Alternative Measures and illicit (P2P) file sharing: enforcement issues. Allard Ringnalda Willem Grosheide CIER

Transcription

1 Alternative Measures and illicit (P2P) file sharing: enforcement issues Allard Ringnalda Willem Grosheide CIER

2 Outline What are technical measures Why would we need them Three practical enforcement issues Legal framework Desirability from an enforcement perspective

3 Technical measures? TPM? ISP Filtering? UK: s. 124G (3) Communications Act 2003 (as amended): A technical measure is a measure that (a) limits the speed or other capacity of the service provided to a subscriber; (b) prevents a subscriber from using the service to gain access to particular material, or limits such use; (c) suspends the service provided to a subscriber; or (d) limits the service provided to a subscriber in another way.

4 Enforcement Regulatory measures: aimed at correcting behaviour deterrent, retribution (punishment, compansation of damages, but aimed at deterring/preventing), retrospective Traditional: criminal, civil (damages) Alternative: three strikes Technical because of nature of sanction Technical measures: techno-prevention not retroactive, aimed at making infringement impossible. TPM, encryption etc. ISP filtering and blocking

5 Three strikes-approaches Three strikes/gradual response France: criminal sanction UK: possibly self-regulatory with statutory basis

6 Why three strikes? Warnings thought to be effective Digital Entertainment Survey 2008, 2009: 70% -> 33% US: 70-97% (sanction mentioned) Sanctions thought to have preventive effect Little evidence

7 Benefits of three strikes Essential condition: three strikes works because the chance of being sanctioned is very high: deterrent Sanction can be imposed in for all file sharers: proportionality Sanctions can easily be enforced Three strikes is thought to have an educative effect But is enforcement more effective?

8 Three steps in enforcement 1. Detect infringements, initiate procedure 2. Identify infringer 3. Send warning, impose sanction

9 (1) Detecting infringements Gather and log data required for enforcement IP address Time of infringement Work How to detect? Monitoring Automated scanning of network traffic (access provider) Monitoring companies (MediaSentry, DTecNet, Trident) Connect to users (trawling) Creates logs, generates warnings/notices Already done on large scale (12-17%, 2008) But: two practical issues

10 Monitoring issue 1 False positives (no infringement) Method of monitoring Indirect: tracker notification, no exchange Direct: actual exchange of data What to look for File names Fingerprints/hash code Download content/match (Audible Magic)

11 Monitoring issue 2 Avoiding detection user responses to monitoring Avoid tracker: DHT, PEX VPNs; proxy servers (BTGuard) Monitoring works only in public networks, such as BitTorrent: move to private networks (F2F, index website) RapidShare; Limewire Web based/streaming Anonymous ( anarchic ) networks: Mute Encrypted/hidden IP address Darknets : encryption of traffic data Detect IP addresses of trawlers: avoid, blacklist Studies suggest relation between lawsuits and development of such alternatives

12 (2) Identification ISP need to link IP address to a subscriber But subscriber need not be infringer: IP address may be shared by multiple users, use may be unauthorised (wireless networks) or public (hotspots); identity theft Solutions? France (originally): duty on subscriber to monitor connection use UK: subscriber is liable Reversal of burden of proof Record additional data (OS, physical device fingerprinting)

13 (3) Imposing measures What type of procedure should be followed? Civil/self-regulatory (UK) Criminal (France) EU Telecoms package Member States wishing to implement measures regarding end-users access to and/or use of services and applications must respect the fundamental rights of citizens, including in relation to privacy and due process, and any such measures should take full account of policy goals defined at Community level, such as furthering the development of the Community information society (2009/136/EC, (29))

14 (3) Imposing measures due process EU Telecoms package (cont d) Any of [the] measures [taken by Member States] regarding end-users access to, or use of, services and applications through electronic communications networks liable to restrict [ ] fundamental rights or freedoms may only be imposed if they are appropriate, proportionate and necessary within a democratic society, and their implementation shall be subject to adequate procedural safeguards in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms and with general principles of Community law, including effective judicial protection and due process. Accordingly, these measures may only be taken with due respect for the principle of the presumption of innocence and the right to privacy. A prior, fair and impartial procedure shall be guaranteed, including the right to be heard of the person or persons concerned, subject to the need for appropriate conditions and procedural arrangements in duly substantiated cases of urgency in conformity with the European Convention for the Protection of Human Rights and Fundamental Freedoms. The right to effective and timely judicial review shall be guaranteed. (2002/21/EC, art.3a)

15 (3) Imposing measures Procedure must provide for safeguards of due process and privacy But: legal obstacles Admissibility of evidence? Statutory provision for monitoring by authorities needed? Civil/criminal procedure? Private monitoring permissible? Private detective agencies permitted? Therefore: elaborate procedure required

16 Legal issue: privacy Traffic data (IP addresses) need to be retained by ISPs Store and disclose Art. 6 E-privacy directive: no storage Art. 15 allows exceptions to be made Promusicae: fair balance Personal data Processing: gathering (monitoring), disclosing, blacklisting May require statutory basis; safeguards

17 Synthesis Extensive prior procedure may be required Fairness, safeguards Privacy Automated monitoring not sufficient: false positives Identification of infringer requires additional investigations Not technology neutral (easily avoided) It seems that alternative technical measures are not as easily enforced as expected

18 What remains of three strikes? ATM can still be used to combat those responsible for most of the content in file sharing networks Study of INRIA (2010) Disrupt networks Transactional watermarks Evidence of infringement Limited to uploaders

19 Future of combating file sharing Presumption proved to be false Back to normative question: prevent or repress? What is legitimate? Repress = regulatory measures Type of procedure Surveillance duty Privacy Effective protection of copyright Prevent = technical measures Possibility of abuse Monitoring of network traffic Or something completely different?