The House bill was prompted by a series of embarrassing leaks of government-held data on everything from nuclear facilities to Army officers’ Social Security numbers to confidential congressional ethics investigations.  Those ethics panel leaks were labeled by the Recording Industry Association of America as “a powerful catalyst to enact real reforms to protect consumers.”  A recent report revealing the troubling degree of insecurity in federal government file transfers will probably only add urgency to the debate on the Senate bill.  The study, titled “Why Encrypt? Federal File Transfer Report,” was released on May 11, 2010 by MeriTalk, a government IT network, in conjunction with Axway, a company specializing in business-to-business integration software.  The report surveyed 200 federal IT and information security professionals.  It found that an alarming number of these personnel use unsafe file-transfer methods, including physical media (66%), FTP (60%), and personal email accounts like Gmail or Yahoo (52%).  Although 80% claimed their agency had adequate transfer-security policies, only 58% said employees were aware of those policies, and just 42% said such policies were consistently followed. 

It will be worth staying tuned to see whether these damning statistics will convince the entire Senate to bolster federal file-transfer security — and raise awareness about the issue — by passing the Secure Federal File Sharing Act.  One might also wonder whether these legislative developments would influence private-sector policymakers — in corporations and other institutions — to follow the federal government’s lead in banning P2P software use. 

In any event, P2P security initiatives in the private sector may get a direct boost from the federal government through “The P2P Cyber Protection and Informed User Act”, introduced by Senators John Thune (R-SD) and Amy Klobuchar (D-MN). 

If the Secure Federal File Sharing Act seeks to protect the government and the public alike from the dangers of data leaks within federal networks, the Thune-Klobuchar legislation seeks to protect all individual users of P2P software from inadvertently exposing their own private files to the public.  Thune saidhis bill will take aim at “the privacy and security threats associated with” P2P file-sharing.  Klobuchar explained to the Minneapolis Star Tribune that “without proper precautions, P2P software can allow anyone on the network to gain access to all the files on your computer, not just the ones you intend to share.”  She said that because such software often “allow[s] access to private financial or family records, it’s an invitation to identity thieves and sexual predators.” 

The Klobuchar-Thune bill, whose companion legislation has already been passed in the House as the “Informed P2P User Act” (H.R. 1319), includes two major components.  First, it would require all P2P software to provide a user with “clear and conspicuous” notice of the program’s function, and obtain the user’s consent, before the software is downloaded or installed.  Second, the bill would make it illegal to prevent a user from blocking, disabling, or removing P2P software.  The bill would bestow enforcement authority upon the FTC, which in February 2010 notified about 100 private and public organizations that they had suffered P2P-based data breaches.    

It would be worth speculating on whether this wider regulation of P2P software could ultimately have a chilling effect on the general public’s use of programs like uTorrent, Shareaza, Ares, Limewire, and BitComet.  If so, one might imagine that content owners may get behind the bill in an effort to stem the losses from P2P-based infringement.  The bill has received support from the RIAA, the Direct Marketing Association, Stop Child Predators, and 41 state attorneys general.     

Stay tuned.

**  Nathaniel Fintz, a summer associate with the Firm, assisted in the preparation of this post.

Dan will be part of a panel entitled “Global Perspective – Changing Rules for P2P and Cloud Computing”, which will discuss the key laws and regulations that P2P and cloud computing software developers and distributors need to comply with, the changes taking place in the regulatory environment affecting P2P and cloud-computing technologies, the impact of recent actions and rulings and other issues in the legal and policy arenas that might foster investment and commercial development of P2P and cloud computing. More information on registration is available on the DCIA’s website.

On a related note, the video from the DCIA’s March 9 conference has been posted.  At that conference, Dan participated in a  panel discussing the various business models utilized by P2P and cloud computing providers, including ad-supported, subscription, paid download and other innovative strategies.

If adopted, the new Act would bar government employees and contractors from downloading, installing or even using P2P file sharing software, such as LimeWire, without official approval.  In response to the most recent leak, the bill would also require the White House to develop rules for employees working on home or personal computers.  In order to use file sharing networks, an agency head or CIO would have to make a special request to use the P2P software.  Furthermore, agencies would be obliged to establish P2P use policies, require that employees and contractors comply with them, and then create security mechanisms to detect and remove prohibited software. 

In 2004, the White House Office of Management and Budget advised federal agencies simply not to use any P2P software.  As evidenced by the most recent embarrassment, this “advice” was not sufficient and now hopes that putting the prohibition into federal law will grant it much greater weight.  Critics of P2P software complain that personal data including social security numbers, medical records and tax returns are being shared because users are unaware of how the software operates, primarily because inadvertent filing sharing occurs (for example, when a user wants to share music or video files from a specific location or folder on his/her PC, a variety of other personal data and files, in all different formats, may also be shared). 

Security industry experts appearing at Congressional hearings earlier this year testified that file sharing software has resulted in the release of personally identifiable information associated with members of the U.S. Military, including social security number of master sergeants, medical records and even surveillance photos.  In addition, information accidentally released from a Fortune 100 company included thousands of e-mails, contact addresses, phone numbers and passcodes.  Rep. Towns’ goal is to “put a referee on the field” in terms of regulating use of such software in response to what he deems as the file-sharing industry’s unwillingness and/or inability to ensure user safety.  It appears he will also dedicate resources to encourage the government to launch a national consumer education campaign about the dangers associated with the use file-sharing software. 

Rep. Towns also proposed that the Federal Communications Commission and Federal Trade Commission look to aid in preventing this growing problem.  Right now, however, it is unclear what kind of influence is statutorily granted to the FCC, if any at all. 

Regardless, it will also be very interesting to see if or when the specter of enacting this new bill into law will affect future P2P file sharing program use in the commercial sector, or lead to additional policy and regulatory initiatives in the area.

*  Kari Hirsch, who recently joined the DigitalHHR team, contributed to the preparation of this post.

Tomorrow a Swedish court is expected to announce it’s ruling in a criminal case that has been closely watched by nearly everyone with a stake-financial or otherwise-in the free-wheeling world of P2P file swapping.  At its core, the ruling will determine whether the operators of the Pirate Bay, the popular torrent search and indexing site, are guilty of violating Sweden’s copyright law.  A conviction-which many observers expect-could lead to imprisonment and a possible fine, as well as a shut-down of the site.  However, despite the potential immediate impact on the Pirate Bay and its operators, the broader implications of a guilty verdict, including whether or not it will serve as a deterrent against unauthorized file-sharing, are a little less certain.

For the uninitiated, a little background:  the Pirate Bay is a Swedish web site that bills itself as the world’s largest BitTorrent tracker.  According to various measurements, the site ranked 105th for daily traffic over the past three months and an estimated 2.7 million people from the US visit every month.  

BitTorrent is a peer-to-peer file sharing protocol used to transfer files, which accounts for approximately 35% of all traffic on the Internet according to one study.  BitTorrent differs from traditional P2P file-sharing in that a single file may be downloaded from numerous sources, each providing small packets of data, rather than from a single source.  A client implementing the protocol creates a small file called a “torrent” which contains metadata about the files to be shared and about a tracker computer that coordinates file distribution.  A user seeking to download the file must first obtain the torrent file associated with it and connect to the tracker computer, which then tells the user’s computer which other computers on the network have pieces of the file to be downloaded.

The defendants in the Pirate Bay case are relying on the underlying nature of the BitTorrent protocol to serve as the basis for their defense.  Specifically, they claim that since the Pirate Bay website only serves as an index for torrent files, and does not actually store any copyrighted materials, the site’s operations cannot be deemed to be infringing.  Taking the argument a bit further, they claim that because many sites and services on the Web point to or link to infringing content or allow users to upload such content-including Google-the infrastructure and inherent nature of the Internet are at issue in the case.  The defendants used the analogy of roads and telephones that sometimes are used for illegal activities: no one suggests destroying the road network or hauling phone companies into court due to offenses committed by one or more individuals using such roads or telephones.

Prosecutors countered that search services like Google, and the roads and telephone lines, were established to foster legal activities.  In contrast, the Pirate Bay’s entire raison d’être appears to be to foster primarily illegal activity in the form of infringing file-sharing. 

The trial itself, which was held over three weeks in February and March, was a bit of circus.  The defendants and their supporters posted daily accounts of the trial on the Web.  And, after the web site of the International Federation of the Phonographic Industry, the trade group for the music industry, was hacked during the trial, one of the defendants posted a note on his Twitter account saying, “Whoever is hacking the IFPI websites, please stop doing that.  It only makes us look bad!”

In many ways, the Pirate Bay’s notoriety is an “only in Sweden” affair.  Until recent amendments, the Swedish copyright law did not prohibit downloading copyrighted material for personal use.  Nearly every Swedish household has a cheap broadband connection, and polls have found that over 10% of the population engaged in some sort of P2P file-sharing and downloading.  A political party dedicated to legalizing P2P file sharing-regardless of copyright issues-was formed and has made credible efforts to gain seats in the Swedish Parliament.

However, in response to international pressure, the Swedish government has begun to take a tougher stance against illegal file-sharing.  Earlier this month, a law came into effect allowing content owners to obtain from Swedish ISPs the names and addresses of people suspected of sharing copyrighted materials without authorization.  The law, which brings to Sweden an investigation and enforcement tool available throughout the EU, had an immediate impact. On the day the law went into effect, total Internet usage decreased by 40% and has remained suppressed since such time.

During the trial, the head of the IFPI testified that 30% of the losses suffered by the global music industry were a result of illegal file sharing, citing several academic papers.  He also testified that, following successful court actions in recent years which led to the shut-down of P2P file-sharing sites Grokster and Kazaa, the Pirate Bay had become the No. 1 source for illegal music on the Web. 

Despite the fact that early in the trial prosecutors dropped charges alleging that the operators were “assisting copyright infringement”-leaving the primary allegation based on “assisting in making available” copyrighted material-it appears that the prosecution will ultimately prevail. 

However, it is unclear what impact, if any, shutting down the Pirate Bay will have on illegal file-sharing as a whole.  As has been seen numerous times over the past decade, every time a prominent P2P site or service has been successfully challenged and shut down (see Napster, Kazaa, Grokster, etc.), downloaders have simply found other sites to use.  Moreover, the Pirate Bay is merely one of many BitTorrent search and tracking services currently available to end users, including Mininova, isoHunt and btjunkie.  (Ironically, while none of these sites have become a high-profile target of the entertainment industry, Mininova actually has a higher traffic ranking than the Pirate Bay (86^th v. 105^th).  And the others aren’t shy about self-promotion:  isoHunt says it is the “most comprehensive BitTorrent search engine”; and btjunkie bills itself as “the largest and most advanced BitTorrent search engine” with over 1.5 million active torrents.)  [As an aside, in researching the information above and merely visiting the home pages of those sites via Google links, the PC we were using was apparently infected with a virus (notwithstanding the fairly extensive systems in place here).  Perhaps the media industry's strategy vis a vis these sites is based on its awareness of this "deterrent" we unwittingly and regretfully stumbled upon.]

However, in light of the brazen attitude that the Pirate Bay’s operators have taken toward illegal file-sharing, a conviction will enable the entertainment industry to claim a major victory in its fight against Internet piracy.

Regardless of the outcome, the trial-and similar enforcement efforts-should not be viewed by the entertainment and media industry as a substitute for a viable P2P business strategy.  Current and future technologies are making the digital distribution of music, video and book files faster, simpler and more ubiquitous.  Initiatives such as collective licensing-under which ISPs would pay an independent agency a fee based on its user base (presumably passed on as a fee to the users), which would in turn be pooled by the agency and used to pay royalties to content owners-are being considered viable alternatives that may effectively compensate content owners, foster the wide distribution of entertainment assets and move the digital space to a less adversarial environment.

• The New York Times, owners of Boston.com, and GateHouse Media agreed on the eve of trial to settle their copyright lawsuit.  As part of the settlement, the complete details of which aren’t available, the headlines and first sentences from GateHouse articles will be removed from listings on Boston.com, although Boston.com will continue to link to GateHouse.  While the settlement appears to be a victory for GateHouse, some are questioning whether GateHouse’s objections to the content in the links made business sense as Boston.com was sending traffic to GateHouse.  The new restrictions may cause Boston.com to think twice about doing that in the future.  Other smaller media and content sites may want to consider these ramifications in raising similar issues.  Read here for more on the dispute.
• Controversy is already brewing at the President’s virtual home regarding privacy issues.  In what some called a “YouTube exemption” to the privacy policy at WhiteHouse.gov, YouTube was apparently permitted to plant tracking cookies on the computers of visitors to the White House site.  When objections were raised, the policy was quickly amended to limit the placement of cookies only on machines that actually click on the video.  The debate seems to point to the tricky nature of balancing the optimal privacy policy with the transparency of the actual terms of that policy.   More on the issue is here.
• In what may be the first of its kind corporate policy, Ireland’s largest ISP, Eircom, has agreed to implement a “three strikes and you’re shut down” policy for P2P file sharers.  The policy is the result of a settlement in a lawsuit against Eircom that was broght by the Irish branches of EMI, Warner, Universal and Sony.  While the concept of a graduated response has been debated before (it was actually specifically rejected by the European Parliament last year), Eircom now appears to be set to be the first ISP in the world to voluntarily cut off P2P users without court orders.    For more on this issue, read here.
• North Carolina joins a list of states now considering charging sales tax on digital downloads to help raise revenue for the state – a move that could deter customers who are already facing tough times.  More details here.
• In a move that is being widely criticized, Cox Communications, the third-largest cable company, has announced plans to test a system to manage Internet congestion by rating traffic based on its urgency and importance.   Coincidentally, Google released a new set of tools to enable users to find out if their ISPs are hindering traffic.  Read here for more.

The bill was introduced as the FCC was investigating Comcast for allegedly instituting measures to slow down P2P traffic on by its users. On August 1, the FCC entered an order finding that Comcast had, in fact, violated FCC net neutrality principles by examining users’ connections and routing them (in actuality, slowing them down) based on whether the connection was being used for P2P uploads.  In effect, Comcast was managing traffic connections not based on destination but on application.  The order directed Comcast to suspend the network management practices that violated the FCC rules, with the intention of making the suspension permanent. 

As expected, on September 4, Comcast filed suit in the US Court of Appeals for the DC Circuit seeking to overturn the FCC ruling.  While Comcast has said it will comply with the directives in the order, it was appealing the order because, in the words of a Comcast spokesperson, “the Commission’s action was legally inappropriate and its findings were not justified by the record.”

Stay tuned . . .