Thursday, August 02, 2012

Malte Spitz: Your phone company is watching

Malte Spitz: Your phone company is watching "Every time you use your mobile phone let it be a reminder that you have to fight for self determination in a digital age."



Tell your friends privacy is a value of the 21st century and it is not outdated... tell your political representatives that just because companies and state agencies can store certain information doesn't mean they have to [or should be allowed to] do it.

Wednesday, August 01, 2012

DEA & robust evidence of copyright infringement

Consumer Focus last week published a really important report by Dr Richard Clayton of Cambridge University on collecting robust evidence of online copyright infringement through peer-to-peer filesharing. The report was commissioned to help Ofcom:
"in the implementation of the Digital Economy Act 2010 through a statutory Initial Obligations Code. When it comes to taking action against people accused of infringement, the standards of evidence are critical. The Digital Economy Act 2010 requires that the Initial Obligations Code makes provisions on the ‘means of obtaining evidence’ and the ‘standard of evidence’ for copyright owners who want to lodge ‘copyright infringement reports’ against consumers with their internet service provider (ISP).
The report provides advice on standards and procedures which should be adopted to ensure that copyright owners can reliably identify an internet connection which has been used to infringe copyright through peer-to-peer filesharing. Dr Clayton then describes how ISPs can robustly match internet subscriber details to IP addresses, which are dynamically allocated to domestic internet connections. Under the Digital Economy Act 2010 subscribers, who are the bill payers for an internet connection, can appeal a notification of alleged copyright infringement if they can show that they did not commit the alleged infringement, and took ‘reasonable steps’ to prevent others from infringing. Dr Clayton therefore concludes his expert report on traceability by assessing how subscribers to an internet connection could identify who may have used their connection to infringe copyright."
Saskia Walzel, policy manager at Consumer Focus responsible for copyright policy, has a nice article in ORGZine explaining the key findings.
In outline the report covers:
  • the theoretical basis for monitoring file sharing activity and detailed advice on how this should be done properly - this monitoring is theoretically possible but it is essential that the practical details are right
  • the need for good record keeping to ensure all this monitoring can be audited, errors detected and corrected
  • the problems ISPs will face 
  • a "doctrine of perfection" in relation to the gathering of evidence (if the ISP receives a batch of data containing just a single error then the whole batch should be rejected) that needs to be applied to reduce the risk of systemic failures leading to widespread false accusations of copyright infringement
  • the problems with identifying suspected subscribers when ISPs are using large scale NATs (which breach end to end neutrality)
  • the fact that the ISP customer may be unable to identify who has been using their account for inappropriate file sharing
  • p2p designs and development and likely evolution to evade the kind of monitoring the DEA requires
  • when an ISP writes to a customer about alleged copyright infringement it is recommended that an outline of how the monitoring system works should be included; they should also be told "the full range of scenarios" as to how file sharing can occur on their account without their knowledge.
The reality of the Digital Economy Act's (DEA) online infringement of copyright provisions (sections 3 - 18) may finally begin to hit home next year (theoretically) when thousands of people start to get accusatory letters about copyright infringement from their ISPs. The UK courts have not fully tested evidence presented in such copyright infringement cases as the few that have been pursued were eventually settled out of court. So there is no authoritative legal guidance on standards of evidence or process. Richard Clayton's report is, therefore, an invaluable contribution, particularly so for the clarity with which he analyses the technical, evidentiary, monitoring and systems processes involved.

The report describes, in detail, the kinds of procedures and standards that need to be followed and the how, what, when, where, who and why of specific technical evidence that needs to be collected to be confident of identifying a specific IP address used in copyright infringement.  It is unacceptable just to crudely harvest IP addresses and send out threatening letters as the now infamous ACS Law crew did. There has to be a clear unbroken chain of solid, reliable, technically sound, recordable, auditable evidence, delivered through a robust investigative process, leading from the infringement to the alleged offending IP address.

Establishing the IP address is only the first step according to the DEA. The ISP then has to identify the customer associated with that IP address at the relevant time and notify them of a complaint by a copyright owner. The customer then has to decide whether to appeal. There's a £20 fee for appealing but if they can prove that they personally didn't engage in copyright infringement and took “reasonable steps” to prevent others from infringing they'll win the appeal.

Unfortunately, as Richard Clayton very articulately explains in the report, the ISP customer whose name is on the account may not be able to identify who has been using their internet connection for file sharing.  The reasons are many (see paragraphs 108 to 134 of the report).  That finding alone raises important questions about the DEA online copyright infringement provisions and whether they can be operated fairly and with due process.

I highly recommend reading the report in full. It should be required reading for anyone who considers themselves an informed citizen. It's a very accessibly written technical document on how to gather, robustly and reliably, digital forensic evidence of internet users' alleged misuse of peer to peer technologies.  Richard Clayton makes no comment about the privacy or ethical issues associated with all this - though there are clear warnings e.g. about the need for the monitoring system design to be open to the public, as 'secret' or proprietary designs are not capable of creating reliable results - but the pervading sense of this report is overwhelmingly one of: if you have to do this then you damn well better do it properly and with due process.

Dr Clayton should be highly commended for producing a unique, terrific report on an important subject which even the most geekily challenged reader can peruse with little difficulty.

Monday, July 30, 2012

Brailsford, trolling and modern day Murrows

Further kudos to Dave Brailsford, the performance director of British cycling.

I heard Victoria Derbyshire on Radio 5 live this morning idiotically attempting to goad him into getting into a row with the press. It's really irritating when media 'personalities' try to create controversy out of nothing by provoking people. Ms Derbyshire asked Mr Brailsford what he thought about the severe critcism of some of the Sunday papers. He quite reasonably and good naturedly responded that he didn't read them.

Ms Derbyshire replied that she did not want to be the bearer of bad news (I believed her but millions wouldn't) but the newspapers had described Mark Cavendish's failure to win the gold medal in the Olympic cycling road race on Saturday as a "disaster", "catastrophic" and other similar such exaggerations and harbingers of doom. She wanted to know what Mr Brailsford's reaction to that criticism was and would not let go.

He calmly again explained he didn't read the papers but that the team had given everything in their efforts in the race and he was proud of them and could not have expected any more.

It is ridiculous to characterise the failure of a sports star to win a race as a 'disaster' (a sudden ruinous event or great misfortune or mishap causing great loss of life, damage, or hardship e.g. an earthquake, a flood or a plane crash). Even more so to lend such descriptions credence. And worse again when so called 'respected' journalists, like Derbyshire, try to incite heated reactions to such unadulterated nonsense in order to create a story out of nothing. With the Olympics in town it's not as if they are exactly short of sports stories anyway! I'm no believer in golden ages when the media reported rather than created stories but we could do with a few more Edward R. Murrows influencing the modern news agenda.

Ms Derbyshire tried every angle she could think of to stir up a row - what did they do wrong; how was Mark Cavendish feeling; why didn't the team do something different; how were the team reacting to it and each other; how did Mr Brailsford feel about the press criticism; what would he do differently; surely if they got another chance they would try something different.

Mr Brailsford batted it all away calmly and neutrally and expertly refused to get pushed into lashing out at media trolling. There are a lot of cycling events to come and the team have prepared well and are hoping for success. Judge them by all means on the medal haul at the end of the Games rather than the disappointment of failing to win the first. Well done Mr Brailsford and good luck to you and your team... apart, of course, from when you're up against the Irish!