Tuesday, May 01, 2007
PISA comments on "Copyright Protection in the Digital Environment"
Through the effort of PISA members, PISA has prepared the comments below on "Copyright Protection in the Digital Environment". Your comments are welcome, and we look forward to further discussion with you all.
Antony
++++++++++++++++++++++++++++++
Commerce and Industry Branch
Commerce, Industry and Technology Bureau
Level 29, One Pacific Place,
88 Queensway, Hong Kong
E-mail: co_review@citb.gov.hk
Dear Sir/Madam,
Response to the Consultation on “Copyright Protection in the Digital Environment”
A. Background
A.1 Professional Information Security Association (“PISA”) is a non-profit-distributing association established in 2001 in Hong Kong for local professionals in the information security sector. Our vision is to utilize our expertise and knowledge to help bring prosperity to the society in the Information Age.
A.2 We are working very closely with the Government, especially in the information security area. We are currently a member of the Office of the Government Chief Information Officer (“OGCIO”) Special Task Force on Information Security under the Digital21 Strategy Committee. We were a member of the Cyber Security Taskforce of WTO MC6 in 2005. In the past years, we have been interviewed by the Police Magazine; invited by the Hong Kong Computer Emergency Response Team Coordination Centre (“HKCERT”), the OGCIO and the Hong Kong Police Force to deliver security awareness seminars to the public; and invited by the OGCIO to deliver internal briefings to government officers.
A.3 On the issues dealt with in this consultation paper, we were also consulted by the Customs and Excise Department on P2P security and investigation issues in 2005. Furthermore, we contributed article(s) to RTHK Digest on the issues of evidence collection by copyright owner(s) in civil cases in 2006.
A.4 We take this opportunity to share our views as a professional body with expertise in security and privacy, and hope that we can offer independent and impartial views on the matter.
A.5 This document was prepared by a team of PISA members, including:
- Mr. SC Leung
- Mr. Sang Young
- Mr. Andy Ho
- Mr. Howard Lau
- Mr. Antony Ma
B. Building the foundation of our viewpoints
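B.1 Our views are based on our expertise and ethical standard in information security, as well as on professional independence and critical thinking.
B.2 We must admit that there is no easy answer to each question raised.
Our stand is:
- we must strike a balance between fostering creativity for the general good and giving business opportunities
- we must strike a balance on the interests of different stakeholders
- we must strike a balance between the enforcement of the laws and the liberty of the citizens, or more specifically, the Netizens.
- copyright law should endure the rapid changes in technological advancements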
1. A Copyright Law that catches up with the Digital Age (a Balanced View)
1.1 We agree with the consultation paper that we have to view the copyright issue in the realm of a digital age. We have witnessed the merger of the broadcasting and telecommunication authorities of the HKSAR Government, which reflects the merging of the traditional broadcasting industry with the new telecommunication and information technology. We have also witnessed the different digital media merging. We no longer see people wearing a mini-drive or CD-walkman along the street, but rather enjoying music or movies on MP3 players, mobile phones or even PSP game players. We are also witnessing iTunes and other online delivery of copyrighted works flourishing outside Hong Kong. Can our copyright law cope with these changes?
1.2 Private Copying and Fair Use
1.2.1 Private Copying
Currently, copying creative pieces of work from one's own CD disc to one's hard drive, or to an MP3 player, or to a mobile phone is itself an infringement of right (copyright), though the music and film industry is not eager to sue over this action for “damages”. If the law is to stay updated with the digital age, the law should be amended in such a way that it focuses on infringement of unlicensed material only, freeing the public who own a licensed copy from the threat of unnecessary civil claims. PISA cannot see any reason for the industry and the public to have doubt about this. This point of view has been supported in the UK's Gowers Review of Intellectual Property 2006 (note 1).
1.2.2 Fair Use
We suggest that the HKSAR Government make reference to the US Digital Millennium Copyright Act (DMCA) and the concept of “fair use”. In the US, fair use is a concept that certain uses of copyright protected material do not require permission of the copyright owner when done for essentially non-commercial reasons. Any person may make fair use of a copyrighted work, including the making of unauthorized copies, in the following contexts:
- in connection with criticism of or comment on the work
- in the course of news reporting
- for teaching purposes, or
- as part of scholarship or research activity.
As a practical matter, fair use is primarily an affirmative defense to a claim of copyright infringement, to argue that even if infringement occurred, there is no liability, because the infringing activity was excusable as a fair use of the original work.
1.3 Encouraging the use of digital media
Government should also give incentive to research and development in digital rights management technology, and encourage the industry to use digital formats to deliver their work pieces. This is a more efficient and environmentally friendly medium for distribution. From the perspective of the information security sector, the development of digital rights management is crucial to the protection of copyright in the digital age as well as to data protection.
1.4 Approaches of Protection and Advocacy of Creativity
1.4.1 We have seen two contrasting approaches, namely the “Free/Open Source (software) - Creative Common (non-software)” movement and the “Copyright protection (software and non-software)” movement in the development of software and creative work industries. At the extreme end of this continuum on the “copyright protection” side is the call by Cliff Richard in the UK record industry to extend retrospectively the terms of copyright materials from the current practice of 50 years to 95 years.
1.4.2 We must point out that both movements are contributing to the software and creative work industries from different perspectives. As information security professionals, we benefit most from the free software tools written by authors mostly from overseas. Their quality is considered to be as high as commercial copyrighted tools in many ways. Successful experience from security software, such as Snort (or SourceFire [note 4], the commercial version) and Nessus (or Tenable [note 5], the commercial version), and creative works such as the stock photo exchange stock.xchng (or stockxpert [note 6], the commercial service), has proved that a programmer or creative worker can distribute software or creative works in combinations of licenses and otherwise simultaneously to benefit the user community, while making commercial sense. Without these brilliant works, the hurdle in acquisition of knowledge and skill will be steep, and the lack of such works may be fatal to a knowledge-based economy. Labels of “All Rights Reserved”, “Some Rights Reserved” and “No Rights Reserved” should be equally respected by the users.
1.4.3 Our copyright laws should be modernized, allowing the flexibility for different categories of “copyright” licenses to coexist and to develop in parallel. Under the current arrangement, however, if an artist prefers to license his musical or vocal creative work free so as to maximize its distribution (to allow the maximum number of people to enjoy it, and to spread his fame, etc), or he wants to use his own works in a public arena, then he is still obliged to pay a license fee to the records licensing industry association. Can we lift hurdles like this in Hong Kong? It appears that the philosophy of the consultation paper is biased to one end of the copyright license continuum and has paid little attention to addressing this bizarre phenomenon.
1.5 Recommendations
a. PISA considers the fair and reasonable application of copyright material is imperative to Hong Kong’s movement towards a “knowledge economy”.
b. The copyright laws should cover and enable the enforcement in cases where private users practicing the copying of copyrighted materials (in particular those for private uses and by any technology means which are equivalent to using a CD).
c. The copyright law should cover fair use of copyrighted material in these circumstances:
- in connection with criticism of or comment on the work
- in the course of news reporting
- for teaching purposes, or
- as part of scholarship or research activity.
2. Building Better Practice in Private Investigations of Copyright Infringement
2.1 In the past year, we have seen a proactive approach taken by copyright owners to investigate cases of copyright infringement. We appreciate that they take ownership of their rights. We have also found that some of these cases were settled out of court, saving costs and time. However, we have the following suggestions to increase the credibility of this approach in alleviating the legal burden.
2.2 Concern on privacy over the copyright owners' investigations
Collection of personal activity information over the Internet touches on the most sensitive privacy issue, namely privacy. Not all private investigations may meet the level of prudence of those carried out by law enforcers. If some of them are problematic, then the general public have the right to question the legitimacy of such kind of activities.
2.3 Concern on prudence of methodology of the copyright owners' investigation
According to the information collected from technical staff from some ISPs and universities, some of the IP address/time information produced by copyright owners in investigation produced no match, i.e. no one was using the revealed IP address at that time. It might indicate that the data collection approach was itself problematic: the lack of time synchronization of the data collected with the Hong Kong Observatory clock reference, or other issue. The integrity of the data collected therefore could bring about the wrong case with the wrong interpretation by the Court, thus leading to an erroneous decision of the Court.
2.4 Concerns on the handling of personal data received from the ISP
From the security and privacy perspective, the data obtained by the copyright owners during their investigation and from the ISP should be treated as a strictly confidential data asset. The storage, transport and erasure should be undertaken in a secure and managed way.
2.5 Are the cases settled in a fair way?
a. If an innocent ISP customer is wrongly investigated, what protection and remedy are available for him, after disclosure of his personal information and his privacy being infringed? This is one fairness problem.
b. Out-of-court settlement accounts for the majority of the copyright cases. One might question if threatening tactics have been used in these cases. We have no evidence to either prove or disprove such cases and so far we have entrusted the copyright owners. However, the lack of a user-end organization like EFF [note 7] (Electronic Frontier Foundation in the US) to protect the privacy of Internet users could make the see-saw topple to one side. This is another fairness problem.
2.6 Recommendations
a. The industry carrying out investigations and surveillance should provide more transparency on the methodology of investigation, the scope of the surveillance, and how the collected data is handled, so as to alleviate the public concerns over privacy infringement.
b. PISA encourages the ISP to carry out validity checking before turning out customer data, and to undertake the best practices in keeping good evidence (including more synchronization with an observatory clock).
c. PISA also encourages the film industry, which is a major claimant of copyright cases, to carry out validity checking of the evidence themselves.
d. The Court should also develop a higher standard in admitting the preliminary evidence provided by a copyright owner in applying for a warrant, to enforce the ISP to provide customer information according to such preliminary evidence provided.
e. PISA encourages these efforts to be coordinated and to balance the interests of different parties. A round table with a meeting agenda and published results can facilitate the general public in understanding the discussion and agreement reached.
f. It appears to be more transparent and fair for both sides if a dispute resolution system by a neutral third party (outside the Court, which is overseen by a panel of different stakeholders) is capable of resolving the disputes. This is a direction worth considering.
3. Should Copyright be criminalized and should ISP be obliged to log P2P?
3.1 PISA understands that the problem of copyright infringement is hampering the development of the software and creative work businesses. We also understand that the investigation is not a simple job. As part of the IT sector, which is in a symbiotic relationship with the creative media industry in this digital age, PISA is in total empathy with them.
3.2 On the other hand, we have to balance the interests of different parties. From a legal point of view, whether a user downloading copyright material via P2P file sharing is publishing that material is still arguable [note 8]. Another question is, “Is copyright infringement so serious that we have to criminalize it, disregarding other factors?” There is no sufficiently strong argument at this moment. We have seen various implementations in different countries. For some countries which do criminalize the act, the scope of application is narrower, limited to downloading for commercial advantage only for exceeding a certain large amount.
3.3 Log Record Keeping
Currently ISPs in Hong Kong are not legally mandated to keep logs and retain them for a specified period of time. However, as a practice developed by the industry, most ISPs are keeping logs of a customer's identity, login/logout time and assigned IP address, and the general retention period is six months. Under an order of the court, ISPs are giving out the relevant customer's information for investigation of criminal cases. In the past, civil cases relating to copyright infringement have been taking advantage of this system. Copyright owners were able to obtain the customer's information from the ISP by providing the IP address-timestamp pair and by providing a court order.
If there is legislation to transform the current practice into written law, it would not be unreasonable. However, the benefit of legislation should be only very marginal, mainly forcing the minority of uncooperative ISPs to comply.
Those people most actively proposing that ISPs should keep logs are asking for ADDITIONAL logging, which includes records of users performing P2P activities. Currently most ISPs are not logging activities of users beyond login/logoff. They could perform additional logging of an individual user when there is an order from law enforcement in criminal cases. If we demand a higher standard of logging from the ISPs covering ALL users' P2P activities, would it be proportional to the severity of the act or crime conducted? Furthermore, would it be fair to transfer the burden of evidence collection to another party (i.e. the ISP) for the sake of protecting another party's (i.e. the copyright owner's) commercial interest?
3.4 Even if the copyright owner is willing to pay for and cover the additional resources for ISP logging, would it be compliant with the privacy of the users if their Internet activities are logged before they are proved to be criminal? Currently there is no requirement for an ISP to log suspicious Internet activities of an individual user before the Police have obtained warrants or orders from the Court. Why is a "potential but not proved" copyright infringement justification to log certain network activities of all users? Is copyright infringement itself a much more severe crime than other “tamer” crimes like hacking or virus spreading? This is a big, big question mark!
By the same principle, PISA also questions the justification to allow copyright owners to demand ISPs to give out a suspected copyright infringer's information without going to the court. This fast track process is itself putting the severity of copyright infringement (currently a civil liability) over other criminal acts.
3.5 Even if (1) copyright infringement is criminalized, (2) the copyright owner is willing to take up the extra resources of logging and (3) for some reason, copyright infringement becomes more important than other cybercrimes that require extra logging, then the question is whether it is proper to log “copyright infringement probable” traffic.
3.6 Even if we have overcome all problems stated above, we have to ask what are the specific P2P protocols to log. At this moment no party can give a definitive answer. P2P in itself is a collective name for families of different protocols for different purposes.
Even if we limit our scope to, say, BT today, then from an information security aspect the logging can be evaded easily tomorrow. We have seen protocols of ICQ, MSN and others being targeted by corporations for some time and blocked at the firewall level. After a short while, the protocols themselves evolve to use other TCP ports or other technology to bypass the blocking, for example by using TCP port 80, which is used by every web access. However, at the same time P2P is also used for productive activities like download of freeware software CD images, media streaming and file transfer. So the effectiveness of logging merely the P2P protocol is questionable, and furthermore, no one is sure how to easily identify the P2P that is required to be logged.
3.7 P2P is a disruptive technology. It brings about opportunity but it also creates troubles. But P2P is by far the most resilient technology now for delivering information. The biggest disruptive technology is ironically the big “Internet” technology as a whole. As information security professionals, we admit that the Internet itself is the biggest source of security problems and crimes today. Yet we do not propose to ban this technology but rather to increase its security assurance in order that the world can enjoy the productivity and benefits it brings about. Businesses and individuals are starting to add an accountability element to BT-like protocols in order to track the sources.
3.8 Summary of Comments on Criminalization, etc.
PISA has not identified strong evidence that there is an urgent need to criminalize copyright infringement by downloading, and so is against criminalizing it at this moment.
Should there be any inquiry, please contact us at telephone 81046800 or email: info@pisa.org.hk
Yours faithfully,
Mr. Howard Lau
Chairperson
Professional Information Security Association
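
Sections 2.3, 2.6(b) and 3.3 of the letter turn on matching an IP address-timestamp pair against an ISP's login/logout records, and on how clock or time zone errors produce "no match". The following Python validity check is an added example, not part of PISA's letter or any ISP's tooling; the log format, account names, documentation-range addresses and the two-minute skew tolerance are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HKT = timezone(timedelta(hours=8))  # Hong Kong Time, UTC+8, no daylight saving

# Constructed ISP session log: account, assigned IP, login, logout (ISO 8601, UTC).
# Accounts are made up; addresses come from the 203.0.113.0/24 documentation range.
SAMPLE_LOG = """\
acct-1001 203.0.113.7 2007-03-10T12:00:00+00:00 2007-03-10T13:05:00+00:00
acct-2002 203.0.113.7 2007-03-10T13:06:30+00:00 2007-03-10T15:40:00+00:00
acct-3003 203.0.113.9 2007-03-10T09:00:00+00:00 2007-03-10T23:00:00+00:00
"""


@dataclass(frozen=True)
class Session:
    account: str
    ip: str
    login: datetime   # timezone-aware
    logout: datetime  # timezone-aware


@dataclass(frozen=True)
class Verdict:
    status: str      # "unique", "ambiguous", "no_match" or "unusable"
    accounts: tuple  # accounts that held the address inside the window
    reason: str


def parse_log(text):
    """Parse the whitespace-separated sample format into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        account, ip, login, logout = line.split()
        sessions.append(Session(account, ip,
                                datetime.fromisoformat(login),
                                datetime.fromisoformat(logout)))
    return sessions


def check_claim(sessions, ip, observed, max_skew):
    """Decide whether an (IP, timestamp) claim identifies exactly one account.

    max_skew is the largest clock error assumed for the claimant's recorder;
    the claim is tested against [observed - max_skew, observed + max_skew].
    """
    # A timestamp without a zone could be HKT or UTC, an 8-hour uncertainty.
    if observed.tzinfo is None or observed.utcoffset() is None:
        return Verdict("unusable", (), "timestamp carries no time zone")

    start, end = observed - max_skew, observed + max_skew
    overlapping = [s for s in sessions
                   if s.ip == ip and s.login <= end and s.logout >= start]
    accounts = tuple(sorted({s.account for s in overlapping}))

    if not overlapping:
        return Verdict("no_match", (), "no session held the address in the window")
    if len(accounts) > 1:
        return Verdict("ambiguous", accounts,
                       "address was reassigned inside the uncertainty window")
    covers = any(s.login <= start and s.logout >= end for s in overlapping)
    if not covers:
        return Verdict("ambiguous", accounts,
                       "session started or ended inside the uncertainty window")
    return Verdict("unique", accounts, "one session spans the whole window")


def run_examples():
    """Evaluate four constructed claims against the sample log."""
    sessions = parse_log(SAMPLE_LOG)
    skew = timedelta(minutes=2)
    claims = {
        "hkt_mid_session": datetime(2007, 3, 10, 20, 30, tzinfo=HKT),
        "hkt_at_handover": datetime(2007, 3, 10, 21, 6, tzinfo=HKT),
        "no_time_zone": datetime(2007, 3, 10, 20, 30),
        "hkt_read_as_utc": datetime(2007, 3, 10, 20, 30, tzinfo=timezone.utc),
    }
    return {name: check_claim(sessions, "203.0.113.7", ts, skew)
            for name, ts in claims.items()}


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name:16} {verdict.status:10} {verdict.accounts} {verdict.reason}")
```

The last claim is the same wall-clock time as the first but labelled UTC instead of HKT, and it lands eight hours after every session on that address: the "no one was using the revealed IP address at that time" outcome described in section 2.3.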
Antony
++++++++++++++++++++++++++++++
Commerce and Industry BranchCommerce,
Industry and Technology BureauLevel 29,
One Pacific Place,88 Queensway,
Hong KongE-mail: co_review@citb.gov.hk
Dear Sir/Madam,
Response to the Consultation on“Copyright Protection in the Digital Environment”
A. Background
A.1 Professional Information Security Association (“PISA”) is a non-profit-distributingassociation established in 2001 in Hong Kong for local professionals in the informationsecurity sector. Our vision is to utilize our expertise and knowledge to help bring prosperityto the society in the Information Age.A.2We are working very closely with the Government especially in the information securityarea. We are currently a member of the Office of the Government Chief Information Officer(“OGCIO”) Special Task Force on Information Security under the Digital21 StrategyCommittee. We were a member of the Cyber Security Taskforce of WTO MC6 in 2005. Inthe past years, we had been interviewed by the Police Magazine; invited by the Hong KongComputer Emergency Response Team Coordination Centre (“HKCERT”), the OGCIO andthe Hong Kong Police Force to deliver security awareness seminars to the public, and bythe OGCIO to deliver internal briefings to government officers.
A.3 On the issues dealt with in this consultation paper, we had also been consulted byCustoms and Excise Department on P2P security and investigation issue in 2005.Furthermore, we had also contributed article(s) to RTHK Digest on the issues of evidencecollection by copyright owner(s) in civil cases in 2006.A.4We take this opportunity in sharing our views as a professional body expertise in securityand privacy, and hope that we can offer independent and impartial views on the matter.A.5This document was prepared by a team of PISA members, including:
- Mr. SC Leung
- Mr. Sang Young
- Mr. Andy Ho
- Mr. Howard Lau
- Mr. Antony Ma
B. Building the foundation of our viewpoints
B.1Our views are based on our expertise and ethical standard in information security, and aswell are based on professional independence and critical thinking.B.2We must admit that there is no easy answer to each question raised.
Our stand is:
- we must strike a balance between fostering creativity for the general good andgiving business opportunities
- we must strike a balance on the interests of different stakeholders
- we must strike a balance between the enforcement of the laws and the liberty ofthe citizens, or more specifically, the Netizens.
- copyright law should endure the rapid changes in technological advancements
1. A Copyright Law that catches up with the Digital Age ( a Balanced View)
1.1We agree with the consultation paper that we have to view the copyright issue in the realmof a digital age. We have witnessed the merger of the broadcasting andtelecommunication authorities of the HKSAR Government, which reflects the merging oftraditional broadcasting industry with the new telecommunication and informationtechnology. We have also witnessed the different digital media merging. We no longer seepeople wearing mini-drive nor CD-walkman along the street, but enjoying music or amovies over the MP3 players, mobile phones or even PSP game players. We are alsowitnessing the iTune and other online delivery of copyrighted works flourishing outsideHong Kong. Can our copyright law cope with these changes?
1. 2 P rivate Copying and Fair Use
1.2.1 Private CopyingCurrently, copying creative pieces of work from one's own CD disc to one's hard drive, orto a MP3 player, or to a mobile phone is itself an infringement of right (copyright), thoughthe music and film industry is not eager to sue this action for “damages”. If the law is tostay updated with the digital age, the law should be amended in such a way that it focuseson infringement of unlicensed material only, freeing the public who owns a licensed copyfrom the threat of unnecessary civil claims. PISA cannot see any reason for the industryand the pubic to have doubt with this. This point of view has been supported in the UK'sGowers Review of Intellectual Properties 2006 (note 1).
1.2.2 Fair UseWe suggest the HKSAR Government to make reference to the US Digital MillenniumCopyright Act (DMCA) and the concept of “fair use”. In the US, fair use is a concept thatcertain uses of copyright protected material do not require permission of the copyrightowner when done for essentially non-commercial reasons. Any person may make fair use of a copyrighted work—including the making of unauthorized copies—in the following contexts:
- in connection with criticism of or comment on the work
- in the course of news reporting
- for teaching purposes, or
- as part of scholarship or research activity.
As a practical matter, fair use is primarily an affirmative defense to a claim of copyrightinfringement to argue that even if infringement occurred, there is no liability, because theinfringing activity was excusable as a fair use of the original work.
1. 3 E ncouraging the use of digital mediaGovernment should also give incentive to research and development in the digital rightsmanagement technology, and to encourage the industry to use digital formats to delivertheir work pieces. This is a more efficient and environmental friendly medium fordistribution. From the perspective of information security sector, the development of digitalrights management is crucial to protection of copyright in digital age as well as on dataprotection.
1 .4 A pproaches of Protection and Advocacy of Creativity
1.4.1We have seen two contrasting approaches, namely the “Free/Open Source (software) -Creative Common (non-software)” movement and the “Copyright protection (software andnon-software)” movement in the development of software and creative work industries. Inthe extreme end of this continuum in the “copyright protection” side is the call by CliffRichard in the UK record industry extend retrospectively the terms of copyright materialsfrom the current practice of 50 years to 95 years.
1.4.2We must point out that both movements are contributing to the software and creative workindustries in different perspectives. As information security professionals, we are mostbenefited from the free software tools written by authors mostly from overseas. Theirquality are considered to be as high as commercial copyrighted tools in many ways.Successful experience from security software, such as the Snort (or SourceFire4, thecommercial version), Nessus (or Tenable5, the commercial version) and creative workssuch as stock photo exchange stock.xchng (or stockxpert6, the commercial service), haveproved that a programmer or creative worker can distribute software or creative works incombinations of licenses and otherwise simultaneously to benefit the user community,while making commercial senses. Without these brilliant works, the hurdle in acquisition ofknowledge and skill will be steep and the lack of such works may be fatal to a knowledgebasedeconomy. Labels of “All Rights Reserved”, “Some Rights Reserved” and “No RightsReserved” should be equally respected by the users.
1.4.3Our copyright laws should be modernized allowing a flexibility of different category of“copyright” licenses to coexist and to develop in parallel. Under the current arrangement,however, if an artist prefers to license his musical or vocal creative work free so as tomaximize its distribution (to allow the maximum number people enjoy, and to make hisfame goes, etc), or he wants to use his own works in public arena, then he is still obliged topay a license fee to the records licensing industry association. Can we lift hurdles like thisin Hong Kong? It appears that the philosophy of the consultation paper is biased to oneend of the copyright license continuum and has paid little attention to address this bizarrephenomena.
1. 5 R ecommendations
a. PISA considers the fair and reasonable application of copyright material isimperative to Hong Kong’s movement towards a “knowledge economy”.
b. The copyright laws should cover and enables the enforcement in cases whereprivate users-practicing the copying of copyrighted materials (in particular those forprivate uses and by any technology means which are equivalent to using a CD)
.c. The copyright law should cover fair use of copyrighted material in thesecircumstances:
- in connection with criticism of or comment on the work
- in the course of news reporting
- for teaching purposes, or
- as part of scholarship or research activity.
2. Building Better Practice in Private Investigations of Copyright Infringement
2.1In the past year, we have seen a proactive approach taken by copyright owners toinvestigate cases of copyright infringement. We appreciate they take ownership of theirrights. We also have found that some of these cases were settled out of court, achievingsaving of costs and time. However, we have the following suggestions to increase thecredibility of this approach in alleviating the legal burden.
2. 2 C oncern on privacy over the copyright owners' investigationsCollection of personal activity information over the Internet touches on the most sensitiveprivacy issue, namely privacy. Not all private investigation may meet the level of prudencethat were that carried out by the law enforcers. If some of them are problematic, then thegeneral public have the right to question the legitimacy of such kind of activities.
2 .3 C oncern on prudence of methodology of the copyright owners' investigationAccording to the information collected from technical staff from some ISPs and universities,some of the IP address/time information produced by copyright owners in investigationproduced no match – i.e. no one was using the revealed IP address at that time. It mightindicate that the data collection approach was itself problematic: the lack of timesynchronization of the data collected with the Hong Kong Observatory clock reference, orother issue. The integrity of the data collected therefore could bring about the wrong casewith the wrong interpretation by the Court thus leading to erroneous decision of the Court.
2 .4 C oncerns on the handling of personal data received from the ISPFrom the security and privacy perspective, the data obtained by the copyright ownersduring their investigation and from the ISP should be treated as strictly confidential dataasset. The storage, transport and erasure should be undertaken in a secure and managedway.
2 .5 A re the cases settled in a fair way?a. If an innocent ISP customer is wrongly investigated, what protection and remedyare available for him, after disclosure of his personal information and privacy beinginfringed? This is one fairness problem.b. Out of the Court settlement amounts to the majority of the copyright cases. Onemight question if threatening tactic has been used in these cases. We have noevidence to either prove or disprove such cases and insofar we have entrusted thecopyright owners. However, a lack of user-end organization like EFF7 (ElectronicFrontier Foundation in the US) to protect the privacy of Internet users could makethe see-saw toppled to one side. This is another fairness problem.
2 .6 R ecommendationsa. The industry carrying out investigations and surveillances should provide moretransparency on the methodology of investigation, scope of the surveillance, andhow the collected data is handled, so as to alleviate the public concerns overprivacy infringement.b. PISA encourages the ISP to carry out validity checking before turning out customerdata, and to undertake the best practices in keeping good evidence (including moresynchronization with an observatory clock. PISA also encourages the film industry, which is a major claimant of copyrightcases, to carry out validity checking of the evidence themselves.
d. The Court should also develop higher standard in admitting the preliminaryevidence provided by copyright owner in applying for warranty, to enforce ISP toprovide customer information according to such preliminary evidence provided.e. PISA encourages these efforts be coordinated and balance the interests of differentparties. A round table with meeting agenda and published results can facilitate thegeneral public in understanding the discussion and agreement reached.f. It appears to be more transparent and fair for both sides, if a dispute resolutionsystem by a neutral third party (outside the Court, which is overseen by a panel ofdifferent stakeholders) is capable of resolving the disputes. This is a directionworth to consider.
3. Should Copyright be criminalized and should ISP be obliqued to log P2P?
3.1PISA understands that the problem of copyright infringement is hampering thedevelopment of the software and creative work businesses. We also understand that theinvestigation is not a simple job. As part of the IT sector which is in a symbiosisrelationship with creative media industry in this digital age, PISA is in total empathy withthem.
3.2On the other hand, we have to balance the interests of different parties. From a legal pointof view, whether a user downloading a copyright material via P2P file sharing is publishingthat material is still arguable.8 Another question is, “Is copyright infringement so seriousthat we have to criminalize it, disregarding other factors?” There is no sufficiently strongargument at this moment. We have seen various implementations in different countries.For some countries which do criminalize the act, the scope of application is narrower, todownloading for commercial advantage only for exceeding certain large amount.
3. 3 L og Record KeepingCurrently ISPs in Hong Kong are not legally mandated to keep logs and retain them for aspecified period of time. However, as a practice developed by the industry, most ISPs arekeeping logs of a customer's identity login/logout time and assigned IP address, and thegeneral retention period is six months. Under an order of the court, ISPs are giving outrelevant customer's information for investigation of criminal cases. In the past, civil casesrelating to copyright infringement have been taking advantage of this system. Copyrightowners were able to obtain the customer's information from ISP by providing the IPaddress-timestamp pair, by providing a court order.If there is a legislation to transform the current practice into written law, it would not beunreasonable. However, the benefit of legislation should be only very marginal, mainlyforcing the minority uncooperative ISPs to comply.
Those people most actively proposing that ISPs should keep logs are asking for ADDITIONAL logging, which includes records of users performing P2P activities. Currently most ISPs are not logging activities of users beyond login/logoff. They could perform additional logging of an individual user when there is an order from law enforcement in criminal cases. If we demand a higher standard of logging from the ISPs covering ALL users' P2P activities, would it be proportional to the severity of the act or crime conducted? Furthermore, would it be fair to transfer the burden of evidence collection to another party (i.e. the ISP) for the sake of protecting another party’s (i.e. the copyright owner's) commercial interest?
3.4 Even if the copyright owner is willing to pay for and cover the additional resources for ISP logging, would it respect the privacy of the users if their Internet activities are logged before they are proved to be criminal? Currently there is no requirement for an ISP to log suspicious Internet activities of an individual user before the Police have obtained warrants or orders from the Court. Why does a "potential but not proved" copyright infringement justify logging certain network activities of all users? Is copyright infringement itself a much more severe crime than other “tamer” crimes like hacking or virus spreading? This is a big big question mark!
By the same principle, PISA also questions the justification for allowing copyright owners to demand that ISPs give out a suspected copyright infringer's information without going to the court.
This fast track process is itself putting the severity of copyright infringement (currently a civil liability) over other criminal acts.
3.5 Even if (1) copyright infringement is criminalized, (2) the copyright owner is willing to take up the extra resources of logging and (3) for some reason, copyright infringement becomes more important than other cybercrimes that require extra logging, then the question is whether it is proper to log “copyright infringement probable” traffic.
3.6 Even if we have overcome all the problems stated above, we have to ask what the specific P2P protocols to log are. At this moment no party can give a definitive answer. P2P in itself is a collective name for families of different protocols for different purposes.
Even if we limit our scope to, say, BT today, from an information security aspect the logging can be evaded easily tomorrow. We have seen the protocols of ICQ, MSN and others being targeted by corporations for some time and blocked at the firewall level. After a short while, the protocols themselves evolve to use other TCP ports or other technology to bypass the blocking, for example by using TCP port 80, which is used by every web access. However, at the same time P2P is also used for productive activities like the download of freeware software CD images, media streaming and file transfer. So the effectiveness of logging merely the P2P protocol is questionable, and furthermore, no one is sure how to easily identify the P2P traffic required to be logged.
3.7 P2P is a disruptive technology. It brings about opportunity but it also creates troubles. But P2P is by far the most resilient technology now for delivering information. The biggest disruptive technology is ironically the big “Internet” technology as a whole. As information security professionals, we admit that the Internet itself is the biggest source of security problems and crimes today. Yet we do not propose to ban this technology but rather to increase its security assurance so that the world can enjoy the productivity and benefits it brings about. Businesses and individuals are starting to add an accountability element to BT-like protocols in order to track the sources.
3.8 Summary of Comments on Criminalization, etc.
- PISA has not identified strong evidence that copyright infringement by downloading urgently needs to be criminalized, and so is against criminalizing it at this moment.
- While PISA is very sympathetic with the copyright owners over the problems of copyright infringement, PISA does not have strong reasons to justify passing the burden to the Police or ISPs.
- PISA has not identified strong reasons to put the severity of copyright infringement over other cybercrimes such that the Laws require ISPs to do extra logging of all users’ P2P traffic.
- PISA objects to a proposal where the copyright owners do not need to apply for an order from the court to compel the ISPs to give out customer data of a suspected copyright infringer.
- PISA objects to forcing ISPs to log P2P traffic because it is not effective and it can be evaded.
Should there be any inquiry, please contact us at telephone 81046800 or email: info@pisa.org.hk
Yours faithfully,
Mr. Howard Lau
Chairperson
Professional Information Security Association