I've discussed Audible Magic and its filtering technology on "The Importance Of..." before: Audible Magic's Sleight of Hand. Basically, Audible Magic filters content based on an audio fingerprinting service that checks against a database of copyrighted works. Installed in a piece of P2P software, it prevents copyrighted works from being transmitted in the first place, which is what the article above discussed. However, Audible Magic is now attempting to sell its technology to schools and universities. In such cases, Audible Magic's technology will listen in to the data transfers (aka sniff packets) in the network and attempt to terminate those virtual circuits it believes are violating copyright. See, Audible Magic's six-page white paper: Managing Peer-to-Peer Traffic with the CopySense™ Network Appliance [PDF].
EFF has just posted a technical analysis of the CopySense technology and concluded that it would be easy to defeat (Audible Magic — No Silver Bullet for P2P Infringement):
Session encryption for file transfers based on ephemeral keys represents a cheap, easily implemented countermeasure that would effectively frustrate Audible Magic's filtering technology. Based on publicly available information, it does not appear that this vulnerability can be easily remedied. Should Audible Magic's technology be widely adopted, it is likely that P2P file-sharing applications would be revised to implement encryption. Accordingly, network administrators will want to ask Audible Magic tough questions before investing in the company's technology, lest the investment be rendered worthless by the next P2P "upgrade."
However, EFF's technical paper doesn't address many of the policy issues. When I read their report, however, one policy/legal issue immediately came to mind:
An engineering goal of Audible Magic's network appliance is to add no additional latency to the network. Therefore, it cannot be interposed between the client and the server, as it would be in traditional firewall or filtering proxy deployment. The network appliance is installed as a peer to other hosts on a network segment, not as a gateway or bridge. The segment is configured such that the appliance can sniff all traffic going over the link layer fabric.
Audible Magic functions like a wiretap. Which leads to the question:
Does Audible Magic Violate Wiretap Laws?
I believe that there is good reason to think so. Interestingly, I was unable to find a discussion of this issue on Audible Magic's website. There was a reference to legal issues in their white paper, but it was ambiguous:
Some of the P2P vendors are encrypting packet content. Does that affect sensing? Some of the P2P applications do encrypt the search process, but encryption is not used in the actual file transfer. This would carry legal implications if it were implemented.
What would carry legal implications? Implementing encryption for file transfers? It would certainly carry legal implications if Audible Magic were cracking encryption to look at copyrighted content. It's called a violation of the anti-circumvention provisions of the DMCA. Even if there were a technical means for Audible Magic to crack encryption during packet sniffing, it would clearly be illegal under existing law. But I digress.
The wiretap law in question is 18 USC 2511: "Interception and disclosure of wire, oral, or electronic communications prohibited." In pertinent part it reads:
(1) Except as otherwise specifically provided in this chapter any person who -
(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;....
shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5).
To understand this, however, we have to look at a couple of the definitions (18 USC 2510):
(4) ''intercept'' means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device....
(12) ''electronic communication'' means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce,....
Alright, let's look at this. P2P transfers would certainly seem to qualify as "electronic communication." Perhaps I'm mistaken, but sniffing and holding packets in order to analyze the content for digital fingerprints would seem to be "acquisition of the contents" of an electronic communication. Indeed, using the contents of the copied packets in this manner might also be a violation of 2511(1)(d):
(d) intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection....
shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5).
However, does Audible Magic's technology fall into any of the exceptions? Such as 2511(2)(a)(i):
It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.
Is Audible Magic's technology a "necessary incident" to the rendition of service? Nope. Is it a "necessary incident" to protection of the rights or property of the provider of the service? No. There are various traffic control algorithms that don't need to be as invasive as Audible Magic's technology if P2P traffic is a problem. Legally, the DMCA's safe harbor provisions (17 USC 512) don't require packet sniffing.
There is one provision that might provide protection: 2511(2)(d):
It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.
The key here, however, is that there must be consent on the part of one of the communicating parties. Now, most terms of service include provisions for packet sniffing for "security purposes." Presumably, this would include things like scanning for viruses or trojans or what not. I don't think copyright enforcement is a "security purpose." Spam filtering for email is usually a separate consent for email terms of service.
You would think that Audible Magic's webpage might mention that consent is necessary for this before someone implements their system and subjects themselves to possible criminal and civil (18 USC 2520) liability.
For those who are wondering, the recent email wiretap case, US v. Councilman, which I've discussed previously (E-Mail Wiretap Decision: Out of the Wiretap Frying Pan, Into the Copyright Fire), would not control in this case. Unlike the copying of stored emails, Audible Magic involves packet sniffing, which would be a "contemporaneous acquisition" and thus the equivalent of a wiretap.
Ok, So We Get Consent, So What?
Well, it's an awful precedent. With the exceptions of particular applications (such as email) in which the filtering is explicit and essentially implemented by the users, this is a program that looks into the content (application layer) of every packet no matter the application. Generally, network management takes place on much lower communication layers and isn't concerned with content at all.
However, if universities and other organizations adopt a policy that it is permissible to inspect application layer packets, what other filtering regimes might they implement? Why not an indecency or obscenity filter? Why not a program that flags and terminates conversations when key words such as "bomb" or "cheat" are mentioned? Do we really want to encourage a regime of private wiretaps to enforce various policies? This may sound alarmist, but once you've set a precedent that it is okay to inspect application layer packets for "illicit" bits, you've begun to significantly erode privacy.
And, in any case, such filtering ultimately wouldn't work, as EFF points out. Reduction in privacy for no benefit. That's great.