Friday, August 28, 2009

Eircom, three strikes and false positives

I've said before now that the three strikes system which Eircom has agreed to use is likely to result in innocent people being wrongly accused.

Some of these cases will be due to Eircom's own incompetence in issuing up to 250,000 wireless routers with easily guessable passwords - which will result in some people piggybacking on Eircom users' connections. But there is a wider problem, in that the investigators used by the music industry have a track record of making false copyright infringement claims.

A particularly interesting study from the University of Washington (Zeropaid story | Full details and paper) shows the risks.

In that study, the researchers document receiving 487 notices under the DMCA: all wrongfully alleging that files were being illegally shared over BitTorrent. Among the alleged culprits were three laserjet printers which between them were accused on nine separate occasions of downloading movies. (Bad printers! No toner for you tonight.)

The research conclusions?
Practically any Internet user can be framed for copyright infringement today.
By profiling copyright enforcement in the popular BitTorrent file sharing system, we were able to generate hundreds of real DMCA takedown notices for computers at the University of Washington that never downloaded nor shared any content whatsoever.

Further, we were able to remotely generate complaints for nonsense devices including several printers and a (non-NAT) wireless access point. Our results demonstrate several simple techniques that a malicious user could use to frame arbitrary network endpoints.

Even without being explicitly framed, innocent users may still receive complaints.
Because of the inconclusive techniques used to identify infringing BitTorrent users, users may receive DMCA complaints even if they have not been explicitly framed by a malicious user and even if they have never used P2P software!

In light of these findings, I wonder how reliable the evidence presented by the music industry to Eircom will be, and whether the flaws identified in this study will be addressed. So far, all we have to go on are leaked details of a draft protocol between Eircom and the music industry on the information to be provided with each accusation.

Those details are, however, too vague at this stage to be useful.

For example, the draft apparently provides that "the information which will be provided by the record companies will be of the same type as that used in the three previous disclosure actions in the Irish High Court". What precisely does this mean? Similarly, the protocol appears to require the music industry to provide "the digital fingerprint/hash for copyright material detected". Does this mean that before a complaint can be made, the investigators must download the entire file allegedly shared by the user? There is also apparently provision for "reputable annual independent certification that the necessary ... I.T. ... controls relating to the obtaining, generating and processing of data by Detecnet ... have been complied with". Will this require certification that the types of problems identified by the University of Washington and others have been solved? In fairness to Eircom, it does appear that it has made some efforts to include elements in the agreement which might meet some of these problems. But without more detail on the agreement it's impossible to be confident that innocent users (or printers!) will not be wrongly accused.
