevitably will, we miss
something — perhaps because P2P technology advances faster than our
blocking technology. Who is then liable? By taking the role of a carrier
(the same role that any ISP or telecoms player takes), we remove ourselves
from this position.
Which brings us to the heading of this post: BayTSP. For those of you who don't know,
BayTSP has been contracted by various major movie distributors (Paramount,
Warner Bros, etc) to keep an eye on their intellectual property interests on
various peer to peer networks. They trawl shared files and I suspect check
the checksums on files to determine if copyright has been infringed. They
then send a cease and desist type letter to the owner of the netblock — in
our case, abuse@ru.ac.za.
We've had lots of these letters recently — at least eight in the last three
weeks — which is a sign that things at Rhodes are getting out of hand. At
first we took them with a pinch of salt. They referenced bits of US law
(digital millennium act) and didn't really seem geared to dealing with an
international type problem. Offenders at Rhodes got a slap on the wrist and
were told not to do it again.
Things got more complicated however. BayTSP picked up on the Berne
Convention — a document that South Africa is a signatory of that outlines
international copyright law. At that point things became more serious. It
isn't so easy to ignore a cease and desist that points out bits of South
African copyright law.
The other thing that made life difficult is that people DIDN'T BLOODY LEARN.
You'd think that the first time was warning enough to at least get some
clue(tm) and go about these things with appropriate protection. Use the
right condoms for your peer to peer intercourse dammit. The worst offenders
live in Hamilton building, and yet no amount of gentle (and not so gentle)
STOP BEING SO BLOODY STUPID type messages seem to get through to them.
You'd think computer science and information systems type people would get
it. But they don't.
Anyway, rants aside, we started getting some "second infringement" type
letters which promised more dire consequences. As a result, we needed to
take things more seriously.
After much deliberation between Jody, Jacot, myself and a few other people,
we decided that the best course of action was to follow the example set by
the University of Chicago and issue a general warning to all staff and
students. The University of Chicago's Network Security Center had
obviously put a lot of thought into the matter, and had worded a rather nice
letter to their campus. We based our letter on theirs, and the result was a
circular that went out on Friday to university mailing lists and noticeboards.
All of which means that the old excuse "I didn't know" isn't going to cut it
any more. The warning letter states:
Failure to restrict p2p applications appropriately — whether you are
aware of the violation or not — will result in your machine being
removed from the network until the copyright violation is rectified. It will
also cause a report to be sent to University Human Resources Management, the
Dean of Students, or the University Proctor, as appropriate. This will lead
to disciplinary action within the University.
which might seem a bit drastic. To be perfectly honest, I'd rather not have
to send letters to the university disciplinary authorities, but the way
things have got out of hand it seems the only way to educate people.
So I guess we wait to see who has the first disciplinary hearing. We know
students can't read, so someone will probably be silly enough to ignore the
warnings.
Oh and anyone who hasn't figured out what the condoms I was referring to are
all about should read http://forum.emule-project.net/index.php?showtopic=10128.
posted by guy at: 12:33 SAST
