TheNetStudio.com

Internet Music Collaboration

Think.Code.Repeat.

The Architect's Blog
May 1st, 2009

Understanding the complex reality of improper data sharing.

Thoughts about Copyright Law

Laws are good, and good laws are critical for the healthy balance required for a free society to thrive. It is my belief that Intellectual Property laws are critically necessary for any free society to function, grow, and flourish.

I subscribe to the belief that anybody who invents or creates something new owns it. And that person may keep it, rent (license) it, or outright sell it to anybody else, under terms that both parties agree on.

Copyright is just such a law. Once a work is copyrighted, the Copyright owner has the right to decide who can copy the work, and under what circumstance the copy can be made. Anyone who copies the work without the consent of the Copyright owner is stealing it from the rightful owner.

Moving from Physical to Virtual

Copyright used to be a pretty straightforward concept when works were copied and traded on physical mediums such as books, vinyl records, CDs, videocassettes, etc... But those physical transmission mediums are no longer the only (or preferred) way to exchange content. We have now come to an age where no discreet physical medium is ever required to create and/or transmit a copyrighted work.

An entire album for instance can be recorded, mixed, mastered, uploaded, and downloaded without ever being copied to a CD or cassette tape. It can reside on the hard disk of a computer, be transmitted over the Internet, and then loaded onto an MP3 player without any requirement for it to be a physically packaged product. The appearance to the consumer is that no physical item has ever been traded (although that in not entirely true).

This, I believe, contributes to the dilemma we have found ourselves in. I perceive that the average consumer may have come to believe that when they buy a record, they are paying for the physical media. Conversely, if a record is transmitted (or copied) without the physical media, they may reason that it is not being stolen. Or, at least, that the impact on the content creator (or owner) is minimal because nothing tangible existed, or was taken. Nothing could be farther from the truth. And without the intellectual construct of, and respect for, Intellectual Property, consumers may wrongfully believe that digitally trading music, books, or videos is perfectly acceptable.

Finding Our Bearings

In order to address widespread Copyright violation, the consumer must be re-oriented, and educated to understand that even though a music file (an MP3) has no physical medium associated with it is still the property of the Copyright owner, and copying or downloading it without the permission of the owner (not paying for it), is stealing. This will not be an easy task, since modern American youth culture does not generally think in this manner. It will be a slow ship to turn. But without the establishment of respect for Intellectual Property, our society will not be able to maintain it's health and growth. I firmly believe Americans have a respect and love for fairness, and given the chance they will indeed do the right thing.

Note: I know that there are many other reasonings for improper copying of Copyrighted works, but for this article I want to primarily address the impact that the proliferation of digitized content has had on Copyright violation.

There are many people that believe this problem can or should be solved somehow by technology. Unfortunately, given today's state of technology, that is not likely. Technology can aid in prosecution of violators, but a pure technology solution to this issue is not possible.

The Dichotomies of Technology

But, technology created the problem. Why can't technology solve the problem?

Put simply, the exact same technology that allows you to do online banking, or to buy something on eBay, also allows others to illegally share MP3 files. In other words: The exact same basic technology can be IMPLEMENTED as an online banking system, or IMPLEMENTED as a nearly traceless file-sharing program.

This is why both the personal computer and the Internet have enabled unprecedented advances in so many different areas. Both are powerful yet basic and open technologies that have no real built in limitations. They simply enable other technologies to be built on top of them. Their wide open architectures are a blank slate on which almost any type of information sharing can be built.

For the sake of brevity I want to focus only on improper file sharing, even though there is much more to discuss and understand regarding the impact of these technologies on culture, society, and the economy.

Specifically, I want to focus this article on the four primary technologies that I believe enable improper file sharing. They are: The digitization of content, The open nature of Internet data transmission, Data encryption, and Routing.

Digitization of Content

Prior to the personal computer and the Internet, content existed in a discreet, fixed, physical form (A book, a CD, a tape). This was usually a transitional format. That is: It existed only because we had no other way to retain and reproduce the content and transmit it from one place to another. The physical medium itself, in many cases was not the content, it was just the only way we could save and transmit the content.

I think it is also interesting to note how good we got at marketing and packaging the content to make it appear more enticing.

Once the personal computer had sufficiently matured, content - which is often simply the expression and transmission of ideas, could be created digitally. It is hard to communicate how significant this is. With the aid of the computer, the average person could now create content that had previously been too expensive, or too time consuming for them to even attempt.

For example, in the area of music: With a relatively small investment, today's hobbyist musician can record an entire album with their computer. The quality and complexity of recordings that they can now inexpensively create with their home computer would have been nearly impossible without a record contract, and access to a recording studio, just a short 20 years ago. This ability has really democratized the creation of music such that there is no longer a significant financial barrier to creating very high quality multi-track recordings.

The computer itself does not know if the proper Copyright holder recorded that song, if it is a cover song, a sampled version of the song, or if it was ripped from a CD. The computer is really just a tool that simply shuffles and calculates bits. This is why the personal computer has been so successful - It makes no value judgment. Instead, it is actually the software built on top that has to make the value judgment of what can and cannot be done. And if the software does not limit what can be done, it is left to the computer USER to make a value judgment of how to properly use/license/copy/share the data that is on that computer.

The Open Nature of Internet Data Transmission/Protocols

Just like the personal computer simply ships data around inside the computer itself, the Internet has extended that ability between computers. The Internet design is also without morality. It is an open architecture that just takes data from point A and sends it to point B.

This is done via something called "protocols". Protocols are simply a type of language that both sides understand so that data can be sent and received. The average computer user associates the transmission of data with the program they are using. This is a false assumption, and it contributes to the problem of really understanding why improper data transmission (improper digital content sharing) is so hard to control.

Let me explain: A company may allow web browsing, but prevent file sharing programs on it's network and/or computers. They reason that web browsing, which uses the HTTP (or HTTPS) protocol and runs on port 80 or 443 are OK. But that a file sharing program that runs across port 8011 and has it's own unique protocol should be blocked. The problem is that the Internet and the computer don't know or care what the actual data is! So a simple program can be written to share files using the HTTP protocol specification on port 80, and neither the computer, nor the firewall, nor the Internet routers will not know if the user is browsing a web page or downloading improper content! This is commonly called "tunneling".

In order to address this issue, the security industry has created something called "Deep Packet Inspection". Deep Packet Inspection firewalls look at the actual data that is being transmitted, and they can determine if the computer program is tunneling (for instance: HTTP is being used to share music files). The problem with Deep Packet Inspection is that it assumes that the data is "in the clear" i.e. not encrypted. Which we will soon find out is not always the case.

Encryption

The role that encryption plays in this issue is very complex.

First, for this article, let's define encryption as a method to mathematically scramble data, so that it cannot be read or used without being unscrambled (usually with a password of some sort).

For the sake of brevity I will break encryption down into two types: Data At Rest, and Data In Transit. Data at rest is simply the data on the computer that is just sitting there. An example of encrypting data at rest would be encrypting your local financial database so that if your computer was stolen (or hacked), your financial data would be unreadable. I encrypt all of my source code when I develop software, so that if my computer was hacked, my source code would be safe - no one could steal my ideas.

Encryption of Data In Transit is most commonly known as SSL (or TLS). It is what your web browser uses when you do your online banking. When you connect to your bank, many things happen between your computer and the bank computer - but for this article, we will simply say that a password is created that just your computer and the bank's computer agree on. From then on your computer encrypts (scrambles) all data before it transmits it over the Internet, and the bank computer does the same. Since only your computer and the bank computer know the password, only those two computers can unscramble the transmitted data. Using this type of encryption, only your computer and the remote computer can know if you are paying a bill online, downloading your monthly statement, or sharing improper content. Not even Deep Packet Inspection firewalls know what you are doing.

Encryption is critical to online commerce. And without encryption online commerce would not even be possible. Unfortunately there is a dark side to encryption: Encryption also enables improper content to be hidden within HTTPS/SSL. Once this tunneling is done it is very difficult to know exactly what is being transferred. Rather, we can only guess what type of information is being transmitted, based on traffic patterns.

Routing

What a computer (or computer user) is actually doing can sometimes be inferred from what other computer(s) it is connecting to. For instance, if a home computer is connecting to a bank computer, then they are probably doing online banking. That connection from the home computer to the bank computer is called a "virtual circuit". It is not a direct physical connection between the home computer and the bank computer. Rather, it is a series of connections through multiple "routers" on the Internet, that create a "route" to the banking computer. Anywhere along this route the virtual circuit can be inspected to determine who is connected to whom. Since routes are dynamic (they can change), the inspection is typically done at either the endpoints (your computer or the bank computer), or at the endpoint's ISP.

This is how computers typically connect to each other on the Internet - But you don't HAVE to connect to a remote computer this way. You can instead use anonymizers or proxies. An anonymizer is a computer that you connect to, and then tell THAT computer to go get your data, and return it to you.

Using our banking example: At your end of the virtual circuit, an inspection would show a connection to the proxy server (but not to the bank). At the bank end an inspection would show only a connection from the proxy server (but not from you). an anonymizer or proxy can therefore hide who is connecting to whom. This is fairly easily defeated when only a single proxy server is used (using traffic pattern analysis).

However, an even more stealthy mechanism called "Onion Routing" can be employed to make tracing nearly impossible. Onion Routing is accomplished by connecting multiple encrypted proxy servers together in a randomized fashion, such that no traffic within the system can ever be attributed to any single end point. Basically it takes the idea of a virtual circuit (a connection from one point to another), and scatters it in such a way that no one can figure out where it goes to or comes from.

Current State of Affairs

These are the primary technologies, that when tied together enable a virtually anonymous way to send and receive any type of digital content. The content can be scrambled in such a way that no one knows whether it is a bank statement or an MP3 file. And the connections between computers can be scattered in such a way that no one can really tell who is connected to whom. The technology can be used to pay bills online, protect the (anonymous) free speech of those in oppressed countries, or send illegal MP3s.

What?! So have we lost?

Hardly.

There are other mechanisms that can be employed to prevent improper digital content sharing. But without understanding these technologies, a workable solution cannot be crafted. Unfortunately the horse has definitely left the barn, and a slow methodical process must be put in place to address this issue. That includes educating content consumers that copying content is improper, working with law enforcement to secure endpoints, watermarking content to trace it's origins and destinations, and to work with vendors to build applications that encourage proper content usage and sharing.

I will be exploring solutions to the problem of improper content sharing in my next blog post: Resolving the issues of improper data sharing.