[unisog] Chronicle of Higher Ed. article on NetPD

Paul Neubauer prn at bsu.edu
Fri Nov 9 14:53:57 GMT 2001

Bruce wrote:
 >Now on to the question I would like to ask the list.  What
 >would members of the list consider to be an acceptable digital
 >signature for emails being sent out?
 >1.  A PGP key issued for the role 'Client-Notifications' where
 >a key would be created for each client

Not bad, but this might be more complicated than a single key, both at 
your end and ours.

 >2.  A personal PGP key issued to a NetPD Employee

I suspect that this would be worse than either 1 or 3. I would much more 
strongly prefer a *company* key for a *role* over a personal key.

 >3.  A key issued by a company (maybe Verisign) for the role

A key signed by Verisign might be a good idea, but I don't think it 
would be absolutely necessary.

 >4.  Something that I have overlooked?
 >My personal preference would be #1.

Personally (and I am NOT the DMCA contact or any other sort of legal 
contact here, so I am speaking only for myself) I would think a single 
key for the company (NetPD) would be acceptable.  If the key were signed 
by Verisign, that might make it a little simpler to verify, but I 
suspect that simply publishing the public key on your web site 
(especially if it is accessible in relatively standard browsers) should 
be fine. If it ever came down to a legal proceeding, there would need to 
be testimony on the provenance of the key no matter what. I don't see 
any added value in having different keys for signing complaints from 
different clients, except as I discuss below.

 >Also can anyone recommend ways of getting keys signed?  I am not
 >currently a PGP user.

I don't think you really need to worry too much about the "web of 
trust." That concept is not really the most relevant model for what you 
are doing here. Publishing the public key on your web site would 
probably be enough to supply adequate evidence (for everyday purposes) 
that a specific e-mail notification is from you and not forged.  A 
Verisign signature would be much more than adequate. As I said, if it 
comes down to legal proceedings, no signature would *by itself* be 
adequate. Testimony would be required in any case, so signatures (beyond 
self-signing, of course) should not really be needed for day-to-day 

Additional signatures or verification would gain in value *only* if you 
had your keys signed with public keys that could readily be verified to 
belong to the clients. That is, if Sony were to sign the key you used to 
send out complaints about Michael Jackson songs using a key that they 
(Sony) published on their web site or otherwise made readily available, 
then you could demonstrate that you were, in fact as required by the 
DMCA, an authorized agent for Sony. As it is, you have asserted on the 
unisog list that your mailings are authorized, but as I understand the 
various complaints, your e-mail notifications do not even assert that 
you are authorized by Sony, much less demonstrate it. If Sony signed 
your key, that would be a prima facie reason to believe that you are 
acting as an agent of Sony.

The impressions I get are that your "notices" are not even close to the 
"legal notice" specified in the DMCA. I understand that you are located 
in the UK so you are not bound by US law, but you are notifying *us* of 
violations under US law, so the notifications ought to conform to the 
requirements of the law that your clients are hoping to use. They cannot 
use the provisions of the DMCA unless their agents (you) follow the 
requirements of the DMCA. Nevertheless, I understand that your clients 
would probably strongly prefer that they not be forced into the 
unprofitable need to bring the alleged violations into an actual court 
if they don't have to, and I also get the impression that virtually all 
of the unisog participants want to act in good faith and reduce the 
number of copyright violations at their sites as much as possible. (We 
know that eliminating them completely is next to impossible, but we do 
want to do our best.) You can help in that regard by making your own 
good-faith attempt to supply the necessary information. A digital 
signature from the notifying agent (you) would appear to be one of the 
missing requirements, so even if you do it in a minimal way, it would 
help. Publish a PGP (or maybe even better a GPG <www.gnupg.org>) key on 
your web site and use it to sign your notices.

At least as important is a way for university (or ISP) admins to verify 
your findings. As numerous people have pointed out, an IP address is not 
sufficient. We need at least a time and date in addition so that we can 
make an attempt to identify IP addresses that vary due to DHCP or NAT. A 
port or protocol would be handy too. By now, there are so many different 
"file-sharing" clients that verifying any of the information is 
unreasonably cumbersome. Whatever logs or other information you can 
supply would be a big step forward. Saying that IP iii.jjj.kkk.lll is 
serving "Foo" by Michael Jackson is not really adequate. Saying that "At 
time T on date D, you found IP iii.jjj.kkk.lll serving 'Foo' by Michael 
Jackson using Gnutella on port P" is a huge improvement.  I'm sure that 
others will have more concrete suggestions for what information they 
will find most helpful in tracking down the culprit and/or verifying 
your information, but my suggestion is to start work now on improving 
your notifications. Improving your technology for finding infringing 
material is good, but unless the information you develop can be used to 
find and stop the infringement, it is ultimately useless to the admins 
of the domains hosting the infringers as well as to your clients.

Best Regards,

Paul Neubauer
prn at bsu.edu
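The last part of the message argues that a notice naming only an IP address cannot be acted on at a site using DHCP or NAT, and that a date, time, port and protocol are the minimum an admin needs. The script below is an added example, not code from the post or from NetPD: it parses a small key/value notice in the shape the message describes, insists on the fields the message calls for, and correlates the IP and timestamp against a constructed DHCP lease log to identify which host actually held the address at that moment. The notice format, the lease-log format, the hostnames, MAC addresses and the 10.20.30.40 address are all assumptions made up for the example; it assumes times are given in UTC. The second lookup, which ignores the time, shows why an IP alone is ambiguous.

```python
"""Correlate an infringement notice (IP + date/time) with DHCP lease records.

Added example: demonstrates why the notice fields the post asks for
(date, time, port, protocol) let an admin resolve a DHCP-assigned address
to a specific host, and why an IP on its own does not.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed DHCP lease log (hypothetical network, hypothetical hosts).
# Columns: lease-start lease-end ip mac hostname; timestamps are UTC.
LEASE_LOG = """\
# start                end                  ip           mac                host
2001-11-08T09:15:00Z 2001-11-08T12:00:00Z 10.20.30.40 00:11:22:33:44:55 dorm-a-317
2001-11-08T13:40:00Z 2001-11-08T18:00:00Z 10.20.30.40 66:77:88:99:aa:bb lab-b-02
2001-11-08T22:05:00Z 2001-11-09T06:00:00Z 10.20.30.40 00:11:22:33:44:55 dorm-a-317
"""

# Constructed notice in the "at time T on date D, IP X served title Y via
# protocol Z on port P" shape the post recommends (format is an assumption).
NOTICE = """\
Date: 2001-11-08
Time: 14:02:11
IP: 10.20.30.40
Port: 6346
Protocol: Gnutella
Title: Foo
Artist: Michael Jackson
"""

REQUIRED_FIELDS = ("ip", "date", "time", "port", "protocol", "title")


@dataclass(frozen=True)
class Lease:
    start: datetime
    end: datetime
    ip: str
    mac: str
    host: str


def _ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_leases(text: str) -> list[Lease]:
    """Parse the whitespace-separated lease log; '#' lines are comments."""
    leases: list[Lease] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, ip, mac, host = line.split()
        leases.append(Lease(_ts(start), _ts(end), ip, mac.lower(), host))
    return leases


def parse_notice(text: str) -> dict:
    """Parse 'Key: value' lines and refuse a notice missing the essential fields."""
    fields: dict = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        raise ValueError("notice is missing required field(s): " + ", ".join(missing))
    ipaddress.ip_address(fields["ip"])  # reject malformed addresses up front
    fields["port"] = int(fields["port"])
    fields["at"] = _ts(f"{fields['date']}T{fields['time']}Z")  # assumes UTC
    return fields


def lessee_at(leases: list[Lease], ip: str, at: datetime) -> Optional[Lease]:
    """Return the lease that covered `ip` at instant `at`, or None if no lease did."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease
    return None


def lessees_without_time(leases: list[Lease], ip: str) -> set[str]:
    """Every host that ever held `ip`: what an admin is left with if no time is given."""
    return {lease.host for lease in leases if lease.ip == ip}


if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    notice = parse_notice(NOTICE)
    hit = lessee_at(leases, notice["ip"], notice["at"])
    print("with timestamp:", hit.host if hit else "no lease covered that time")
    print("without timestamp:", sorted(lessees_without_time(leases, notice["ip"])))
```

Run as a script it prints the single host that held the address at the notice time, then the larger set of hosts that would have to be investigated if the notice carried no time at all; a notice lacking any of the required fields is rejected before any lookup happens, which is the behaviour an admin's intake tooling would want.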
