Re: classifying P2P traffic - what about legit uses? Part Deux

[Randy Marchany <marchany () VT EDU>]

A few more observations.....

1. There is no direct correlation between banning P2P traffic and reducing the
number of DMCA violations that occur on your campus. I can violate the DMCA
with HTTP, SSH, FTP. All that you can say is that no DMCA violators using P2P
have been "caught" by the MPAA/RIAA.  You can't claim you've eliminated DMCA
violations. If the P2P block is at the campus border, you still have P2P
within campus and you can still have DMCA violations. If you block P2P within
campus, then I feel sorry for your net admins :-). It says nothing about the
practice of downloading illegal copies of material. Solve this user awareness
issue and illegal DMCA events drop dramatically.

2. Blocking/restricting P2P traffic because of performance issues is a legit
concern. However, even the smallest schools can address this issue by doing
things like rate limiting, charging the highest bandwidth users, etc. and not
banning the technology outright. Remember that P2P isn't the only massive data
transfer service on the net. In the days before P2P, it was WWW, FTP traffic.
Do you block those services because they consume net bandwidth? Restrict
access? How do you justify interfering with the normal course of business (I
need my FTP, I need my P2P, I need my SSH, I need my HTTP) of your
institution?  Bandwidth limiting addresses a net performance problem that is
"independent" of data transfer technologies such P2P, FTP, HTTP, SSH, etc. and
DMCA violations. Blocking one technology only shifts the burden to other
transfer technologies. The real problem to be solved here is how to increase
net bandwidth.

3. I'm part of our IT Security Office and have done security stuff for 16
years or so. One of the most difficult things to do is balance security needs
with normal business operations of the University. One of the easiest errors a
security type can make is to dictate a certain security course of action
without examining its impact on the business process of the departments. Years
ago, a friend of mine got a Mac. I geeked over it and she patiently waited for
me to finish and then calmly told me, "That's nice but as far as my job is
concerned, the Mac is a stapler. It helps me do my REAL job." The message: IT
is a tool that make the business process more efficient. Now, when we come up
with security directives, we try to measure its impact on the business
process. If it's too restrictive, people will work around and the end result
is that we still have a security issue. Too restrictive works in the
commercial and military world, not ours.

4. We need to figure what the real problem is and then work to solve it. The
real problem of "illegal" P2P traffic is copyright violations and the threat
of sanction from RIAA/MPAA. Joel said it simply: "if it's against the law and
you get caught, you are in trouble." Hammer that message to your user
community and we start to solve this problem.

5. Remember that my original comments were on "legitimate" use of P2P. Find
solutions that allow that to happen and don't take the easy way out by banning
it. You only shift the problem to other transfer technologies. A number of
schools leave up to a vendor solution (IPS, etc.) to identify illegal P2P
traffic. How does a vendor know what's illegal? Why would you trust them?


        -r.