Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

EPIC Letter on P2P Monitoring

From: Dave Farber <dave () farber net>
Date: Wed, 06 Nov 2002 12:00:11 -0500

------ Forwarded Message
From: Chris Hoofnagle <hoofnagle () epic org>
Date: Wed, 06 Nov 2002 11:47:43 -0500
To: dave () farber net
Subject: EPIC Letter on P2P Monitoring

Dear Professor Farber,

EPIC is sending a letter today on network monitoring of P2P usage in the
higher education community.  We've advised colleges and universities not to
take on any obligation to monitor P2P usage, as such monitoring can chill
free speech, impinge upon academic freedom, and invade privacy.  I hope you
will consider sharing the letter with the IP list.

The full text of the letter is pasted below, and is online at
http://www.epic.org/privacy/student/p2pletter.html

Regards,
Chris

November 6, 2002

Dear College or University President,

We are writing in regard to a series of letters you recently received on
issues of copyright infringement and peer-to-peer (P2P) file trading
networks. <[1]>  The Electronic Privacy Information Center (EPIC) is a
not-for-profit research center that focuses on the right to privacy and
emerging civil liberties issues. We believe these issues require a
circumspect analysis of the impact of network monitoring on privacy and
academic freedom. While network monitoring is appropriate for certain
purposes such as security and bandwidth management, the surveillance of
individuals' Internet communications implicates important rights, and
raises questions about the appropriate role of higher education
institutions in policing private behavior.

We recommend that your institution carefully consider the issues recently
detailed in a report by the National Science Foundation Logging and
Monitoring Project (LAMP). <[2]>  The LAMP report examines the intersection
of network logging, privacy issues, and security risks. It also recognizes
the unique environment of higher education institutions, and recommends
caution when engaging in monitoring.

While the Recording Industry Association of America (RIAA) has legitimate
interests in protecting against infringement, it is worth noting that
copyright law sets limits on the exclusive rights of content owners, making
some uses of protected material legal. <[3]>  The copyright trade association
approach has not always been sensitive to these different types of uses,
while raising significant privacy and speech concerns. <[4]>  Now, the RIAA
wishes to involve colleges and universities in the process of policing the
communicative activities of students, staff, and faculty in a way that is
significantly outside institutional missions. For this reason, and the
considerations listed below, we urge caution in adopting network monitoring
and other similar methods to address concerns about infringement.

Network monitoring can have a chilling effect on the marketplace of ideas.
It is critical that higher education institutions set policies that foster
open-mindedness and critical inquiry. As Chief Justice Earl Warren noted in
Sweezy v. New Hampshire, "Teachers and students must always remain free to
inquire, to study and to evaluate, to gain new maturity and understanding;
otherwise our civilization will stagnate and die." <[5]>

Monitoring the content of communications is fundamentally incompatible with
the mission of educational institutions to foster critical thinking and
exploration. Monitoring chills behavior, and can squelch creativity that
must thrive in educational settings. Furthermore, in order to monitor at
the level desired by the copyright industry--to detect file transfers
"without authorization"institutions would have to delve into the content
and intended uses of almost every communication. Such a level of monitoring
is not only impracticable; it is incompatible with intellectual freedom.

Monitoring individuals' network usage leads to data protection
responsibilities. Monitoring of individuals' network usage habits generates
records subject to a system of protections under the Federal Educational
Rights and Privacy Act (FERPA). <[6]>  In addition to the protections
provided by FERPA, a 1997 report by CAUSE (Association for Managing and
Using Information Resources in Higher Education) recommends a full system
of Fair Information Practices (FIPs) for the treatment of these student
records. This framework includes notification of policies; minimization of
collection of data; limits on secondary use; nondisclosure and consent; a
need to know before granting third parties access to data; data accuracy,
inspection, and review; information security, integrity, and
accountability; and education. <[7]>

Network monitoring appliances can be systems of general surveillance. The
RIAA has recommended widespread use of network monitoring to manage P2P
file sharing. These technical approaches can become systems of
surveillance. Once installed on an institution's network, they could be
used for copyright control today, and the control of ideas tomorrow.
Institutions should not build in a network infrastructure that facilitates
monitoring because "<[w]>hat may begin as logging activity to protect the
efficient and effective functioning of one system can become targeted data
collection and surveillance of a specific individual." <[8]>

Free environments shun technological controls on behavior. Because
individuals at institutions of higher education must always remain free to
inquire, colleges and universities are not the place for technological
restrictions on communication. Institutions of higher education should not
practice content monitoring, an approach that the controlled environments
of corporate workplaces and kindergartens have adopted.

Further, institutions that simply install a network monitoring application
circumvent deliberative academic policymaking. All stakeholders of the
university--including students--must be involved in a process that
recognizes the legitimate concerns of the copyright industry without unduly
hindering academic freedom, privacy, and fair use rights. As Professor
Virginia Rezmierski and Aline Soules have noted:

For a policy to be effective in guiding community behaviors, it must
reflect the full range of the community's values, must be understood and
embraced by community members, and must reinforce the most important values
and the mission of the institution as a whole. An effective policy requires
campus-wide discussion and the involvement of each of the major
constituencies of the community. <[9]>

The purported privacy and security risks of P2P are largely red herrings.
The copyright industry alleges that P2P programs jeopardize network
security and privacy. While all network-enabled applications raise security
concerns, P2P systems are not uniquely vulnerable and do not warrant
special treatment on these grounds. Far more damage to data integrity and
privacy results from exploits of Microsoft Outlook than from P2P
applications. Academic institutions have not responded to Outlook-based
security threats with prohibition or surveillance; instead, measures are
put in place to limit entry of known threats and educate network users
about appropriate protection measures.

Network surveillance and enforcement is likely to lead to an escalating
network "arms race," potentially harming overall network integrity and
performance. While P2P traffic currently travels over easily identifiable
TCP ports, if these ports are blocked or unreasonably throttled, it is
likely that this traffic will move to less easily filtered modes. Certain
P2P clients already use port 80 (usually reserved for Web browsing) when
they detect the presence of a firewall blocking other ports. <[10]>
Furthermore, file sharing applications utilizing sophisticated encryption
already exist, <[11]> and are likely to become widely deployed in response to
efforts to limit these systems. Academic institutions should not adopt a
confrontational role with respect to these technologies. By permitting
reasonable use of these applications, they can ensure that the traffic
remains identifiable for purposes of efficient bandwidth allocation without
the use of needlessly privacy-invasive techniques.

Under current law, educational institutions are required to take down
infringing content hosted on a university Web server. These provisions
provide an adequate remedy to address online infringement. But this new
proposal would shift the burden to colleges and universities to devote
scarce resources to monitoring online communications and to identifying and
"prosecuting" individuals suspected of using P2P networks to commit
copyright violations. This is neither a reasonable nor an appropriate
burden to place on institutions of higher education. Refusing to accept
this burden will not leave the copyright trade associations without
recourse in cases of infringement via P2P networks; instead, the power to
authorize policing and adjudicate guilt or innocence will remain where it
belongs, in the courts. If a copyright owner suspects such infringement, it
can initiate a lawsuit against the suspected wrongdoer.

We recommend that institutions take a careful approach to addressing the
legitimate concerns of the copyright industry. We also recommend that
institutions not adopt privacy-invasive technologies or policies that
impinge upon academic freedom and privacy in order to address those
concerns. Network monitoring for bandwidth management is appropriate, but
monitoring of individuals' activities does not comport with higher
education values.

Sincerely,

Marc Rotenberg
Executive Director

Chris Hoofnagle
Legislative Counsel

Adam Kessel
IPIOP Fellow

Ruchika Agrawal
IPIOP Fellow

Cc:

Mary A. Burgan, American Association of University Professors
Judith Boettcher, Corporation for Research and Educational Networking
Alan Charles Kors, Foundation for Individual Rights in Education
Robert Paterson, SIGUCCS, Americans for Computing Machinery
Julie Beatty, United States Student Association
Jackie Tyson, National Association of Graduate-Professional Students




<[1]> Letter from Hillary Rosen, Chairman and CEO, Recording Industry
Association of America, to College and University Presidents (Oct. 3,
2002), at http://www.riaa.com/pdf/Universityletter.pdf; Letter from David
Ward, President, American Council on Education, to College and University
Presidents (Oct. 9, 2002), at http://www.riaa.com/pdf/Copyrightletter.pdf.

<[2]> Virginia E. Rezmierski & Nathaniel St. Clair, II, Identifying Where
Technology Logging and Monitoring for Increased Security Ends and
Violations of Personal Privacy and Student Records Begin, Final Report of
the National Science Foundation Logging and Monitoring Project (2001), at
http://www.aacrao.org/publications/catalog/NSF-LAMP.pdf.

<[3]> See 17 U.S.C. §§ 107-122, 1008.

<[4]> Jessica Litman, War Stories, 20 Cardozo Arts & Entertainment Law
Journal 337 (2002) (forthcoming), at
http://www.law.wayne.edu/litman/papers/warstories.pdf; John Markoff,
Scientists Drop Plan to Present Music-Copying Study That Record Industry
Opposed, New York Times, Apr. 27, 2001; Legal Concerns Delay Publication of
Research on 'Digital Watermarks,' Chronicle of Higher Education, Feb, 9,
2001.

<[5]> 354 U.S. 234 (1957).

<[6]> 20 U.S.C. § 1232g.

<[7]> Privacy and the Handling of Student Information in the Electronic
Networked Environments of Colleges and Universities, CAUSE, April 1997, at
http://www.educause.edu/ir/library/pdf/pub3102.pdf.

<[8]> Rezmierski & St. Clair at 1.2. Further, "College and university
communities are vulnerable to unwitting as well as purposeful abuses of
network and information systems." Id. at 1.1.

<[9]> Virginia E. Rezmierski & Aline Soules, Security vs. Anonymity: The
Debate over User Authentication and Information Access, EDUCAUSE Review
(March/April 2000), at http://www.educause.edu/ir/library/pdf/ERM0022.pdf

<[10]> http://www.groove.net/.

<[11]> http://www.freenetproject.org/.

--------------------------------------------------------------------
Chris Hoofnagle, Legislative Counsel    +1.202.483.1140 (tel)
Electronic Privacy Information Center   +1.202.483.1248 (fax)
1718 Connecticut Ave., NW Suite 200     hoofnagle () epic org
Washington, DC 20009  USA
http://www.epic.org/                    http://www.privacy.org/
--------------------------------------------------------------------



------ End of Forwarded Message

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To unsubscribe or update your address, click
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
Previous By Date Next
Previous By Thread Next

Current thread: