Enforce your AUP or the RIAA might hold you liable
by Rich Sutton, October 5th, 2007
The RIAA just won what is likely to be a landmark case in establishing the criteria for proving intent in serving copyrighted music over P2P networks. The RIAA has brought thousands of cases against individual users - this was the first one to go to a jury trial. And it raises the stakes surrounding any organization’s liability for ignoring P2P usage on their network.
This is best illustrated by example. I was reminded of a recent issue with an 8e6 customer that Tech Support brought me in on.
Our web filter blocks peer-to-peer applications via packet signatures. There are lots of good reasons to block P2P, but this customer purchased our product because their CIO was receiving emails like this (selected excerpts):
Re: Copyright infringement
Dear Sir or Madam:
I am contacting you on behalf of the Recording Industry Association of America, Inc. (RIAA) and its member record companies.
We believe a user on your network is offering an infringing sound recording for download through a peer to peer application. We have attached below the details of the infringing activity.
You should understand that this letter constitutes notice to you that this network user may be liable for the infringing activity occurring on your network. In addition, under the Digital Millennium Copyright Act, if you ignore this notice, your institution may also be liable for any resulting infringement.
This is an automated message sent out from the RIAA by software that traverses P2P networks looking for copyrighted works. The software is provided by MediaSentry, which was acquired a few years ago by SafeNet.
The software appears to use the name of the file to determine if it’s a copyrighted work, then (I’m guessing), using the IP address of the computer hosting the P2P node, does a WHOIS lookup to discover the administrative contact for the network block that the address is in, and sends this email to that person. In the case cited above, Comcast owned the netblock, so they just identified the user to whom the address was allocated at the time of the detected infringement and sent the RIAA on its merry way.
Our customer, however, is a higher education institution. Liability can’t be so easily forwarded down to a paying customer. The “paying customers” are usually the parents of the kids in the dorms who installed the P2P apps on their laptops and connected them to the school network. I guess they could just forward the emails to the parents, Comcast-style, but I’ll bet the parents feel like the school has some obligation to assist.
Our customer called because they were seeing more and more traffic on their network. They were concerned about capacity planning; did they need to buy more hardware to continue to cover their bandwidth usage?
The account team and Tech Support team dug into this problem. Why are they seeing more traffic? Maybe they underestimated their user-to-filter ratio. Maybe they have more students or more computers and simply need to add to or upgrade their hardware.
But the truth came out when we talked to the tech: P2P traffic on their network is steadily rising. And it’s rising because they can’t enforce their acceptable use policy (AUP) as broadly as they would like. The Internet is a critical learning tool. Tests and homework assignments are doled out on the Internet. You can’t just shut the kids off, or their grades might suffer, and then their parents will be unhappy, and the parents write the checks.
This is exactly the difference between customers that use our technology successfully and those that don’t. When customers enforce their AUPs by taking any number of well-known and proven steps, the good kids get the message and stop breaking the rules. The bad kids are the bad kids and you’ll always be fighting them. But the vast majority of kids (and adults for that matter) want to play by the rules and don’t want to get in trouble. Kids don’t always understand the consequences of their actions, because they’re kids. Sometimes you have to make the lessons hard-won for them.
So I believe the best answer to this is to get the parents invested in the problem. Show them the letters and explain to them the liability that they, the student and the institution share. The RIAA has brought more than 20,000 lawsuits since 2003, and almost all of them have ended in summary judgment in favor of the RIAA. Once the parents understand, they’ll get the kids in line as much as possible, and the amount of P2P traffic that your web filter has to block will go down. And all of that adds up to less cost for you.
A family friend of mine recently sent his daughter to Vassar. As part of the orientation, the school held a parents-only session to explain the AUP and inform the parents about the inherent liability in letting the kids run P2P on their computers. Sounds like a start.
