Ole asserts that there are two key infotainment revenue streams that content providers, such as ISPs, maintain: the $150 Cable TV stream and the $50 Internet stream. Given that content providers are required to redistribute some of the $150/month to content creators (often between 0.40-0.50 cents of every dollar collected), Ole argues that ISPs should be similarly required to distribute some of the $50/month to content creators that make the Internet worth using for end-users. Unstated, but presumed, is a very 1995 understanding of both copyright and digital networks. In 1995 the American Information Infrastructure Task Force released its Intellectual Property and the National Information Infrastructure report, wherein they wrote;

…the full potential of the NII will not be realized if the education, information and entertainment products protected by intellectual property laws are not protected effectively when disseminated via the NII…the public will not use the services available on the NII and generate the market necessary for its success unless a wide variety of works are available under equitable and reasonable terms and conditions, and the integrity of those works is assured…What will drive the NII is the content moving through it.

Of course, the assertion that if commercial content creators don’t make their works available on the Internet then the Internet will collapse is patently false. As written about by Middleton in “What if there is no killer application?“, an early study in Littleton about how individuals use high-speed networks in the mid-90s found that customers were most engaged with amateur content production (i.e. that of their neighbours) and entranced by the communicative possibilities made available through broadband (i.e. e-mail and mailing lists). In essence, from this we can suggest that the empirical study demonstrated that the ideological and financial values placed on commercial cultural artifacts by bureaucrats and commercial content producers is less obvious than they (loudly) state. Further, the value of commercial content is arguably diminished even more in an environment where people spend increasing amounts of time engaging with the generative elements of the Internet, often referred to as amateur-dominated social media environments. In essence, the undertone that ISPs can only sell their data transmission services because of commercial content is at the very least shaky, and more likely to be empirically unsupportable if posed as a strong correlation between the value of transmission capabilities and commercial content availability.

Depressingly, Ole believes that a broadcast-based (historical) business model should be imposed on ISP transmission-based companies in an effort to regenerate the value of their (now somewhat devalued) intellectual properties. Specifically,

The ISP business model for the Internet could and should mimic that of Cable/ TV. Modern technology allows the ISP to identify what content is being used and then they can allocate the appropriate share to the creator or supplier of that content.

This would put ISPs in the situation of somehow being liable to the collection societies, and also require substantial telecommunications investment in labour and sunk capital to establish an (ineffective) network surveillance policy designed to monitor the amount of copywritten content flowing across Canada’s networks. Most likely, such a proposal would turn ISPs into content police and require the use of some kind of packet inspection equipment to survey Canadians’ data traffic, pick out that which is believed to be infringing, and pay some kind of monthly tax for the transport of customers’ content. This amounts to a suggestion that ISPs become content police on the basis that only by doing so would they evade being identified as encouraging copyright infringement. Ole is intimating that ISPs must implement surveillance one the networks if they are to avoid third-party liability.

There are systems on the market that claim they can analyze data traffic to develop ‘piracy’ indexes. CView is used by Virgin in the UK (though we’ve no idea how effective it is) and Audible Magic has been successful in forcing some ISPs and campuses to adopt their technology. In most cases, such content analysis technologies require the offloading of data traffic suspected of being infringing in high-traffic networks, doing a one-way hash of the data, checking the hash against known copywritten files’ signatures, and then aggregating the overall amount of infringement and particular cases of infringement on a per-file basis. This is substantial overhead for any party, especially one that is just trying to move data from one place to another. Moreover, any such massive dragnet analysis of content raises real questions of whether ISPs could then be considered ‘transport’ facilities; while presently there is substantial monitoring for particular protocol types, Canadian ISPs are not searching for particular content-types. This is an important distinction, insofar as ISPs can understand what application-types are generating traffic on their networks but not what those application-types are actually being used to transmit and receive. For all Canadian ISPs know, Canadians might have some strange obsession with massive downloading and sharing of Linux .ISO files and the entire Canadian population actually avoids downloading copywritten music.

There continue to be doubts concerning whether any kind of massive copyright-analysis engine could work – prominently by companies that actually sell the solutions and those that would be responsible for deploying these fears – and further whether such engines could ever competently detect fair use/fair dealing of some material. YouTube’s algorithms are relatively notorious for censoring uses of copywritten material falling under fair use and fair dealing provisions; what guarantee do citizens have that any algorithmic surveillance and monitoring system deployed on communicative networks would avoid the YouTube problem? Should the content creator-owner get restitution for fair dealing of works? How would this be adjudicated – by determining where the data was to and from (i.e. if to an educational institution, we must assume that it’s for fair dealing research purposes) or on a case-by-case challenge basis? Moreover, doesn’t the provision of funds for fair dealing uses modify the provisions of fair dealing, insofar as content creator-owners would receive a fiscal benefit even for fair dealing whereas presently fair dealing falls outside of their revenue traps?

Of course, even the suggestion that Canadian ISPs should be required to cough up money to content creator-owners is absurd in the face of a recent Federal Court of Appeals ruling that asserted that ISPs are not broadcasters. The question of ISPs’ status was punted to the Court by the CRTC, who wanted judicial guidance before it proceeds to determine whether ISPs can be legally required to establish copyright levies. Since ISPs fall under the Telecommunications, and not Broadcasting Act, they are seen as solved involved in providing,

the mode of transmission, they have no control or input over the content made available to Internet users by content producers and as a result, they are unable to take any steps to promote the policy described in the Broadcasting Act or its supporting provisions. Only those who “transmit” the “program” can contribute to the policy objectives.

Under this decision, so long as ISPs are not involved in discriminating against any particular content and thus making an input into the content made available on the Internet to and by users (i.e. so long as Canadian ISPs adhere to a form of network neutrality), any levy-based system is dead. The very system that Ole is advocating for has already fallen before the Court of Appeals.

Now, out of all of this, we might be expected to feel poorly for the content creator-owners that depend on selling and licensing content for their commercial success. I think that if we look at the history of these companies’ digital involvement, however, we quickly disenchant ourselves of this position. Major labels refused to license recordings to Napster and subsequently engaged in what Jessica Litman refers to as a process of “suing upstart new businesses into bankruptcy” to try and stem the Internet as a disruptive factor in their businesses. This saw content creator-owners financially assassinate Napster, Scour.com, iCraveTV, RecordTV, mp3.com, Aimster, Grokster, Streamcast, KaZaA, and others. Authors have gone after Google for the mere action of scanning books for search index purposes, a purpose that would enable authors to sell additional texts when the texts appeared through a Google book search. That the copying a text, even for fair-use purposes, is grounds for massive legal obstruction speaks volumes of content creator-owners general willingness to genuinely deal with the digital reality they are immersed in. Broadly, instead of working to establish a marketplace for digital manifestations of content creator-owner works there have been, and continue to be, mass efforts to shut down marketplaces that don’t grant total control to content owner-creators and their associated companies. As such, customers have become used to going to illicit sites that offer superior selection with fewer restrictions than label offerings. This indicates a failure in big content’s rent-seeking business model and the truth that modern customers are rational economic actors. It does not indicate that ISPs are somehow required to prop-up a rent-seeking model, nor a moral deficit on the part of customers.

Labels were, and remain, in a state of ontological insecurity that accompanies their plunging into a decade-long existential crisis: how can they maintain their rent-seeking behaviour in the face of disruptive technologies. Answers to this existential question are out of reach of most companies on the basis that their perception of the world markets preclude taking risks that could see a (necessary) cannibalization of short-term revenue streams for long-term survival. Unfortunately, while adherence to historical models was effective last decade in colonizing their futural existences – in assuring them of how to approach the world and guarantee particular revenue streams – that old model leaves them grasping at new rent-seeking behaviour instead of adopting novel business strategies. While we can all appreciate just how devastating existential crises can be on a personal level, when we consider the multi-billion dollar record industry we tend to have far less sympathy. Just as you or I are unable to let a crisis linger for a decade – we go to a therapist, get straightened out, and get back on our way – neither can these companies. At best we might feel pity as we watch them wallow in their crisis. At worst, we fear what they might crush as they roll around on the ground like starving dinosaurs and demolish other elements of civil society in their throes of panic and fear aimed at extinguishing the generativity seen as endangering their ontological security. They’ve already made a mess of copyright and cultural transmission possibilities; let’s hope they don’t damage the conditions of democratic communication itself while they’re working out their problems.

Other posts you might be interested in:

1. Comment: Canadian ISPs and Internet Traffic Management
2. Update: Associating Canadian ISPs with Anonymized Data Traffic Submissions
3. Deep Packet Inspection: What Innovation Will ISPs Encourage?

The COUNTER project is a European research project exploring the consumption of counterfeit and pirated leisure goods. It has a series of primary research domains, including: (1) frequency and distribution of counterfeits; (2) consumer attitudes to counterfeit and pirated goods; (3) legal and ethical frameworks for intellectual property; (4) policy options for engaging with consumers of counterfeit; (5) the use of copyrighted goods for the creation of new cultural artifacts; (6) impacts of counterfeiting and control of intellectual property.

What quickly became evident in the course of conference presentations was that there was a relative dearth of reasonable, well-articulated, and non-partisan work devoted to unearthing empirical data about how consumers engage with ‘illegitimate’ sources of content prior to the COUNTER researchers beginning their European data collection. Even where legitimate data sources existed (e.g. OECD data on counterfeit goods) there was rarely a common standard for gathering and archiving that data (e.g. do you measure counterfeit items by discrete number of items, number of shipping containers, street value, manufacturer value, etc.). These issues stemming from data collection were noted by the COUNTER Project Coordinator, Dr. Jo Bryce, as well as the representative from the European Union’s Intellectual Property Unit, Phil Lewis. The latter, in particular, noted the importance of establishing observatories that could gather data and statistics about the use and transit of pirated works, information that could subsequently be used to change public perceptions and attitudes to the usage of infringing works. The EU representative, and the parties he has been working with, are particularly interested in preventing infringing content from ever getting to the ‘net in the first place, though stated in response to a question I raised that deep packet inspection is not something that they are presently thinking of including in their observatories. Their unwillingness to use the technology stems from the fact that they might be unable to legally use it for data surveillance and, even they could use it legally, are uncertain that they want to adopt this mode of data collection.

Dr. Bryce identified consumer behaviour as the problem – or, in other words, the driver – of the the trafficking in counterfeit and pirated goods. Partially as a result of the disorganized responses to infringing uses of content, enforcement and education mechanisms alike have been largely ineffective in stemming the traffic of counterfeited goods or illicit trading in copywritten works. Her research found that while consumers tend to adopt various ethical perspectives on why file-sharing is socially acceptable, by educating consumers on the challenges transit of infringing intellectual properties imposes on individuals working in content generation industries it is possible to reduce consumers’ inclination to engage in file sharing. Moreover, her work noted that the content industries have lost a great deal of consumer trust and remain opaque organizations; consumers need to trust and appreciate the bodies generating content if content industries are to develop a positive relationship with their customers. This need for openness and transparency was regularly noted throughout the conference, though some academics and industry representatives alike dismiss the need for a positive relationship to exist between consumers and content production industries.

In a panel on consumer perspectives on downloading, empirically grounded research was provided to express the position of consumers in relation (primarily) to peer-to-peer filesharing. Emergent from the research presented, we found that consumers actually have a decent intuitive understanding of the world of filesharing, insofar as they differentiate between copyright infringement and stealing. Perhaps worryingly, researchers, consumer advocates, and rightsholders alike (and this is true across much of the conference) struggled with notions of enforcing copyright. Precise concerns and solutions varied, but we regularly heard ruminations about methods to impress upon consumers the moral right to copyright, numbers of ‘coercive impacts’ required to adjust behaviour, need to introduce copyright education to parents and into schools, and so forth. As it stands, research showed that most filesharers fail to see their actions in a moral light and are unworried about the possible consequences of being caught. Effective enforcement, members of the content industries and academics alike noted, requires there being a 10% chance of being caught. As it stands today, enforcement techniques are limited by:

• judicial resources;
• lack of clear sanctions;
• failures in educations (i.e. what does/doesn’t constitute infringing use);
• poor marketing campaigns;
• the use of generic, over specific, messages.

Emergent from this session it was evident that a key issue facing rights holders, and the advocates of rights holders, is the cultural and legal differences that impede uniform positions on copyright. In particular, differing nations adopt differing legal positions concerning downloading, uploading, the degree of criminality of file sharing, and so forth. One academic tried to make the boldfaced equation of copyright infringement and theft…it left him in a very hostile room, and arguably weakened the likelihood that his data will be adopted more widely into the literature.

In a panel where industry experts spoke of the harms caused by file sharing and counterfeit goods – damages ranging from 200 million pound a year, to 43 billion Euro lost in 2008, to equations of counterfeit with organized crime – a member of the audience asked: where is this money going? The thrust of the question was that consumers are choosing to allocate their monies to different areas of the economy, and so assertions that any economy was seeing a removal of monies is only true when economic sectors are seen in absolute isolation to one another. The complexity of the copyright environment, and its necessary interelation with a much more substantive socio-economic domain, should require the content industries to engage in holistic surveys if those surveys are to carry weight amongst critical audiences. Members of industry uniformally lacked such holistic surveys.

I sat in a panel on deep packet inspection – the draft of my paper that touches on deep packet inspection as it related to privacy and freedom of expression has been made available – alongside Klaus Mochalski of Ipoque and Paul Polanski, Director of Electronic Publishing for C.H. Beck Publishing. Klaus noted the capacities of Ipoque’s equipment (and inability for DPI to be used for totally effective inline copyright filtering) and Paul the problems surrounding ISP liability that arise when DPI is used for copyright enforcement purposes. Both were excellent speakers, and all three of us recognized the dangers that DPI threatens to pose for essential liberties in constitutional democracies. On a more personal note, it’s moderately disconcerting about speaking to Brits about the value of privacy, and harms of surveillance, and it felt nice to try and articulate the position that constitutional rights are more important than copyright. The latter position, in particular, wasn’t well received by representative of the content industry in the audience, but was certainly something that needed to be said more regularly than emerged over the course of the conference.

Arguably the most heated session I attended was the last session of the conference, the three strikes panel. It drew together academics, an ISP representative, copyright holder advocates, authors, and a member of the Pirate Party. There was an almost all out assault on the controversial sections of the UK’s Digital Economy Bill, with Richard Mollett of BPI (yes, that Richard Mollett) becoming the punching bag of the panel and audience. Mollett is the directory of policy for BPI and was clearly used to working in hostile rooms, but the vitriol was between members of the panel was particularly thick. Vanessa Mortiaux, Senior Legal Counsel for Orange, made very explicit that Orange was entirely against any requirement that ISPs monitor for copyright enforcement. To the detriment of the panel, however, there was almost exclusive focus on the Digital Economy Bill, to the point where the broader issue of three-strikes was largely implicit, rather than explicit.

Overall, the conference was excellent. It drew together academia, industry, and civil society in productive ways, though largely absent were the actual content creators we were so often speaking about. Consumers were (I would suggest) well represented by the consumer groups and large division of the Pirate Party (local UK, Swedish, and EU levels being represented) present at the conference. I was, however, largely disappointed with attempts to shuffle copyright from an economic privilege to a moral right and the commonly espoused unwillingness to think through the potential harms that threaten to follow from further augmentations of copyright ‘protection’. Admittedly this speaks to my own personal interests – I’m insatiably curious about how economic privileges threaten to upset and disembowel constitutional protections given my own academic background – but also to a culture of what might be called ‘copyright blindness’, where copyright blinds us to the larger issues at play in the copyright debates.

Depressingly, it isn’t that my position is unique or shared only by a handful of people; informally most academics and academically-trained people that I spoke with at the conference were in agreement that the potential harms of copyright must be carefully, and seriously, considered. Publicly, however, this worry and accompanying strong language demanding a rethink of the present copyright regime was largely absent from conference presentations. There were only a few strong voices addressing copyright in light of the larger social good, and while they were (arguably) positive beacons it would have been nice to have much of the ‘informal’ consensus be more formally presented to rightsholders and other members of the conference. Having said this, generally the research presented was well-rooted in rigorous methodological techniques, and perhaps this research might be adopted and leveraged by policymakers in their ongoing engagements with copyright, content producers, and the public. My expectations, however, are less positive: I fear that the work of the COUNTER research project will remain sheltered in academia, sequestered from the public, and consequently ineffective in reshaping the copyright debacle in but the most limited of fashions. Hopefully this is a case where academia can successfully puncture the academic/public divide and breech the public policy debate, but I’m not holding my breath.

Other posts you might be interested in:

1. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities
2. Universities Struggle to Cope with Anti-Piracy Requirements
3. Thoughts: P2P and Complicity in Filesharing

I’m composing the beginning of this article to the sounds of Girl Talk’s ‘Like This’ from his Feed the Animals album. His artistic technique is to take very short samples from a variety of artists – twenty-nine samples are taken in the three minutes and twenty-one seconds of ‘Like This’ – and remix the work to create entirely new songs.[i] He isn’t a DJ but a self-described musician of the digital era, and when his work was presented to Marybeth Peters of the US Registrar of Copyrights she recognized that his music was amazing. She also recognized it was likely illegal, and the fact that his own creativity clearly imbued his creations offered no defense against copyright infringement: “You can’t argue your creativity when it’s based on other people’s stuff.”[ii] This position is mirrored by Barry Slotnick, head of the intellectual property litigation group at Loeb & Loeb, who has stated that “[w]hat you can’t do is substitute someone else’s creativity for your own.”[iii] Girl Talk’s work is recognized as amazing and creative, even by defenders and advocates of the present copyright regime, but is still questionably legal (at best). Feed the Animals is a popular album that pulls together anthems of pop culture, and its artist has been used as a defender of copyright reform movements,[iv] but it is only one item in a rapidly developing and emerging ‘mash-up’ culture that draws together existing cultural artifacts to in the creation of a recombinant digital culture.

Rather than stepping into the technical (il)legalities of mash-ups in any depth in this article I engage with mash-ups at a normative level. I aim to construct a normative argument for the cultural value of mash-ups, recognize some issues concerning expressive and cultural dignity that emerge alongside the ubiquitous surveillance and censorship of mash-up data traffic that may be identified as ‘infringing content’, and offer both a practical and a political solution to alleviate surveillance dangers and secure our emerging digital culture. To this end, I first outline the importance of mash-up culture, and then proceed to sketch a set of dignities that citizens in Canada (and other Western countries) should be able to expect in the digital domains they routinely roam in: citizens should be meaningfully able to possess expectations of contextual privacy and engage in civil expressions in domains of digital hybridity. It is with the shift to previously implausible ubiquitous digital surveillance and control systems, such as deep packet inspection, that Western citizens are again forced to worry about their privacy and expressive capacities in communal, rather than merely individual, senses. Accompanying this surveillance and control system is the threat of chilling speech, limitations of civil expression, and infringements on the possibilities of innovation. The technical structures that wait for copyright infringement should not be permitted to threaten innovation, criminalize otherwise routine communication, or undermine cultural development and experimentation without a full and transparent discussion of the costs such infrastructure could pose to the emergence and development of Western cultures, states, and citizenries.

To this end, I argue that there is a need to moderate the legal considerations of copyright, perhaps by adopting a hardware tariff model or developing distinctions in what constitutes infringing use. This will alleviate the demand to use technologies such as deep packet inspection for copyright enforcement, but is insufficient to genuinely alleviate the more general threat to civil dignities posed by these ubiquitous digital surveillance instruments. To better secure civil actors from the threats posed by these instruments there must be increased transparency surrounding digital networks, insofar as both vendors and Internet service providers must be required to disclose to the public, and its civil advocates, the technologies under development/in use, motivations driving development and usage, and modifications that are made to already deployed systems.

Why Mash-Up Matters

The public domain operates as the basis “for our art, our science, and out self-understanding. It is the raw material from which we make new inventions and create new cultural works.”[v] The public domain is from where the majority of our culture emerges from, and in the face of an ever-extending capture of the public domain by the advocates of strong copyright reform mash-up artists and citizens have taken to the ‘net to (re)generate their cultural heritage. Mash-up matters because it’s the beachhead upon which (dominantly) youth are mounting their critiques about the current legal conditions of their cultural existence. Mash-up matters because if the dogs-of-law do not release this mode of cultural formation from their jaws, then the equivalent of the future’s jazz and rock-and-roll will be criminalized, and the electronic culture of the future put in jeopardy. Mash-up matters because it can be read as the exemplar of the praxis of digitality itself.

Digital technology facilitates the engagement with culture in a massive way. Whereas folk and jazz music alike historically saw relatively small groups coming together to ‘remix’, or modify, add, and subtract, pieces of the music, the Internet has given today’s equivalent of folk and jazz musicians a global audience. There is, however, a clear difference between those musicians that used non-digital instruments and those using laptops, Garageband, and electronic keyboards; the former were limited in the acquisition and distribution of cultural artifacts, whereas the globe is the limit for the former. Lawrence Lessig, Paul Virilio, and Matt Mason recognize that there has been a shift in the speed and virtuality of informatic-creation, movement, and communication. In his recent book Remix, Lessig argues that there is a kind of ‘Read-Only’ culture – one where citizens could only purchase and enjoy culture in relatively static ways – and ‘Read-Write’ culture – a cultural situation where citizens modify and freely exchange new cultural creations.[vi] In the former, culture retains its agency by refusing to let the audience engage with the work itself to unlock its creative possibilities. Expensive equipment or highly specialized training was required to take up film, music, and similar ‘technical’ arts to creatively engage with the material itself in a way that directly copied and implicated the content itself in the development of new cultural artifacts. In the latter situation, culture’s agency becomes shared between the artifacts and those engaging with it: culture becomes ‘active’, as it was in the heydays of folk and jazz music.

In his discussion of the globalization of communications networks and the heightening velocities of contemporary technologies, Virilio ominously writes that we understand nothing of the information revolution, nothing of digitality itself, unless we recognize that it “ushers in, in purely cybernetic fashion, the revolution of generalized snooping.”[vii] With the shift toward ever-increasing standardization of the digital ecosystem – manifest in Internet’s technical architecture in the TCP/IP protocol suite, standardized ‘content containers’ such as JPEG, MP3, AVI, and uniform modes of measurement and signature analysis – comes the capacity to monitor, control, and mediate the objects enclosed in such standardized containers. Simultaneously, there is a division of object, a mass multiplication and exponential enumeration of such objects given that “data objects are nothing but the arbitrary drawing of boundaries that appear at the threshold of two articulated protocols.”[viii] Protocol, the medium binding and delivering cultural artifacts, functions as an instrumental or technical addition, as a necessary element of control that rests upon and frames the playful capacities inherent with digital cultural expression. The protocol that facilitates the playful engagements of youth with their culture simultaneously establishes the mesh within which their cultural artifacts can be scanned, probed, analyzed, and censored.

The search for control over intellectual creations maps onto the logic of perfect control annunciated by James Boyle: there is an argument, routinely touted by copyright holders, that the strength of intellectual property rights must vary inversely with the cost of copying to ensure a vibrant for-profit cultural environment. He calls this ‘the Internet Threat’, the stance that “without an increase in private property rights, cheaper copying will eat the heart out of our creative and cultural industries.”[ix] It is (partly) in reaction to the Internet Threat that Mason examines the effects of the rapid development of the digital ecosystem, and digitality’s potential to enable citizens to engage with cultural artifacts new and novel ways. As we will revisit, shortly, it is the Internet Threat that leads deep packet inspection equipment to be purposed to secure intellectual property.

A clear result of the digitization of cultural artifacts has been the near-instantaneous delivery of cultural content to meet the desires of particular individuals. This is most evidently manifest with Napster’s explosion onto the digital scene, which subsequently lead to the branding of filesharers as pirates. Instead of seeing pirates as the doom of culture, Mason asserts that “[p]irates highlight areas where choice doesn’t exist and demand that it does… this mentality transcends media formats, technological changes, and business models.”[x] A component of transitions to digitality, in particular, entail the ability to enjoy and develop culture through ‘remixing’.  Remixing “is about taking something that already exists and redefining it in your own personal creative space, reinterpreting someone else’s work your way . . . It’s about shifting your perception of something and taking in other elements and influences . . . your originality should outshine the borrowed elements, or at the very least, present them in a new light. A good remix adds value to something.”[xi] In the language of generating cultural artifacts, this means that with the emergence of a new set of tools (cheap, yet technically sophisticated computer software and accompanying cheap, yet powerful, computer hardware) and new communications mediums that realign ‘personal creative space’ with YouTube, the youth of today have begun ‘editing out’ their own cultural commons. The challenge they face can be put thusly: the public domain and the relative anonymity provided in a world of analogue search-and-lawsuit practices are being dissolved in the face of legally driven protocological conflict. Without access to the public domain, without access to anonymity, youth and other participants in recombinant digital culture are under legally sanctioned siege, a siege that is criminalizing an outrageous percentage of the population.

To summarize, mash-ups matter because they can be seen as the resurgence of the past, of a time where individuals could take up and share the cultural artifacts they were immersed in. Mash-ups, in their massively available form, are presently made possible through the usage of contemporary computer systems; the systems of simulation that can be used to play video games, listen to music, and display YouTube videos are the same systems that encourage cultural generativity and massive instances of self-expression. Code can be, and is, taken from disparate sources, tinkered with, and subsequently emitted to the Web. This is an example of mash-up culture. Various musical albums that span various genres are recombined in fits of creativity to generate new conditions for cultural possibility. This constitutes a mash-up. Citizens draw pieces of video from music videos, news, advertisements, and government announcements to inscribe their own social, political, or banal commentary on the actions of the day. This too, is part of mash-up culture. Each of these three elements (of many more!) of mash-up culture play a role in defining how the digital generation will engage with their world; this generation has moved well beyond the recombination of words in blogging, to the recombination of the audio-visual facets of culture to transmute sterile corporate cultural artifacts into invigorated and vibrate artifacts endowed with cultural meaningfulness and life.[xii]

Next Section: As We Walk Into the Valley of the Shadow of Surveillance…

[ii] RIP A Manifesto, at http://www.nfb.ca/film/rip_a_remix_manifesto/

[iii] Steal This Hook? D.J. Skirts Copyright Law by Robert Levine, August 6, 2008. New York Times. Link: http://www.nytimes.com/2008/08/07/arts/music/07girl.html?pagewanted=2&_r=1

[iv] Pennsylvania Congressman Mike Doyle – member of the Subcommittee on Commications, Technology, and the Internet – has spoken highly of Greg Gillis (aka Girl Talk) in Congressional hearings. For more, see: http://www.rollingstone.com/rockdaily/index.php/2007/04/27/why-one-congressman-wants-you-to-borrow-more-music/

[v] Boyle, James. (2008). The Public Domain: Enclosing the Commons of the Mind. P 39.

[vi] Lessig, Lawrence. (2008). Remix: Making Art and Commerce Thrive in the Hybrid Economy.

[vii] Virilio, Paul. (2005). The Information Bomb. P. 62. Emphasis from text.

[viii] Galloway, Alexander. (2004). Protocol: How Control Exists After Decentalization. P 54.

[ix] Boyle, p. 60.

[x] Mason, Matt. (2008). The Pirate’s Dilemma: How Youth Culture is Reinventing Capitalism. P. 46

[xi] Mason, Matt. (2008). The Pirate’s Dilemma: How Youth Culture is Reinventing Capitalism. Pgs. 71, 81, and 83. Emphasis added.

[xii] Something about Adorno and the culture industry

Other posts you might be interested in:

1. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities
2. The Role of Digital Surveillance in Stopping the Past’s Rebirth
3. Will Copyright Kill eHealth?

While I pay attention to copyright developments in Canada and abroad, and have strong stances on how academics and the Canadian government should licence their publications, I’m not a lawyer. I do, however, know that government documents in Canada are governed by Crown Copyright – unlike in the US, the Canadian government maintains copyright over its publications – and thus I wanted to check with the CRTC if there were any problems hosting documents from their site, including those presumably under a Crown copyright such as the CRTC’s decision.

Today I spoke with someone at the CRTC and received word that I could rehost the documents, without any problems. They were ‘in the public domain’ and so I could do with them what I wanted. I was pleased to hear this, as I wasn’t sure if the Reproduction of Federal Law Order would apply to the filings of private companies – it should apply to the CRTC’s decision itself, but as the order is written it’s ambiguous (to me) where and how private filings ‘fit’. In any case, I’ll take the CRTC’s word and be pleased that their public notice filings, including the filings by private corporations, are ‘public domain’ works and not governed by crown copyright. In case someone is wondering why I even bothered checking with the CRTC, given that my intended uses of the works arguably fall under under the research and review criteria of Canada’s fair dealing provisions, I expected that my use was legitimate but wanted to check with some lawyers that I was actually in the clear. I didn’t want to have a project go live, only to receive lawyer-grams from the CRTC or private companies! The CRTC has lawyers, and I thought it’d be a decent idea to draw on their expertise. Had I gotten a baffling response (e.g. no, for copyright reasons you cannot host anywhere else!) I’d have gotten a second opinion.

So, that’s fine and good: I can use the documents. It was the rest of the conversation that was particularly interesting, and more than a little disturbing.

I learned that the CRTC occasionally removes documents included in public filings and, far more significantly, sometimes changes the actual documents themselves without notifying anyone, not ever parties who were involved in the public notice. Such changes are made to correct misstatements of fact, to redact content already on the record or make available incorrectly redacted content, and so forth. This has far-reaching implications: closed public notices can have documented modified, where such modifications could potentially have affected public awareness of the notice as it was ongoing. In the case of some ‘corrections’, this could be incredibly important: what if in PN 2008-19 (and this is entirely hypothetical and meant as an example: I have ABSOLUTELY NO REASON TO BELIEVE THIS IS THE CASE) it turned out that one of TELUS’ redacted sentence was made available to the public, and it stated that TELUS was in early consideration stages of using Deep Packet Inspection in their networks? Such a ‘correction’ would have substantial effects on the arguments put forward by various civil advocates, and would render someone who was not involved with the public notice as it was ongoing very confused about the apparently contradictory filing between (in this example) TELUS and public advocacy groups. Thus, not only do these secretive changes risk contaminating later research, but it could also undermine public confidence in the public notice process itself.

The other very interesting copyright-related item that I learned was that, while hosting the documents isn’t a problem, were I to scrape and do a check-sum between what I have hosted and what the CRTC hosts that would be considered a copyright infringement. The gentleman I spoke with professed not understanding how that would be a copyright issue, and was just passing on the message from the lawyers, but it’s incredibly bizarre. In effect, it states (to me) that I can host but cannot check to guarantee that what I’m hosting is ‘the most accurate/recent version’ unless I want to eyeball the documents and look for ‘corrections’ that may or may not be announced anywhere in the document or public notice website itself. From a government transparency point of view, this is deeply concerning: members of the public, if aware of the potential for relatively secretive changes to public filings, cannot automate any system to watch for such changes without running afoul of lawyers. The resources thus required to ‘check up’ on the CRTC would be enormous for the poorly funded civil advocacy groups and members of the public (neither eyeballs or time are in abundant supply!). Moreover (and again, I am not a lawyer!) in my reading a check-sum or something like it is required to actually comply with Canadian copyright law. The law,

authorizes anyone, unless otherwise specified, to copy federal legislation, statutes, regulations, court decisions and tribunal decisions without the usual restrictions that govern Crown copyright materials, provided that one is careful to ensure the accuracy of the materials reproduced and that the reproduction is not represented as an official version. (emphasis added)

Given that I’ll be hosting documents, to ‘carefully ensure the accuracy of the materials reproduced’ aren’t I required to set up some automated system, given that the CRTC can potentially just change or remove documents without any public notification or transparency? Does this mean that compliance requires me to manually check on a daily/weekly/monthly basis that all the files on the CRTC’s webpage are exactly as they were when I first copied them?

Admittedly, these changes to documents in public notices are supposed to happen ‘fairly rarely’ and there isn’t any reason to expect that the filings for PN 2008-19 (which is what I’m interested in for this project, right now) are going to change. It’s possible that there was miscommunication as a result of interjecting an intermediary between myself and the CRTC’s lawyers. I’m very happy that I can host the filings for PN 2008-19 and that all of the items in that filing (including the CRTC decision) are apparently ‘public domain’ and thus outside of crown copyright. Those are all great things and I appreciate that the CRTC was fairly quick in getting back to me (it took about 4 business days). I’m far less impressed with secretive changes happening to public filings, and am disturbed by the position that scraping for check-sum purposes would somehow violate copyright.

I’m not a lawyer, and I’ll be following this up with the CRTC to try and get additional transparency into what’s going on. Hopefully there was just a miscommunication; I would understand if regular scraping was a problem because it could bog down their servers, and that on that basis they could drum up DDOS charge or something, but to construe server access to guarantee I’m hosting the most up-to-date documents with a copyright violation is mind boggling, and screams of misuse of copyright to this non-lawyer.

Other posts you might be interested in:

1. Update: CRTC PN 2008-19 Filings
2. Update: CRTC PN 2008-19 ISP Filing Summary Document
3. Summary: CRTC PN 2008-19; Requests for Public Disclosure Filings

What we see less of in the eHealth debate are the prevalent dangers accompanying threats to cut citizens off of the ‘net as a consequence of copyright infringement. It’s this issue that I want to briefly dwell on today, in part to start ramping up some thoughts on the wide-ranging effects of three-strikes laws that are starting to be adopted and/or seriously discussed in various jurisdictions around the world.

To give an overview, three-strikes laws in the copyright context are generally presented as a way of curtailing copyright infringement. Often acting under the assumption that a downloaded copy of a file is the equivalent of a lost sale, major content and rights holders insist that they are losing billions of dollars per year to Peer to Peer (P2P) filesharing. While I will note that this is a relatively insane equivalency (it is largely like arguing that every person who opens a book in a bookstore, reads it for about 10 minutes, and then puts it down constitutes a ‘lost sale’ – for more on this read Doctorow’s Ebooks: Neither E, Nor Books), there are lots of great articles you can read that deal with this issue and so I’m not going to dip my feet into that argument here. You might ask how it is possible to identify copyright infringing work, and one of the ways of doing so is through specific implementations of Deep Packet Inspection (DPI) appliances by Internet Service Providers (ISPs). Virgin Media is trialling a system that will generate a copyright infringement index (though won’t identify particular individuals who are infringing on copyright) and DPI vendors such as iPoque have already produced equipment that is designed to identify infringing file transfers in realtime.

Three-strikes laws have a common, general, format: after an individual is found, or believed to have been found, infringing on copyright three times they are forcibly disconnected from the Internet by their ISP either at the behest of the government or content holders. The particular legal structure that facilitates these ejections from the Internet differs – sometimes there is a presumption of innocence and requirement that infringing use is proven, whereas in other systems accusations alone suffice – but the common end is the same: during an era when broadband is seen as a key to performing job searches, gathering academic research, developing knowledge about our illnesses, and discovering new cultural artifacts, copyright holders want to insist that their intellectual property rights should be foregrounded and other social goods put to the back of the line.

This bring us to the question posed by this post’s title: “Will copyright kill eHealth?” What happens when, after investing billions of dollars in ‘revolutionizing’ the current health system so that individuals are ‘empowered’ to access their health records, governments and their citizens realize that they are in a digital wasteland, where accessing health records is dependent on good copyright-related behaviour? When I’m tasked with absolutely securing my wireless network so that a war driver can’t access my network and download some pop track, does this mean that I should sign up for expensive third-party services to guarantee access to my ‘newer and better’ health records and other government services? To alleviate these anxieties, perhaps I’ll be able to pay a small monthly fee to my ISP and they will, on my behalf, block anyone on my network from accessing potentially copyright infringing work from non-sanctioned repositories so that I can participate in the new digital economy.

I’m not suggesting that health authorities are necessarily experts in areas of copyright, network management, network surveillance, or data transactions. Typically, they’re not, and citizens don’t expect their M.D. to understand the ins and outs of file transfer protocols, file signature analysis, or data packet analysis. While I’ve suggested (recently, no less) that it is important to consider the particular impacts of certain ‘high-functional’ technologies, such as deep packet inspection, we do still need to step back occasionally and think of some of the possible impacts that high-functioning technologies and the surrounding basin of law might have on the delivery of core, newly digitized, government services. I don’t want to live in a world where my ISP has a real market incentive to ’sell’ me the equivalent of copyright-infringement ‘insurance’ on a monthly basis so that I can view the digital records that governments and corporations retain about me. I actually don’t think that ISPs want to live in this world either; in such a world they would be placed in a position of liability upon failing to prevent me from accessing infringing material! It’s because of the wide-ranging possibilities of network intelligence and the laws around it that research into network intelligence and security is so interesting – with the Western transition to the digital, and the ability to watch and impact digital flows, the role of the ISP will only become more and more significant to citizens’ daily lives.

Who can we turn to in the event that some kind of a three-strikes law becomes manifest in a Canadian context? It’s entirely possible that the inspection of data flows for copyright infringing material might be ‘privacy protective’ – privacy might be built into the infrastructure by design per the governing ethos of the Information and Privacy Commissioner of Ontario – and this suggests that the language of privacy may be insufficient to really limit the challenges of any three-strikes law. I have similar worries about the ability for consumer protection laws to effectively limit the negative consequences of a three-strikes law (though Canada does have one of the world’s forefront copyfighter’s on the people’s side), and if we require judges to hold real cases before individuals have their digital lifelines terminated then court costs over what are (likely) just people ‘browsing content’ will be exorbitant. The transition to electronically delivered content has (supposedly) been devastating for how the major content owners have been able to turn profits, but we need to go further than just say they need to develop better models instead of suing people. We need to ask this: should government be developing laws the prop up questionable current-day business models at the potential expense of wasting billions in public infrastructure upgrades, or should government be taking a longer view of things and start siding with both citizens and their own allocation of infrastructure dollars? I worry that if government doesn’t more prominently side with themselves and their citizens, we’ll see eHealth and other eGovernment ventures die under the knife of copyright reform and protection, and that would be a tragic shame and absolute waste of citizens’ tax dollars.

Other posts you might be interested in:

1. Three-Strike Copyright
2. Virgin Media to Monitor Copyright Infringement
3. Update to Virgin Media and Copyright DPI

The story about Detica’s involvement really broke with Chris Williams’ piece over at the Register entitled, “Virgin Media to trial filesharing monitoring system.” In the piece, he recognized that the trial will encompass roughly 40% of Virgin’s customers, that the aim is to measure overall levels of filesharing rather than identify individual customers, and (at least initially) will focus on music. After I read the piece, I send some questions off to Detica and posted them (“Virgin to Use DPI to ID Copyright Infringement“) based on my reading of Williams’ piece and Detica’s consultation paper, and shortly thereafter followed up with Detica’s responses and thoughts on CView and privacy infringements (“Update to Virgin Media and Copyright DPI“). Between the posting of my questions, and the response from Detica, Richard Clayton had a meeting with representatives from Detica and posted the information they released to him over at Light Blue Touchpaper in a posting “What does Detica Detect?” The Register was also able to get face time with people working at Detica, leading Williams to produce his second piece “Spook firm readies Virgin Media filesharing probes.”

In the rest of this post, I want to pull together the information that has come to light so that we can get a better picture of what is known about CView. As such, this is very much a summary rather than an analytic post; hopefully I’ll have time to delve the information more critically in the near future.

How does CView integrate with the ISP network?

In the interview with Williams, Dan Klein of CView acknowledged that the CView appliances are expensive enough that ISPs are unlikely to purchase very many of them. The system,

starts by using fibre taps to pick off traffic from an appropriate part of the ISP network. They use a fibre tap rather than “port mirroring” to make it easier for the ISP to be sure that they won’t disrupt any traffic. The links that they monitor need not be carrying all of the ISP’s traffic — they merely hope that it will be a statistically significant sample.

The raw traffic is then sent to the CView box, which can handle multiple 10Gbit links. The first stage of processing is in hardware (FPGAs), then software takes over. The “external” endpoint identity is discarded and the “internal” identity is encrypted using a key that is not made available outside the box (ie: the intent is to make the customer “anonymous” but to be able to link different activity from the same source). (“What does Detica detect?“)

Put in other words, the Detica CView system engages in a passive, offline (as opposed to inline) analysis – the traffic is split (i.e. mirrored) from the ISP network so that consumers don’t experience any meaningful impact on their speed, if any impact whatsoever is even felt.

What does CView detect?

The Register, in their December 7, 2009, article revealed that eDonkey, Gnutella, and BitTorrent were the protocols that were to be inspected by the CView. At the moment, the appliance is geared to examine for music files, but the original Register piece raises questions of whether or not it will necessarily be limited to just music files in the future.

How does CView perform detections?

After splitting the traffic into the CView appliance, it examines data traffic to determine if data is being carried along one of the three aforementioned file sharing services. Even when encrypting your data traffic, it is often possible to identify the protocol used based on the cleartext data that precedes the encrypted flow. It should be noted that the most recent Internet Evolution test of DPI provided test results confirming this capacity to detected encrypted P2P flows. Detections are performed passively, out-of-line from the ISP’s traffic. When data traffic is identified as being P2P a content field is generated with the below information:

• the encrypted (and thus anonymised) customer identity
• the type of P2P protocol
• the content identifier value
• the file size
• a timestamp

Where the P2P flow is encrypted, while a record is generated no data can be entered into its fields. In addition to this information, the CView appliance will generate an ‘acoustic fingerprint’ from the file – this is, perhaps, the ‘content identifier value’ that Clayton notes? – and then passes this information along to a separate statistics box that will identify whether the P2P file is copyright infringing.

What about anonymity?

Of course there are worries that a system like CView could be used to rapidly identify the copyright infringers that are operating on a particular ISP’s network. Given the information provided by Detica, the company certainly is trying to secure the anonymity and identificatory privacy of ISP customers. Specifically,

IP addresses are anonymized at the source/DPI device using a pseudo-random replacement algorithm, which also entails ignoring the external IP addresses. The key generation system is managed automatically by the device (and thus an ISP can’t muck around with the system), and keys are periodically cycled and redistributed. The keys are never made available outside of the device, and once a set of keys for a given time period are discarded they cannot be recovered – the process is irreversible. On this basis, we can argue that no subscriber ID is associated with the randomized replacement algorithm, there is no way to associate a subscriber ID with the pseudo-random number after the fact, and as such the anonymization system should serve its purpose. (“Update to Virgin Media and Copyright DPI“)

Richard Clayton maintains, as I do, that CView is employing DPI in a manner that addresses individual privacy and data protection concerns though is mindful of the possible RIPA issues. Specifically, he writes:

I should also address (especially given the huge fuss over Phorm) the rather important question as to whether the system is lawful to operate? Please note thatIANAL, but I’ve studied their writings in this area a fair bit…

The design as explained above seems to address issues of privacy and data protection (amalgamating statistics and discarding identifiers is a sound technique for jumping these hurdles). But there is then the vexed question of illegal interception. The system does “wire-tapping”, that’s obvious, but the criminal offence is called “interception” and that is carefully defined within the Regulation of Investigatory Powers Act 2000. I expect that Detica would wish to argue that there is no interception because no content is seen by any humans… however, spitting out the file identifier might in itself be sufficient to infringe. It may take some case law before anyone can say for sure. (“What does Detica detect?“)

It will be interesting to see whether or not CView faces the same calibre of public outrage as Phorm did; Phorm ran up against Alexander Hanff (amongst others) but Hanff has recently noted his inability to work as a privacy advocate ‘full time’ this round as he did against Phorm. Admittedly, I see Phorm as engaging in different activities as Detica, but the emphasis often placed against Phorm (as I read things) was DPI first, and behavioural advertising second. That might, admittedly, be a coloured reading on my own part. Regardless, I’m sure that Detica’s PR staff is breathing some small sigh of relief that they won’t be dealing with Hanff full-time.

What is the utility of CView to ISPs?

Detica is promoting CView as a way for ISPs to establish an ‘index’ of copyright infringements. As noted by the Register,

Perhaps most importantly, at least at first, CView will measure how the overall level of copyright infringement via peer-to-peer networks responds to Lord Mandelson’s letter-writing campaign. If the Digital Economy Bill is passed in what remains of this Parliament, those observed by rights holder groups sharing copyright material could start receiving statutory warnings in the post from their ISP as soon as April.

A year later a system of “technical measures” – bandwidth restrictions, blocked protocols and disconnections for the most persistent – imposed on ISPs by Ofcom, is likely to follow. If successful in trial, CView will allow Virgin Media to monitor how its customers respond to the regime, although it will not be involved in idenfiying infringers. (“Spook firm readies Virgin Media filesharing probes“)

Richard Clayton notes that it might be the case that a small number of files might be ‘incorrectly’ identified as infringing, but such identifications are likely small enough to be inconsequential. The worry, of course, is that minor tweaks might turn CView into a “first-class monitoring system” that can be used to identify and target individual users. While an injunction would be required for this, the pushes for such injunctions in the EU mean that this is something that must be kept in mind, even though UK media conglomerates have not previously sought such injunctions.

What isn’t (totally) clear to me

I think that we’re developing a pretty good understanding of what the Detica system entails, as well as its characteristics ‘out of the box’. I’m still unclear about how the ‘audio fingerprints’ are taken – I assume (based on Occam’s razor) that based on what has been released to Richard that hash-based, rather than fingerprint-based, methods of analysis are being performed but can’t be totally certain. (Note: fingerprinting can be used to detect infringement where only a fragment of a file is identified as infringing, as in a mashup that includes a second or two of a song, whereas a hash-based analysis would only examine the totality of the file, as in a .mp3 file of Madonna’s ‘Like a Virgin’.)

The other, fairly major, element that isn’t clear is just how easy it is to ‘tweak’ the CView system as Richard suggests is possible. If we’re talking about a firmware update, that’s a fairly low cost with potentially very major functionality changes to the device, and would run counter to the assurances provided by Detica to Richard, the Williams, and myself that the system is designed to provide anonymity. On the other hand, if it would take a hardware modification, then the infrastructure, manpower and capital expenditure costs to ‘upgrade’ the device might alleviate the drive for ISPs to implement a genuinely granular user-identification system. Function creep with these devices, of course, is a real worry – it would be great for Detica to clarify how these ‘tweaks’ are technically possible as part of their ongoing efforts to be transparent.

Other posts you might be interested in:

1. Update to Virgin Media and Copyright DPI
2. Virgin Media to Monitor Copyright Infringement
3. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities

The key question that is lurking in my own mind – if not that of others interested in the CView product – is whether or not the appliance can associate inspected data flows with individuals. In essence, I’m curious about whether or not CView has the ability to collect ‘personally identifiable information’ as outlined by the Privacy Commissioner of Canada in her recent findings on Bell’s use of DPI. In her findings, the Commissioner argues that because Bell customers’ subscriber ID and IP address are temporarily collated that personal information is being collected that Bell does collect personal information. In the case of Bell, this didn’t mean that they had to stop the collection, but that they had to adjust their privacy policies to reflect this collection (though it should be noted that any such association and collection will happen, with or without a DPI appliance, because Bell always associates a subscriber ID with dynamically assigned IP addresses).

Now, this means that my examination of the CView system and consideration of privacy is different from those approaching the system from the stance of Regulation of Investigative Powers Act which might be seen as putting me off-side of some privacy advocates. I don’t necessarily have an issue with that, and in fact think that strong, well meaning discussion amongst the privacy community can be quite healthy – different levels of analysis and approaches are called for when facing particularly novel technological systems, and expecting a lockstep approach of these technologies and their accompanying politics is somewhat absurd. For my purposes, I’ll simplify things and identify a privacy infringement (for my purposes, if not those of RIPA) as entailing:

1. A collection, processing, storage, or analysis of data that is associated with an individual, or a very specific set of individuals;
2. A case where whatever is collected, processed, stored, or analyzed is done so to influence the individual, or specific set of individuals, in a particular and reasonably direct manner;
3. An instance of data anonymization where there is the strong likelihood that such anonymization is either intentionally compromised or unlikely to be effective.

In terms of the CView system, let’s first address the concern of anonymization. Specifically, we have to ask how stringent the anonymization system actually is. When I asked Detica about this process, they informed me that because the CView device is intended to produce a Copyright Infringement Index (aka the ‘Piracy Index’) by evaluating the overall filesharing on a network that identity information isn’t required for this objective. IP addresses are anonymized at the source/DPI device using a pseudo-random replacement algorithm, which also entails ignoring the external IP addresses. The key generation system is managed automatically by the device (and thus an ISP can’t muck around with the system), and keys are periodically cycled and redistributed. The keys are never made available outside of the device, and once a set of keys for a given time period are discarded they cannot be recovered – the process is irreversible. On this basis, we can argue that no subscriber ID is associated with the randomized replacement algorithm, there is no way to associate a subscriber ID with the pseudo-random number after the fact, and as such the anonymization system should serve its purpose. Of course, there is a concern that there are no such things as anonymization processes – as noted by Paul Ohm – but I think that a more technical analysis of data logs would be required to figure out whether or not we could make the push that Detica’s system is a failure. At the very least, they appear to be making a real effort in keeping data sets anonymous and doing what they can to prevent privacy infringing behaviour.

One of the questions I posed to Detica, which was related to CView identifying copyright infringing files, went as follows:

“…what method is used to identify content. Is Detica using a file hash-based identification process or fingerprinting system? I ask because broadly identifying protocol alone would render any analysis of P2P data traffic as inherently infringing somewhat problematic, given that P2P is also used for legitimate file transfers.”

The member of the company I wrote to admitted that they couldn’t go into the specifics of how the system performed identifications for commercial reasons – this is normal when dealing with what are effectively corporate secrets – and thus couldn’t speak to their system using either fingerprinting or hash-based analysis. They did say, however, that the system is conservative, insofar as it makes its assessments based on assumptions that transfers are legitimate unless there are reasonable grounds for determining otherwise. As I read/translate this statement, it says to me that rather than classifying all P2P traffic as infringing, the system only flags infringing content as that which can be matched against its index of infringing files. Whether this entails fingerprinting (where only a fragment of a file is identified as infringing, as in a mashup that includes a second or two of a song, instead of the whole file, as in a .mp3 file of Madonna’s ‘Like a Virgin’), however, is unknown.

Detica’s responses maintain that their CView system is deployed in a passive mode (which is expected), and I’ve asked for clarification about whether or not it rests inline or offline – whether the appliances will perform traffic analysis in real time inline with the flow of data passing through the ISP’s network, or in a delayed fashion that sees the data traffic ‘offloaded’ out of the ISP’s network. I expect that it is a passive, inline appliance, but we’ll see. The company does maintain that “there is no persistence of any analysed content – Detica CView(tm) is a measurement system so could not be used as an evidence collection mechanism.” This means that the DPI appliance cannot be used, as designed, to identify individuals trading infringing material online, and thus cannot be effectively used to enforce any three-strikes law.

Ultimately, given that CView is engaging in network-level intelligence, without correlating IP addresses with a unique signature or code, let alone a subscriber ID, I’m not certain that this system is necessarily ‘privacy infringing’ as it’s presently configured and deployed. Does this mean that it can be used to subsequently insist on deeper penetration and analysis of who is trafficking following the establishment of a ‘piracy index’? Quite possibly – the political ramifications of having quantifiable network intelligence are vast. One of the reasons why DPI appliances in general are so interesting is how they are wrapped up in the politics of net neutrality, privacy, and copyright. Despite their interesting intersection along the crossroads of digital issues, perhaps we need to develop an archetype to engage with these devices as follows:

1. What does the technology do, today? Does this constitute a privacy (or, preferably, constitutional rights grounded) infringement?
2. What can the technology do, tomorrow? In light of what it can do, how should we advocate for strong protections to prevent our concerns from arising, and channel the technology towards ‘good’ outcomes?
3. Ask the question ‘what needs to be put in place to ensure that the ‘good’ outcomes of tomorrow triumph over the possible ‘bad’ ones?’ and provide resources to achieve the good and avoid the bad.

This is a simple schema (and, actually, deserving a deeper analysis), but parallels what I’ve come to adopt over the past few months. It is critical that we analytically distinguish between temporal realities and futural possibilities, as well as between the issues of network neutrality, copyright, and privacy (among others) to develop sufficiently nuanced and complicated understandings and resolutions to the insertion of DPI appliances in ISP infrastructures. DPI is unlikely to go away; the aim now has to be to identify and proclaim ‘good’ uses of the technology and work to prevent the ‘bad’ uses from becoming prominent telecommunication practices.

Other posts you might be interested in:

1. Virgin Media to Monitor Copyright Infringement
2. Aggregating Information About CView
3. Copyright and the Blank Media Levy

1. I have a request in to the company manufacturing these appliances, Detica, and have been promised responses to my questions. In light of this, I’m not accusing Detica or Virgin Media of engaging in any ‘privacy invasive’ uses of DPI, at least not at the moment.
2. The information that I’ll drawing on is, largely, from a consultation paper that Detica presented in late September of 2009.
3. This post is largely meant as a ‘let’s calm down, and wait to hear about the technology’s details’ before suggesting that a massive campaign be mounted against what might be a relatively innocuous surveillance technology.

With that stated…

Detica describes themselves as a “business and technology consultancy specialising in helping clients collect, manage and exploit information to reveal actionable intelligence. As the digital revolution causes massive amounts of data to converge with a new generation of threats, many of our clients see this as one of their greatest challenges.” Their CView DPI system is meant to let ISPs better identify the amount of copyright infringing work that is coursing across their networks, in an effort to give ISPs better metrics as well as to determine whether arrangements between ISPs and content providers has a significant, measurable effect on the transfer of copyright infringing files.

The consultancy piece that is provided by Detica maintains that their DPI system is meant to preserve customer privacy, though the lack of technical insight in the paper itself means that many individuals and groups are deeply concerned about the actual instantiation of privacy-protective measures (e.g. Twitter’s #virginmedia hashtag is filled with concerns and complaints). What I’ll do is outline the most relevant parts of the consultancy piece, and follow each part with the questions that were provided to Detica. I’ll also include one question set that I forgot to ask, and will be sending along once I get my response from Detica. First, what’s exactly is this DPI appliance, anyways?

CViewTM is a pre-built, secure service providing a statistically-significant sample of all illegal file sharing activity across an ISP network. CViewTM resides within the secure environment of an ISP network, operating in a “lights out” environment (i.e. without human intervention). It aggregates all of the individual “in-network” file sharing activity and performs analysis on this dataset with pre- defined statistical models to present ISPs and CPs with detailed reports of the volume and nature of the P2P activity by subscriber groups (achieved by clustering similar behaviour types).

That the technology operates without human intervention is a no-brainer; the company is selling a device that is meant to massively aggregate and analyze data traffic. If an individual human, or team of network specialists, had to watch the logs and then run their own calculations based on what the log revealed then the product would be a dud for the purposes that it’s being sold for. Something that I expect is unsettling for many, especially those concerned with the impact of imposing statistical behaviour sets on users, is that there are pre-defined statistical models that will report on users by clustering similar behaviour types. What I failed to ask in relation to this includes:

• What are these kinds of behavioural types?
• Can the ISP with a CView product in their network infrastructure alter how behaviour types are collated?
• When Detica suggests (earlier in the consultancy piece) that they will be creating a ‘piracy index’, is this index meant to be a standard that is controlled by Detica, or is it fungible so that ISPs can configure it to suitably engage with their own customer base and customer habits? If the latter is true, then doesn’t this suggest that a industry standard index is immediately jeopardized?

There are a set of four principles that are ingrained with the development of the CView devices themselves. The first:

anonymous data collection — all records collected from the network have their IP addresses strongly anonymised such that no reference to an individual can be made, even in conjunction with other ISP systems. No content data is recorded (e.g. URLs).

As pertains to records being ’strongly anonymised’, I want to know what, exactly, this entails. While Google claims to have ’strong’ anonymization for the IP address information that they collect, they only remove the last 8 bits of the IP address in their logs. Given that this comprises the last octet only, and each octet can contain the values from 1-255, Google’s technique lets a computer user hide amongst 254 computers at most. Google’s approach is juxtaposed against, say Microsoft’s, which deletes cookies and full IP addresses along with other identifiable information after 18 months. What, exactly, is entailed in Detica’s ’strong anonymisation’ process?

The second:

proportional to right to privacy — traffic is inspected to establish what the content is and the application being used, with no persistence of traffic data or identity information.

I presume that this means that there is simply an inspection of the content, a record or log kept concerning what is (and what isn’t?) identified, and then no efforts to store content streams offline. Is traffic inspected inline with the Virgin network, or is content being offloaded and subsequently analyzed ‘offline’? I fully expect that CView examines known protocols (which DPI appliances are generally capable of doing) but wonder what method is used to identify content. Is Detica using a file hash-based identification process or fingerprinting system? I ask because broadly identifying protocol alone would render any analysis of P2P data traffic as inherently infringing somewhat problematic, given that P2P is also used for legitimate file transfers (in Canada, our national news station, film board, and other government bodies are using P2P for the dissemination of public content, as an example), and there are substantial differences between the application of fingerprinting or hash-based systems (fingerprints might catch mash-ups, whereas hash-based targets full files). Further, when it is suspected that encrypted P2P traffic is crossing a network, does this constitute infringing traffic, non-infringing, or place a user in an entirely separate  behavioural category-type?

The third and fourth:

closed system — no traffic data or identity information is ever made available to a person. Traffic application data is produced by an entirely closed and automated “lights out” system. Appropriate hardware, software and process controls prevent intentional or accidental breaches of privacy (e.g. preventing access to the live system when data is being processed).

no feedback loop — none of the behavioural data collected can ever be attributed back to a person or drive action against an individual.

This appears to be a positive maneuver, though I would wonder how much access ISPs actually have to these devices: are they prevented from reconfiguring these devices, or offloading information to a SAN for their own analysis? Should an ISP demand it, is is even possible for these devices to disclose the traffic data or identity information of ISP subscribers and their related data traffic? How are updates performed to the device, and what would such updates comprise (e.g. would they update the protocols/files that are detected, or go so far as to modify the ‘piracy index’ as well and extend the ability to discretely associate infringing content with particular IP addresses)? Finally, given that different categories of users are being established, while the device cannot use behavioural data to target individuals, can it be used to target the groups that the device identifies?

As stated at the head of this post, I haven’t heard back from Detica, and until I do I’m refraining from decrying (or praising) this technology, in part because I’ve been aware of this kind of technology for some time: despite Detica’s suggestions, DPI manufacturers such as iPoque have included this in some of their devices for some time (also, and contrary to their consultancy piece, Canadian ISPs have been tracking P2P use for some time). Identifying and preventing the distribution of copyright infringing files, while certainly a problem for the P2P movement, would likely be read (in the UK) as complying with the recent ‘Digital Britain’ initiatives. If the technology genuinely provides some significant level of anonymity, and presuming that the ‘piracy index’ isn’t rigged in some manner (perhaps have it open-sourced?), then this could just be a manifestation of a company selling a very particular product to address a particular need for network intelligence in compliance with British Law. This isn’t something that is strongly desired by some parties – the ‘dumb pipe’ position is commonly adhered to by network neutrality advocates – but perhaps speaks to the real need to address the misconceptions about information services, and how they legally (at least in Canada and the US) differ from telephone services.

I’ll end this by noting that I’m less familiar with UK law and regulations; I don’t know RIPA in and out, and I’m not trying to justify the Detica appliance. Instead, I’m just suggesting that until more data is released that privacy advocates and network neutrality advocates alike should take a step back, take a deep breath, and wait for a little more information before letting loose the dogs of war.

Other posts you might be interested in:

1. Update to Virgin Media and Copyright DPI
2. Copyright and the Blank Media Levy
3. Aggregating Information About CView

One of the key elements of the site that interest me the discussion of paying artists (and other content creators); how can we avoid demonizing P2P users while at the same time allocating funds to artists/copyright owners in a responsible manner. On October 5th, this topic was broached under the posting ‘In Favour of a Music Tax‘, and I wanted to bring some of my own comments surrounding the idea of a music tax to the forefront of my own writing space, and the audience here.

I think that an ISP-focused levy system is inappropriate for several reasons: it puts too much authority and control over content analysis than carriers need, puts carriers at risk when they misidentify content, and would make carriers (for-profit content delivery corporations) in charge of monitoring content without demanding consumers that pay ‘full value’ for content moving through their networks. This last point indicates that an ISP-based levy puts ISPs in a conflict of interest (at least in the case of the dominant ISPs in Canada). Another solution is required.

I’m a Canadian, and I don’t have an issue with a levy-system that works. In Canada, we are charged a levy on all blank media that is sold. The levy originated several years ago, and was meant to recoup losses from the copying of mp3s (and related audio files) onto disks. The levy is very small:

• $0.24 per unit for Audio Cassette tape (40min or longer);
• $0.21 per unit for CD-R Audio, CD-RW-Audio & MiniDisc;
• $0.21 per unit for CD-R, CD-RW (non audio).
• In 2009 the levy on CDs and MiniDiscs will rise to $0.29 (Source)

Arguably, fewer people burn mp3s onto disks than in the past – with the advent of cheap and portable storage media, media tends to find its way to mp3 players and similar portable (and slightly less portable) media environments. Rather than targeting ISPs (who, really, should function like semi-intelligent data piping networks, rather than smart content monitors) why not impose a small levy on mp3 players/consumer electronic storage equipment? When I see an iPod or something like it, and am told that ‘160GB of storage just isn’t enough’, I have a hard time believing that someone has paid the not-so-small fortune to fill it with music, TV shows, and other content. I argue that we should toss a levy on the device at the point of sale, and then have a mechanism where the money is blackboxed and distributed back to content owners.

Is blackboxing ideal? No, but distributing the funds collected can be improved by developing either a more broadbased sampling of what is being listened to (i.e. one that accounts for the long tail of P2P downloads, YouTube watches, etc) or ’smarter’ devices (i.e. ones that can read what is being played and then report this back to a mothership) to adjust the levy distribution in near-real time. As a consumer, the former is an acceptable shift in distributing the levy, whereas the latter strikes me as a gross violation of my reasonable expectations of privacy (regardless of whether it would cross an actual legal boundary). Let’s think through what this ‘tracking’ system might look like:

First, it won’t involve any deep packet inspection appliances, so we can dispel any worries associated with that particular technology. Instead, we get a few clever programmers together to develop an aggregation system that identifies the number of downloads of songs/albums/artists across a wide set of media environments (e.g. P2P sites, YouTube, MySpace, etc). Either the sites themselves or the aggregation system can include anonymization protocols that scrub data sets after initial collation, ensuring that the data can’t be traced to individuals/sites. Scrubbing protects consumers and has the benefit of mitigating some efforts to ‘game’ the system by demanding particular sites are included in the aggregation step at the expense of less favourable ones. It should be noted that I’m not seeing this system as one that tracks particular users but instead the number of downloads particular sites have for files. While this doesn’t generate 100% accurate picture of content transfers, it will capture the long tail better than the present Canadian levy’s evaluation metrics. Taking account of the fluidity of the P2P environment, it is important that the aggregation system is designed so that adding new sites to the scrape is relatively simple, and the system generally should be modular so that it can scrape new P2P platforms as they come available.The nice thing is that, once this system is paid for and set up, it’s largely self-running AND can be exported to different jurisdictions as needed. This system should be open source, so that anyone who is interested can take a look at how the algorithms calculate levy distribution in an effort to facilitate transparency and rigorous code-checking.

While there are certainly valid concerns around the organizational collection and distribution of these levy fees, I see a distinction between the value of a levy and organizational logics. In Canada, as an example, a key issue that I keep hearing between major players in the content industry is that the metrics used to identify popular artists is defunct – it needs to be broadened to capture the long-tail of media downloads. The Canadian situation sees (relatively) little overhead, and has distributed over $100 million dollars since the levy’s inception. This isn’t a small amount of money.

This model does recognize that labels will get some of the money out of the levy system should they own the copyright of the content being downloaded. There isn’t any reason why they shouldn’t receive some of this money from a (layman’s) legal perspective. If this is perceived as a problem, because it ignores the artist, then that’s a larger issue of copyright ownership and not a reason why the levy itself is unworkable. If artists retain their copyright, they get the cut of the levy fund instead of a label. If there is a strong desire to change how present copyright systems work (and I think that there should be) that doesn’t undermine the levy-system; we should reform rather than scrap the levy, and not let copyright/label issues motivate a refutation of the levy model.

Perhaps most crucially, the levy is not designed to capture the ‘full value’ of media – it doesn’t correlate one download to one sale. Instead, it recognizes that there is partial value derived from a download that is unlikely to parallel the same value that is demonstrated when someone purchases a CD, pays to download music through a content delivery system like iTunes, or attends a concert. If we take the stance that P2P is a means of facilitating interest (and partial value) for content then it is obvious that the levy-system is not enough, on its own, to create a full-value stream between artists and fans. Additional monetization schemes must be adopted so that, after deriving partial value from a download, fans (as distinguished from downloaders) can provide what they perceive as full value to the artist(s) in question. How this is done extends beyond a levy system – while important, I don’t want to work through my thoughts on this extension right now.

I want to quickly turn to some very broad, general, and tentative ideas of how the collection and distribution of a levy might work. This is most definitely a work in progress.

While there is a worry that the levy could increase as various parties who are not currently supported by the levy system try to muscle their way in, I think that the solution is just to set a particular (fixed) rate for the levy, and have it increased by X (where X=rate of inflation, or some other clearly identified, relatively autonomous metric that is outside of the music market), and then an organizational metric for distributing funds. Figure that every Y years the distribution metric could come up for organizational review, with the review board being composed of a balanced group of people (e.g. members of the non-profit’s board, artist and label copyright holders, hardware vendors, fans, etc). Where it appears as though the non-profit levy-distribution group is overstepping their bounds, a judicial review could occur (as happened in Canada, when there have been attempts to extend our levy to portable music devices).

In terms of actually establishing how much money the levy should collect per device, I’m inclined to set a very low levy that is based on a per GB/TB calculation of the storage media purchased. These rates should be automatically adjusted over time per a formula that takes into account drive size increases by reducing the cost-per-GB/TB so that the levy doesn’t get prohibitively high. The algorithm for this can be developed prior to the levy being restarted/instated to avoid hidden surprises and put in the public domain. Participation from a wide community should be invited, with a recognition that any formula set is a compromise position; there is no way that everyone is going to be happy. Consensus is highly to emerge between all the interested parties.

On the whole, what I’m trying to express is that levies are workable, partial, solutions. They do facilitate artists getting paid for their contributions to culture. They do benefit the consumer because it is clear why the levy exists and how funds are distributed without adding complexity (for the consumer) at the point of sale. Levy systems do not try to equate one download to one sale, and instead recognize the partial value of downloaded media. The proposed hardware-centric levy does not require ISPs to spy on content as it moves across their networks. Further, as I’ve proposed the aggregation of data points, this levy system does preserve anonymity and privacy.

Does this approach ultimately result in consumers paying a slightly higher price for blank media/devices? Sure, but I don’t think that’s anymore unreasonable than paying the trivially small environmental taxes already associated with the purchase of new computer equipment.

Other posts you might be interested in:

1. Virgin Media to Monitor Copyright Infringement
2. Update to Virgin Media and Copyright DPI
3. Analysis: ipoque, DPI, and copyright

At issue, however, is that filing lawsuits is big money, and in Europe especially it looks like Digiprotect has moved in to assume first-mover advantage. Digiprotect gets “the legal rights from the companies to distribute these movies to stores, and with these rights we can sue illegal downloaders. Then we take legal action in every country possible, concentrating on the places where such action will be profitable” (Source). They avoid demanding too much money from infringers, on the basis that few judges like the idea of imposing million dollar fines on individuals – usually opting for suits demanding in the vicinity of 500 Euros. This amount of money ‘teaches’ individuals and provides enough money to keep the employees paid. No staff member has a fixed salary – they are paid according to the ‘cases’ that are won. The actual method of determining the financial burdens are based on the business expenses, profit, and money to be distributed to artists. In effect, the company sets up a honeypot and then sues whomever it is profitable to sue.

On the one hand, you have to give the company some credit: this is a particularly innovative way of eking out an existence. Of course, various types of bacteria that eke out similarly interesting existences under rocks. This seems to be a extortion racket similar to what the RIAA has been running in the US for years; by not asking for absolutely massive amounts of money it is (almost) senseless for the individual consumer to hire a lawyer and put up a fight in court. The amounts of money are low enough that it makes more sense to pay Digiprotect and get them to go away. At the same time, however, it means that an individual who has been falsely identified (which is highly likely, given that Digiprotect performs their backwards trace using the IP address alone) is in a tough situation where they either fight the charge and build up their own legal costs, or pay out to avoid an escalation of costs. This isn’t just speculative theorizing: the BBC has an article that discusses that people who clearly haven’t infringed on copyright are being sued on a regular basis by Digiprotect.

There is no indication of how the IP address is maintained, what information the company links it with, how long data is stored, etc. In effect, it’s unclear whether the company is adhering to German data protection laws – I presume that by participating in a P2P session an individual is not ‘consenting’ to a collection of their personal information that extends beyond the mere technical requirements of sharing data. On this basis, I cannot see how it is reasonable for someone operating in a privacy regime that espouses the need to minimize data collection and retention, while maintaining consent, can let a company obfuscate their actual business practices that depend of the capture of personal information under the auspice of honeypot activities.

Further, since copyright holders are licensing the content to be distributed on P2P systems it is unclear to me how an individual is ‘infringing’ on content where distribution licenses have been secured; licensing content to be shared, and then suing individuals for taking advantage of that sharing seems obtuse. The companies that are using Digiprotect are aware that their content is being put on P2P networks; the aim is to ‘catch’ people and sue them after the company intentionally puts itself in a position of being ‘harmed’ by virtue of sharing their content. This is particularly snakey; companies claim that P2P damages their industry, and to prove their point have their own contend seeded on P2P networks and sue people as ‘proof’ of the harms caused by P2P. In some senses their actions remind me of skits where individuals throw themselves in from of cars, claim that the driver injured them, and then sue them for this harm that the individual put themselves in. I guess it’s a good thing that there isn’t a file sharing insurance packages – the might of insurance companies opposed to payouts would surely shut down companies like Digiprotect like they do claims submitted by people throwing themselves in front of cars.

Of course, companies like MediaSentry have been engaging in these sorts of actions for year, but the difference between them and Digiprotect are:

1. MediaSentry works for the RIAA, and thus is an instrument of the labels rather than a semi-autonomous profit-making company (MediaSentry makes a profit, but through far more direct relations with labels). There isn’t an attempt to keep MediaSentry at a significant arms length, whereas Digiprotect has their own network of law offices who are receptive to this technique, and just pay a portion of their suit-earnings to labels. The labels get a cut without having to ’smear’ their own images in court;
2. MediaSentry doesn’t have to worry about EU privacy laws

As for the second of those claim, I’d need more time than I can devote to break down all the differences between American and German data protection law, and then see if Digiprotect is in violation of law by developing databases containing people’s personal information without their consent. Given that Germany, at least, is far more sensitive to that issue it would be interesting to see how/if Digiprotect has gotten past that privacy block. More broadly, I wonder if Digiprotect is in any way worried about DPI appliances that are sensitive to copywritten files’ signatures as potentially endangering their operations? iPoque could be their worst foe in the sphere of competition; could DPI ’save’ consumers from this nasty business model where DPI appliances pre-emptively prevent the sharing of tagged copywritten files?

Other posts you might be interested in:

1. Newspapers: Effects of Closing their Content Ecosystem?
2. Copyright and the Blank Media Levy
3. Will Copyright Kill eHealth?