Monday, April 06, 2009

BERR consultation responses - “03”

In reference to BERR response “p2p – 03 – FOI.PDF”

A short and succinct response, which makes its points clearly and quickly, but gives few actual easily followed references, instead alluding to events. The writer is clearly technology literate, P2P literate, and has been following most of the main cases involving P2P at a level including critical analysis, rather than press releases and mainstream reporting.

I would also have to disagree with the writer on a factual basis, at least on his claim that section 3.6 of the consultation document is flawed. It is actually accurate. However, it's the manner in which certain companies go about this that is flawed. It's as much about semantics as anything else. The idea (section 3.6) is sound; the practical operation of it is flawed. There is also a slight factual inaccuracy in 'notices sent to photocopiers'. In actuality, the notices were sent to printers and other non-storage, network-capable devices, in a study by the University of Washington, to see if they could spoof IP addresses and get notices sent. Printers and similar devices were chosen because they were IP addresses that were physically incapable of doing the actions they were accused of. I covered it in more detail in my TorrentFreak article, published when the study came out.

As far as breaching privacy goes, I think that's an argument that will go nowhere. They are not accessing anything you've not released to be accessed, either knowingly or unknowingly, and have not used any tools, beyond the counterpart to a program you are using, to obtain data. Now, the legality of a company obtaining data on individuals, for hire, is another question. In many US states, such activities usually fall under the description of “Private Investigator” and require the investigator to be licensed with the state. I'm unclear on the status of similar laws and requirements in the UK, but I am currently unaware of anyone working in a company that does this sort of work holding any such license.

The references to 3.38, the E-Privacy Directive, are in the main fairly accurate, though. There has been little peer review of anti-P2P detection methods. Most companies claim 'trade secrets' over their collection methodology and technology. However, the vast majority of methods do not manage to identify anything beyond an IP address, much less a computer, and certainly NOT an individual. Thus, under the E-Privacy Directive, asserting anyone to be the infringer is false, as there is no evidence to back it up, and so it fails the accuracy standard. The only way to even have a hope of identifying the person is probably through behavior observation, using deep packet inspection for all computer activity. Even this will be confused by multiple people operating a single computer collectively, or multiple computers behind NAT.

There is also more comment on the quality of the investigation, with reference to the consultation's assertion that it must be successful if so many pay up. However, the consultation itself gives the reasons for it, on the next page, observing that “such legal action can cost in excess of £10,000”. In comparison, £500 isn't such a bad figure, and in that case, it's cheaper and easier to pay up. This is the problem with the current method of dealing with alleged copyright infringement, and it's one that will be dealt with further in a more appropriate response, such as Davenport Lyons' response.

As the conclusion of the submission rightly points out, though, the vast majority of the consultation document makes the assumption that identifying the infringer is easy and highly accurate. However, there are plenty of cases where this has been shown to be completely false. Thus, the writer is correct in saying that the majority of the document, and any proposed sanctions, are irrelevant unless and until an accurate and accountable system of identification can be found.

Consultation analysis overview
